Briefing

The Balancer V2 protocol suffered a catastrophic $128 million exploit targeting its Composable Stable Pools across seven major EVM chains, including Ethereum and Arbitrum. A deep logic flaw in the core vault’s manageUserBalance function enabled the attacker to execute unauthorized internal withdrawals by impersonating legitimate users, a mechanism distinct from a flash loan attack. The event resulted in a significant loss of liquidity provider funds, underscoring the systemic risk inherent in complex, composable DeFi architectures; the total quantifiable loss is approximately $128 million.

Context

Complex DeFi vaults, managing aggregated liquidity across multiple assets and chains, present a known attack surface because of the inherent complexity of their internal accounting logic. Despite multiple audits, the system contained a subtle but critical failure in access control within the V2 architecture: the contract logic did not adequately validate the true source of a withdrawal operation against the authorized user. This pre-existing class of vulnerability highlights the difficulty of fully securing contracts that manage internal balances and external calls simultaneously.

Analysis

The attack vector leveraged a specific flaw in the V2 Composable Stable Pool’s implementation of the manageUserBalance function. The vulnerability stemmed from an inadequate check on the op.sender parameter during the UserBalanceOpKind.WITHDRAW_INTERNAL operation, allowing the attacker to bypass the intended authorization logic. By crafting a malicious transaction, the attacker was able to trick the vault into processing an internal withdrawal as if it were requested by an authorized pool owner, effectively draining assets from the pools’ internal balances across the affected chains before converting the majority of the stolen funds to Ether.
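
As an added illustration (not Balancer's code and not part of the original briefing), the hypothetical MiniVault below models the check the Analysis describes: every user-balance op must be authenticated for its op.sender before a WITHDRAW_INTERNAL is executed. Apart from manageUserBalance, UserBalanceOpKind.WITHDRAW_INTERNAL and op.sender, which appear in the text, all names (MiniVault, approvedRelayer, _authenticateFor, _execute, depositInternal, setRelayerApproval) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal vault written for this briefing; it is not Balancer's
// Vault. It isolates the check the Analysis describes: an internal-balance
// withdrawal must be authorised for op.sender, not just taken at face value.
contract MiniVault {
    enum UserBalanceOpKind { WITHDRAW_INTERNAL }
    struct UserBalanceOp {
        UserBalanceOpKind kind;
        address asset;
        uint256 amount;
        address sender;     // account whose internal balance is debited
        address recipient;  // account credited
    }

    mapping(address => mapping(address => uint256)) public internalBalance; // user => asset => amount
    mapping(address => mapping(address => bool)) public approvedRelayer;    // user => relayer => ok

    function depositInternal(address asset, uint256 amount) external {
        // Token transfer-in omitted; only the internal accounting matters here.
        internalBalance[msg.sender][asset] += amount;
    }

    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
    }

    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            // The essential check: the caller must be op.sender or a relayer that
            // op.sender has approved. Skipping it lets any caller name another
            // account as sender and move that account's internal balance.
            _authenticateFor(ops[i].sender);
            _execute(ops[i]);
        }
    }

    function _authenticateFor(address user) internal view {
        require(msg.sender == user || approvedRelayer[user][msg.sender], "MiniVault: caller not authorised for sender");
    }

    function _execute(UserBalanceOp calldata op) internal {
        if (op.kind != UserBalanceOpKind.WITHDRAW_INTERNAL) return;
        uint256 bal = internalBalance[op.sender][op.asset];
        require(bal >= op.amount, "MiniVault: insufficient internal balance");
        internalBalance[op.sender][op.asset] = bal - op.amount;
        internalBalance[op.recipient][op.asset] += op.amount; // credited in-vault; a real vault would transfer out
    }
}
```

With the check in place, an op whose sender neither sent the transaction nor approved the caller as a relayer reverts before any balance moves, which is the property an audit or formal specification of such a function should pin down.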

Parameters

  • Total Funds Drained → $128 Million – The estimated total loss across all affected chains from the exploit.
  • Affected Chains → Seven EVM Blockchains – Including Ethereum, Arbitrum, Base, Optimism, Polygon, Sonic, and Berachain.
  • Vulnerable Component → manageUserBalance Function – The specific smart contract function containing the faulty access control logic.
  • Recovery Percentage → Approximately 15% – Funds recovered by protocols like StakeWise and Berachain through emergency measures.

Outlook

Immediate mitigation requires all users to withdraw liquidity from any remaining V2 Composable Stable Pools on affected chains, since the underlying vulnerability presents a critical risk until a complete, verified patch is deployed. This event creates a heightened contagion risk for all protocols utilizing Balancer’s V2 pools or similar composable vault architectures, demanding immediate review of all integrated access control and internal accounting functions. The incident establishes new security best practices mandating formal verification of all internal balance management functions, moving beyond traditional auditing to address subtle logic flaws in highly complex DeFi primitives.

Verdict

The Balancer V2 exploit is a decisive failure of complex smart contract access control, confirming that composable DeFi architectures introduce critical, subtle logic vulnerabilities that are resistant to standard auditing practices.

Signal Acquired from → crypto.news