Briefing

A critical access control vulnerability in the Balancer V2 Composable Stable Pools allowed an attacker to execute unauthorized internal withdrawal operations, resulting in a total loss of approximately $128 million across seven different blockchain networks. This systemic failure was traced to a subtle logic error within the core manageUserBalance function, which failed to properly validate the caller’s permissions, enabling the impersonation of legitimate users. The immediate consequence was the draining of high-value assets, including staked ETH derivatives, from pools on Ethereum, Arbitrum, and other Layer-2 chains, solidifying the incident as one of the largest decentralized finance breaches of 2025.


Context

The prevailing risk factor for Balancer was the inherent complexity of its V2 architecture, which utilizes a centralized vault to manage funds for various composable pools, significantly expanding the attack surface. Despite the affected V2 smart contracts undergoing over ten audits by four different security firms, the specific logic flaw remained undetected for an extended period. This history underscores a known class of vulnerability where deep, subtle logic errors persist even after extensive formal verification, posing a persistent systemic risk to highly composable DeFi primitives.


Analysis

The attack vector leveraged a faulty access check within the manageUserBalance function of the V2 Composable Stable Pools, which governs the movement of funds within the Balancer vault. The vulnerability stemmed from inadequate validation of the user-supplied op.sender against the transaction’s msg.sender, allowing the attacker to bypass permission checks. By exploiting this flaw, the threat actor was able to call the UserBalanceOpKind.WITHDRAW_INTERNAL operation, effectively convincing the vault contract that they were an authorized internal component or a legitimate user withdrawing their own balance. This unauthorized execution permitted the attacker to systematically empty the internal balances of the affected pools, moving assets such as osETH and wstETH into an external, attacker-controlled wallet.
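To make the flaw class described above concrete, the following is an added, illustrative Solidity contract written for this briefing; it is not Balancer's code and does not reproduce its vault. It models a minimal vault with an internal-balance ledger and a batch operation over user balance ops. The weak variant trusts a caller-supplied op.sender, which is the pattern the analysis describes; the hardened variant binds every op to msg.sender or to a relayer the debited account has explicitly approved. All names here (MiniVault, UserBalanceOp, approvedRelayer, manageUserBalanceUnchecked) are assumptions for the example, and the enum values are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative vault constructed for this example (not Balancer's code).
// It keeps an "internal balance" ledger per user per token, in the spirit
// of the vault model the briefing describes, and exposes one batch op.
contract MiniVault {
    // Illustrative op kinds; only WITHDRAW_INTERNAL is handled below.
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL }

    struct UserBalanceOp {
        UserBalanceOpKind kind;
        address asset;
        uint256 amount;
        address sender;    // account whose internal balance is debited
        address recipient; // account that would receive the funds
    }

    // user => asset => internal balance
    mapping(address => mapping(address => uint256)) public internalBalance;
    // user => relayer => approved to act on the user's behalf
    mapping(address => mapping(address => bool)) public approvedRelayer;

    event InternalBalanceChanged(address indexed user, address indexed asset, int256 delta);

    // A user opts a relayer in (or out) for their own account only.
    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
    }

    // Simplified deposit: credits the ledger without pulling tokens.
    function depositInternal(address asset, uint256 amount) external {
        internalBalance[msg.sender][asset] += amount;
        emit InternalBalanceChanged(msg.sender, asset, int256(amount));
    }

    // WEAK PATTERN (shown only to illustrate the flaw class): op.sender is
    // taken from calldata and nothing ties it to msg.sender, so the caller
    // can name any account as the one being debited.
    function manageUserBalanceUnchecked(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            _withdrawInternal(ops[i]);
        }
    }

    // HARDENED PATTERN: every op is authorised individually. The transaction
    // sender must be the debited account itself, or a relayer that account
    // has explicitly approved. The check is per op, never per batch.
    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            UserBalanceOp calldata op = ops[i];
            require(_isAuthorizedFor(op.sender), "MiniVault: sender not authorised");
            _withdrawInternal(op);
        }
    }

    function _isAuthorizedFor(address user) internal view returns (bool) {
        return msg.sender == user || approvedRelayer[user][msg.sender];
    }

    function _withdrawInternal(UserBalanceOp calldata op) internal {
        require(op.kind == UserBalanceOpKind.WITHDRAW_INTERNAL, "MiniVault: unsupported op");
        uint256 bal = internalBalance[op.sender][op.asset];
        require(bal >= op.amount, "MiniVault: insufficient internal balance");
        internalBalance[op.sender][op.asset] = bal - op.amount;
        emit InternalBalanceChanged(op.sender, op.asset, -int256(op.amount));
        // An ERC-20 transfer to op.recipient would follow here; omitted, ledger only.
    }
}
```

The point for reviewers and auditors is the shape of the check, not the names: any operation that carries a "sender" or "owner" field in calldata must be gated on msg.sender (or on an approval the named account granted on-chain) inside the loop, for each element. A single check at the top of the batch, or a check that reads only the supplied field, leaves exactly the gap the analysis attributes to the incident.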


Parameters

  • Total Funds Drained → ~$128 Million – The estimated total value of assets stolen across all affected chains.
  • Affected Component → V2 Composable Stable Pools – The specific smart contract type containing the access control flaw.
  • Vulnerability Type → Faulty Access Control Logic – A failure in the manageUserBalance function’s internal permission checks.
  • Chains Affected → Ethereum, Arbitrum, Base, Optimism, Polygon, Sonic, Berachain – The exploit’s impact was multi-chain due to shared V2 codebase deployment.


Outlook

The immediate mitigation for all users involves withdrawing liquidity from any remaining V2 Composable Stable Pools, as the protocol has already paused the affected pools and is operating in recovery mode. This incident will likely establish new security best practices mandating a deeper focus on formal verification of access control logic, particularly in complex, multi-chain vault architectures. The successful partial recovery of assets by StakeWise and Berachain via emergency governance actions demonstrates the value of pre-planned, on-chain defensive levers, setting a new standard for rapid response to systemic exploits.

The Balancer V2 exploit is a definitive signal that even heavily audited, foundational DeFi infrastructure remains vulnerable to subtle logic flaws, necessitating a strategic shift toward real-time monitoring and robust, pre-deployed emergency governance controls.

Signal Acquired from → tradebrains.in
