Briefing

A catastrophic exploit drained approximately $128.64 million from Balancer V2’s ComposableStablePools across six distinct blockchain networks. The incident was not an external compromise: it was a sophisticated attack that leveraged a subtle flaw in the protocol’s core mathematical logic. This systemic failure in invariant accounting allowed the attacker to artificially suppress the Balancer Pool Token (BPT) price and execute arbitrage operations that systematically extracted liquidity. The $128.64 million loss underscores the extreme risk posed by micro-level arithmetic precision errors in high-value DeFi primitives.

Context

The prevailing attack surface for complex Automated Market Makers (AMMs) has shifted from simple reentrancy to highly calibrated economic and logic-based exploits. Despite Balancer V2’s battle-tested status and eleven prior security audits, the vulnerability was a subtle mathematical edge case arising from Solidity’s truncating integer division and the pool math’s downward rounding. This class of flaw, which only becomes exploitable when token balances are driven to specific, microscopic wei-level boundaries, was previously underestimated in its potential for catastrophic, compounded value extraction.

Analysis

The attack vector targeted the _upscaleArray function in the ComposableStablePools, which uses downward rounding (mulDown) when scaling balances for the invariant calculation. The attacker first conditioned the pools with micro-swaps that pushed token balances to the precise 8-9 wei rounding boundary. In that state each invariant (D value) calculation lost precision, so the computed invariant contracted artificially and the BPT price was suppressed with it. The attacker then executed an atomic, 65-step batchSwap sequence against the suppressed price, minting undervalued BPT and immediately redeeming it for full-value underlying assets, draining the liquidity pools on every affected chain.
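
To make the mechanism described in the Context and Analysis sections concrete, the following Python model is added here; it is not Balancer’s contract code and not the attacker’s transaction sequence. It implements 18-decimal fixed-point multiplication that truncates (the semantics of a mulDown-style helper) beside its round-up counterpart, then computes a StableSwap-style invariant D from balances that were upscaled with truncation and compares it with an unrounded reference. The 1.5 scaling factor, the amplification parameter of 100 and the wei-level balances are constructed values; invariant_rounding_loss_bps and upscale_rounding_gap_bps are hypothetical audit and monitoring helpers, not protocol functions.

```python
"""Added example: how a round-down upscale step shrinks a stable-pool invariant at wei-scale balances.

Not Balancer's code. mul_down / mul_up follow the public semantics of an 18-decimal fixed-point
library (truncate vs round up); the invariant is the standard StableSwap Newton iteration run in
high-precision decimal, so the only rounding in the experiment is the one injected at the
upscale step. Scaling factors, amp and balances used below are constructed values.
"""
from decimal import Decimal, getcontext

getcontext().prec = 80   # enough digits that Decimal arithmetic itself does not round here
ONE = 10**18             # 18-decimal fixed point ("1.0")


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates, like Solidity's a * b / 1e18 (round toward zero)."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds the last wei up; a zero product stays zero."""
    product = a * b
    if product == 0:
        return 0
    return (product - 1) // ONE + 1


def upscale_down(balances, scaling_factors):
    """Round-down upscaling of raw token balances (the behaviour the briefing describes)."""
    return [mul_down(b, s) for b, s in zip(balances, scaling_factors)]


def upscale_exact(balances, scaling_factors):
    """Reference upscaling with no rounding, for comparison only (not possible on-chain)."""
    return [Decimal(b) * Decimal(s) / Decimal(ONE) for b, s in zip(balances, scaling_factors)]


def stable_invariant(balances, amp: int, tol: Decimal = Decimal("1e-30")) -> Decimal:
    """StableSwap invariant D by Newton's method (Curve-style formula with Ann = amp * n)."""
    n = len(balances)
    xs = [Decimal(x) for x in balances]
    s = sum(xs)
    if s == 0:
        return Decimal(0)
    ann = Decimal(amp * n)
    d = s
    for _ in range(255):
        d_p = d
        for x in xs:
            d_p = d_p * d / (n * x)
        d_prev = d
        d = (ann * s + n * d_p) * d / ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - d_prev) <= tol:
            return d
    raise ArithmeticError("invariant did not converge")


def invariant_rounding_loss_bps(balances, scaling_factors, amp: int) -> Decimal:
    """Hypothetical audit check: basis points of D erased by the round-down upscale step."""
    d_exact = stable_invariant(upscale_exact(balances, scaling_factors), amp)
    d_down = stable_invariant(upscale_down(balances, scaling_factors), amp)
    return (d_exact - d_down) / d_exact * 10_000


def upscale_rounding_gap_bps(balance: int, scaling_factor: int):
    """Hypothetical monitoring heuristic: relative gap between the round-down and round-up
    results of one upscale. A material gap means the balance sits at the wei-level boundary
    where truncation error is no longer negligible. Returns None when the truncated value is 0."""
    lo = mul_down(balance, scaling_factor)
    hi = mul_up(balance, scaling_factor)
    if lo == 0:
        return None
    return (hi - lo) * 10_000 / lo


if __name__ == "__main__":
    rate = 15 * 10**17        # constructed: token 0 scaling factor 1.5 (rate-bearing token)
    factors = [rate, ONE]     # token 1 is a plain 18-decimal token with no rate
    amp = 100
    for label, bals in (("wei-level", [9, 10**18]), ("normal", [10**18 + 9, 10**18])):
        loss = invariant_rounding_loss_bps(bals, factors, amp)
        gap = upscale_rounding_gap_bps(bals[0], rate)
        print(f"{label:9} balances={bals}: D loss = {loss:.4f} bps, upscale gap = {gap} bps")
```

With a 9 wei balance the truncated upscale yields 13 instead of 13.5, and that single lost half-wei removes roughly 125 basis points from D; with the same token at a normal balance the same truncation is invisible. The upscale gap heuristic reports the same condition without recomputing the invariant, which is the kind of boundary check a pool-health monitor or an audit fuzzing harness can run continuously.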

Parameters

  • Total Funds Lost → $128.64 Million – The estimated dollar value drained from ComposableStablePools across all networks.
  • Affected Protocol Version → Balancer V2 ComposableStablePools – The specific contract type containing the arithmetic precision flaw.
  • Attack Duration → Under 30 Minutes – The time required for the attacker to execute the multi-chain exploitation sequence.
  • Vulnerability Type → Arithmetic Precision Loss – The core technical flaw rooted in Solidity’s integer division and downward rounding logic.

Outlook

Immediate mitigation requires every protocol forked from or integrating Balancer V2’s Composable Stable Pool code to conduct an emergency review and either patch or pause the affected pools. The incident establishes a new security best practice: audits must move beyond traditional bug hunting to incorporate adversarial simulation focused on compounded precision loss and boundary-condition manipulation. Contagion risk is high for any AMM that uses similar downward-rounding logic in its invariant calculations, which necessitates a systemic review of stable pool mathematics across the DeFi ecosystem.

The exploitation of a micro-level rounding error in a major AMM for over $128 million confirms that subtle mathematical flaws are the current high-value threat vector, demanding a complete overhaul of precision-based smart contract security models.

DeFi, Smart Contract, AMM, Stablecoin Pool, Liquidity Protocol, Blockchain Security, Multi-Chain Exploit, Token Vault, Invariant Math, Rounding Vulnerability, Security Audit, Batch Swap Logic, Code Flaw, Financial Primitive, Crypto Threat, Asset Management, Digital Asset Security, Precision Arithmetic, Protocol Logic, Economic Exploit

Signal Acquired from → checkpoint.com

Micro Crypto News Feeds