Briefing

The Balancer V2 protocol suffered a catastrophic multi-chain exploit targeting its Composable Stable Pools, resulting in a systemic drain of user-provided liquidity. This attack leveraged a combination of a faulty access control check and a critical rounding error within the batchSwap function, allowing the manipulation of internal pool balances before withdrawal. The immediate consequence is a loss of approximately $128.6 million in diverse digital assets across nine separate blockchain networks, highlighting a profound vulnerability in widely forked V2 smart contract logic.


Context

The prevailing security posture for complex DeFi protocols like Balancer V2, which utilize advanced features such as internal token balances and batch swaps, inherently presents a large attack surface. Prior to this incident, the risk of logic flaws in highly integrated, multi-function smart contracts, especially those managing liquidity across numerous chains, was a known, high-severity factor, often compounded by the difficulty of formally verifying all possible state transitions. The use of custom pool logic, such as the Composable Stable Pool design, introduced bespoke risk factors that were not fully mitigated by standard audits.


Analysis

The attack vector was a sophisticated manipulation of the pool’s internal accounting, specifically targeting the manageUserBalance function which failed to correctly validate withdrawal permissions. The attacker exploited a rounding direction flaw in the EXACT_OUT transaction upscale function, combining it with the batchSwap feature’s deferred settlement capability. This allowed the attacker to treat the Pool’s LP tokens (BPT) as regular tokens, bypassing minimum supply limits and driving the pool’s liquidity to extremely low values. By repeatedly executing this sequence, the attacker was able to manipulate the pool’s internal balance and systematically extract value before finally withdrawing the substantial accumulated funds.


Parameters

  • Initial Loss Metric: $128.6 Million – The estimated total value of assets drained from Balancer V2 and its forks across all affected chains.
  • Vulnerability Type: Rounding Error & Access Control Flaw – The specific combination of logic errors in the batchSwap and balance management functions that enabled the exploit.
  • Affected Components: Composable Stable Pools V2 – The primary smart contract architecture targeted by the attack.
  • Affected Blockchains: Nine Chains – The total number of separate networks, including Ethereum, Arbitrum, and Polygon, where the vulnerability was exploited.


Outlook

Immediate user mitigation involves withdrawing all assets from unpaused, affected Composable Stable Pools and monitoring for official recovery updates. This incident will inevitably trigger a high-priority, system-wide security review across all protocols that have forked or integrated Balancer V2’s code, presenting a significant contagion risk for the broader multi-chain DeFi ecosystem. New security best practices will focus on mandatory, rigorous formal verification of all custom pool logic and internal balance management functions, moving beyond standard unit testing to prevent precision-based exploits.
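The rounding-direction point raised in the Analysis and the call above for invariant-style testing of precision-sensitive code can be made concrete. The following Python is an added example and is not Balancer's code: it models an EXACT_OUT quote passing through a toy 1:1 pool with 18-decimal fixed-point scaling factors (the rate-provider value, the token amounts and the helper names are all constructed for illustration), then runs a randomized invariant check that the pool never gives out more value than it takes in. The only difference between the leaking and the safe path is which way each scaling step rounds.

```python
"""Added example (not Balancer's code): rounding direction in an EXACT_OUT quote.

Assumptions (constructed for illustration):
  - amounts are scaled into 18-decimal internal units with mulDown/mulUp style
    fixed-point helpers, as many AMMs do;
  - the pool math itself is a trivial 1:1 constant-sum rule, so that only the
    scaling steps can introduce error;
  - the out-token has a non-round "rate" so that scaling is never exact.
"""
from fractions import Fraction
import random

ONE = 10**18  # 18-decimal fixed-point unit (assumed convention)

# Constructed scaling factors: in-token is a plain 18-decimal token (rate 1),
# out-token carries a rate-provider value of ~1.0371 (last digits chosen so
# that products are never a multiple of ONE).
SF_IN = ONE
SF_OUT = 1_037_100_000_000_000_123


def mul_down(a: int, b: int) -> int:
    """a * b / ONE, rounded toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b / ONE, rounded up (ceil) for non-zero products."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """a * ONE / b, rounded toward zero."""
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    """a * ONE / b, rounded up (ceil) for non-zero numerators."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def upscale(amount: int, scaling_factor: int, round_up: bool) -> int:
    """Raw token units -> 18-decimal internal units."""
    return mul_up(amount, scaling_factor) if round_up else mul_down(amount, scaling_factor)


def downscale(amount: int, scaling_factor: int, round_up: bool) -> int:
    """18-decimal internal units -> raw token units."""
    return div_up(amount, scaling_factor) if round_up else div_down(amount, scaling_factor)


def exact_out_amount_in(amount_out_raw: int, sf_in: int, sf_out: int, pool_favouring: bool) -> int:
    """Quote the amountIn a user must pay to receive exactly amount_out_raw.

    pool_favouring=True rounds every step against the caller: the requested
    out-amount is upscaled UP so the internal figure never understates what
    leaves the pool, and the amountIn is downscaled UP so the caller never
    underpays.  pool_favouring=False rounds both steps down (the leaking
    direction).
    """
    out_scaled = upscale(amount_out_raw, sf_out, round_up=pool_favouring)
    in_scaled = out_scaled  # toy 1:1 pool math; real invariants go here
    return downscale(in_scaled, sf_in, round_up=pool_favouring)


def pool_value_delta(amount_out_raw: int, amount_in_raw: int, sf_in: int, sf_out: int) -> Fraction:
    """Exact (rational) change of pool value in internal units.

    >= 0 means the swap did not cost the pool value; < 0 means rounding dust
    leaked to the caller.  Fraction keeps this check free of its own rounding.
    """
    value_in = Fraction(amount_in_raw * sf_in, ONE)
    value_out = Fraction(amount_out_raw * sf_out, ONE)
    return value_in - value_out


def invariant_check(sf_in: int, sf_out: int, pool_favouring: bool, trials: int = 2000, seed: int = 1) -> Fraction:
    """Property-style check over random out-amounts: return the worst (minimum)
    value delta seen.  A negative result is a failing invariant."""
    rng = random.Random(seed)
    worst = Fraction(0)
    for _ in range(trials):
        out_raw = rng.randint(1, 10**9)
        in_raw = exact_out_amount_in(out_raw, sf_in, sf_out, pool_favouring)
        worst = min(worst, pool_value_delta(out_raw, in_raw, sf_in, sf_out))
    return worst


if __name__ == "__main__":
    # Smallest possible request: 1 raw unit of a token worth ~1.0371 internal units.
    print("round-down quote:", exact_out_amount_in(1, SF_IN, SF_OUT, False))  # underpays
    print("round-up quote:  ", exact_out_amount_in(1, SF_IN, SF_OUT, True))
    print("worst delta, round-down:", invariant_check(SF_IN, SF_OUT, False))
    print("worst delta, round-up:  ", invariant_check(SF_IN, SF_OUT, True))
```

The useful habit this shows is the shape of the test, not the toy pool: state the invariant ("the pool's exact value never decreases on a swap") in arbitrary-precision arithmetic, and fuzz the integer code path against it. A unit test with hand-picked round numbers would pass both rounding directions, because scaling is exact for those inputs; only the property check over arbitrary amounts exposes a wrong rounding direction, and it does so on the very first one-unit request.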


Verdict

This multi-chain exploit represents a systemic failure in complex DeFi smart contract logic, proving that even well-established protocols remain critically vulnerable to precision-based and access control flaws that bypass conventional audit scopes.

Tags: smart contract exploit, decentralized finance, multi-chain vulnerability, liquidity pool drain, access control flaw, rounding error, batch swap function, composable stable pool, vault manipulation, internal balance, on-chain forensics, asset security risk, token price oracle, flash loan attack, protocol integrity, systemic weakness, governance failure, risk mitigation, emergency pause, cross-chain contagion.

Signal Acquired from: protos.com

Micro Crypto News Feeds

composable stable pools

Definition: Composable stable pools are liquidity pools in decentralized finance that consist of stablecoins and allow for flexible integration with other protocols.

composable stable pool

Definition: A composable stable pool is a type of liquidity pool in decentralized finance designed to facilitate efficient swaps between various stablecoins while allowing for integration with other DeFi protocols.

internal balance

Definition: Internal balance refers to the amount of funds or assets held within a specific platform or system.

assets

Definition: A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

access control flaw

Definition: An access control flaw permits unauthorized users to perform actions they should not be able to.

smart contract

Definition: A smart contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition: A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

custom pool logic

Definition: Custom pool logic refers to specialized rules governing a liquidity pool within a decentralized exchange.

smart contract logic

Definition: Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.