Balancer V2 Pools Drained Exploiting Precision Error across Seven Chains → Security

A close-up view captures a futuristic device, featuring transparent blue cylindrical and rectangular sections filled with glowing blue particles, alongside brushed metallic components. The device rests on a dark, reflective surface, with sharp focus on the foreground elements and a soft depth of field blurring the background

A futuristic, segmented white sphere is partially submerged in dark, reflective water, with vibrant blue, crystalline formations emerging from its central opening. These icy structures spill into the water, forming a distinct mass on the surface

Briefing

A sophisticated exploit targeted the Balancer V2 Composable Stable Pools, resulting in a loss estimated at approximately $128 million across seven different blockchain networks. This attack leveraged a subtle precision error within the manageUserBalance function, which is responsible for managing internal user balances within the core vault system. The primary consequence is a significant, systemic capital loss for Liquidity Providers (LPs) across the affected chains, severely undermining confidence in the protocol’s core vault architecture. The total financial impact of the event is quantified at up to $128 million, making it one of the largest decentralized finance breaches of 2025.

A close-up view reveals intricately intertwined abstract forms, featuring both transparent blue and brushed metallic silver components. These elements create a sense of depth and interconnectedness, with light reflecting off their polished and textured surfaces

Context

The prevailing security posture for complex DeFi protocols, particularly those utilizing a central vault architecture like Balancer V2, has always carried an elevated risk of single-point-of-failure vulnerabilities. Despite multiple security audits on its vault system, the sheer complexity of composable finance → where multiple token types and pool logics interact → created an expanded attack surface. The known class of vulnerability leveraged here is a logic flaw in access control, where a function intended for internal balance management failed to properly validate the caller’s permissions, a systemic risk inherent in highly-permissioned smart contract designs.

Abstract, flowing forms in translucent white and vibrant deep blue dominate the frame, set against a dark, gradient background. The composition features smooth, overlapping layers that create a sense of depth and continuous movement, with light reflecting off the polished surfaces

Analysis

The incident’s technical mechanics centered on a faulty access control check within the manageUserBalance function of the V2 Composable Stable Pools. Specifically, the vulnerability allowed an external actor to execute the UserBalanceOpKind.WITHDRAW_INTERNAL operation without proper authorization, essentially impersonating a legitimate user’s withdrawal request. The attacker successfully fooled the Balancer system into believing they were an authorized entity, enabling them to quietly drain funds from internal balances held within the core vault. This chain of cause and effect → a logic error leading to unauthorized function execution → was successful due to the contract’s failure to rigorously confirm the msg.sender against the expected op.sender.

A translucent, intricate structure encases vibrant blue, particulate matter, reminiscent of dynamic data streams within a decentralized network. Metallic, precision-engineered components integrate seamlessly, suggesting advanced cryptographic modules and secure hardware enclaves

Parameters

Total Funds Drained → $128 Million (The estimated total loss across all affected chains before any recovery)
Affected Chains → Seven (Ethereum, Arbitrum, Base, Optimism, Polygon, Sonic, Berachain)
Vulnerability Type → Faulty Access Control Logic / Precision Error (The specific smart contract flaw exploited in the V2 Composable Stable Pools)
Bounty Offered → 20% of Recovered Funds (The percentage offered by the protocol to the attacker for the return of assets)

A sophisticated, silver-toned modular device, featuring a prominent circular interface with a blue accent and various rectangular inputs, is dynamically positioned amidst a flowing, translucent blue material. The device's sleek, futuristic design suggests advanced technological capabilities, with the blue element appearing to interact with its structure

Outlook

The immediate mitigation step for all users is to immediately withdraw liquidity from any Balancer V2 Composable Stable Pools that have not been explicitly verified as safe or paused by the protocol team. The second-order effect is a significant contagion risk, as similar vault-based and composable DeFi protocols must now urgently review their internal balance management and access control functions for identical logic flaws. This incident will likely establish new, more stringent auditing standards for complex, multi-asset pool contracts, emphasizing formal verification of permissioned internal functions to prevent unauthorized state changes.

The Balancer V2 exploit is a critical architectural failure demonstrating that multi-audited, complex vault systems remain vulnerable to subtle access control logic flaws, demanding an immediate industry-wide re-evaluation of composable DeFi security models.

smart contract security, defi risk, protocol exploit, decentralized finance, token vault, liquidity pool, access control, logic flaw, multi-chain architecture, asset recovery, security audit failure, composability risk, smart contract logic, precision vulnerability, pool draining, emergency governance, token withdrawal, white-hat negotiation, on-chain forensics, system risk Signal Acquired from → crypto.news