Briefing

A critical access control vulnerability affecting the Balancer V2 Composable Stable Pools allowed an attacker to execute unauthorized internal withdrawal operations, draining approximately $128 million across seven blockchain networks. The failure was traced to a logic error in the Vault's core manageUserBalance function, which did not properly validate the caller's permissions and so let the attacker act on behalf of legitimate users. The immediate consequence was the draining of high-value assets, including staked ETH derivatives, from pools on Ethereum, Arbitrum and other Layer-2 chains, making the incident one of the largest decentralized finance breaches of 2025.

Context

The underlying risk factor for Balancer was the complexity of its V2 architecture, in which a single shared Vault contract holds the funds of every pool, the composable pools included, concentrating a large attack surface in one place. Although the affected V2 contracts had undergone more than ten audits by four security firms, the specific logic flaw went undetected for an extended period. This history illustrates a known class of vulnerability: deep, subtle logic errors that survive extensive auditing and remain a systemic risk for highly composable DeFi primitives.

Analysis

The attack vector was a faulty access check in manageUserBalance, the Vault function that moves funds between a user's internal balance, the Vault's token holdings and external accounts, and which the V2 Composable Stable Pools rely on. The vulnerability stemmed from inadequate validation of the user-supplied op.sender against the transaction's msg.sender, allowing the attacker to bypass the permission check. By submitting a UserBalanceOpKind.WITHDRAW_INTERNAL operation with a victim's address as op.sender, the attacker had the Vault treat the call as if it came from the balance owner and pay the withdrawal out to a recipient of the attacker's choosing. Repeating this across accounts allowed the attacker to systematically empty the internal balances associated with the affected pools, moving assets such as osETH and wstETH into an attacker-controlled wallet.
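The access pattern described above, as an added illustration written for this page rather than Balancer's own code: a simplified vault with per-user internal balances whose manageUserBalance trusts op.sender from calldata, beside a hardened version that authenticates every op against msg.sender (or a relayer the sender has explicitly approved) and carries a guardian-controlled pause of the kind the Outlook calls a pre-deployed emergency lever. The contract names, the relayer-approval mapping and the guardian role are assumptions for illustration; the enum and struct field names follow the page's terminology.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Balancer's code: a vault that keeps per-user "internal
// balances" of ERC-20 tokens and exposes manageUserBalance() to move them.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL }

struct UserBalanceOp {
    UserBalanceOpKind kind;
    IERC20 asset;
    uint256 amount;
    address sender;    // account whose internal balance is credited or debited
    address recipient; // where withdrawn tokens are sent
}

// VULNERABLE PATTERN: op.sender comes straight from calldata and is never tied to
// msg.sender. Any caller can name a victim as op.sender and withdraw the victim's
// internal balance to an address the caller controls.
contract VulnerableVault {
    mapping(address => mapping(IERC20 => uint256)) public internalBalance;

    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; ++i) {
            UserBalanceOp calldata op = ops[i];
            if (op.kind == UserBalanceOpKind.DEPOSIT_INTERNAL) {
                require(op.asset.transferFrom(op.sender, address(this), op.amount), "transferFrom failed");
                internalBalance[op.sender][op.asset] += op.amount;
            } else {
                // No check that msg.sender may act for op.sender.
                internalBalance[op.sender][op.asset] -= op.amount; // 0.8 checked math reverts on underflow
                require(op.asset.transfer(op.recipient, op.amount), "transfer failed");
            }
        }
    }
    // Exploit shape against this contract (one calldata element, no privileges needed):
    //   manageUserBalance([UserBalanceOp(WITHDRAW_INTERNAL, wstETH, victimBalance, victim, attacker)])
}

// HARDENED PATTERN: every op is authenticated against msg.sender before any state
// changes, and a guardian can halt the function on-chain without a code upgrade.
contract HardenedVault {
    mapping(address => mapping(IERC20 => uint256)) public internalBalance;
    mapping(address => mapping(address => bool)) public isRelayerApproved; // sender => relayer => ok
    address public immutable guardian; // assumed governance-controlled pause authority
    bool public paused;

    event Paused(bool paused);

    constructor(address guardian_) {
        guardian = guardian_;
    }

    // A user opts a relayer in explicitly; the approval can be revoked at any time.
    function setRelayerApproval(address relayer, bool approved) external {
        isRelayerApproved[msg.sender][relayer] = approved;
    }

    function setPaused(bool paused_) external {
        require(msg.sender == guardian, "not guardian");
        paused = paused_;
        emit Paused(paused_);
    }

    // The only callers allowed to act for `sender` are `sender` itself or a relayer
    // that `sender` approved. This is the check the vulnerable contract lacks.
    function _authenticateFor(address sender) internal view {
        require(msg.sender == sender || isRelayerApproved[sender][msg.sender], "unauthorized for sender");
    }

    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        require(!paused, "vault paused");
        for (uint256 i = 0; i < ops.length; ++i) {
            UserBalanceOp calldata op = ops[i];
            _authenticateFor(op.sender); // deposits pull from op.sender's allowance, so they need it too
            if (op.kind == UserBalanceOpKind.DEPOSIT_INTERNAL) {
                require(op.asset.transferFrom(op.sender, address(this), op.amount), "transferFrom failed");
                internalBalance[op.sender][op.asset] += op.amount;
            } else {
                internalBalance[op.sender][op.asset] -= op.amount;
                require(op.asset.transfer(op.recipient, op.amount), "transfer failed");
            }
        }
    }
}
```

Deploy the hardened contract with the guardian set to the emergency multisig; a user who wants a batching contract to act for them calls setRelayerApproval first, which turns "any caller" into an explicit per-user allow-list. The authentication runs before the deposit branch as well, because transferFrom also draws on op.sender's token allowance, and it runs before any balance update so a rejected op leaves no partial state behind.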

Parameters

  • Total Funds Drained: ~$128 Million – The estimated total value of assets stolen across all affected chains.
  • Affected Component: V2 Composable Stable Pools – The smart contract type exposed to the access control flaw.
  • Vulnerability Type: Faulty Access Control Logic – A failure in the manageUserBalance function's permission checks.
  • Chains Affected: Ethereum, Arbitrum, Base, Optimism, Polygon, Sonic, Berachain – The impact was multi-chain because the same V2 codebase is deployed on each.

Outlook

The immediate mitigation for users is to withdraw liquidity from any remaining V2 Composable Stable Pools; the protocol has paused the affected pools and placed them in recovery mode, which permits proportional exits while other pool operations remain halted. The incident will likely push security best practice toward deeper formal verification of access control logic, particularly in complex, multi-chain vault architectures. The partial recovery of assets by StakeWise and Berachain through emergency governance actions shows the value of pre-planned, on-chain defensive levers and sets a benchmark for rapid response to systemic exploits.

The Balancer V2 exploit is a definitive signal that even heavily audited, foundational DeFi infrastructure remains vulnerable to subtle logic flaws, necessitating a strategic shift toward real-time monitoring and robust, pre-deployed emergency governance controls.

Signal acquired from: tradebrains.in