Balancer’s $128 Million DeFi Exploit: A Rounding Error with Far-Reaching Consequences
A small rounding error hidden deep in Balancer’s smart contracts has led to one of the largest decentralized finance (DeFi) exploits of 2025, siphoning more than $128 million from its Composable Stable Pools (CSPs) across multiple blockchains. The exploit began on November 3rd at 07:46 UTC and was first detected by Hypernative’s automated monitoring system.
Minutes later, Balancer confirmed an active attack on its V2 Composable Stable Pools on networks including Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic. Other Balancer pool types and the V3 protocol were not affected. The breach was caused by a small but critical rounding miscalculation in the “upscale” feature used in batch swaps, a feature that allows multiple token swaps in one transaction.

Understanding the Exploit and Its Aftermath
The flaw occurred in the code used to handle EXACT_OUT swaps, where non-integer scaling factors resulted in rounding in the wrong direction, allowing attackers to manipulate pool balances and withdraw funds in rapid succession. Balancer said the attack was limited to V2 Composable Stable Pools and their forks such as BEX and Beets. Initial assessments indicate that the affected contracts were primarily those with expired pause windows, while newer CSPv6 pools were automatically paused by Hypernative’s emergency controls within minutes of detection.
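The rounding-direction property described above, as an added illustration that is not Balancer's code: a simplified fixed-point model of an EXACT_OUT quote in which the token scaling factors, price and pool arithmetic are constructed assumptions. The safe rule it checks is that every intermediate rounding must favour the pool, so the amount charged is never below the exact value.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, the usual DeFi convention

def mul_down(a, b):
    return a * b // ONE

def mul_up(a, b):
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1

def div_down(a, b):
    return a * ONE // b

def div_up(a, b):
    return 0 if a == 0 else (a * ONE - 1) // b + 1

def quote_exact_out(amount_out, sf_in, sf_out, price, favour_pool):
    """Token-in charged (raw units) for amount_out raw token-out units.

    sf_in / sf_out are fixed-point scaling factors; non-integer values
    (e.g. 1.5 * ONE) are where truncation bites. price is the internal
    price of the out-token in in-token units. favour_pool selects the
    rounding direction: True rounds against the caller at each step,
    False mirrors the bug class (rounding toward the caller).
    """
    if favour_pool:
        scaled_out = mul_up(amount_out, sf_out)   # upscale: owe more
        scaled_in = mul_up(scaled_out, price)     # charge more
        return div_up(scaled_in, sf_in)           # downscale: charge more
    scaled_out = mul_down(amount_out, sf_out)
    scaled_in = mul_down(scaled_out, price)
    return div_down(scaled_in, sf_in)

def exact_amount_in(amount_out, sf_in, sf_out, price):
    """Exact rational amount the pool should receive, with no rounding."""
    return (Fraction(amount_out) * Fraction(sf_out, ONE)
            * Fraction(price, ONE) / Fraction(sf_in, ONE))

def undercharge(amount_out, sf_in, sf_out, price, favour_pool):
    """Positive means the pool charged less than the exact value."""
    return (exact_amount_in(amount_out, sf_in, sf_out, price)
            - quote_exact_out(amount_out, sf_in, sf_out, price, favour_pool))

def audit(cases, favour_pool):
    """Return the constructed cases in which the pool leaks value."""
    return [c for c in cases if undercharge(*c, favour_pool) > 0]

# Constructed cases: (amount_out, sf_in, sf_out, price) with non-integer factors
CASES = [(1, ONE, 15 * 10**17, ONE), (7, 27 * 10**17, 13 * 10**17, 25 * 10**17)]
```

With the wrong direction every case in CASES undercharges the pool; with rounding in the pool's favour none does, which is the invariant a unit test on scaling code should assert.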
Blockchain security firm PeckShield estimated the total loss at over $128 million, although Balancer said the exact figures are still under review. Stolen assets, including ETH, osETH, and wstETH, were quickly bridged and partially laundered through Tornado Cash. Balancer activated its emergency war room and coordinated with partners, whitehats, and security teams to contain the attack.
Response and Recovery Efforts
Its Safe Harbor Framework (BIP-726), introduced in 2024, allowed white hat responders to legally intervene and recover funds. Early recoveries included $19 million in osETH and $1.7 million in osGNO retrieved from the StakeWise DAO. Additional efforts across the DeFi ecosystem helped curb losses. The Berachain Foundation conducted an emergency hard fork to intercept stolen funds after a MEV bot operator agreed to return them.
Sonic Labs froze attackers’ wallets, while Gnosis and Monerium halted around €1.3 million worth of EURe stablecoins to prevent cross-chain movements. Whitehat groups including BitFinding and Base MEV-Bots recovered another $750,000. In its latest update, Balancer noted that it has disabled the CSPv6 factory to prevent the creation of new pools, paused liquidity indicators for affected pools to stop emissions, and enabled recovery mode withdrawals for liquidity providers.

Lessons Learned and Future Directions
Following the breach, Balancer’s Total Value Locked (TVL) fell sharply from $442 million on November 2 to just over $214 million within 24 hours; according to DeFiLlama, it is now down to $182 million. The impact sent shockwaves across the DeFi ecosystem, with one major whale wallet withdrawing $6.5 million shortly after the attack. The breach occurred despite Balancer’s long-standing reputation for robust security.
Balancer has undergone more than ten audits from top firms including OpenZeppelin, Trail of Bits, and Certora. However, this latest exploit mirrors an earlier rounding vulnerability discovered in 2023, the same type of vulnerability that attackers have now exploited on a much larger scale. Balancer has faced several security incidents in its history, including a $520,000 loss in 2020, a $2.1 million rounding exploit in 2023, and a DNS hijack later that same year.
For more information on the Balancer exploit and its aftermath, visit https://cryptonews.com/news/balancer-dexploit-rounding-error-128m-loss/
