
Briefing

The Balancer V2 protocol suffered a catastrophic security breach on November 3, 2025, resulting in the theft of approximately $128 million across multiple blockchain networks. The incident was caused by a sophisticated exploitation of a precision rounding vulnerability within the Composable Stable Pool’s swap calculation mechanisms. This core logic flaw allowed the threat actor to systematically manipulate the pool’s invariant, which directly suppressed the price of Balancer Pool Tokens (BPT). The total confirmed loss of assets, including WETH and wstETH, is quantified at $128 million, making it one of the largest DeFi security events of the year.


Context

Balancer’s V2 architecture utilizes a centralized Vault contract to hold tokens for all connected pools, a design intended to maximize capital efficiency. However, this architecture creates a single point of failure, meaning a vulnerability in a single pool type’s logic exposes all assets within the Vault. This specific class of Composable Stable Pool had undergone eleven security audits, demonstrating that even rigorous review can fail to anticipate subtle, low-level arithmetic edge cases.


Analysis

The attack vector was a precision rounding error in the _upscaleArray function used for EXACT_OUT swaps within the batchSwap feature. This function incorrectly used downward rounding (mulDown) when scaling token balances, introducing a microscopic discrepancy into the pool’s accounting. The threat actor first conditioned the pool by executing swaps to push token balances to the specific 8-9 wei numerical boundary where the rounding error was maximized.

By executing a batched sequence of 65+ micro-swaps, the actor compounded these tiny, one-wei errors into a catastrophic manipulation of the pool’s invariant (D value). This artificial invariant reduction suppressed the BPT price, allowing the threat actor to mint undervalued BPT and immediately redeem them for full-value assets, effectively draining the liquidity.
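An added illustration of the arithmetic described above; this is not Balancer's code or anything recovered from the incident. It assumes Balancer-style 18-decimal fixed point, a Curve-style Newton iteration for the StableSwap invariant D, a constructed three-token pool in which the first token carries a 1.05 rate, and constructed balances at the 9 wei boundary, and shows that rounding the scaled balances down understates D while a non-decreasing-invariant post-condition flags the discrepancy.

```python
# Added illustration (not Balancer's code): why rounding direction matters when
# scaling tiny pool balances, measured with a Curve-style StableSwap invariant.
ONE = 10**18            # 18-decimal fixed point, as in Balancer's FixedPoint
AMP_PRECISION = 1000    # amplification stored with 3 extra decimals (assumed)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply rounding toward zero (the mulDown direction)."""
    return a * b // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply rounding away from zero (the mulUp direction)."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1

def upscale_balances(balances, scaling_factors, round_up: bool):
    """Scale raw balances to 18 decimals; the pool should round in its own favour."""
    f = mul_up if round_up else mul_down
    return [f(b, s) for b, s in zip(balances, scaling_factors)]

def stable_invariant(amp: int, balances, max_iter: int = 255) -> int:
    """Newton iteration for the StableSwap invariant D (Curve/Balancer family)."""
    n = len(balances)
    s = sum(balances)
    if s == 0:
        return 0
    if min(balances) <= 0:
        raise ValueError("every balance must be positive")
    d = s
    ann = amp * n
    for _ in range(max_iter):
        d_p = d
        for b in balances:
            d_p = d_p * d // (b * n)
        d_prev = d
        d = ((ann * s // AMP_PRECISION + d_p * n) * d) // (
            (ann - AMP_PRECISION) * d // AMP_PRECISION + (n + 1) * d_p)
        if abs(d - d_prev) <= 1:
            return d
    raise ArithmeticError("invariant did not converge")

def swap_keeps_invariant(d_before: int, d_after: int) -> bool:
    """Post-condition a pool or an off-chain monitor can enforce: D never shrinks on a swap."""
    return d_after >= d_before

# Constructed sample: three tokens, the first with a 1.05 rate, pool almost empty.
AMP = 100 * AMP_PRECISION
FACTORS = [105 * 10**16, ONE, ONE]
TINY = [9, 9, 9]
D_DOWN = stable_invariant(AMP, upscale_balances(TINY, FACTORS, round_up=False))
D_UP = stable_invariant(AMP, upscale_balances(TINY, FACTORS, round_up=True))
```

With the sample balances D_DOWN is 27 and D_UP is 28: a single wei lost to mulDown on a 9 wei balance moves D by several percent, whereas at realistic balances the same call is exact to within a negligible fraction.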


Parameters

  • Key Metric: $128 Million. Total estimated value of assets drained from Balancer V2 Composable Stable Pools.
  • Vulnerability Type: Precision Rounding Flaw. The specific arithmetic error in the _upscaleArray function that caused invariant manipulation.
  • Affected Chains: Nine Blockchain Networks. The exploit spread across Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic.
  • Attack Duration: Under 30 Minutes. The time taken for the threat actor to execute the entire multi-chain exploitation sequence.


Outlook

Immediate mitigation requires all users to withdraw liquidity from any remaining V2 Composable Stable Pools that have not been paused or upgraded. The systemic risk of this incident extends to all DeFi protocols that rely on similar StableSwap-based mathematical invariants and integer-based arithmetic for critical financial logic. This event will establish a new security best practice, mandating a formal, economic-level verification of all rounding and precision logic, moving beyond traditional code-level audits to focus on adversarial economic boundary conditions.


Verdict

This breach confirms that subtle, low-level arithmetic flaws in core financial logic are a critical, high-impact attack vector, necessitating a complete re-evaluation of mathematical rigor in all DeFi smart contract design.

Keywords: Precision rounding, Smart contract flaw, Stable pool invariant, Multi-chain contagion, Automated market maker, DeFi exploit, Batch swap logic, Asset vault, Integer division, Liquidity pool drain, On-chain forensics, Security audit failure, Arithmetic edge case, Protocol vulnerability, Token price manipulation, Vault architecture, Composable pools, Multi-chain exposure, Swap calculation

Signal Acquired from secureblink.com

Micro Crypto News Feeds

blockchain networks

Definition ∞ Blockchain networks are distributed ledger systems where transactions are recorded chronologically and immutably across many computers.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

invariant manipulation

Definition ∞ Invariant manipulation is a type of exploit where an attacker disrupts the fundamental mathematical relationships or rules designed to be constant within a smart contract or protocol.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

multi-chain

Definition ∞ A multi-chain system refers to an architecture that supports multiple independent blockchain networks.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.