Briefing

A critical access control vulnerability in the Balancer V2 Composable Stable Pools allowed an attacker to execute unauthorized internal withdrawal operations, resulting in a total loss of approximately $128 million across seven different blockchain networks. This systemic failure was traced to a subtle logic error within the core manageUserBalance function, which failed to properly validate the caller’s permissions, enabling the impersonation of legitimate users. The immediate consequence was the draining of high-value assets, including staked ETH derivatives, from pools on Ethereum, Arbitrum, and other Layer-2 chains, solidifying the incident as one of the largest decentralized finance breaches of 2025.

Context

The prevailing risk factor for Balancer was the inherent complexity of its V2 architecture, which utilizes a centralized vault to manage funds for various composable pools, significantly expanding the attack surface. Despite the affected V2 smart contracts undergoing over ten audits by four different security firms, the specific logic flaw remained undetected for an extended period. This history underscores a known class of vulnerability where deep, subtle logic errors persist even after extensive formal verification, posing a persistent systemic risk to highly composable DeFi primitives.

Analysis

The attack vector leveraged a faulty access check within the manageUserBalance function of the V2 Composable Stable Pools, which governs the movement of funds within the Balancer vault. The vulnerability stemmed from inadequate validation of the user-supplied op.sender field against the transaction’s msg.sender, allowing the attacker to bypass permission checks. By exploiting this flaw, the threat actor was able to invoke the UserBalanceOpKind.WITHDRAW_INTERNAL operation, effectively convincing the vault contract that they were an authorized internal component or a legitimate user withdrawing their own balance. This unauthorized execution permitted the attacker to systematically empty the internal balances of the affected pools, moving assets such as osETH and wstETH into an external, attacker-controlled wallet.
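As an added example (not Balancer's code), a minimal vault in Solidity shows the pattern described above: the pre-fix shape that trusts the user-supplied op.sender beside the hardened form that authenticates it against msg.sender. The contract, the relayerApproved mapping and the revert strings are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative vault (added example, not Balancer's code). Demonstrates the check the
// briefing describes: an internal-balance withdrawal must verify that msg.sender may act
// for op.sender instead of trusting the user-supplied op.sender field.
contract InternalBalanceVault {
    enum UserBalanceOpKind { WITHDRAW_INTERNAL }

    struct UserBalanceOp {
        UserBalanceOpKind kind;
        address token;
        uint256 amount;
        address sender;    // account whose internal balance is debited
        address recipient; // where the withdrawn tokens are sent
    }

    // user => token => internal balance; funded by a deposit path omitted here
    mapping(address => mapping(address => uint256)) public internalBalance;
    // user => relayer => approved to act on the user's behalf (hypothetical)
    mapping(address => mapping(address => bool)) public relayerApproved;

    function approveRelayer(address relayer, bool approved) external {
        relayerApproved[msg.sender][relayer] = approved;
    }

    // Hypothetical pre-fix shape: op.sender is taken at face value, so any caller can
    // name another account as op.sender and debit that account's internal balance.
    function manageUserBalanceVulnerable(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) _withdrawInternal(ops[i]);
    }

    // Hardened form: each op is authenticated against msg.sender before any state change.
    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            UserBalanceOp calldata op = ops[i];
            require(op.sender == msg.sender || relayerApproved[op.sender][msg.sender], "SENDER_NOT_AUTHORIZED");
            _withdrawInternal(op);
        }
    }

    function _withdrawInternal(UserBalanceOp calldata op) internal {
        require(op.kind == UserBalanceOpKind.WITHDRAW_INTERNAL, "UNSUPPORTED_OP");
        uint256 bal = internalBalance[op.sender][op.token];
        require(bal >= op.amount, "INSUFFICIENT_INTERNAL_BALANCE");
        internalBalance[op.sender][op.token] = bal - op.amount;
        // ERC-20 transfer of op.amount to op.recipient would follow here
    }
}
```

The defensive point is that the authorization check runs on every op in the batch before any balance is touched, so a caller can only debit accounts that are their own or that have explicitly approved them as a relayer.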

Parameters

  • Total Funds Drained → ~$128 Million – The estimated total value of assets stolen across all affected chains.
  • Affected Component → V2 Composable Stable Pools – The specific smart contract type containing the access control flaw.
  • Vulnerability Type → Faulty Access Control Logic – A failure in the manageUserBalance function’s internal permission checks.
  • Chains Affected → Ethereum, Arbitrum, Base, Optimism, Polygon, Sonic, Berachain – The exploit’s impact was multi-chain due to shared V2 codebase deployment.

Outlook

The immediate mitigation for all users involves withdrawing liquidity from any remaining V2 Composable Stable Pools, as the protocol has already paused the affected pools and is operating in recovery mode. This incident will likely establish new security best practices mandating a deeper focus on formal verification of access control logic, particularly in complex, multi-chain vault architectures. The successful partial recovery of assets by StakeWise and Berachain via emergency governance actions demonstrates the value of pre-planned, on-chain defensive levers, setting a new standard for rapid response to systemic exploits.

The Balancer V2 exploit is a definitive signal that even heavily audited, foundational DeFi infrastructure remains vulnerable to subtle logic flaws, necessitating a strategic shift toward real-time monitoring and robust, pre-deployed emergency governance controls.

Signal Acquired from → tradebrains.in