Briefing

The Balancer V2 protocol suffered a catastrophic security breach on November 3, 2025, resulting in the theft of approximately $128 million across multiple blockchain networks. The incident was caused by the exploitation of a precision rounding vulnerability in the Composable Stable Pool's swap calculations. This core logic flaw allowed the threat actor to systematically understate the pool's invariant, which directly suppressed the price of Balancer Pool Tokens (BPT). The estimated loss, including WETH and wstETH, stands at roughly $128 million, making it one of the largest DeFi security events of the year.


Context

Balancer's V2 architecture holds the tokens of every connected pool in a single Vault contract, a design intended to maximize capital efficiency: pools supply only the swap math, while the Vault does the accounting and moves the tokens. The Vault tracks balances per pool, so a flaw in one pool's math does not reach other pools' tokens directly, but it concentrates risk in another way: every pool built from the same code shares the same flaw, and the Vault's batchSwap lets a single transaction exercise that flaw against many of them. This specific Composable Stable Pool code had undergone eleven security audits, demonstrating that even rigorous review can fail to anticipate subtle, low-level arithmetic edge cases.


Analysis

The attack vector was a precision rounding error in the _upscaleArray function, reached through EXACT_OUT swaps in the Vault's batchSwap feature. This function rounds down (mulDown) when scaling raw token balances up to the pool's 18-decimal internal units (which for a token such as wstETH also fold in its exchange rate), so each scaled balance can come out one wei below its true value. At ordinary balances that loss is far below any meaningful precision; at balances of a few wei it is a relative error of several percent. The threat actor therefore first conditioned the pool, executing swaps that pushed token balances down to the 8-9 wei range where the rounding error, relative to the balance, was largest.

By executing a batched sequence of 65+ micro-swaps, the actor compounded these one-wei errors into a large understatement of the pool's invariant (the D value). Because BPT are priced against the invariant, the suppressed D made BPT look cheaper than the assets backing them; the actor acquired BPT at that undervalued price and immediately redeemed them for full-value assets, effectively draining the liquidity.
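The arithmetic behind the 8-9 wei boundary, as an added example rather than Balancer's code: the block below pairs 18-decimal mulDown/mulUp helpers with the textbook StableSwap invariant and computes the invariant twice, once from balances scaled with rounding down and once with rounding up, so the two results bracket the exact value and their gap bounds the pricing error that the rounding direction alone can open. The amplification coefficient, the 1.15 rate on the second token, the balances and the BPT supply are constructed sample values, not the affected pools' parameters.

```python
"""Added illustration (not Balancer's code) of how the rounding direction of a
balance-scaling step moves a StableSwap invariant, and why the effect only
matters at dust-sized balances. The invariant is the textbook StableSwap D
solved by Newton iteration; the fixed-point helpers follow the common
18-decimal mulDown/mulUp convention. All pool parameters are constructed."""

ONE = 10**18  # 18-decimal fixed point: 1.0


def mul_down(a: int, b: int) -> int:
    """a * b / ONE rounded toward zero (the mulDown direction named in the text)."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b / ONE rounded away from zero."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def upscale_array(raw_balances, scaling_factors, round_up=False):
    """Bring raw token balances to 18-decimal, rate-adjusted pool units.

    round_up=False rounds each scaled balance down, the behaviour described
    in the text; round_up=True gives the matching upper bound."""
    scale = mul_up if round_up else mul_down
    return [scale(bal, factor) for bal, factor in zip(raw_balances, scaling_factors)]


def stable_invariant(amp: int, balances, max_iter: int = 255) -> int:
    """StableSwap invariant D for already-scaled, non-zero balances.

    amp is the amplification coefficient A as a plain integer. Newton
    iteration in integer arithmetic, stopping once D moves by at most 1 wei."""
    n = len(balances)
    total = sum(balances)
    if total == 0:
        return 0
    ann = amp * n
    d = total
    for _ in range(max_iter):
        d_p = d
        for x in balances:
            d_p = d_p * d // (x * n)
        d_prev = d
        d = (ann * total + d_p * n) * d // ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - d_prev) <= 1:
            return d
    raise ArithmeticError("invariant did not converge")


def invariant_bracket(amp, raw_balances, scaling_factors):
    """Invariant seen with round-down scaling, with round-up scaling, and the
    relative gap between them. The gap bounds the pricing error an attacker
    can open purely by choosing which side of the rounding a balance lands on."""
    d_down = stable_invariant(amp, upscale_array(raw_balances, scaling_factors))
    d_up = stable_invariant(amp, upscale_array(raw_balances, scaling_factors, round_up=True))
    return d_down, d_up, (d_up - d_down) / d_up


def bpt_price(invariant: int, bpt_supply: int) -> int:
    """Value backing one pool token, in 18-decimal fixed point (D per unit of supply)."""
    return invariant * ONE // bpt_supply


if __name__ == "__main__":
    AMP = 100
    # Constructed: token 0 is a plain 18-decimal asset; token 1 carries a 1.15
    # exchange rate (a yield-bearing wrapper), so scaling its balance can leave
    # a fractional wei that has to be rounded one way or the other.
    SCALING = [ONE, 1_150_000_000_000_000_000]
    for label, raw in [("dust (8 and 9 wei)", [8, 9]),
                       ("dust (80 and 90 wei)", [80, 90]),
                       ("normal (~8 and ~9 tokens)", [8 * ONE + 8, 9 * ONE + 9])]:
        d_down, d_up, gap = invariant_bracket(AMP, raw, SCALING)
        print(f"{label:28s} D_down={d_down} D_up={d_up} relative gap={gap:.2e}")
    # With the invariant understated, every BPT looks cheaper than it is.
    supply = 18
    print("BPT price from rounded-down balances:", bpt_price(18, supply))
    print("BPT price from rounded-up balances:  ", bpt_price(19, supply))
```

At 8 and 9 wei the two invariants differ by more than five percent; at 80 and 90 wei the gap is already under one percent, and at whole-token balances it is on the order of 1e-19. The check a practitioner wants from this is the one the main block prints: run the pool math at the smallest balances a swap can leave behind, not only at realistic ones.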


Parameters

  • Key Metric → $128 Million → Total estimated value of assets drained from Balancer V2 Composable Stable Pools.
  • Vulnerability Type → Precision Rounding Flaw → The specific arithmetic error in the _upscaleArray function that caused invariant manipulation.
  • Affected Chains → Nine Blockchain Networks → The exploit spread across Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic.
  • Attack Duration → Under 30 Minutes → The time taken for the threat actor to execute the entire multi-chain exploitation sequence.


Outlook

Immediate mitigation requires users to withdraw liquidity from any remaining V2 Composable Stable Pools that have not been paused or upgraded. The systemic risk extends to every DeFi protocol that relies on similar StableSwap-style invariants and integer arithmetic for critical financial logic: any scaling or swap step that rounds in the user's favour is a candidate for the same treatment. This event should push the industry beyond traditional code-level audits toward economic verification of rounding and precision logic, for example property tests asserting that every rounding step favours the pool and that the invariant never decreases across a round-trip swap, exercised at dust-sized balances as well as realistic ones.


Verdict

This breach confirms that subtle, low-level arithmetic flaws in core financial logic are a critical, high-impact attack vector, and that the mathematical rigour applied to DeFi smart contract design must extend to adversarial boundary conditions, not just the normal operating range.

Precision rounding, Smart contract flaw, Stable pool invariant, Multi-chain contagion, Automated market maker, DeFi exploit, Batch swap logic, Asset vault, Integer division, Liquidity pool drain, On-chain forensics, Security audit failure, Arithmetic edge case, Protocol vulnerability, Token price manipulation, Vault architecture, Composable pools, Multi-chain exposure, Swap calculation

Signal Acquired from → secureblink.com

Glossary

blockchain networks

Definition ∞ Blockchain networks are distributed ledger systems where transactions are recorded chronologically and immutably across many computers.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

composable stable pools

Definition ∞ Composable stable pools are Balancer liquidity pools for assets expected to trade near parity (stablecoins, or an asset and its yield-bearing wrapper such as WETH and wstETH) that register their own pool token (BPT) as one of the pool's tokens, so the BPT can be swapped for the underlying assets directly and nested in other pools.

invariant manipulation

Definition ∞ Invariant manipulation is a type of exploit where an attacker disrupts the fundamental mathematical relationships or rules designed to be constant within a smart contract or protocol.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

multi-chain

Definition ∞ A multi-chain system refers to an architecture that supports multiple independent blockchain networks.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.