Briefing

The Balancer V2 protocol suffered a catastrophic security breach on November 3, 2025, resulting in the theft of approximately $128 million across multiple blockchain networks. The incident was caused by the exploitation of a precision rounding vulnerability in the Composable Stable Pool’s swap calculation. This core logic flaw allowed the threat actor to systematically manipulate the pool’s invariant, directly suppressing the price of Balancer Pool Tokens (BPT). The confirmed loss of assets, including WETH and wstETH, is quantified at $128 million, making it one of the largest DeFi security events of the year.


Context

Balancer’s V2 architecture utilizes a centralized Vault contract to hold tokens for all connected pools, a design intended to maximize capital efficiency. However, this architecture creates a single point of failure, meaning a vulnerability in a single pool type’s logic exposes all assets within the Vault. This specific class of Composable Stable Pool had undergone eleven security audits, demonstrating that even rigorous review can fail to anticipate subtle, low-level arithmetic edge cases.


Analysis

The attack vector was a precision rounding error in the _upscaleArray function used for EXACT_OUT swaps within the batchSwap feature. This function incorrectly used downward rounding (mulDown) when scaling token balances, introducing a wei-level discrepancy into the pool’s accounting. The threat actor first conditioned the pool by executing swaps that pushed token balances to the 8-9 wei boundary where the rounding error is maximized.

By executing a batched sequence of 65+ micro-swaps, the actor compounded these one-wei errors into a large-scale manipulation of the pool’s invariant (the D value). The artificially reduced invariant suppressed the BPT price, allowing the threat actor to mint undervalued BPT and immediately redeem it for full-value assets, effectively draining the liquidity.
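To make the rounding-direction point concrete, here is a small Python model of 18-decimal fixed-point scaling. It is an added illustration, not Balancer’s code: the names mul_down/mul_up/div_down/div_up follow the convention of Balancer’s FixedPoint library, but the 1.1e18 scaling factor, the sample balances and the toy upscale/downscale round trip are constructed for this example, and the real StableSwap invariant is not modelled. It shows which small balances produce a one-wei disagreement between the two rounding directions, and how a round trip that rounds in the user’s favour can lose a wei on every repetition instead of averaging out. Those are the two properties a low-balance sweep test should check before an audit signs off on rounding logic.

```python
# Added illustration of directional fixed-point rounding. Not Balancer's code:
# the function names follow the mulDown/mulUp/divDown/divUp convention of
# Balancer's FixedPoint library, but the scaling factor, balances and the toy
# round trip below are constructed for this example.
ONE = 10**18  # 18-decimal fixed point, as used by Balancer

# Constructed scaling factor of 1.1 (not a real rate-provider value). Factors
# that are not whole multiples of ONE are exactly where wei-level rounding appears.
FACTOR_1_1 = 11 * 10**17


def mul_down(a: int, b: int) -> int:
    """floor(a * b / ONE)"""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """ceil(a * b / ONE); 0 when the product is 0"""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """floor(a * ONE / b)"""
    return (a * ONE) // b


def div_up(a: int, b: int) -> int:
    """ceil(a * ONE / b); 0 when a is 0"""
    n = a * ONE
    return 0 if n == 0 else (n - 1) // b + 1


def upscale_array(balances, factors, favor_pool: bool):
    """Scale raw balances to 18 decimals. favor_pool=False uses the downward
    direction the briefing reports was used in _upscaleArray for EXACT_OUT swaps."""
    f = mul_up if favor_pool else mul_down
    return [f(b, s) for b, s in zip(balances, factors)]


def rounding_loss_sweep(factor: int, lo: int, hi: int):
    """Balances in [lo, hi] for which mul_down and mul_up disagree, i.e. where
    the scaling step introduces a one-wei error. A test that only exercises
    round balances (multiples of 10 for this factor) would see no error at all."""
    return [b for b in range(lo, hi + 1) if mul_down(b, factor) != mul_up(b, factor)]


def round_trip_drift(balance: int, factor: int, cycles: int, favor_pool: bool):
    """Repeat an upscale/downscale round trip and return (final_balance, delta).
    With favor_pool=False each cycle can lose a wei and the loss accumulates;
    with favor_pool=True the balance does not drift downward in this model."""
    b = balance
    for _ in range(cycles):
        scaled = mul_up(b, factor) if favor_pool else mul_down(b, factor)
        b = div_up(scaled, factor) if favor_pool else div_down(scaled, factor)
    return b, b - balance


if __name__ == "__main__":
    print("balances with a one-wei disagreement:", rounding_loss_sweep(FACTOR_1_1, 1, 10))
    print("upscaled, rounding down:", upscale_array([8, 9, 10], [FACTOR_1_1] * 3, False))
    print("upscaled, rounding up:  ", upscale_array([8, 9, 10], [FACTOR_1_1] * 3, True))
    print("3 round trips from 9 wei, user-favouring:", round_trip_drift(9, FACTOR_1_1, 3, False))
    print("3 round trips from 9 wei, pool-favouring:", round_trip_drift(9, FACTOR_1_1, 3, True))
```

Starting from 9 wei, the user-favouring direction ends at 6 wei after three round trips while the pool-favouring direction settles at 10 wei, which is why a single-shot check at a convenient balance tells you nothing about how the error behaves under repetition.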


Parameters

  • Key Metric → $128 Million → Total estimated value of assets drained from Balancer V2 Composable Stable Pools.
  • Vulnerability Type → Precision Rounding Flaw → The specific arithmetic error in the _upscaleArray function that caused invariant manipulation.
  • Affected Chains → Nine Blockchain Networks → The exploit spread across Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic.
  • Attack Duration → Under 30 Minutes → The time taken for the threat actor to execute the entire multi-chain exploitation sequence.


Outlook

Immediate mitigation requires all users to withdraw liquidity from any remaining V2 Composable Stable Pools that have not been paused or upgraded. The systemic risk of this incident extends to all DeFi protocols that rely on similar StableSwap-based mathematical invariants and integer-based arithmetic for critical financial logic. This event will establish a new security best practice, mandating a formal, economic-level verification of all rounding and precision logic, moving beyond traditional code-level audits to focus on adversarial economic boundary conditions.


Verdict

This breach confirms that subtle, low-level arithmetic flaws in core financial logic are a critical, high-impact attack vector, necessitating a complete re-evaluation of mathematical rigor in all DeFi smart contract design.

Precision rounding, Smart contract flaw, Stable pool invariant, Multi-chain contagion, Automated market maker, DeFi exploit, Batch swap logic, Asset vault, Integer division, Liquidity pool drain, On-chain forensics, Security audit failure, Arithmetic edge case, Protocol vulnerability, Token price manipulation, Vault architecture, Composable pools, Multi-chain exposure, Swap calculation

Signal Acquired from → secureblink.com

Micro Crypto News Feeds

blockchain networks

Definition ∞ Blockchain networks are distributed ledger systems where transactions are recorded chronologically and immutably across many computers.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

invariant manipulation

Definition ∞ Invariant manipulation is a type of exploit where an attacker disrupts the fundamental mathematical relationships or rules designed to be constant within a smart contract or protocol.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

multi-chain

Definition ∞ A multi-chain system refers to an architecture that supports multiple independent blockchain networks.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.