Briefing

The Balancer V2 Composable Stable Pools protocol suffered a critical exploit stemming from a faulty access control mechanism within its core vault architecture. This systemic vulnerability allowed a threat actor to execute unauthorized internal withdrawal commands, resulting in the immediate and irreversible drain of user-deposited assets across multiple chains. The cross-chain attack has led to an estimated total loss of approximately $128 million, making it one of the largest DeFi security incidents of 2025.


Context

The Balancer V2 Vault was considered a hardened system, having undergone at least eleven extensive security audits by multiple top-tier firms over its lifecycle. Despite this rigorous review, the underlying complexity of composable finance architectures maintained a subtle attack surface where intricate, multi-step contract logic could mask a simple but devastating access control flaw.


Analysis

The attack vector leveraged a logic check failure in the V2 Vault’s manageUserBalance function, which incorrectly validated the identity of the user initiating a transaction. By manipulating the check between msg.sender and a user-supplied op.sender, the attacker effectively impersonated authorized liquidity providers. This allowed the perpetrator to execute the WITHDRAW_INTERNAL operation, bypassing all permissions to quietly empty the internal balances of multiple Composable Stable Pools across seven different blockchain networks.
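As an added illustration, not Balancer’s source code, the constructed contract below models the invariant that a manageUserBalance-style entry point must enforce: a user-supplied op.sender may only be debited when the caller is that account or a relayer it has explicitly approved. All names (InternalBalanceVault, setRelayerApproval, the op struct fields) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed, simplified model of a vault that keeps per-user internal
// balances. Hypothetical names; not Balancer's implementation.
contract InternalBalanceVault {
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL }

    struct UserBalanceOp {
        UserBalanceOpKind kind;
        address token;
        uint256 amount;
        address sender;    // account whose internal balance is debited
        address recipient; // account credited (deposit) or paid out (withdraw)
    }

    // user => token => internal balance
    mapping(address => mapping(address => uint256)) internal _internalBalance;
    // user => relayer => approved to act on the user's behalf
    mapping(address => mapping(address => bool)) internal _approvedRelayer;

    function setRelayerApproval(address relayer, bool approved) external {
        _approvedRelayer[msg.sender][relayer] = approved;
    }

    function internalBalanceOf(address user, address token) external view returns (uint256) {
        return _internalBalance[user][token];
    }

    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            UserBalanceOp calldata op = ops[i];
            // Access-control invariant: op.sender is attacker-controlled calldata,
            // so it must be bound to msg.sender (or to a relayer that op.sender
            // approved) before any balance belonging to op.sender is touched.
            // Omitting or mis-ordering this check is the flaw class described above.
            require(
                op.sender == msg.sender || _approvedRelayer[op.sender][msg.sender],
                "caller not authorised to act for op.sender"
            );
            if (op.kind == UserBalanceOpKind.WITHDRAW_INTERNAL) {
                uint256 bal = _internalBalance[op.sender][op.token];
                require(bal >= op.amount, "insufficient internal balance");
                _internalBalance[op.sender][op.token] = bal - op.amount;
                // ERC-20 transfer of op.amount to op.recipient omitted in this model
            } else {
                // Deposit path: caller funds the credit (token pull omitted here)
                _internalBalance[op.recipient][op.token] += op.amount;
            }
        }
    }
}
```

The point to test in review is that every debit path reads op.sender only after the require binds it to msg.sender; a unit test that calls manageUserBalance from an unapproved address with someone else's op.sender must revert.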


Parameters

  • Total Funds Drained → $128 Million (The estimated total value of assets stolen across all affected chains.)
  • Vulnerability Type → Faulty Access Control (A logic error in the manageUserBalance function allowing unauthorized withdrawals.)
  • Affected Contracts → V2 Composable Stable Pools (The specific pool type targeted; V3 pools were unaffected.)
  • Partial Recovery → $19.3 Million (The amount of osETH recovered by StakeWise DAO using emergency contract calls.)


Outlook

Protocols utilizing the Balancer V2 codebase or similar complex vault architectures must immediately halt vulnerable pools and conduct a comprehensive review of all access control and internal balance management functions. This incident establishes a new security mandate: even multi-audited codebases require continuous, adversarial formal verification, particularly around state-changing functions. The event will accelerate the industry’s shift toward more resilient, pause-enabled V3-style designs and increase scrutiny on the security limits of composable DeFi.


Verdict

This exploit serves as a definitive validation that audit quantity does not equal security, underscoring the critical need for formal verification of complex access control logic in all high-value DeFi vaults.

Signal Acquired from → pymnts.com

Micro Crypto News Feeds