Briefing

The Balancer V2 protocol suffered a catastrophic multi-chain exploit, resulting in the draining of over $128 million from its Composable Stable Pools. This incident represents a severe failure in core smart contract logic, immediately compromising the solvency of affected pools and eroding user trust across multiple Layer 1 and Layer 2 networks. Forensic analysis confirms the root cause was a subtle yet critical rounding error within the batchSwap upscale function, which was weaponized to illegitimately siphon assets from the vault.


Context

The prevailing security posture for complex DeFi primitives, particularly those involving multi-token swaps and boosted liquidity, has always carried elevated risk because of the sheer complexity of the invariant logic. Previous incidents have repeatedly highlighted the danger of precision errors and flawed access controls in pool management functions. The failure to fully mitigate this known class of vulnerability (specifically, deferred settlement accounting and precision loss during upscaling) created the attack surface that the adversary ultimately leveraged.


Analysis

The attack exploited a rounding error within the batchSwap feature, which handles multi-token swaps and the pool's internal accounting. The attacker used this flaw to manipulate the protocol's deferred settlement mechanism: by executing a sequence of precisely sized swaps, the attacker pushed the pool's internal liquidity accounting below a safe, auditable threshold, bypassing the intended access controls and withdrawing assets far in excess of their actual contribution. This chain of cause and effect is a direct compromise of the smart contract's financial invariant.
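To make the rounding-direction failure concrete, the following is an added Python model written for this page, not Balancer's code. It mirrors the three steps the paragraph describes (upscale an input amount by a fixed-point rate, settle at peg in scaled units, downscale the output) using the EVM's 18-decimal fixed-point style. The helper names, the toy pool, the rates and the amount grid are all constructed. The point is the property check max_pool_loss: run over a fuzz grid, it confirms that every rounding step favours the pool, and it flags the variant that rounds the payout up, where repeated tiny round trips net the caller more than they put in.

```python
# Added illustration of auditing rounding direction in 18-decimal fixed-point
# arithmetic (EVM mulDown/divDown style). Toy model written for this page, not
# Balancer's code; pool, rates and amounts are constructed.

ONE = 10**18  # 1.0 in 18-decimal fixed point


def mul_down(a: int, b: int) -> int:
    """a * b / ONE, rounded toward zero."""
    return (a * b) // ONE


def div_down(a: int, b: int) -> int:
    """a / b in fixed point, rounded toward zero (pool-favourable for payouts)."""
    return (a * ONE) // b


def div_up(a: int, b: int) -> int:
    """a / b in fixed point, rounded away from zero.
    This is the WRONG direction for an amount the pool pays out."""
    if a == 0:
        return 0
    return (a * ONE - 1) // b + 1


def swap_at_peg(amount_in: int, rate_in: int, rate_out: int, downscale) -> int:
    """Toy zero-fee swap between two tokens the pool treats as 1:1 once each is
    scaled by its rate (fixed point, 1e18 == 1.0). `downscale` is the rounding
    choice under audit for the output leg."""
    scaled_in = mul_down(amount_in, rate_in)   # pool credits what it receives, rounding down
    scaled_out = scaled_in                      # at peg with zero fee: 1:1 in scaled units
    return downscale(scaled_out, rate_out)      # raw units of the out-token the pool pays


def round_trip_gain(amount: int, rate_a: int, rate_b: int, downscale) -> int:
    """Raw units of token A the caller nets from A->B->A.
    Positive means the pool lost value to rounding alone."""
    got_b = swap_at_peg(amount, rate_a, rate_b, downscale)
    back_a = swap_at_peg(got_b, rate_b, rate_a, downscale)
    return back_a - amount


def max_pool_loss(downscale,
                  amounts=range(1, 2000),
                  rates=(ONE, 3 * ONE, 7 * ONE // 5, 11 * ONE // 10)) -> int:
    """Property check a reviewer runs over a grid of amounts and rate pairs:
    the pool must never pay out more than it took in. Returns the worst gain
    observed; <= 0 means rounding is pool-favourable everywhere tested."""
    worst = -(10**30)
    for a in amounts:
        for ra in rates:
            for rb in rates:
                worst = max(worst, round_trip_gain(a, ra, rb, downscale))
    return worst


if __name__ == "__main__":
    print("pool-favourable downscale, worst caller gain:", max_pool_loss(div_down))  # 0
    print("payout rounded up, worst caller gain:       ", max_pool_loss(div_up))    # > 0
```

With div_down every step is a floor of a monotone function, so the chain can never return more than the original amount; with div_up a one-unit input against a 3.0 rate already comes back as three units, and that dust is collectable on every iteration. A production stable pool's invariant math is far more involved than a 1:1 settlement, but the check generalises unchanged: no sequence of swaps may net the caller more than they deposited, and a fuzz grid over small amounts and awkward rates is where a wrong rounding direction surfaces first.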


Parameters

  • Total Funds Drained: $128 million. The final estimated value of assets siphoned from the Composable Stable Pools across all affected blockchains.
  • Vulnerability Type: Rounding error. A critical precision flaw in the batchSwap upscale function that enabled the exploit.
  • Affected Chains: Six blockchains. The exploit impacted pools on Ethereum, Base, Polygon, Arbitrum, Optimism, and Sonic.
  • Affected Assets: osETH, WETH, wstETH. Major liquid-staked Ethereum derivatives and wrapped Ether were the primary targets.


Outlook

Immediate mitigation for all users is to revoke token approvals granted to Balancer V2 contracts, especially those connected to Composable Stable Pools, to prevent further unauthorized access. This incident will trigger a mandatory, industry-wide re-audit of all complex swap logic, with particular focus on precision and rounding-direction handling in fixed-point arithmetic within multi-asset vaults. The contagion risk is moderate: similar AMM protocols that rely on complex internal accounting for boosted or composable liquidity must now prioritize formal verification of their swap and settlement functions, which would set a new, higher standard for smart contract security.


Verdict

The Balancer V2 exploit is a definitive, high-severity case study proving that subtle precision flaws in core DeFi logic remain the single greatest systemic risk to multi-billion dollar liquidity protocols.

Signal Acquired from bankinfosecurity.com


Glossary

Composable stable pools: DeFi liquidity pools holding assets expected to trade near parity (stablecoins or, as in this incident, liquid-staked ETH derivatives alongside WETH), whose own pool token can be nested in other pools and protocols.

Security posture: The overall state of an organization's cybersecurity defenses and its readiness to counter threats.

Rounding error: The discrepancy that arises when a number is represented with a finite number of digits during a calculation; in fixed-point smart contract math, the direction of that rounding decides which party absorbs the discrepancy.

Stable pools: Specialized liquidity pools within DeFi protocols designed for trading stablecoins or other assets pegged to the same value, such as different versions of wrapped Bitcoin.

Vulnerability: A flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

Exploit: The malicious use of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Assets: A digital asset is a unit of value recorded on a blockchain or similar distributed ledger.

Smart contract: A self-executing contract whose terms are written directly into code.

Liquidity: The degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.