Briefing

The Balancer V2 protocol suffered a catastrophic multi-chain exploit, resulting in the loss of approximately $128 million from its Composable Stable Pools (CSPs) across six major networks, including Ethereum, Base, and Arbitrum. The attack vector was a highly sophisticated manipulation of a core smart contract function, leveraging a precision rounding error to artificially suppress the price of Balancer Pool Tokens (BPT). This incident immediately triggered systemic risk across the decentralized finance (DeFi) ecosystem, compelling dependent protocols and forked projects, such as Berachain, to execute emergency network halts to quarantine the compromised V2 contracts. The total financial impact of the event is confirmed to be over $128 million, making it one of the largest code-level exploits of the year.

Context

The protocol’s security posture was considered robust, having undergone at least eleven formal security audits by reputable firms, yet the vulnerability persisted in the core pool logic. The V2 architecture, which separates token storage into a centralized “Vault” and pool logic into individual contracts, was designed for capital efficiency, but this interconnectedness amplified the risk, ensuring a single flaw could affect all integrated Composable Stable Pools. The attack surface was a mathematical edge case within the smart contract’s handling of small-number precision, a class of vulnerability often missed by traditional testing focused on standard operational flows.

Analysis

The attack specifically targeted the _upscaleArray function within the Composable Stable Pool contracts, which utilized downward rounding (mulDown) during internal balance scaling. The attacker first executed preparatory swaps to push specific token balances to a critical numerical boundary (the 8-9 wei range), setting up the rounding cliff. They then weaponized this boundary condition by executing a sequence of over 65 micro-swaps within a single, atomic batchSwap transaction. This process compounded the negligible rounding errors into a catastrophic distortion of the pool invariant (D value), which in turn artificially suppressed the price of BPT, allowing the attacker to mint undervalued BPT and redeem them for full-value underlying assets.
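The boundary-condition check below is an added example, not code from Balancer or from the original article. It models truncating fixed-point upscaling in Python so an auditor can measure how much value rounding down discards at single-digit wei balances and derive a minimum balance at which the loss stays within a tolerance. The 18-decimal unit, the 1.1 scaling factor and all function names are assumptions made for illustration.

```python
from fractions import Fraction
from math import ceil

ONE = 10**18               # assumed 18-decimal fixed-point unit
FACTOR = 11 * 10**17       # constructed scaling factor of 1.1, not a real pool value


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates, modelling downward rounding."""
    return (a * b) // ONE


def upscale_array(balances, factors):
    """Scale each raw balance by its factor, rounding every entry down."""
    return [mul_down(b, f) for b, f in zip(balances, factors)]


def relative_loss(balance: int, factor: int) -> Fraction:
    """Exact fraction of the true scaled value that truncation discards."""
    exact = Fraction(balance * factor, ONE)
    return (exact - mul_down(balance, factor)) / exact


def worst_loss(lo: int, hi: int, factor: int) -> Fraction:
    """Largest relative loss over every balance in [lo, hi]."""
    return max(relative_loss(b, factor) for b in range(lo, hi + 1))


def min_safe_balance(factor: int, tolerance: Fraction) -> int:
    """Smallest balance from which the loss is guaranteed <= tolerance.

    Truncation drops less than one unit, so loss < 1 / exact value;
    requiring exact >= 1 / tolerance bounds the loss for all larger balances.
    """
    return ceil(Fraction(ONE, factor) / tolerance)


if __name__ == "__main__":
    print("upscaled 8, 9, 10 wei:", upscale_array([8, 9, 10], [FACTOR] * 3))
    for b in (8, 9, 10, 10**18 + 7):
        print(f"balance {b}: relative loss {float(relative_loss(b, FACTOR)):.3e}")
    floor = min_safe_balance(FACTOR, Fraction(1, 10**6))
    print("minimum balance for <= 1e-6 loss:", floor)
```

With the constructed factor, a 9 wei balance loses one eleventh of its scaled value to truncation while a 10 wei balance loses nothing, which is the kind of cliff a boundary test should surface before deployment.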

Parameters

  • Total Loss Estimate → $128.64 Million – The approximate value of assets drained across all affected chains.
  • Vulnerable Component → _upscaleArray Function – The specific smart contract logic containing the precision rounding error.
  • Attack Vector Type → Precision Loss/Invariant Manipulation – A mathematical flaw weaponized via atomic batch operations.
  • Affected Chains → Six Blockchains – Including Ethereum, Base, Arbitrum, Optimism, Polygon, and Sonic/Berachain.

Outlook

Immediate mitigation requires all users to halt interactions with the affected V2 pools, which have been paused or placed into recovery mode, while all V3 pools remain secure. The primary second-order effect is the high contagion risk for all protocols that have forked the vulnerable Balancer V2 codebase, necessitating urgent, independent code review and patching of the _upscaleArray function and related invariant calculations. This incident will establish a new security best practice mandating comprehensive, adversarial testing for cumulative mathematical errors and boundary condition analysis, moving beyond the scope of typical functional audits to prevent the weaponization of minute precision loss.

The Balancer V2 exploit decisively proves that even extensive security audits are insufficient against sophisticated attacks targeting subtle mathematical logic and compounded precision loss in core DeFi invariant calculations.

Signal Acquired from → checkpoint.com
