Briefing

A sophisticated exploit targeted Balancer’s V2 Composable Stable Pools, resulting in a catastrophic loss of user-deposited liquidity. The core failure resides in the protocol’s smart contract logic, specifically improper authorization and callback handling within the V2 vault, which allowed an attacker to bypass internal safeguards during pool initialization. This systemic vulnerability enabled unauthorized swap and balance manipulation across interconnected pools, ultimately leading to a total financial loss estimated to exceed $128 million.


Context

Before this event, the main attack surface for major Automated Market Makers (AMMs) was already understood to lie in complex multi-token pools and in the handling of external calls. Balancer V2, despite undergoing numerous security audits since 2021, retained a high-complexity architecture of interconnected vault and pool contracts. The specific class of vulnerability, faulty access control and precision errors in swap calculations, had been exploited before in smaller incidents, pointing to an unaddressed systemic risk in the V2 architecture.


Analysis

The attack vector leveraged a flaw in how the V2 vault managed external calls and authorizations during pool initialization. The attacker deployed a malicious contract that manipulated the vault’s state by exploiting the callback mechanism designed for internal pool functions. This manipulation effectively granted the attacker unauthorized control over asset movements, enabling them to execute a series of chained batchSwap transactions. By repeatedly exploiting this logic flaw, the attacker was able to drain vast amounts of liquidity from the composable stable pools before the protocol could fully react and pause the affected contracts.
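The drain described above succeeded because liquidity left the pools faster than the protocol could pause them. The following added example (not Balancer code; the pool identifiers, block numbers and balances are constructed) shows the kind of balance-drawdown monitor an operator can run over post-settlement pool balances: it flags any pool whose holdings of a token fall by more than a threshold fraction within a short block window, which is the signature a chain of draining swaps leaves regardless of the specific logic flaw that enabled it.

```python
"""Toy pool-drawdown monitor (added example, not Balancer's code).

Assumption: each pool's per-token balance is observed after every swap
settles. A (pool, token) pair is flagged the first time its balance drops
more than `threshold` (a fraction) below the highest balance seen in the
last `window` blocks, so both one huge swap and a run of medium swaps are
caught. Flagged pools are candidates for an automatic pause.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class BalanceObservation:
    block: int
    pool: str       # hypothetical pool identifier
    token: str
    balance: float  # pool-held balance of `token` after the swap settled


@dataclass(frozen=True)
class DrainAlert:
    pool: str
    token: str
    start_block: int  # block of the peak balance inside the window
    end_block: int    # block at which the drawdown crossed the threshold
    drawdown: float   # fraction of the peak balance that has left the pool


def detect_drains(observations, window=10, threshold=0.5):
    """Return one DrainAlert per (pool, token) that breaches the threshold."""
    history = defaultdict(deque)  # (pool, token) -> deque of (block, balance)
    alerts, alerted = [], set()
    for obs in sorted(observations, key=lambda o: o.block):
        key = (obs.pool, obs.token)
        q = history[key]
        q.append((obs.block, obs.balance))
        # Drop observations that fell out of the sliding block window.
        while q and q[0][0] < obs.block - window:
            q.popleft()
        peak_block, peak = max(q, key=lambda e: e[1])
        if peak <= 0:
            continue
        drawdown = (peak - obs.balance) / peak
        if drawdown > threshold and key not in alerted:
            alerted.add(key)
            alerts.append(DrainAlert(obs.pool, obs.token, peak_block, obs.block, drawdown))
    return alerts


def pools_to_pause(alerts):
    """Distinct pools named in the alerts, i.e. the pause list for an operator."""
    return sorted({a.pool for a in alerts})


# Constructed sample: pool "csp-A" is drained over a handful of blocks,
# pool "csp-B" only sees ordinary trading noise.
SAMPLE_OBSERVATIONS = [
    BalanceObservation(100, "csp-A", "WETH", 1000.0),
    BalanceObservation(101, "csp-A", "WETH", 980.0),
    BalanceObservation(105, "csp-A", "WETH", 600.0),
    BalanceObservation(106, "csp-A", "WETH", 300.0),
    BalanceObservation(107, "csp-A", "WETH", 50.0),
    BalanceObservation(100, "csp-B", "wstETH", 500.0),
    BalanceObservation(103, "csp-B", "wstETH", 480.0),
    BalanceObservation(110, "csp-B", "wstETH", 470.0),
]

if __name__ == "__main__":
    for alert in detect_drains(SAMPLE_OBSERVATIONS):
        print(f"{alert.pool}/{alert.token}: {alert.drawdown:.0%} drawdown "
              f"between blocks {alert.start_block} and {alert.end_block}")
    print("pause:", pools_to_pause(detect_drains(SAMPLE_OBSERVATIONS)))
```

The window and threshold are tuning knobs: a wide window with a low threshold catches slow drains but will also fire on legitimate large withdrawals, so in practice the alert should trigger a pause only for pool types where a 50% balance swing in ten blocks is not a normal event.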


Parameters

  • Total Loss Estimate → $128,000,000+ (The estimated value of assets drained from the V2 Composable Stable Pools).
  • Affected Component → Balancer V2 Composable Stable Pools (Specific pool type impacted by the authorization flaw).
  • Exploit Date → November 3, 2025 (The date the attack was confirmed and announced by the protocol).
  • Stolen Assets → Liquid staked Ethereum derivatives (e.g. wstETH, osETH) and Wrapped Ether (WETH).


Outlook

Immediate mitigation requires all remaining V2 Composable Stable Pools to be paused or have their liquidity withdrawn by users where possible. This incident establishes a critical new standard for auditing, emphasizing rigorous formal verification of complex, interconnected vault and pool logic, particularly external call and access control flows. Contagion risk is elevated for similar AMMs utilizing multi-pool or vault-based architectures, necessitating immediate internal security reviews to prevent a cascade of similar exploits.

The Balancer V2 exploit is a high-severity architectural failure, confirming that complex DeFi primitives with flawed access control remain the single greatest systemic risk to deposited capital.

Signal Acquired from → bleepingcomputer.com
