Security

DeFi Protocol Balancer V2 Drained Exploiting Smart Contract Rounding Flaw

A systemic flaw in Balancer V2's Stable Pool rounding logic permitted an attacker to drain $128M across five chains, exposing deep audit limitations.
November 28, 20253 min

A polished, multi-layered metallic mechanism descends into a vibrant, translucent blue liquid, with blue rod-like structures extending from it. White foam actively bubbles at the liquid's surface around the metallic component, set against a soft, light gray background
A sharp, metallic, silver-grey structure, partially covered in white snow, emerges from a vibrant blue, textured mass, itself snow-dusted and resting in calm, rippling water. Another smaller, similar blue and white formation is visible to the left, all set against a soft, cloudy sky

Briefing

The decentralized finance protocol Balancer V2 suffered a catastrophic economic exploit, resulting in a loss of over $128 million from its multi-chain liquidity pools. The primary consequence was the immediate and systemic destabilization of multiple Stable Pools, forcing emergency pause procedures and significant whitehat intervention to prevent further contagion. The core vulnerability was traced to a subtle flaw in the precision rounding logic of the EXACT_OUT swap function, a weakness that persisted despite 11 external security audits.

The image displays a dynamic arrangement of glossy white spheres, striking blue crystalline formations, and deep blue reflective abstract shapes, intricately linked by smooth white orbital rings. This abstract representation vividly illustrates the complex architecture of a modern blockchain infrastructure

Context

The prevailing risk factor for complex DeFi protocols like Balancer V2 is the interaction between multiple functions, where a vulnerability is not an obvious coding error but a subtle logic flaw in cross-function calls. The system’s reliance on complex mathematics for stable pool pricing, particularly the handling of precision and rounding in large-volume swaps, represented a known, high-impact attack surface that static audits often fail to fully simulate.

A close-up view reveals intricately intertwined abstract forms, featuring both transparent blue and brushed metallic silver components. These elements create a sense of depth and interconnectedness, with light reflecting off their polished and textured surfaces

Analysis

The attack exploited a precision rounding error specifically within the Stable Pool’s EXACT_OUT swap logic. The attacker utilized a flash loan to execute a sequence of trades, manipulating the pool’s internal accounting state by repeatedly triggering the downward rounding mechanism in their favor. This allowed the attacker to effectively withdraw more tokens than they deposited in a single, complex transaction, incrementally draining the pool’s assets across multiple EVM chains until the total loss exceeded $128 million. The success was due to the flaw being deep within the core mathematical logic, a vulnerability that bypassed extensive code review and formal verification.

A close-up view of a highly reflective, undulating surface features deep blue internal illumination and highlights. The abstract form appears metallic or liquid-like, with interconnected cavities and a fine granular texture

Parameters

  • Total Loss → $128 Million → The total financial value drained from the Balancer V2 liquidity pools across all affected chains.
  • Vulnerability TypePrecision Rounding Flaw → The specific code-level logic error in the Stable Pool’s EXACT_OUT swap function.
  • Audits Bypassed → 11 External Audits → The number of security reviews the vulnerable code had undergone prior to the exploit.
  • Funds Recovered → ~$28 Million → The approximate amount salvaged through whitehat and internal rescue efforts.

The image displays a metallic, multi-part mechanism with bright blue internal components, enveloped by a translucent, flowing blue substance. This central arrangement is set against a gradient background transitioning from light grey to a deep blue

Outlook

Protocols must now re-evaluate their security posture, shifting auditing standards from isolated code review to formal verification of complex, multi-step transaction logic and precision handling in all swap functions. The immediate mitigation for similar protocols is to implement or activate robust circuit breakers and real-time transaction monitoring to detect abnormal pool state changes, particularly those involving large flash loans and repeated, small-value rounding differences. This incident establishes a new best practice → a logic flaw that bypasses 11 audits demands a systemic shift toward adversarial stress testing of all mathematical primitives in DeFi.

The image displays a close-up of a metallic cylindrical component surrounded by a light-colored, textured framework. Within this framework, a translucent, swirling blue substance is visible, creating a sense of depth and motion

Verdict

This $128 million exploit is a definitive signal that the industry must move beyond superficial code audits to a deep, formal verification of all complex, multi-protocol mathematical logic to secure systemic DeFi capital.

DeFi protocol, liquidity pool, smart contract exploit, rounding logic flaw, exact out swap, stable pool, multi chain vulnerability, flash loan attack, asset drain, whitehat rescue, decentralized finance, token swap, governance proposal, risk mitigation, security posture, audit failure, systemic risk, asset recovery, on chain forensics, pool state manipulation Signal Acquired from → decrypt.co

Micro Crypto News Feeds

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

formal verification

Definition ∞ Formal verification is a mathematical technique used to prove the correctness of software or hardware systems.

liquidity pools

Definition ∞ Liquidity pools are pools of digital assets locked in smart contracts, used to facilitate decentralized trading.

precision rounding

Definition ∞ Precision Rounding is a mathematical method of adjusting a numerical value to a specified number of decimal places or significant figures while maintaining accuracy.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

verification

Definition ∞ Verification is the process of confirming the truth, accuracy, or validity of information or claims.

Tags:

Tags: