Skip to main content
Security

Balancer V2 Stable Pools Drained Exploiting Precision Rounding Logic Flaw

A systemic rounding flaw in Balancer V2's stable math was weaponized via batched micro-swaps, enabling catastrophic invariant manipulation.
November 24, 20254 min

A futuristic, silver-grey metallic mechanism guides a vivid blue, translucent substance through intricate internal channels. The fluid appears to flow dynamically, contained within the sleek, high-tech structure against a deep blue background
A striking abstract form, rendered in luminous blue and translucent material, features an outer surface adorned with numerous small, spherical bubbles, set against a soft, gradient background. Its internal structure reveals complex, layered pathways, suggesting intricate design and functional depth within its fluid contours

Briefing

The Balancer V2 protocol suffered a catastrophic loss exceeding $120 million after an attacker exploited a fundamental precision rounding flaw in its Composable Stable Pool smart contract logic. This core vulnerability, residing in the integer fixed-point math for token scaling, allowed for the systematic manipulation of the pool’s invariant (D) value. The primary consequence is a massive, multi-chain liquidity drain impacting all V2 Composable Stable Pools and their forks, demonstrating the compounding risk of microscopic code errors. The total financial damage across affected pools is estimated at over $120 million, underscoring the necessity of zero-tolerance for arithmetic asymmetry in financial primitives.

The image prominently features a clear, segmented cylindrical vessel filled with a blue, bubbly liquid, alongside a transparent rod extending from its core. This apparatus rests on a surface displaying vibrant blue waveform graphics against a dark background, with blurred metallic components in the periphery

Context

The incident leveraged a known class of vulnerability related to integer arithmetic and rounding in complex StableSwap-based formulas, a risk factor previously identified in similar DeFi protocols. Furthermore, the specific vulnerability was linked to a similar rounding error first flagged in August 2023, indicating a failure to fully mitigate the systemic risk across all affected pool types. The protocol’s use of a centralized Vault holding tokens for all pools also amplified the risk, allowing a single pool logic flaw to create a multi-chain contagion.

A detailed close-up presents a blue, granular, modular device with a prominent central dial. The device's surface is heavily textured, resembling tiny aggregated particles or frozen micro-crystals, while a sleek metallic mechanism with blue and silver rings is precisely positioned on top

Analysis

The attack vector was rooted in the _upscaleArray function, which uses a mulDown operation for scaling, causing significant relative precision loss when token balances were forced to an extremely low boundary (e.g. 8-9 wei). The attacker first used a large swap to deplete liquidity, then executed a sequence of over 65 micro-swaps within a single batchSwap transaction.

Each micro-swap compounded the precision error, artificially reducing the pool’s Invariant (D) value. This suppressed D value, which determines the Balancer Pool Token (BPT) price, allowed the attacker to acquire BPT at a massive discount and subsequently redeem it for the full underlying asset value, completing the arbitrage.

Intricate metallic blue and silver structures form the focal point, detailed with patterns resembling circuit boards and micro-components. Silver, highly reflective strands are tightly wound around a central blue element, while other similar structures blur in the background

Parameters

  • Key Metric ∞ $120 Million ∞ The estimated total value of assets drained from Balancer V2 Composable Stable Pools and forks.
  • Vulnerability Type ∞ Precision Rounding Error ∞ The root cause was a flaw in the integer fixed-point arithmetic used for token scaling.
  • Affected Contracts ∞ Composable Stable Pools V2 ∞ The specific smart contract type that contained the flawed _upscaleArray logic.
  • Attack Function ∞ batchSwap ∞ The Balancer Vault function used to bundle the micro-swaps and compound the precision loss.
  • Blockchains ImpactedMulti-Chain ∞ The exploit successfully drained pools across multiple networks, including Ethereum and Arbitrum.

Polished blue and metallic mechanical components integrate with a translucent, organic-like network structure, featuring a glowing blue conduit. This intricate visual symbolizes advanced blockchain architecture and the underlying distributed ledger technology DLT powering modern web3 infrastructure

Outlook

Immediate user mitigation requires all liquidity providers to withdraw from any remaining V2 Composable Stable Pools or affected forks until a full, audited patch is deployed and verified. The contagion risk is high for any DeFi protocol that has forked the Balancer V2 stable pool math or uses similar integer arithmetic for invariant calculation, mandating an immediate, comprehensive code review of all rounding logic. This incident will establish a new security best practice requiring auditors to specifically test for precision loss at the extreme boundaries of token balances, particularly when combined with batched transaction functionality.

An abstract geometric composition features two luminous, faceted blue crystalline rods intersecting at the center, surrounded by an intricate framework of dark blue and metallic silver blocks. The crystals glow with an internal light, suggesting precision and value, while the structural elements create a sense of depth and interconnectedness, all set against a soft grey background

Verdict

This $120 million exploit is a definitive signal that even microscopic rounding errors in core smart contract math can be weaponized into a systemic financial threat, demanding a complete overhaul of fixed-point arithmetic auditing standards.

precision loss vulnerability, smart contract logic, invariant manipulation, automated market maker, composable stable pool, fixed point arithmetic, batch swap function, token price distortion, multi-chain protocol, DeFi systemic risk, liquidity pool drain, integer division error, low liquidity attack, token scaling factor, BPT price suppression Signal Acquired from ∞ openzeppelin.com

Micro Crypto News Feeds

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

integer arithmetic

Definition ∞ Integer arithmetic involves mathematical operations performed exclusively on whole numbers, without fractions or decimal components.

precision loss

Definition ∞ Precision loss describes the reduction in accuracy of numerical values, often occurring during data processing or storage.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

multi-chain

Definition ∞ A multi-chain system refers to an architecture that supports multiple independent blockchain networks.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

Tags:

Tags: