Briefing

The Balancer V2 protocol suffered a catastrophic multi-chain exploit, resulting in the loss of over $128 million in digital assets from its Composable Stable Pools. The primary consequence is a significant capital impairment across six major networks, fundamentally challenging the trust in complex DeFi primitive designs. Forensic analysis points to a critical rounding error within the batchSwap function, which was leveraged to illegitimately withdraw funds from the protocol’s main vault. The total financial impact quantifies the event as one of the largest smart contract exploits of the year.

Context

The prevailing security posture for complex Automated Market Makers (AMMs) has long been characterized by systemic risk in composable designs, where interactions between multiple smart contracts create an expanded attack surface. This incident specifically leveraged a known class of vulnerability in pool logic, namely precision and rounding errors, which are notoriously difficult to detect in pre-deployment audits of highly customized pool types. The use of boosted pools, which rely on external protocols for yield, introduced an implicit dependency that amplified the exploit’s financial impact.

Analysis

The attacker exploited a rounding error in the batchSwap function, which manages multi-token exchanges within the Balancer Vault architecture. By performing a sequence of carefully timed transactions, the attacker manipulated the internal accounting of the Composable Stable Pools. This manipulation, combined with a faulty access control mechanism, allowed the attacker to repeatedly push the pool’s liquidity below its safe threshold and siphon off large quantities of underlying assets like osETH and wstETH directly from the vault. The successful execution was a direct result of exploiting deferred settlement logic inherent in the pool’s design.

Parameters

  • Total Funds Drained → $128 Million (The estimated value of assets lost across all affected chains).
  • Vulnerability Type → Rounding Error Flaw (A precision error in the batchSwap smart contract logic).
  • Affected Chains → Six Networks (The exploit successfully compromised pools on Ethereum, Base, Arbitrum, Polygon, Optimism, and Sonic).

Outlook

Immediate user mitigation requires revoking all token approvals granted to the compromised Balancer V2 contracts to prevent further draining. This event introduces significant contagion risk for other DeFi protocols utilizing similar boosted pool architectures or relying on Balancer as a core liquidity primitive. The incident will establish new security best practices mandating formal verification specifically targeting precision, rounding, and access control logic in multi-token swap functions before any deployment.
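
A small property test of the kind that rounding-focused verification would formalize, added here as an example; it is not code from the source article or from Balancer. The constant-product toy pool, the function names and the balance ranges are all assumptions made for illustration, and the pool math is far simpler than a stable pool's.

```python
# Toy constant-product pool in integer math. A simplification chosen for this
# example: it is NOT Balancer's stable-pool math or its batchSwap code.
import random

def amount_out(bal_in, bal_out, amt_in, round_up):
    """Tokens paid out for amt_in. round_up=True rounds in the trader's favour,
    round_up=False (floor) rounds in the pool's favour."""
    num = bal_out * amt_in
    den = bal_in + amt_in
    return -(-num // den) if round_up else num // den

def swap(pool, i, o, amt_in, round_up):
    """Apply one swap to pool (a 2-item list of balances); return amount out."""
    out = amount_out(pool[i], pool[o], amt_in, round_up)
    pool[i] += amt_in
    pool[o] -= out
    return out

def check_rounding(round_up, trials=2000, seed=1):
    """Property test over constructed random inputs. Two properties must hold:
    (1) the invariant x*y never decreases after a swap;
    (2) swapping there and back never returns more than was put in.
    Returns (invariant_violations, profitable_round_trips)."""
    rng = random.Random(seed)
    inv_bad = trips_bad = 0
    for _ in range(trials):
        # Small balances on purpose: one unit of rounding matters most there.
        pool = [rng.randint(5, 500), rng.randint(5, 500)]
        amt = rng.randint(1, 50)
        k_before = pool[0] * pool[1]
        got = swap(pool, 0, 1, amt, round_up)
        if pool[0] * pool[1] < k_before:
            inv_bad += 1
        if got > 0:
            back = swap(pool, 1, 0, got, round_up)
            if back > amt:
                trips_bad += 1
    return inv_bad, trips_bad

if __name__ == "__main__":
    print("round toward pool  :", check_rounding(round_up=False))
    print("round toward trader:", check_rounding(round_up=True))
```

Rounding toward the pool passes both properties on every trial, while rounding toward the trader fails them; a real review would assert the same properties against the production math and its scaling steps.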

Verdict

This $128 million breach serves as a definitive validation that even rigorously audited DeFi primitives remain susceptible to catastrophic failure from subtle, system-level precision errors.

Signal Acquired from → bankinfosecurity.com
