A minor rounding error hidden deep within Balancer’s smart contracts has led to one of the largest decentralized finance (DeFi) exploits of 2025, draining more than $128 million from its Composable Stable Pools (CSPs) across multiple blockchains.
The exploit began on November 3 at 07:46 UTC and was first detected by Hypernative’s automated monitoring system.
Minutes later, Balancer confirmed an active attack targeting its V2 Composable Stable Pools across networks, including Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic.
Notably, other Balancer pool types and its V3 protocol were unaffected.
If Balancer Passed 10 Audits, What Went Wrong This Time?
According to Balancer’s preliminary report, the breach was caused by a small but critical rounding miscalculation in the “upscale” function used during batch swaps, the feature that lets a single transaction chain several token swaps together.
The flaw sat in the code path for “EXACT_OUT” swaps, where the caller fixes the amount it receives and the pool computes the amount it is owed. With non-integer scaling factors, that computation rounded in the wrong direction, in the caller’s favor rather than the pool’s, so an attacker could repeat the swap to skew pool balances and extract funds in quick succession.
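To make the rounding-direction point concrete, the following is an added illustration written for this article, not Balancer’s contract code. It models a toy 1:1 pool whose tokens carry rate-based scaling factors (the `ONE`, `mul_down`/`mul_up`, `div_down`/`div_up`, `exact_out_amount_in`, `pool_shortfall` and `audit_rounding` names, the sample factors and the sample amounts are all assumptions of the example). For an EXACT_OUT swap the pool upscales the requested output into 18-decimal internal units and then downscales to input-token units; if either step rounds toward the caller, the pool undercharges by a fraction of a wei on every swap, and the `audit_rounding` property check shows how to catch that across a sample space of non-integer factors.

```python
from fractions import Fraction

# Added illustration for this article: why the rounding direction of a
# fixed-point "upscale" step matters for an EXACT_OUT swap.  Toy code written
# here, not Balancer's contracts; the pool is a 1:1 pool with rate-based
# scaling factors, which is enough to show the leak.
ONE = 10**18  # 18-decimal fixed-point unit, the convention in EVM DeFi math


def mul_down(a: int, b: int) -> int:
    """Fixed-point a*b, truncated toward zero."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point a*b, rounded up unless the product is exact."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """Fixed-point a/b, truncated toward zero."""
    return (a * ONE) // b


def div_up(a: int, b: int) -> int:
    """Fixed-point a/b, rounded up unless the quotient is exact."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def exact_out_amount_in(amount_out: int, factor_out: int, factor_in: int,
                        favor_pool: bool) -> int:
    """Quote amount_in for an EXACT_OUT swap in a toy 1:1 pool.

    amount_out is in raw output-token units; factor_* are scaling factors
    (e.g. 1.5 * ONE for a token whose rate is 1.5).  The pool first upscales
    amount_out to internal 18-decimal units, then downscales to input-token
    units.  Both steps must round against the caller; with favor_pool=False
    they round the wrong way, which is the class of bug the article describes.
    """
    if favor_pool:
        internal = mul_up(amount_out, factor_out)
        return div_up(internal, factor_in)
    internal = mul_down(amount_out, factor_out)  # wrong direction
    return div_down(internal, factor_in)         # wrong direction


def fair_amount_in(amount_out: int, factor_out: int, factor_in: int) -> Fraction:
    """Exact (unrounded) value the pool is owed, for comparison."""
    return Fraction(amount_out * factor_out, factor_in)


def pool_shortfall(n_swaps: int, amount_out: int, factor_out: int,
                   factor_in: int, favor_pool: bool) -> Fraction:
    """Value the pool fails to collect over n_swaps identical swaps.
    Positive means value leaks to the caller; negative means the pool
    over-collects, which is the safe side."""
    fair = fair_amount_in(amount_out, factor_out, factor_in)
    charged = exact_out_amount_in(amount_out, factor_out, factor_in, favor_pool)
    return (fair - charged) * n_swaps


# Constructed sample space: rate-style scaling factors (only ONE is an
# integer multiple of the unit) and a spread of raw amounts.
SAMPLE_FACTORS = [ONE, 3 * ONE // 2, 1234567 * ONE // 1000000, 7 * ONE // 10]
SAMPLE_AMOUNTS = [1, 7, 10**6, 123456789]


def audit_rounding(favor_pool: bool) -> tuple[int, int]:
    """Property check over the sample space: returns (safe, leaky) counts,
    where a quote is leaky if the pool charges less than fair value."""
    safe = leaky = 0
    for f_out in SAMPLE_FACTORS:
        for f_in in SAMPLE_FACTORS:
            for amt in SAMPLE_AMOUNTS:
                charged = exact_out_amount_in(amt, f_out, f_in, favor_pool)
                if charged < fair_amount_in(amt, f_out, f_in):
                    leaky += 1
                else:
                    safe += 1
    return safe, leaky


if __name__ == "__main__":
    for favor in (False, True):
        print("favor_pool =", favor,
              "| 1000 swaps of 1 wei at rate 1.5 -> shortfall",
              pool_shortfall(1000, 1, 3 * ONE // 2, ONE, favor), "wei",
              "| audit (safe, leaky) =", audit_rounding(favor))
```

The per-swap loss here is half a wei, which looks harmless until it is multiplied by thousands of swaps in one batch and combined with whatever the pool derives from its balances; the practitioner’s rule is that every rounding step on an amount the pool is owed must round up, every step on an amount the pool pays out must round down, and a property check like `audit_rounding` belongs in the test suite so a future scaling factor cannot reopen the gap.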
Balancer said the attack was confined to V2 Composable Stable Pools and their forks, such as BEX and Beets.
Early assessments suggest that the affected contracts were primarily older pools whose time-limited pause window had already expired, leaving no on-chain way to halt them; newer CSPv6 pools still inside their window were automatically paused by Hypernative’s emergency controls within minutes of detection.
Blockchain security firm PeckShield estimated total losses above $128 million, though Balancer said exact figures are still being verified. Stolen assets, including ETH, osETH, and wstETH, were quickly bridged and partially laundered through Tornado Cash.
Balancer activated its emergency war room, coordinating with partners, whitehats, and security teams to contain the attack.
Its Safe Harbor framework (BIP-726), introduced in 2024, allowed whitehat responders to intervene legally and recover funds. Early recoveries included $19 million in osETH and $1.7 million in osGNO retrieved by the StakeWise DAO.
Additional efforts across the DeFi ecosystem helped curb losses. The Berachain Foundation executed an emergency hard fork to trap stolen funds after an MEV bot operator agreed to return them.
Sonic Labs froze attacker wallets, while Gnosis and Monerium halted around €1.3 million in EURe stablecoins to prevent cross-chain movement. Whitehat groups, including BitFinding and Base MEV bots, recovered an additional $750,000.
In its latest update, Balancer noted that it had disabled the CSPv6 factory to prevent new pool creation, halted liquidity gauges for affected pools to stop emissions, and enabled recovery-mode withdrawals for liquidity providers.