Briefing

The Balancer V2 protocol suffered a catastrophic multi-chain exploit targeting its Composable Stable Pools, resulting in a systemic drain of user-provided liquidity. This attack leveraged a combination of a faulty access control check and a critical rounding error within the batchSwap function, allowing the manipulation of internal pool balances before withdrawal. The immediate consequence is a loss of approximately $128.6 million in diverse digital assets across nine separate blockchain networks, highlighting a profound vulnerability in widely forked V2 smart contract logic.

Context

The prevailing security posture for complex DeFi protocols like Balancer V2, which utilize advanced features such as internal token balances and batch swaps, inherently presents a large attack surface. Prior to this incident, the risk of logic flaws in highly integrated, multi-function smart contracts, especially those managing liquidity across numerous chains, was a known, high-severity factor, often compounded by the difficulty of formally verifying all possible state transitions. The use of custom pool logic, such as the Composable Stable Pool design, introduced bespoke risk factors that were not fully mitigated by standard audits.

Analysis

The attack vector was a sophisticated manipulation of the pool’s internal accounting, specifically targeting the manageUserBalance function which failed to correctly validate withdrawal permissions. The attacker exploited a rounding direction flaw in the EXACT_OUT transaction upscale function, combining it with the batchSwap feature’s deferred settlement capability. This allowed the attacker to treat the Pool’s LP tokens (BPT) as regular tokens, bypassing minimum supply limits and driving the pool’s liquidity to extremely low values. By repeatedly executing this sequence, the attacker was able to manipulate the pool’s internal balance and systematically extract value before finally withdrawing the substantial accumulated funds.
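To make the rounding-direction point concrete, here is an added example that is not Balancer's code and does not reproduce its stable-pool math. It models an EXACT_OUT quote on a toy constant-product invariant (an assumption for illustration), with the three conversions such a quote goes through: upscaling the requested output into 18-decimal internal units, the invariant computation, and downscaling the owed input back to token units. Each conversion has a rounding direction, and the example shows, on a pool whose balance has been driven very low, how rounding the upscale in the caller's favour lets the caller pay less than the invariant requires, while pool-favouring rounding never does. The exact-rational oracle and the randomised check at the end are the kind of property test a reviewer would want around this code; the token decimals and rates are constructed values.

```python
from fractions import Fraction
import random

ONE = 10**18  # 18-decimal fixed point, the convention common to DeFi math libraries


def mul_down(a, b):
    """a * b / ONE, rounded down."""
    return a * b // ONE


def mul_up(a, b):
    """a * b / ONE, rounded up."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_down(a, b):
    """a * ONE / b, rounded down."""
    return a * ONE // b


def div_up(a, b):
    """a * ONE / b, rounded up."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def scaling_factor(decimals, rate):
    """Fixed-point factor mapping token units to internal 18-decimal units.
    Assumption for this example: the factor folds in a per-token rate, so it is
    not a plain power of ten and conversions in both directions must round."""
    return 10 ** (18 - decimals) * rate


def quote_exact_out(r_in, r_out, sf_in, sf_out, amount_out_tok, favour_pool):
    """How much token_in (token units) a caller must pay to receive
    amount_out_tok of token_out, on a toy constant-product invariant (assumed,
    not the stable-pool math in the article). Three conversions happen, each
    with a rounding direction, and all three must go the pool's way."""
    # 1. upscale the requested output into internal units (the EXACT_OUT upscale)
    out_int = mul_up(amount_out_tok, sf_out) if favour_pool else mul_down(amount_out_tok, sf_out)
    if out_int >= r_out:
        raise ValueError("request exceeds pool balance")
    # 2. invariant math: amount_in = r_in * out / (r_out - out)
    num, den = r_in * out_int, r_out - out_int
    in_int = -(-num // den) if favour_pool else num // den
    # 3. downscale the owed amount into the token units the caller transfers
    return div_up(in_int, sf_in) if favour_pool else div_down(in_int, sf_in)


def invariant_holds(r_in, r_out, sf_in, sf_out, amount_out_tok, in_tok):
    """Exact-arithmetic oracle: did the tokens that actually moved keep
    r_in * r_out from decreasing? Rationals, so no rounding hides a shortfall."""
    in_exact = Fraction(in_tok * sf_in, ONE)
    out_exact = Fraction(amount_out_tok * sf_out, ONE)
    return (r_in + in_exact) * (r_out - out_exact) >= r_in * r_out


# Constructed tokens: token_in has 18 decimals and rate 3.0; token_out has 6
# decimals and a rate of 1 + 1e-18, so neither scaling factor is a round number.
SF_IN = scaling_factor(18, 3 * ONE)
SF_OUT = scaling_factor(6, ONE + 1)


def shortfall_case():
    """A pool drained to a tiny token_in balance: the same request passes the
    oracle with pool-favouring rounding and fails with caller-favouring rounding.
    Returns {favour_pool: (amount charged in token units, oracle verdict)}."""
    r_in, r_out, amount_out_tok = 10, 2 * 10**12, 1
    results = {}
    for favour_pool in (True, False):
        in_tok = quote_exact_out(r_in, r_out, SF_IN, SF_OUT, amount_out_tok, favour_pool)
        results[favour_pool] = (in_tok, invariant_holds(r_in, r_out, SF_IN, SF_OUT, amount_out_tok, in_tok))
    return results


def count_violations(favour_pool, trials=500, seed=1):
    """Randomised check over small pools, the property-style test the Outlook
    section argues for. Returns how many quotes failed the exact oracle."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        r_in = rng.randint(1, 10**6)              # deliberately small reserve
        r_out = rng.randint(10**18, 10**19)
        amount_out_tok = rng.randint(1, 10**5)
        in_tok = quote_exact_out(r_in, r_out, SF_IN, SF_OUT, amount_out_tok, favour_pool)
        if not invariant_holds(r_in, r_out, SF_IN, SF_OUT, amount_out_tok, in_tok):
            bad += 1
    return bad


if __name__ == "__main__":
    print(shortfall_case())
    print("violations, pool-favouring rounding:", count_violations(True))
    print("violations, caller-favouring rounding:", count_violations(False))
```

In the constructed case the caller-favouring path charges 3 token units where the invariant requires more than 9 internal units of value, and the oracle rejects it; the pool-favouring path charges 4 and passes. The randomised run reports zero violations for pool-favouring rounding and a violation on every trial for caller-favouring rounding, because each lost fraction is large relative to a reserve that has already been driven to a handful of units. The design point is that the oracle compares against exact rationals rather than against the implementation's own fixed-point helpers, so it cannot share the implementation's rounding bias.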

Parameters

  • Initial Loss Metric → $128.6 Million – The estimated total value of assets drained from Balancer V2 and its forks across all affected chains.
  • Vulnerability Type → Rounding Error & Access Control Flaw – The specific combination of logic errors in the batchSwap and balance management functions that enabled the exploit.
  • Affected Components → Composable Stable Pools V2 – The primary smart contract architecture targeted by the attack.
  • Affected Blockchains → Nine Chains – The total number of separate networks, including Ethereum, Arbitrum, and Polygon, where the vulnerability was exploited.

Outlook

Immediate user mitigation involves withdrawing all assets from unpaused, affected Composable Stable Pools and monitoring for official recovery updates. This incident will inevitably trigger a high-priority, system-wide security review across all protocols that have forked or integrated Balancer V2’s code, presenting a significant contagion risk for the broader multi-chain DeFi ecosystem. New security best practices will focus on mandatory, rigorous formal verification of all custom pool logic and internal balance management functions, moving beyond standard unit testing to prevent precision-based exploits.

Verdict

This multi-chain exploit represents a systemic failure in complex DeFi smart contract logic, proving that even well-established protocols remain critically vulnerable to precision-based and access control flaws that bypass conventional audit scopes.

Signal Acquired from → protos.com

Micro Crypto News Feeds

composable stable pools

Definition ∞ Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

composable stable pool

Definition ∞ A composable stable pool is a type of liquidity pool in decentralized finance designed to facilitate efficient swaps between various stablecoins while allowing for integration with other DeFi protocols.

internal balance

Definition ∞ Internal balance refers to the amount of funds or assets held within a specific platform or system.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

access control flaw

Definition ∞ An access control flaw permits unauthorized users to perform actions they should not be able to.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

custom pool logic

Definition ∞ Custom pool logic refers to specialized rules governing a liquidity pool within a decentralized exchange.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.