Briefing

A sophisticated exploit targeted Balancer's V2 Composable Stable Pools, resulting in a catastrophic loss of user-deposited liquidity. The core failure resides in the protocol's smart-contract logic: a precision (rounding) flaw in the swap calculations that the V2 vault invokes on Composable Stable Pools, which allowed an attacker to bypass the pools' internal safeguards without holding any privileged role. Driven through the vault's public batchSwap entry point, this systemic vulnerability enabled unauthorized swap and balance manipulation across interconnected pools, ultimately leading to a total financial loss estimated to exceed $128 million.

Context

Prior to this event, the prevailing attack surface for major Automated Market Makers (AMMs) was a known risk: complex, multi-token pools and the handling of external calls between contracts. Balancer V2, despite undergoing numerous security audits since 2021, maintained a high-complexity architecture in which a single vault holds every token balance and calls out to separately deployed pool contracts for the swap math. The specific class of vulnerability, rounding and precision errors in swap calculations that resolve in the trader's rather than the pool's favor, had been exploited against Balancer in smaller incidents before, indicating an unaddressed systemic risk in the V2 architecture.

Analysis

The attack vector leveraged a flaw in the swap math the V2 vault executes on behalf of Composable Stable Pools. The attacker deployed a contract that called the vault's batchSwap, which chains many swaps into one transaction and settles only the net token deltas at the end, so little upfront capital was needed. Each swap in the chain was sized so that the pool's scaled-balance arithmetic rounded in the attacker's favor; repeated across many hops, these per-swap rounding errors accumulated into large, unauthorized changes to pool balances and to the value of the pool's own liquidity token. By repeating this sequence against every affected pool, on each chain where the same pool code was deployed, the attacker drained vast amounts of liquidity before the protocol could react and pause the affected contracts.
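
The chained-swap mechanism described above, as an added illustration that is neither Balancer's code nor the attacker's transaction: a toy pool whose swap math runs in 18-decimal fixed point and rounds the trader's output in the wrong direction when scaling back down to token units. The curve (constant-product instead of StableSwap), the 6-decimal tokens, the reserve sizes and the specific rounding bug are all constructed assumptions; the property they show is general. The same batch of swaps is run against the vulnerable rounding and the hardened rounding, and the pool invariant is compared before and after.

```python
"""Toy constant-product pool showing how a rounding-direction bug in swap math
lets one batch of small swaps drain a pool.  Added illustration, not Balancer
code: constant-product replaces StableSwap, both tokens are 6-decimal, and the
bug is modelled as rounding the trader's output UP when scaling back from the
18-decimal fixed point the math runs in (all of these are assumptions)."""

SCALE = 10**12   # 6-decimal token units -> 18-decimal fixed point
N = 10**9        # constructed starting reserve: 1,000 tokens per side


def div_down(a: int, b: int) -> int:
    return a // b


def div_up(a: int, b: int) -> int:
    return -(-a // b)   # ceiling division on non-negative ints


class Pool:
    """Two-token x*y=k pool that computes swaps on upscaled balances."""

    def __init__(self, bal_a: int, bal_b: int, round_out_up: bool):
        self.bal = {"A": bal_a, "B": bal_b}
        self.round_out_up = round_out_up   # True = vulnerable rounding

    def invariant(self) -> int:
        return self.bal["A"] * self.bal["B"]

    def swap(self, token_in: str, amount_in: int) -> int:
        token_out = "B" if token_in == "A" else "A"
        s_in = self.bal[token_in] * SCALE      # upscale (exact for decimals)
        s_out = self.bal[token_out] * SCALE
        s_dx = amount_in * SCALE
        out_scaled = s_out * s_dx // (s_in + s_dx)   # x*y=k on scaled balances
        # Downscaling must round AGAINST the trader.  Rounding up gives away
        # up to one token unit per swap, and an attacker can choose amounts
        # that hit that bound on nearly every hop of a batch.
        if self.round_out_up:
            out = div_up(out_scaled, SCALE)
        else:
            out = div_down(out_scaled, SCALE)
        self.bal[token_in] += amount_in
        self.bal[token_out] -= out
        return out


def batch_drain(pool: Pool, skew: int, n_small: int) -> dict:
    """One batchSwap-style sequence: a single swap that skews the pool so A
    exceeds B, then n_small one-unit swaps of B->A.  While A >= B + 2 the fair
    output of a 1-unit swap is just above 1, which the vulnerable pool rounds
    up to 2.  Returns the attacker's net token changes and k before/after."""
    k_before = pool.invariant()
    net = {"A": -skew, "B": pool.swap("A", skew)}
    for _ in range(n_small):
        net["B"] -= 1
        net["A"] += pool.swap("B", 1)
    return {
        "net": net,
        "profit": net["A"] + net["B"],   # pool ends near balance, so 1:1 is fair
        "k_before": k_before,
        "k_after": pool.invariant(),
    }


def compare(skew: int = 1000, n_small: int = 700) -> dict:
    """Run the same batch against the vulnerable and the hardened pool."""
    return {
        "vulnerable": batch_drain(Pool(N, N, round_out_up=True), skew, n_small),
        "hardened": batch_drain(Pool(N, N, round_out_up=False), skew, n_small),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:10s} profit={r['profit']:+d} units  "
              f"k_decreased={r['k_after'] < r['k_before']}")
```

Two checks fall out of this that apply to any vault-and-pool design: every fixed-point operation on the swap path must round against the caller (down for amounts out, up for amounts in), and a property test or on-chain monitor should assert that no swap, and no batch of swaps, ever lowers the pool invariant. In the run above the hardened pool costs the attacker one unit for the whole batch, while the vulnerable pool gives up a unit on almost every hop and its invariant shrinks.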

Parameters

  • Total Loss Estimate → $128,000,000+ (estimated value of assets drained from the V2 Composable Stable Pools).
  • Affected Component → Balancer V2 Composable Stable Pools (the pool type whose swap math contained the flaw).
  • Exploit Date → November 3, 2025 (the date the attack was confirmed and announced by the protocol).
  • Stolen Assets → liquid staked Ether derivatives (e.g. wstETH, osETH) and Wrapped Ether (WETH).

Outlook

Immediate mitigation requires all remaining V2 Composable Stable Pools to be paused or, where pausing is no longer possible, to have their liquidity withdrawn by users. The incident argues for rigorous formal verification of complex, interconnected vault and pool logic, in particular the rounding direction of every fixed-point operation in the swap and invariant calculations (rounding must always favor the pool, and the pool invariant must never decrease across a swap or a batch of swaps) as well as the external-call and access-control flows between vault and pool. Contagion risk is elevated for forks and similar AMMs using multi-pool or vault-based architectures, necessitating immediate internal security reviews to prevent a cascade of similar exploits.

The Balancer V2 exploit is a high-severity architectural failure, confirming that complex DeFi primitives whose core arithmetic or access control is flawed remain the greatest systemic risk to deposited capital.

defi security, smart contract logic, access control, composable pool, vault exploit, liquidity pool, amm vulnerability, on-chain forensics, asset drain, precision error, batch swap, multi-chain risk, decentralized finance, token manipulation, protocol insolvency, yield farming risk, external call, security audit failure, financial primitive, systemic risk

Signal Acquired from → bleepingcomputer.com

Micro Crypto News Feeds