Briefing

The Balancer decentralized finance protocol suffered a catastrophic security breach, resulting from a complex exploit targeting the V2 Composable Stable Pool smart contract logic. This systemic failure allowed a malicious actor to manipulate internal accounting, leading to the unauthorized withdrawal of assets across seven distinct blockchain networks. The immediate consequence is a total capital loss exceeding $128 million, forcing the protocol and its forks to halt operations and issue an urgent user advisory. The core vulnerability was a critical rounding error within the BatchSwap function.


Context

The protocol previously faced multiple security warnings regarding its complex V2 pool architecture, particularly the Composable Stable Pool design which integrates external logic and multiple token interactions. This inherent complexity significantly increased the attack surface, creating a known class of vulnerability where subtle arithmetic flaws could be weaponized through sophisticated transaction sequencing. Prior incidents involving similar rounding or logic errors in other AMM designs established this vector as a high-priority risk factor for all aggregated liquidity protocols.


Analysis

The exploit compromised the core smart contract logic of the Balancer V2 Composable Stable Pools. The attacker utilized the BatchSwap function to bundle multiple token swaps within a single transaction, exploiting a precision-based rounding flaw in the pool’s internal accounting mechanism. This flaw allowed the attacker to incrementally drain the pool’s assets by repeatedly manipulating the input and output calculations until the cumulative error was sufficient to siphon the total value of $128.64 million. The chain of effect demonstrates a failure to correctly validate state changes during multi-step, high-volume operations.
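
The rounding-direction problem described above, as an added example on a toy fixed-rate pool. It is not Balancer's code or its stable-pool math; `ToyPool`, `run_batch` and all numbers are constructed for illustration. It shows how an input amount rounded in the caller's favour drifts pool value across a batch, and how rounding toward the pool or validating value once per batch catches it.

```python
ONE = 10**18  # 18-decimal fixed-point unit (assumed scale for this toy model)

def div_down(a, b):
    return a // b

def div_up(a, b):
    return -(-a // b)

class ToyPool:
    """Two-token pool with a fixed rate; NOT Balancer's stable-pool math."""
    def __init__(self, bal_a, bal_b, rate):
        self.bal_a, self.bal_b, self.rate = bal_a, bal_b, rate

    def value(self):
        # Pool value in token-B units scaled by ONE, computed exactly.
        return self.bal_a * self.rate + self.bal_b * ONE

    def swap_given_out(self, amount_out, div):
        # Caller names the B amount to receive; the pool computes the A owed.
        amount_in = div(amount_out * ONE, self.rate)
        self.bal_a += amount_in
        self.bal_b -= amount_out
        return amount_in

def run_batch(pool, amounts_out, div, guard=False):
    """Apply every step, then (optionally) validate the state change as a whole."""
    before, snapshot = pool.value(), (pool.bal_a, pool.bal_b)
    for out in amounts_out:
        pool.swap_given_out(out, div)
    drift = pool.value() - before
    if guard and drift < 0:
        pool.bal_a, pool.bal_b = snapshot  # revert, as a contract would
        raise ValueError(f"batch reduced pool value by {-drift}")
    return drift

def demo():
    rate = 105 * 10**16            # constructed: 1 A is worth 1.05 B
    steps = [1] * 1000             # constructed: 1000 one-unit steps in one batch
    results = {}
    for name, div in (("round_down", div_down), ("round_up", div_up)):
        pool = ToyPool(10**24, 10**24, rate)
        results[name] = run_batch(pool, steps, div)
    return results

if __name__ == "__main__":
    print(demo())
```

A negative drift means the pool lost value to rounding; with `div_up` the drift is never negative, and with `guard=True` a value-reducing batch is rejected and the balances restored.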


Parameters

  • Total Funds Drained → $128.64 Million → The final, confirmed total value of assets stolen across all affected chains.
  • Affected Chains → Seven → The total count of distinct blockchains impacted, including Ethereum, Arbitrum, and Base.
  • Vulnerability Type → Precision Rounding Error → The specific arithmetic flaw within the Composable Stable Pool contract logic.
  • Governance Token Impact → 8% Decline → The immediate drop in the price of the native BAL token following the incident disclosure.


Outlook

Immediate mitigation requires all users to revoke approvals for the vulnerable V2 pools and move funds to cold storage. This event establishes a new security best practice mandating rigorous, formal verification of all complex multi-step transaction logic, especially in pooled AMMs that utilize internal accounting for composable tokens. A significant second-order effect is the increased contagion risk for all protocols forked from or utilizing similar Balancer V2 pool logic, necessitating an immediate and independent code review across the entire ecosystem.


Verdict

This $128 million exploit confirms that subtle arithmetic flaws in complex DeFi smart contract designs represent a critical, systemic risk that bypasses traditional security assumptions.

Signal Acquired from → tradingview.com
