Briefing

The Balancer V2 protocol suffered a catastrophic loss exceeding $120 million after an attacker exploited a fundamental precision rounding flaw in its Composable Stable Pool smart contract logic. This core vulnerability, residing in the integer fixed-point math for token scaling, allowed for the systematic manipulation of the pool’s invariant (D) value. The primary consequence is a massive, multi-chain liquidity drain impacting all V2 Composable Stable Pools and their forks, demonstrating the compounding risk of microscopic code errors. The total financial damage across affected pools is estimated at over $120 million, underscoring the necessity of zero-tolerance for arithmetic asymmetry in financial primitives.


Context

The incident leveraged a known class of vulnerability related to integer arithmetic and rounding in complex StableSwap-based formulas, a risk factor previously identified in similar DeFi protocols. Furthermore, the specific vulnerability was linked to a similar rounding error first flagged in August 2023, indicating a failure to fully mitigate the systemic risk across all affected pool types. The protocol’s use of a centralized Vault holding tokens for all pools also amplified the risk, allowing a single pool logic flaw to create a multi-chain contagion.


Analysis

The attack vector was rooted in the _upscaleArray function, which uses a mulDown operation for scaling, causing significant relative precision loss when token balances were forced to an extremely low boundary (e.g. 8-9 wei). The attacker first used a large swap to deplete liquidity, then executed a sequence of over 65 micro-swaps within a single batchSwap transaction.

Each micro-swap compounded the precision error, artificially reducing the pool’s Invariant (D) value. This suppressed D value, which determines the Balancer Pool Token (BPT) price, allowed the attacker to acquire BPT at a massive discount and subsequently redeem it for the full underlying asset value, completing the arbitrage.
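The relative precision loss at very low balances can be measured directly. The sketch below is an added example, not code from Balancer or from the original page: it models mulDown and mulUp as 18-decimal fixed-point multiplies and checks where truncation becomes material. The 1.05 scaling factor, the sample balances and the 1 ppm threshold are constructed assumptions.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates the remainder."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds any remainder up."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def relative_loss(balance: int, scaling_factor: int) -> Fraction:
    """Share of the exact upscaled value that mul_down discards."""
    exact = Fraction(balance * scaling_factor, ONE)
    if exact == 0:
        return Fraction(0)
    return (exact - mul_down(balance, scaling_factor)) / exact


def flag_lossy_balances(balances, scaling_factor, max_loss=Fraction(1, 10**6)):
    """Boundary check: balances whose truncation loss exceeds max_loss."""
    return [b for b in balances if relative_loss(b, scaling_factor) > max_loss]


# Constructed inputs: a non-integer scaling factor (1.05 in fixed point)
# and balances from the 8-9 wei boundary up to a normally funded pool.
SAMPLE_FACTOR = 105 * 10**16
SAMPLE_BALANCES = [8, 9, 10**6, 10**18 + 1, 10**24]

if __name__ == "__main__":
    for bal in SAMPLE_BALANCES:
        loss = relative_loss(bal, SAMPLE_FACTOR)
        spread = mul_up(bal, SAMPLE_FACTOR) - mul_down(bal, SAMPLE_FACTOR)
        print(f"balance={bal:>26} loss={float(loss):.3e} up-down spread={spread}")
    print("flagged:", flag_lossy_balances(SAMPLE_BALANCES, SAMPLE_FACTOR))
```

At 8 and 9 wei the truncated result loses 1/21 (about 4.8%) of the exact value, while the same one-unit truncation on a normally funded balance is negligible. A fuzz or invariant test can use the same comparison to assert a loss bound across the full balance range.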


Parameters

  • Key Metric → $120 Million → The estimated total value of assets drained from Balancer V2 Composable Stable Pools and forks.
  • Vulnerability Type → Precision Rounding Error → The root cause was a flaw in the integer fixed-point arithmetic used for token scaling.
  • Affected Contracts → Composable Stable Pools V2 → The specific smart contract type that contained the flawed _upscaleArray logic.
  • Attack Function → batchSwap → The Balancer Vault function used to bundle the micro-swaps and compound the precision loss.
  • Blockchains Impacted → Multi-Chain → The exploit successfully drained pools across multiple networks, including Ethereum and Arbitrum.


Outlook

Immediate user mitigation requires all liquidity providers to withdraw from any remaining V2 Composable Stable Pools or affected forks until a full, audited patch is deployed and verified. The contagion risk is high for any DeFi protocol that has forked the Balancer V2 stable pool math or uses similar integer arithmetic for invariant calculation, mandating an immediate, comprehensive code review of all rounding logic. This incident will establish a new security best practice requiring auditors to specifically test for precision loss at the extreme boundaries of token balances, particularly when combined with batched transaction functionality.


Verdict

This $120 million exploit is a definitive signal that even microscopic rounding errors in core smart contract math can be weaponized into a systemic financial threat, demanding a complete overhaul of fixed-point arithmetic auditing standards.

Signal Acquired from → openzeppelin.com
