Briefing

The Balancer V2 protocol suffered a catastrophic loss exceeding $120 million after an attacker exploited a fundamental precision rounding flaw in its Composable Stable Pool smart contract logic. This core vulnerability, residing in the integer fixed-point math for token scaling, allowed systematic manipulation of the pool’s invariant (D) value. The primary consequence is a massive, multi-chain liquidity drain impacting all V2 Composable Stable Pools and their forks, demonstrating the compounding risk of microscopic code errors. The total financial damage across affected pools is estimated at over $120 million, underscoring the need for zero tolerance of arithmetic asymmetry in financial primitives.

Context

The incident leveraged a known class of vulnerability related to integer arithmetic and rounding in complex StableSwap-based formulas, a risk factor previously identified in similar DeFi protocols. Furthermore, the specific vulnerability was linked to a similar rounding error first flagged in August 2023, indicating a failure to fully mitigate the systemic risk across all affected pool types. The protocol’s use of a centralized Vault holding tokens for all pools also amplified the risk, allowing a single pool logic flaw to create a multi-chain contagion.

Analysis

The attack vector was rooted in the _upscaleArray function, which uses a mulDown operation for scaling, causing significant relative precision loss when token balances were forced to an extremely low boundary (e.g. 8-9 wei). The attacker first used a large swap to deplete liquidity, then executed a sequence of over 65 micro-swaps within a single batchSwap transaction.

Each micro-swap compounded the precision error, artificially reducing the pool’s Invariant (D) value. This suppressed D value, which determines the Balancer Pool Token (BPT) price, allowed the attacker to acquire BPT at a massive discount and subsequently redeem it for the full underlying asset value, completing the arbitrage.
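The relative size of the rounding loss described above can be measured directly. The following is an added example, not code from Balancer or from the original article: a Python model of 18-decimal fixed-point scaling with a round-down multiply, a round-up counterpart for comparison, and a helper that reports the balance below which truncation loss exceeds a chosen tolerance. The function names, the 1.05 scaling factor and the tolerance are assumptions made for illustration.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates (rounds toward zero)."""
    return (a * b) // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds any remainder up."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1

def upscale_loss(balance: int, scaling_factor: int) -> Fraction:
    """Share of the exact scaled value that mul_down throws away."""
    exact = Fraction(balance * scaling_factor, ONE)
    if exact == 0:
        return Fraction(0)
    return (exact - mul_down(balance, scaling_factor)) / exact

def min_safe_balance(scaling_factor: int, tolerance: Fraction) -> int:
    """Smallest raw balance whose truncation loss is provably below tolerance.

    Truncation discards less than one unit, so loss < 1 / exact; it is
    enough to require exact >= 1 / tolerance.
    """
    q = Fraction(ONE, scaling_factor) / tolerance
    return -(-q.numerator // q.denominator)  # ceiling division

def flag_balances(balances, scaling_factor, tolerance):
    """Return the balances an invariant test should treat as boundary cases."""
    floor = min_safe_balance(scaling_factor, tolerance)
    return [b for b in balances if b < floor]

# Constructed inputs: a 1.05 scaling factor and a one-in-a-million tolerance.
SAMPLE_FACTOR = 1_050_000_000_000_000_000
SAMPLE_TOLERANCE = Fraction(1, 10**6)

if __name__ == "__main__":
    for bal in (8, 9, 10**6, 10**18):
        loss = upscale_loss(bal, SAMPLE_FACTOR)
        print(f"balance={bal:>20} wei  loss={float(loss):.6%}")
    print("minimum safe balance:", min_safe_balance(SAMPLE_FACTOR, SAMPLE_TOLERANCE))
```

With these constructed inputs, balances of 8 and 9 wei each lose 1/21 (about 4.8%) of their scaled value to truncation, while a balance of 10**18 wei loses nothing, which is why boundary balances deserve their own test cases.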

Parameters

  • Key Metric → $120 Million → The estimated total value of assets drained from Balancer V2 Composable Stable Pools and forks.
  • Vulnerability Type → Precision Rounding Error → The root cause was a flaw in the integer fixed-point arithmetic used for token scaling.
  • Affected Contracts → Composable Stable Pools V2 → The specific smart contract type that contained the flawed _upscaleArray logic.
  • Attack Function → batchSwap → The Balancer Vault function used to bundle the micro-swaps and compound the precision loss.
  • Blockchains Impacted → Multi-Chain → The exploit successfully drained pools across multiple networks, including Ethereum and Arbitrum.

Outlook

Immediate user mitigation requires all liquidity providers to withdraw from any remaining V2 Composable Stable Pools or affected forks until a full, audited patch is deployed and verified. The contagion risk is high for any DeFi protocol that has forked the Balancer V2 stable pool math or uses similar integer arithmetic for invariant calculation, mandating an immediate, comprehensive code review of all rounding logic. This incident will establish a new security best practice requiring auditors to specifically test for precision loss at the extreme boundaries of token balances, particularly when combined with batched transaction functionality.

Verdict

This $120 million exploit is a definitive signal that even microscopic rounding errors in core smart contract math can be weaponized into a systemic financial threat, demanding a complete overhaul of fixed-point arithmetic auditing standards.

precision loss vulnerability, smart contract logic, invariant manipulation, automated market maker, composable stable pool, fixed point arithmetic, batch swap function, token price distortion, multi-chain protocol, DeFi systemic risk, liquidity pool drain, integer division error, low liquidity attack, token scaling factor, BPT price suppression

Signal Acquired from → openzeppelin.com

Micro Crypto News Feeds

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

integer arithmetic

Definition ∞ Integer arithmetic involves mathematical operations performed exclusively on whole numbers, without fractions or decimal components.

precision loss

Definition ∞ Precision loss describes the reduction in accuracy of numerical values, often occurring during data processing or storage.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

multi-chain

Definition ∞ A multi-chain system refers to an architecture that supports multiple independent blockchain networks.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.