Briefing

The Balancer V2 protocol suffered a catastrophic loss exceeding $120 million after an attacker exploited a fundamental precision rounding flaw in its Composable Stable Pool smart contract logic. This core vulnerability, residing in the integer fixed-point math for token scaling, allowed for the systematic manipulation of the pool’s invariant (D) value. The primary consequence is a massive, multi-chain liquidity drain impacting all V2 Composable Stable Pools and their forks, demonstrating the compounding risk of microscopic code errors. The total financial damage across affected pools is estimated at over $120 million, underscoring the necessity of zero-tolerance for arithmetic asymmetry in financial primitives.


Context

The incident leveraged a known class of vulnerability related to integer arithmetic and rounding in complex StableSwap-based formulas, a risk factor previously identified in similar DeFi protocols. Furthermore, the specific vulnerability was linked to a similar rounding error first flagged in August 2023, indicating a failure to fully mitigate the systemic risk across all affected pool types. The protocol’s use of a centralized Vault holding tokens for all pools also amplified the risk, allowing a single pool logic flaw to create a multi-chain contagion.


Analysis

The attack vector was rooted in the _upscaleArray function, which uses a mulDown operation for scaling, causing significant relative precision loss when token balances were forced to an extremely low boundary (e.g. 8-9 wei). The attacker first used a large swap to deplete liquidity, then executed a sequence of over 65 micro-swaps within a single batchSwap transaction.

Each micro-swap compounded the precision error, artificially reducing the pool’s Invariant (D) value. This suppressed D value, which determines the Balancer Pool Token (BPT) price, allowed the attacker to acquire BPT at a massive discount and subsequently redeem it for the full underlying asset value, completing the arbitrage.
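The relative precision loss of round-down upscaling at wei-scale balances, as an added example (a Python model, not Balancer's contract code). The 1.05 scaling factor, the tolerance and all function names are constructed for illustration; `min_safe_balance` is the kind of boundary sweep an audit test could run over a pool's scaling factors.

```python
from fractions import Fraction

ONE = 10**18                   # 18-decimal fixed-point unit
SCALING_FACTOR = 105 * 10**16  # constructed sample factor: 1.05 in fixed point


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates, modelling a mulDown operation."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds up, the opposite rounding direction."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def relative_loss(balance: int, scaling_factor: int) -> Fraction:
    """Exact fraction of the scaled value that mul_down throws away."""
    exact = Fraction(balance * scaling_factor, ONE)
    if exact == 0:
        return Fraction(0)
    return (exact - mul_down(balance, scaling_factor)) / exact


def min_safe_balance(scaling_factor: int, tolerance: Fraction,
                     limit: int = 10_000) -> int:
    """Smallest raw balance b such that every balance in [b, limit]
    loses at most `tolerance` of its value when upscaled with mul_down."""
    worst_bad = 0
    for balance in range(1, limit + 1):
        if relative_loss(balance, scaling_factor) > tolerance:
            worst_bad = balance
    return worst_bad + 1


if __name__ == "__main__":
    # Wei-scale balances (the 8-9 wei boundary) versus a normal-sized balance.
    for balance in (8, 9, 9 * 10**18):
        down = mul_down(balance, SCALING_FACTOR)
        up = mul_up(balance, SCALING_FACTOR)
        loss = float(relative_loss(balance, SCALING_FACTOR))
        print(f"balance={balance}: down={down} up={up} loss={loss:.4%}")
    floor = min_safe_balance(SCALING_FACTOR, Fraction(1, 1000))
    print(f"balances below {floor} wei can lose more than 0.1% per upscale")
```

The absolute error of a single truncation is always under one unit, so it is invisible at normal balances and only becomes a material fraction of the value once the balance itself is a handful of wei.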


Parameters

  • Key Metric → $120 Million → The estimated total value of assets drained from Balancer V2 Composable Stable Pools and forks.
  • Vulnerability Type → Precision Rounding Error → The root cause was a flaw in the integer fixed-point arithmetic used for token scaling.
  • Affected Contracts → Composable Stable Pools V2 → The specific smart contract type that contained the flawed _upscaleArray logic.
  • Attack Function → batchSwap → The Balancer Vault function used to bundle the micro-swaps and compound the precision loss.
  • Blockchains Impacted → Multi-Chain → The exploit successfully drained pools across multiple networks, including Ethereum and Arbitrum.


Outlook

Immediate user mitigation requires all liquidity providers to withdraw from any remaining V2 Composable Stable Pools or affected forks until a full, audited patch is deployed and verified. The contagion risk is high for any DeFi protocol that has forked the Balancer V2 stable pool math or uses similar integer arithmetic for invariant calculation, mandating an immediate, comprehensive code review of all rounding logic. This incident will establish a new security best practice requiring auditors to specifically test for precision loss at the extreme boundaries of token balances, particularly when combined with batched transaction functionality.


Verdict

This $120 million exploit is a definitive signal that even microscopic rounding errors in core smart contract math can be weaponized into a systemic financial threat, demanding a complete overhaul of fixed-point arithmetic auditing standards.

Signal Acquired from → openzeppelin.com


composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

integer arithmetic

Definition ∞ Integer arithmetic involves mathematical operations performed exclusively on whole numbers, without fractions or decimal components.

precision loss

Definition ∞ Precision loss describes the reduction in accuracy of numerical values, often occurring during data processing or storage.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

stable pools

Definition ∞ Stable pools are specialized liquidity pools within decentralized finance (DeFi) protocols designed for trading stablecoins or other assets that are pegged to the same value, such as different versions of wrapped Bitcoin.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

multi-chain

Definition ∞ A multi-chain system refers to an architecture that supports multiple independent blockchain networks.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.