Briefing

The Balancer decentralized finance protocol suffered a catastrophic multi-chain exploit, resulting from a subtle rounding error within its V2 Composable Stable Pool smart contract logic. This vulnerability allowed an attacker to manipulate the pool’s internal accounting, enabling unauthorized withdrawals and a complete draining of assets across multiple deployed instances. The primary consequence is a significant loss of user and treasury funds, underscoring the extreme fragility of complex DeFi invariants when exposed to adversarial transaction ordering. The total financial impact is quantified at over $128 million lost from various liquidity pools.

Context

The pre-incident security posture was characterized by an over-reliance on the complexity of V2’s pooled architecture, specifically the batchSwap feature designed for gas efficiency in multi-token trades. This complexity expanded the attack surface by introducing deferred settlement mechanisms, a known risk class where state changes are not immediately finalized. The prevailing risk factor was the potential for low-level arithmetic flaws to violate the core invariant of the stable pools under specific, high-volume transaction conditions.

Analysis

The attack leveraged a rounding error in the _upscale function used by the batchSwap feature to manage token amounts within the pool. The attacker executed a sequence of swaps that exploited how the contract calculated and settled token balances during deferred transactions. This manipulation allowed the attacker to repeatedly push the pool’s internal liquidity metric below the safe threshold without triggering the intended safety checks. The resulting invariant violation permitted the withdrawal of more tokens than the attacker was entitled to, effectively draining the pool across Ethereum, Base, and Arbitrum.
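The Analysis above turns on two things: the direction in which an upscale/downscale step rounds, and whether the pool's invariant check is computed from the same rounded figures that the rounding bug has already biased. The following Python model is an added example, not Balancer's code or anything from the original article: it implements fixed-point multiply/divide with explicit rounding direction, a constructed two-token constant-sum pool (`ToyPool`) whose tokens carry scaling factors, and a property check (`rounding_leak`) that values the reserves with exact rational arithmetic so that rounding dust leaking out of the pool cannot hide behind the rounded accounting. The pool model, its scaling factors, and the helper names are all assumptions made for illustration.

```python
from fractions import Fraction
import random

# 18-decimal fixed-point arithmetic with explicit rounding direction, in the
# style of DeFi pool math. Constructed model; not the Balancer implementation.
ONE = 10**18


def mul_down(a: int, b: int) -> int:
    """a * b in fixed point, rounded toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b in fixed point, rounded away from zero."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """a / b in fixed point, rounded toward zero."""
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    """a / b in fixed point, rounded away from zero."""
    numerator = a * ONE
    return 0 if numerator == 0 else (numerator - 1) // b + 1


class ToyPool:
    """Two-token constant-sum pool whose tokens carry scaling factors
    (decimal adjustment times an exchange rate). Hypothetical model used
    only to show how the rounding direction of upscale/downscale decides
    whether rounding dust accrues to the pool or leaks out of it."""

    def __init__(self, balances, scaling_factors, pool_favoring=True):
        self.balances = list(balances)      # raw token units
        self.sf = list(scaling_factors)     # fixed point: 10**(18-decimals) * rate
        self.pool_favoring = pool_favoring  # False reproduces the wrong rounding direction

    def upscale(self, amount: int, i: int) -> int:
        """Raw amount of token i -> internal 18-decimal units."""
        op = mul_down if self.pool_favoring else mul_up
        return op(amount, self.sf[i])

    def downscale_out(self, amount: int, i: int) -> int:
        """Internal units -> raw amount of token i paid out."""
        op = div_down if self.pool_favoring else div_up
        return op(amount, self.sf[i])

    def swap(self, i: int, j: int, amount_in: int) -> int:
        scaled_in = self.upscale(amount_in, i)
        scaled_out = scaled_in              # constant-sum: 1:1 on upscaled units
        amount_out = self.downscale_out(scaled_out, j)
        self.balances[i] += amount_in
        self.balances[j] -= amount_out
        return amount_out

    def exact_value(self) -> Fraction:
        """Reserves valued in internal units with no rounding at all."""
        return sum(Fraction(b * s, ONE) for b, s in zip(self.balances, self.sf))


def rounding_leak(pool: ToyPool, n_swaps: int, seed: int = 0) -> Fraction:
    """Property check: after many small swaps the pool's exact value must not
    have fallen. Returns the leaked value; a positive result means the pool
    lost value to rounding, which a check built on rounded balances would miss."""
    rng = random.Random(seed)
    before = pool.exact_value()
    for _ in range(n_swaps):
        i = rng.randrange(2)
        pool.swap(i, 1 - i, rng.randrange(1, 1000))
    return before - pool.exact_value()


def make_pool(pool_favoring: bool) -> ToyPool:
    # Constructed sample: token 0 has an exchange rate of 1.05 and token 1 a rate
    # of 1.0, both 18-decimal, so upscaling token 0 yields fractional internal units.
    return ToyPool([10**24, 10**24], [1_050_000_000_000_000_000, ONE], pool_favoring)


if __name__ == "__main__":
    print("pool-favoring rounding leak:", rounding_leak(make_pool(True), 500))
    print("trader-favoring rounding leak:", rounding_leak(make_pool(False), 500))
```

With `pool_favoring=True` the leak is never positive: each swap credits the pool at most the exact value received and pays out at most that amount, so dust can only accrue to the reserves. With `pool_favoring=False` the same swap sequence leaves the pool measurably poorer, and because the pool's own bookkeeping is built from the rounded figures, nothing inside it would notice. Running the check in exact arithmetic, as a unit or property test over randomized swap sequences, is the cheapest form of the invariant verification the incident calls for.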

Parameters

  • Total Funds Drained: $128 Million. The estimated cumulative value of assets siphoned from the Composable Stable Pools across all affected chains.
  • Vulnerability Type: Rounding Error Flaw. A low-level arithmetic bug in the batchSwap function’s token amount calculation.
  • Affected Chains: Ethereum, Base, Arbitrum. The primary blockchains hosting the vulnerable V2 pool contracts.
  • Attacker Action: Liquidity Invariant Violation. The specific mechanism used to bypass internal security checks and drain the funds.

Outlook

Immediate mitigation for users requires withdrawing funds from any remaining Composable Stable Pools that have not been paused or drained. The second-order effect is a heightened contagion risk, pressuring other protocols that utilize similar complex pool designs or rely on shared arithmetic libraries to conduct emergency audits. This incident establishes a new security best practice: the mandatory implementation of formal verification specifically targeting low-level arithmetic operations and invariant checks within multi-asset, multi-step transaction functions like batchSwap.

Verdict

The exploit confirms that low-level arithmetic flaws in highly complex smart contract architectures remain the single most dangerous vector for catastrophic, multi-chain DeFi capital loss.

Tags: smart contract exploit, DeFi liquidity drain, multi-chain vulnerability, rounding error flaw, batch swap function, invariant violation, composable stable pool, decentralized finance risk, on-chain forensics, protocol security audit, flash loan attack vector, asset recovery strategy

Signal acquired from: bankinfosecurity.com

composable stable pool

Definition: A composable stable pool is a type of liquidity pool in decentralized finance designed to facilitate efficient swaps between various stablecoins while allowing for integration with other DeFi protocols.

stable pools

Definition: Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

rounding error

Definition: A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

composable stable pools

Definition: Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

vulnerability

Definition: A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

liquidity

Definition: Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

transaction

Definition: A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

smart contract

Definition: A smart contract is a self-executing contract with the terms of the agreement directly written into code.