Briefing

A critical access control vulnerability affecting the Balancer V2 Composable Stable Pools allowed an attacker to execute unauthorized internal withdrawal operations, draining approximately $128 million across seven blockchain networks. The failure was traced to a subtle logic error in the Vault's manageUserBalance function, which did not properly validate that the caller was permitted to act for the account named in each operation, enabling the impersonation of legitimate users. The immediate consequence was the draining of high-value assets, including staked ETH derivatives, from pools on Ethereum, Arbitrum and other chains, making the incident one of the largest decentralized finance breaches of 2025.


Context

The prevailing risk factor for Balancer was the complexity of its V2 architecture, which routes the funds of every pool through a single shared Vault contract. That design concentrates value and expands the attack surface: one flaw in the Vault's accounting or authorization reaches every pool built on it. Despite the affected V2 smart contracts undergoing more than ten audits by four different security firms, the specific logic flaw remained undetected for an extended period. This history illustrates a known class of failure in which deep, subtle logic errors survive extensive auditing, a persistent systemic risk for highly composable DeFi primitives.


Analysis

The attack vector ran through manageUserBalance, the Balancer V2 Vault entry point that moves funds between a user's internal balance, external wallets and the pools (Composable Stable Pools keep their assets in that shared Vault rather than in the pool contract itself). Each operation passed to the function is a UserBalanceOp struct whose sender field names the account to be debited; the Vault is meant to accept an operation only when msg.sender is that account or a relayer the account has explicitly approved. The vulnerability stemmed from an inadequate validation of the user-supplied op.sender against the transaction's msg.sender, allowing the attacker to bypass that permission check. By submitting UserBalanceOpKind.WITHDRAW_INTERNAL operations with a victim's address as op.sender and an attacker-controlled address as recipient, the threat actor made the Vault treat them as an authorized withdrawer of that user's balance. Repeating this across the affected pools let the attacker systematically empty their internal balances, moving assets such as osETH and wstETH into an external, attacker-controlled wallet. The pattern to look for when reviewing a vault of this shape is any struct field that names the principal on whose behalf funds move: that field must be bound to msg.sender, or to an approval that principal granted, before any state change.
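As an added illustration (this is not Balancer's code and does not come from the page's source), the minimal Solidity vault below models the permission check at issue. A caller submits operations that name a `sender` whose internal balance is debited; the vault must bind that field to `msg.sender`, or to a relayer that `sender` approved, before acting. `manageUserBalanceVulnerable` skips the binding, so anyone can submit a WITHDRAW_INTERNAL op naming a victim; `manageUserBalance` shows the hardened form. The contract, function and event names, and the relayer-approval mapping, are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only: not Balancer V2 code. Names are assumptions.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract InternalBalanceVault {
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL, TRANSFER_INTERNAL }

    struct UserBalanceOp {
        UserBalanceOpKind kind;
        IERC20 asset;
        uint256 amount;
        address sender;    // principal whose funds/internal balance are debited
        address recipient; // where the funds or credited balance go
    }

    // user => asset => internal balance held by the vault
    mapping(address => mapping(IERC20 => uint256)) private _internalBalance;
    // user => relayer => whether the user allowed that relayer to act for them
    mapping(address => mapping(address => bool)) private _approvedRelayers;

    event InternalBalanceChanged(address indexed user, IERC20 indexed asset, int256 delta);

    // A user opts a relayer in (or out) for their own account only.
    function setRelayerApproval(address relayer, bool approved) external {
        _approvedRelayers[msg.sender][relayer] = approved;
    }

    function getInternalBalance(address user, IERC20 asset) external view returns (uint256) {
        return _internalBalance[user][asset];
    }

    // VULNERABLE: op.sender is taken at face value. Anyone can name a victim
    // as sender and themselves as recipient of a WITHDRAW_INTERNAL op.
    function manageUserBalanceVulnerable(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            _execute(ops[i]); // missing: _authenticateFor(ops[i].sender)
        }
    }

    // HARDENED: every op's sender must be msg.sender, or must have approved
    // msg.sender as a relayer, before any balance is touched.
    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            _authenticateFor(ops[i].sender);
            _execute(ops[i]);
        }
    }

    function _authenticateFor(address user) internal view {
        if (msg.sender != user) {
            require(_approvedRelayers[user][msg.sender], "SENDER_NOT_ALLOWED");
        }
    }

    function _execute(UserBalanceOp calldata op) internal {
        if (op.kind == UserBalanceOpKind.DEPOSIT_INTERNAL) {
            // Pull tokens from the principal and credit the recipient's internal balance.
            require(op.asset.transferFrom(op.sender, address(this), op.amount), "TRANSFER_FAILED");
            _internalBalance[op.recipient][op.asset] += op.amount;
            emit InternalBalanceChanged(op.recipient, op.asset, int256(op.amount));
        } else if (op.kind == UserBalanceOpKind.WITHDRAW_INTERNAL) {
            // Debit the principal's internal balance and send tokens out of the vault.
            _debit(op.sender, op.asset, op.amount);
            require(op.asset.transfer(op.recipient, op.amount), "TRANSFER_FAILED");
        } else {
            // Move internal balance from principal to recipient without a token transfer.
            _debit(op.sender, op.asset, op.amount);
            _internalBalance[op.recipient][op.asset] += op.amount;
            emit InternalBalanceChanged(op.recipient, op.asset, int256(op.amount));
        }
    }

    function _debit(address user, IERC20 asset, uint256 amount) internal {
        uint256 bal = _internalBalance[user][asset];
        require(bal >= amount, "INSUFFICIENT_INTERNAL_BALANCE");
        _internalBalance[user][asset] = bal - amount;
        emit InternalBalanceChanged(user, asset, -int256(amount));
    }
}

// Attack against the vulnerable entry point (sketch, from any EOA or contract):
//   UserBalanceOp[] memory ops = new UserBalanceOp[](1);
//   ops[0] = UserBalanceOp(UserBalanceOpKind.WITHDRAW_INTERNAL, wstETH, victimBalance, victim, attacker);
//   vault.manageUserBalanceVulnerable(ops); // succeeds: victim's balance is sent to attacker
//   vault.manageUserBalance(ops);           // reverts with SENDER_NOT_ALLOWED
```

The hardened path checks the principal before `_execute` runs, so a forged `sender` fails closed even if later accounting is correct; the batched form matters because a single call can name a different victim in every element, which is how one transaction can drain many balances.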


Parameters

  • Total Funds Drained → ~$128 Million – The estimated total value of assets stolen across all affected chains.
  • Affected Component → V2 Composable Stable Pools – The specific smart contract type containing the access control flaw.
  • Vulnerability Type → Faulty Access Control Logic – A failure in the manageUserBalance function’s internal permission checks.
  • Chains Affected → Ethereum, Arbitrum, Base, Optimism, Polygon, Sonic, Berachain – The exploit’s impact was multi-chain due to shared V2 codebase deployment.


Outlook

The immediate mitigation for users is to withdraw liquidity from any remaining V2 Composable Stable Pools; the protocol has paused the affected pools and they are operating in recovery mode. This incident will likely establish new security best practices mandating a deeper focus on formal verification of access control logic, particularly in complex, multi-chain vault architectures where one shared contract guards every pool's funds. The partial recovery of assets by StakeWise and Berachain via emergency governance actions demonstrates the value of pre-planned, on-chain defensive levers and sets a new standard for rapid response to systemic exploits.

The Balancer V2 exploit is a definitive signal that even heavily audited, foundational DeFi infrastructure remains vulnerable to subtle logic flaws, necessitating a strategic shift toward real-time monitoring and robust, pre-deployed emergency governance controls.

access control logic, smart contract security, defi governance, protocol risk management, on chain forensics, multi chain deployment, white hat bounty, emergency multisig, asset recovery operation, systemic vulnerability Signal Acquired from → tradebrains.in

Micro Crypto News Feeds