On November 3, 2025, Balancer V2 suffered a catastrophic exploit targeting its Composable Stable Pools, resulting in a ~$125M loss across Ethereum + multiple L2s. This was not a brute-force drain. This was precision economic engineering. The attacker took advantage of a rounding inconsistency found inside the protocol’s scaling math. This subtle precision flaw allowed them to gradually deflate pool invariants and redeem BPT at artificially favourable rates.
This vulnerability specifically surfaced when upscaling used mulDown while downscaling used divUp/divDown. This directional mismatch created a path where EXACT_OUT swaps could understate the amountIn required, which meant that over multiple rounds the invariant “D” would shrink invisibly without triggering alarms, revert protections or sanity checks.
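To make the rounding bias concrete, here is an added Python sketch (not Balancer's code and not from the original post) that models only the upscaling step in 18-decimal fixed point and runs a property check on its rounding direction. The helper names, the 1.058 scaling factor and the sample amounts are constructed for illustration; the stable-pool invariant itself is not modelled.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point (assumed unit for this sketch)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, rounding toward zero."""
    return (a * b) // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding away from zero."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1

def understated_fraction(amount_out: int, scaling_factor: int, upscale) -> Fraction:
    """Share of the exact scaled amountOut that the swap math never sees.

    Positive means the math prices a smaller output than the pool pays,
    so the amountIn derived from it is too low (rounding favours the trader).
    """
    exact = Fraction(amount_out * scaling_factor, ONE)
    return (exact - upscale(amount_out, scaling_factor)) / exact

def check_upscale_favours_pool(upscale, scaling_factor: int, amounts) -> list:
    """Property check: return every amountOut whose upscaled value is understated."""
    return [a for a in amounts
            if understated_fraction(a, scaling_factor, upscale) > 0]

# Constructed inputs: a rate-bearing token with a non-unit scaling factor.
RATE = 1_058_000_000_000_000_000      # 1.058 in fixed point (constructed)
SAMPLE_AMOUNTS = [8, 17, 10**18 + 1]  # wei-level amounts vs. about one whole token

if __name__ == "__main__":
    for amt in SAMPLE_AMOUNTS:
        loss = understated_fraction(amt, RATE, mul_down)
        print(f"amountOut={amt:>20}  mulDown relative loss={float(loss):.3e}")
    print("mulDown violations:",
          check_upscale_favours_pool(mul_down, RATE, SAMPLE_AMOUNTS))
    print("mulUp violations:  ",
          check_upscale_favours_pool(mul_up, RATE, SAMPLE_AMOUNTS))
```

The absolute error is always under one wei, but at wei-level amounts that becomes a relative error of several percent, while at whole-token amounts it is negligible; rounding the EXACT_OUT upscale up removes the trader-favouring bias in this model.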
How the Attack Worked (High Level)
The attacker executed this in a two-phase design:
Preparation / Simulation
They gathered pool state, token scales, balance factors, amp, fee parameters and simulated swap sequences with massive iteration depth to land token balances right on wei-level rounding cliffs.
Atomic Execution
Using Balancer’s batchSwap, they executed a highly tuned sequence in a single atomic transaction: first positioning a specific token (like cbETH) right on a rounding boundary, then triggering EXACT_OUT hops that shaved the invariant slightly each time. They kept repeating this within one transaction so the pool invariant degraded gradually without checkpoints detecting anything abnormal.
Once the invariant was sufficiently depressed, they exited and converted those artificially favourable BPT positions into higher-valued underlying assets, locking in the profit.
This logic was repeated across many chains (Arbitrum, Base, Polygon, Optimism, Sonic) + Balancer forks (Beets / Beethoven X) before ecosystem-wide mitigations caught up.
Root Cause
This exploit proves a larger truth: DeFi math itself can become a vulnerability vector, not code logic alone. A single decimal bias, a tiny rounding edge, can be leveraged at scale if the attacker can run infinite atomic micro manipulations in one block.
Want to go deeper into this exploit?
We have a detailed technical breakdown + full fund flow trace here: The Balancer Hack 2025
What Happened After?
Balancer reacted with heavy emergency mitigations including immediate CSPv6 pauses, factory shutdown, gauge deactivation and cross-ecosystem partner freezes. They announced a one-time 20% whitehat recovery bounty + rapid forensic coordination with chain partners, which massively slowed further damage and enabled recovery paths.
Still, a significant portion of stolen funds remains in attacker EOAs across chains even today.
Final Takeaway
DeFi security now demands defending economic precision, not only coding logic. Rounding assumptions must be adversarially tested.
Batch composability must assume complex multi-order manipulation can occur in a single tx.
Just one rounding cliff here wiped >$125M.