Briefing

The Balancer decentralized finance protocol suffered a catastrophic multi-chain exploit, resulting from a subtle rounding error within its V2 Composable Stable Pool smart contract logic. This vulnerability allowed an attacker to manipulate the pool’s internal accounting, enabling unauthorized withdrawals and a complete draining of assets across multiple deployed instances. The primary consequence is a significant loss of user and treasury funds, underscoring the extreme fragility of complex DeFi invariants when exposed to adversarial transaction ordering. The total financial impact is quantified at over $128 million lost from various liquidity pools.


Context

The pre-incident security posture was characterized by an over-reliance on the complexity of V2’s pooled architecture, specifically the batchSwap feature designed for gas efficiency in multi-token trades. This complexity expanded the attack surface by introducing deferred settlement mechanisms, a known risk class where state changes are not immediately finalized. The prevailing risk factor was the potential for low-level arithmetic flaws to violate the core invariant of the stable pools under specific, high-volume transaction conditions.


Analysis

The attack leveraged a rounding error in the _upscale function used by the batchSwap feature to manage token amounts within the pool. The attacker executed a sequence of swaps that exploited how the contract calculated and settled token balances during deferred transactions. This manipulation allowed the attacker to repeatedly push the pool’s internal liquidity metric below the safe threshold without triggering the intended safety checks. The resulting invariant violation permitted the withdrawal of more tokens than the attacker was entitled to, effectively draining the pool across Ethereum, Base, and Arbitrum.
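As an added illustration (not Balancer's code; the constant-sum invariant is a deliberately simplified stand-in for the stable-pool invariant), the Python below shows why floor rounding in an upscale step is immaterial on normal balances but dominates on dust-sized ones, and a precision guard a pool could apply before trusting an invariant computed from rounded balances. The 18-decimal constants, scaling factors and balances are constructed, and `MAX_GAP_BPS` is an assumed threshold.

```python
# Added example: toy model of fixed-point balance upscaling and a precision
# guard. Not Balancer's code; the pool math is deliberately simplified.
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, as in most EVM DeFi math libraries


def mul_down(a: int, b: int) -> int:
    """a*b/ONE rounded toward zero (floor for non-negative inputs)."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a*b/ONE rounded away from zero (ceiling for non-negative inputs)."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def invariant_rounded(balances, scaling, up: bool) -> int:
    """Sum of upscaled balances (constant-sum stand-in for the stable
    invariant), every term rounded in the same direction."""
    f = mul_up if up else mul_down
    return sum(f(b, s) for b, s in zip(balances, scaling))


def invariant_exact(balances, scaling) -> Fraction:
    """The same sum with no rounding at all, for comparison."""
    return sum(Fraction(b * s, ONE) for b, s in zip(balances, scaling))


def rounding_gap_bps(balances, scaling) -> Fraction:
    """Spread between the floor- and ceil-rounded invariant, in basis
    points of the exact value. Large values mean rounding, not liquidity,
    is driving whatever price is derived from the invariant."""
    lo = invariant_rounded(balances, scaling, up=False)
    hi = invariant_rounded(balances, scaling, up=True)
    return Fraction(hi - lo) * 10_000 / invariant_exact(balances, scaling)


MAX_GAP_BPS = 1  # assumed threshold: refuse to price above a 0.01% spread


def precision_guard(balances, scaling) -> bool:
    """True when rounding direction cannot move the invariant materially;
    False when the state is dust-sized and the invariant is unreliable."""
    return rounding_gap_bps(balances, scaling) <= MAX_GAP_BPS


# Constructed scaling factors: rate-bearing tokens whose rates are not
# powers of ten, so upscaling generally loses a fractional wei per term.
SCALING = [1_050_000_000_000_000_000, 1_020_000_000_000_000_000, ONE]
HEALTHY = [10**24 + 7, 10**24 + 7, 10**24 + 7]  # ~1M tokens each
DUST = [3, 3, 3]                                # a few wei each
```

On `HEALTHY` the floor and ceiling invariants differ by 2 wei out of roughly 3e24, so the guard passes; on `DUST` they come out at 9 and 11 against an exact 9.21, a spread of over 2000 bps, and the guard rejects the state.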


Parameters

  • Total Funds Drained → $128 Million → The estimated cumulative value of assets siphoned from the Composable Stable Pools across all affected chains.
  • Vulnerability Type → Rounding Error Flaw → A low-level arithmetic bug in the batchSwap function’s token amount calculation.
  • Affected Chains → Ethereum, Base, Arbitrum → The primary blockchains hosting the vulnerable V2 pool contracts.
  • Attacker Action → Liquidity Invariant Violation → The specific mechanism used to bypass internal security checks and drain the funds.


Outlook

Immediate mitigation for users requires withdrawing funds from any remaining Composable Stable Pools that have not been paused or drained. The second-order effect is a heightened contagion risk, pressuring other protocols that utilize similar complex pool designs or rely on shared arithmetic libraries to conduct emergency audits. This incident establishes a new security best practice → the mandatory implementation of formal verification specifically targeting low-level arithmetic operations and invariant checks within multi-asset, multi-step transaction functions like batchSwap.


Verdict

The exploit confirms that low-level arithmetic flaws in highly complex smart contract architectures remain the single most dangerous vector for catastrophic, multi-chain DeFi capital loss.

Smart contract exploit, DeFi liquidity drain, multi-chain vulnerability, rounding error flaw, batch swap function, invariant violation, composable stable pool, decentralized finance risk, on-chain forensics, protocol security audit, flash loan attack vector, asset recovery strategy

Signal Acquired from → bankinfosecurity.com

Micro Crypto News Feeds

composable stable pool

Definition ∞ A composable stable pool is a type of liquidity pool in decentralized finance designed to facilitate efficient swaps between various stablecoins while allowing for integration with other DeFi protocols.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.