Briefing

A sophisticated exploit targeted Balancer’s V2 Composable Stable Pools, resulting in a catastrophic loss of user-deposited liquidity. The core failure resides in the protocol’s smart contract logic, specifically improper authorization and callback handling within the V2 vault, which allowed an attacker to bypass internal safeguards during pool initialization. This systemic vulnerability enabled unauthorized swap and balance manipulation across interconnected pools, ultimately leading to a total financial loss estimated to exceed $128 million.

Context

Prior to this event, the principal attack surface of major Automated Market Makers (AMMs) was already recognized: complex, multi-token pools and the handling of external calls. Balancer V2, despite undergoing numerous security audits since 2021, maintained a high-complexity architecture of interconnected vault and pool contracts. The specific class of vulnerability involved here (faulty access control and precision errors in swap calculations) had previously been exploited in smaller incidents, indicating an unaddressed systemic risk in the V2 architecture.

Analysis

The attack vector leveraged a flaw in how the V2 vault managed external calls and authorizations during pool initialization. The attacker deployed a malicious contract that manipulated the vault’s state by exploiting the callback mechanism designed for internal pool functions. This manipulation effectively granted the attacker unauthorized control over asset movements, enabling them to execute a series of chained batchSwap transactions. By repeatedly exploiting this logic flaw, the attacker was able to drain vast amounts of liquidity from the composable stable pools before the protocol could fully react and pause the affected contracts.

Parameters

  • Total Loss Estimate → $128,000,000+ (The estimated value of assets drained from the V2 Composable Stable Pools).
  • Affected Component → Balancer V2 Composable Stable Pools (Specific pool type impacted by the authorization flaw).
  • Exploit Date → November 3, 2025 (The date the attack was confirmed and announced by the protocol).
  • Stolen Assets → Liquid staked Ethereum derivatives (e.g. wstETH, OSETH) and Wrapped Ether (WETH).

Outlook

Immediate mitigation requires all remaining V2 Composable Stable Pools to be paused or have their liquidity withdrawn by users where possible. This incident establishes a critical new standard for auditing, emphasizing rigorous formal verification of complex, interconnected vault and pool logic, particularly external call and access control flows. Contagion risk is elevated for similar AMMs utilizing multi-pool or vault-based architectures, necessitating immediate internal security reviews to prevent a cascade of similar exploits.

The Balancer V2 exploit is a high-severity architectural failure, confirming that complex DeFi primitives with flawed access control remain the single greatest systemic risk to deposited capital.

Signal Acquired from → bleepingcomputer.com