Briefing

The Balancer decentralized finance protocol suffered a catastrophic multi-chain exploit, resulting from a subtle rounding error within its V2 Composable Stable Pool smart contract logic. This vulnerability allowed an attacker to manipulate the pool’s internal accounting, enabling unauthorized withdrawals and a complete draining of assets across multiple deployed instances. The primary consequence is a significant loss of user and treasury funds, underscoring the extreme fragility of complex DeFi invariants when exposed to adversarial transaction ordering. The total financial impact is quantified at over $128 million lost from various liquidity pools.


Context

The pre-incident security posture was characterized by an over-reliance on the complexity of V2’s pooled architecture, specifically the batchSwap feature designed for gas efficiency in multi-token trades. This complexity expanded the attack surface by introducing deferred settlement mechanisms, a known risk class where state changes are not immediately finalized. The prevailing risk factor was the potential for low-level arithmetic flaws to violate the core invariant of the stable pools under specific, high-volume transaction conditions.


Analysis

The attack leveraged a rounding error in the _upscale function used by the batchSwap feature to manage token amounts within the pool. The attacker executed a sequence of swaps that exploited how the contract calculated and settled token balances during deferred transactions. This manipulation allowed the attacker to repeatedly push the pool’s internal liquidity metric below the safe threshold without triggering the intended safety checks. The resulting invariant violation permitted the withdrawal of more tokens than the attacker was entitled to, effectively draining the pool across Ethereum, Base, and Arbitrum.
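To make the rounding-direction point concrete, here is a constructed two-token fixed-point model, added as an illustration and not Balancer's code: it shows how the rounding policy of the scaling step (the upscale/downscale pair the analysis refers to) decides whether dust-sized swaps leak value from the pool, and the per-swap conservation check that catches the leak on the first swap. The 1:1 price, the 10**12 scaling factor, and all function and class names are assumptions of this toy.

```python
ONE_A = 1          # token A already has 18 decimals: scaling factor 1
FACTOR_B = 10**12  # token B has 6 decimals: multiply by 10**12 to reach 18

def upscale(amount, factor):
    """Raw token units -> 18-decimal fixed point (exact, no rounding)."""
    return amount * factor

def downscale_down(amount, factor):
    """Fixed point -> raw units, rounding in favour of the pool (floor)."""
    return amount // factor

def downscale_up(amount, factor):
    """Fixed point -> raw units, rounding in favour of the caller (ceil)."""
    return 0 if amount == 0 else (amount - 1) // factor + 1

class InvariantViolation(Exception): pass

class ToyStablePool:
    """Two-token pool swapping 1:1 in scaled terms (curve and fees omitted)."""
    def __init__(self, bal_a, bal_b, downscale):
        self.bal_a, self.bal_b, self.downscale = bal_a, bal_b, downscale

    def scaled_value(self):
        return upscale(self.bal_a, ONE_A) + upscale(self.bal_b, FACTOR_B)

    def swap_a_for_b(self, amount_in, enforce=True):
        before = self.scaled_value()
        out = self.downscale(upscale(amount_in, ONE_A), FACTOR_B)
        self.bal_a += amount_in
        self.bal_b -= out
        # Conservation check: a swap must never lower the pool's scaled value.
        if enforce and self.scaled_value() < before:
            raise InvariantViolation(before - self.scaled_value())
        return out

def leak_after_dust_swaps(downscale, n=1000):
    """Scaled value the pool loses over n unchecked swaps of 1 wei of A."""
    pool = ToyStablePool(bal_a=10**24, bal_b=10**12, downscale=downscale)
    start = pool.scaled_value()
    for _ in range(n):
        pool.swap_a_for_b(1, enforce=False)
    return start - pool.scaled_value()

def check_rejects_first_dust_swap(downscale):
    """True if the conservation check stops the very first leaking swap."""
    pool = ToyStablePool(bal_a=10**24, bal_b=10**12, downscale=downscale)
    try:
        pool.swap_a_for_b(1)
        return False
    except InvariantViolation:
        return True
```

With the floor policy the pool never loses value (it gains the dust), while the ceil policy gives away a full raw unit of the 6-decimal token for each wei paid in, which is why production fixed-point libraries expose separate round-up and round-down variants and choose the direction that favours the pool.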


Parameters

  • Total Funds Drained → $128 Million → The estimated cumulative value of assets siphoned from the Composable Stable Pools across all affected chains.
  • Vulnerability Type → Rounding Error Flaw → A low-level arithmetic bug in the batchSwap function’s token amount calculation.
  • Affected Chains → Ethereum, Base, Arbitrum → The primary blockchains hosting the vulnerable V2 pool contracts.
  • Attacker Action → Liquidity Invariant Violation → The specific mechanism used to bypass internal security checks and drain the funds.


Outlook

Immediate mitigation for users requires withdrawing funds from any remaining Composable Stable Pools that have not been paused or drained. The second-order effect is a heightened contagion risk, pressuring other protocols that utilize similar complex pool designs or rely on shared arithmetic libraries to conduct emergency audits. This incident establishes a new security best practice → the mandatory implementation of formal verification specifically targeting low-level arithmetic operations and invariant checks within multi-asset, multi-step transaction functions like batchSwap.


Verdict

The exploit confirms that low-level arithmetic flaws in highly complex smart contract architectures remain the single most dangerous vector for catastrophic, multi-chain DeFi capital loss.

Keywords → Smart contract exploit, DeFi liquidity drain, multi-chain vulnerability, rounding error flaw, batch swap function, invariant violation, composable stable pool, decentralized finance risk, on-chain forensics, protocol security audit, flash loan attack vector, asset recovery strategy

Signal Acquired from → bankinfosecurity.com

Micro Crypto News Feeds

composable stable pool

Definition ∞ A composable stable pool is a type of liquidity pool in decentralized finance designed to facilitate efficient swaps between various stablecoins while allowing for integration with other DeFi protocols.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.