
Briefing

The Balancer V2 protocol suffered a catastrophic multi-chain exploit in which approximately $116 million was drained from its Composable Stable Pools. The incident immediately froze the affected liquidity pools, causing significant market instability for associated liquid-staked tokens and secondary contagion risk for forked protocols. The attack was a sophisticated chain of operations that combined a rounding-down flaw in the internal swap calculation with a critical access control vulnerability to siphon funds. The quantified loss of roughly $116 million makes this one of the largest DeFi breaches of 2025.


Context

The prevailing security posture of many V2 DeFi protocols remains vulnerable to complex, chained logic exploits, despite multiple independent audits. Traditional code review often fails to detect subtle economic logic flaws or race conditions that materialize only when combining multiple functions like flash loans and batch swaps. This specific attack surface, the interaction between internal accounting logic and external swap operations, was a known class of high-risk vulnerability in older DeFi architectures.


Analysis

The attacker initiated the exploit using a flash loan to execute a series of BatchSwaps targeting the EXACT_OUT function in V2 Stable Pools. This function's rounding-down behaviour was manipulated to create a minuscule, repeatable surplus of tokens in the protocol's internal vault balance with each loop. Crucially, a separate logic flaw in the validateUserBalanceOp process failed to correctly verify the message sender, allowing the attacker to execute an unauthorized WITHDRAW_INTERNAL operation. This access control bypass was the final step, enabling the withdrawal of the accumulated $116 million in internally held, stolen assets.
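The two flaws the analysis names, rounding in the trader's favour on EXACT_OUT quotes and a missing sender check on internal-balance withdrawals, are both the kind of property a reviewer can test directly. The Python model below is an added example written for this briefing, not Balancer's code: the pool, the fixed rate (a stand-in for Balancer's stable-swap invariant), the account names and the `validate_user_balance_op` method are constructed assumptions that only borrow the names used in the text.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed toy model, not Balancer's code. A pool holds token A and token B;
# B is priced in A at `rate`, a fixed-point number with 18 decimals (ONE = 1e18).
ONE = 10**18


def quote_exact_out(amount_out: int, rate: int, round_up: bool) -> int:
    """Token A the trader must pay to receive exactly `amount_out` of token B.

    Integer division has to round somewhere: `round_up=False` truncates and so
    favours the trader; `round_up=True` rounds in the pool's favour.
    """
    numerator = amount_out * rate
    if round_up:
        return (numerator + ONE - 1) // ONE
    return numerator // ONE


class Pool:
    def __init__(self, balance_a: int, balance_b: int, rate: int) -> None:
        self.a = balance_a
        self.b = balance_b
        self.rate = rate

    def value_in_a(self) -> Fraction:
        """Exact (unrounded) pool value, measured in token A."""
        return Fraction(self.a) + Fraction(self.b * self.rate, ONE)

    def swap_exact_out(self, amount_out: int, round_up: bool) -> int:
        amount_in = quote_exact_out(amount_out, self.rate, round_up)
        self.a += amount_in
        self.b -= amount_out
        return amount_in


def pool_value_never_drops(round_up: bool, iterations: int = 1000) -> bool:
    """Property a reviewer would test: no EXACT_OUT swap may lower the pool's
    exact value. Repeating tiny swaps makes a one-wei-per-swap leak visible."""
    # Constructed rate: B is worth one wei more than A, so every quote rounds.
    pool = Pool(balance_a=10**24, balance_b=10**24, rate=ONE + 1)
    for _ in range(iterations):
        before = pool.value_in_a()
        pool.swap_exact_out(amount_out=1, round_up=round_up)
        if pool.value_in_a() < before:
            return False
    return True


@dataclass(frozen=True)
class InternalBalanceOp:
    kind: str        # "DEPOSIT_INTERNAL" or "WITHDRAW_INTERNAL"
    sender: str      # account whose internal balance the op debits
    recipient: str
    token: str
    amount: int


class Vault:
    """Hypothetical vault keeping per-account internal balances (assumption)."""

    def __init__(self) -> None:
        self.internal: dict = {}            # (account, token) -> balance
        self.relayer_approvals: dict = {}   # account -> set of approved relayers

    def approve_relayer(self, account: str, relayer: str) -> None:
        self.relayer_approvals.setdefault(account, set()).add(relayer)

    def validate_user_balance_op(self, op: InternalBalanceOp, msg_sender: str) -> bool:
        """The check the briefing says was bypassed: the caller must be the
        debited account itself or a relayer that account explicitly approved."""
        if msg_sender == op.sender:
            return True
        return msg_sender in self.relayer_approvals.get(op.sender, set())

    def deposit_internal(self, account: str, token: str, amount: int) -> None:
        key = (account, token)
        self.internal[key] = self.internal.get(key, 0) + amount

    def withdraw_internal(self, op: InternalBalanceOp, msg_sender: str) -> int:
        """Debit op.sender's internal balance; returns the remaining balance."""
        if op.kind != "WITHDRAW_INTERNAL":
            raise ValueError("not a withdrawal")
        if not self.validate_user_balance_op(op, msg_sender):
            raise PermissionError(f"{msg_sender} may not debit {op.sender}")
        key = (op.sender, op.token)
        if self.internal.get(key, 0) < op.amount:
            raise ValueError("insufficient internal balance")
        self.internal[key] -= op.amount
        return self.internal[key]
```

Running the property with truncation shows the pool's exact value falling by one wei on the very first unit swap, which is exactly the per-iteration drift a repeated loop accumulates; with rounding in the pool's favour it never falls. The vault rejects a withdrawal unless the caller is the debited account or a relayer that account approved, so a request that merely names another account as `sender` cannot move its funds.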


Parameters

  • Total Loss Estimate: $116 Million – The final amount of assets drained across multiple chains, confirmed by the protocol's post-mortem.
  • Vulnerable Component: V2 Composable Stable Pools – The specific pool type containing the exploitable rounding and access logic.
  • Attack Vector Core: BatchSwap Rounding Error – The fundamental logic flaw that created the exploitable internal balance surplus.
  • Contagion Risk: Forked Protocols – Projects utilizing the vulnerable Balancer V2 codebase, such as Beets Finance, which reported secondary losses.


Outlook

Protocols must immediately audit all internal accounting and withdrawal logic, prioritizing complex interactions such as BatchSwap and flash loan operations, to mitigate this systemic risk. Users are advised to withdraw liquidity from all V2 Composable Stable Pools and from any forked protocol using the same V2 codebase until a formal, third-party audit confirms the patch. This incident will likely establish a new security best practice requiring formal verification of all multi-step transaction logic to prevent chained economic exploits.


Verdict

The Balancer V2 breach is a decisive case study proving that logic flaws in complex DeFi primitives, even after extensive auditing, pose a critical and persistent threat to the entire ecosystem’s financial integrity.

Smart contract exploit, DeFi logic flaw, Batch swap vulnerability, Rounding error, Access control bypass, Liquidity pool drain, Multi-chain attack, Financial primitives risk, Decentralized exchange, Economic security, Internal balance manipulation, Protocol solvency, External call security, Systemic risk, On-chain forensics, Codebase vulnerability, Asset withdrawal logic, Token price manipulation, Flash loan attack, Liquidity provider risk

Signal Acquired from: markets.com


composable stable pools

Definition: Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

vulnerability

Definition: A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

access control bypass

Definition: Access control bypass involves circumventing security rules designed to limit system or data access.

protocol

Definition: A protocol is a set of rules governing data exchange or communication between systems.

stable pools

Definition: Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

internal balance

Definition: Internal balance refers to the amount of funds or assets held within a specific platform or system.

forked protocols

Definition: Forked protocols are new versions of existing blockchain protocols created when a community or development team modifies the original codebase.

systemic risk

Definition: Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.

financial

Definition: Financial refers to matters concerning money, banking, investments, and credit.