A minor rounding error hidden deep within Balancer’s smart contracts has led to one of the largest decentralized finance (DeFi) exploits of 2025, draining more than $128 million from its Composable Stable Pools (CSPs) across multiple blockchains.
The exploit began on November 3 at 07:46 UTC and was first detected by Hypernative’s automated monitoring system.
Minutes later, Balancer confirmed an active attack targeting its V2 Composable Stable Pools across networks, including Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic.
Notably, other Balancer pool types and its V3 protocol were unaffected.
If Balancer Passed 10 Audits, What Went Wrong This Time?
According to Balancer’s preliminary report, the breach was caused by a small but critical rounding miscalculation in the “upscale” function used during batch swaps, a feature that enables multiple token swaps in one transaction.
The flaw appeared in code handling “EXACT_OUT” swaps, where non-integer scaling factors caused rounding in the wrong direction, allowing attackers to manipulate pool balances and extract funds in quick succession.
Balancer said the attack was confined to V2 Composable Stable Pools and their forks, such as BEX and Beets.
Early assessments suggest that the affected contracts were primarily those with expired pause windows, while newer CSPv6 pools were automatically paused by Hypernative’s emergency controls within minutes of detection.
Blockchain security firm PeckShield estimated total losses above $128 million, though Balancer said exact figures are still being verified. Stolen assets, including ETH, osETH, and wstETH, were quickly bridged and partially laundered through Tornado Cash.
Balancer activated its emergency war room, coordinating with partners, whitehats, and security teams to contain the attack.
Its Safe Harbor framework (BIP-726), introduced in 2024, allowed whitehat responders to intervene legally and recover funds. Early recoveries included $19 million in osETH and $1.7 million in osGNO retrieved by the StakeWise DAO.
Additional efforts across the DeFi ecosystem helped curb losses. The Berachain Foundation executed an emergency hard fork to trap stolen funds after an MEV bot operator agreed to return them.
Sonic Labs froze attacker wallets, while Gnosis and Monerium halted around €1.3 million in EURe stablecoins to prevent cross-chain movement. Whitehat groups, including BitFinding and Base MEV bots, recovered an additional $750,000.
In its latest update, Balancer noted that it had disabled the CSPv6 factory to prevent new pool creation, halted liquidity gauges for affected pools to stop emissions, and enabled recovery-mode withdrawals for liquidity providers.
Users with assets in paused pools can now withdraw their underlying tokens proportionally.
Balancer emphasized that its V3 pools and non-stable V2 pools remain unaffected and fully operational.
Balancer’s Breach Tied to Previously Known Rounding Flaw, TVL Plunges Over 50%
The breach comes despite Balancer’s long-standing reputation for robust security. The protocol, one of DeFi’s oldest automated market makers, has undergone more than ten audits by top firms, including OpenZeppelin, Trail of Bits, and Certora.
Yet, this latest exploit mirrors an earlier rounding-related vulnerability discovered in 2023, the same type of flaw that attackers have now used on a much larger scale.
Balancer has faced several security incidents in its history, including a $520,000 loss in 2020, a $2.1 million rounding exploit in 2023, and a DNS hijack later that same year.
Following the breach, Balancer’s total value locked (TVL) dropped sharply from $442 million on November 2 to just over $214 million within 24 hours; it has now dropped to $182 million, according to DeFiLlama.
The impact sent shockwaves across the DeFi ecosystem, with a large whale wallet withdrawing $6.5 million shortly after the attack.
The post How a Tiny Rounding Error Ignited Balancer’s $128M Multi-Chain DeFi Exploit appeared first on Cryptonews.
