November 6, 2025 · cryptonews

How a Tiny Rounding Error Ignited Balancer’s $128M Multi-Chain DeFi Exploit

A minor rounding error hidden deep within Balancer’s smart contracts has led to one of the largest decentralized finance (DeFi) exploits of 2025, draining more than $128 million from its Composable Stable Pools (CSPs) across multiple […] exploit began on November 3 at 07:46 UTC and was first detected by Hypernative’s automated monitoring […]

[…] Protocol loses over $116 million in cross-chain exploit, marking one of the largest DeFi security breaches in 2025. #Balancer #DeFi […] — […] (@cryptonews) November 3, 2025

Minutes later, Balancer confirmed an active attack targeting its V2 Composable Stable Pools across networks, including Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic.

Notably, other Balancer pool types and its V3 protocol were […]

Balancer Passed 10 Audits, What Went Wrong This Time?

According to Balancer’s preliminary report, the breach was caused by a small but critical rounding miscalculation in the “upscale” function used during batch swaps, a feature that enables multiple token swaps in one transaction.

[…] — Balancer (@Balancer) November 5, 2025

The flaw appeared in code handling “EXACT_OUT” swaps, where non-integer scaling factors caused rounding in the wrong direction, allowing attackers to manipulate pool balances and extract funds in quick […] said the attack was confined to V2 Composable Stable Pools and their forks, such as BEX and […] assessments suggest that the affected contracts were primarily those with expired pause windows, while newer CSPv6 pools were automatically paused by Hypernative’s emergency controls within minutes of […] security firm PeckShield estimated total losses above $128 million, though Balancer said exact figures are still being […] assets, including ETH, osETH, and wstETH, were quickly bridged and partially laundered through Tornado […] activated its emergency war room, coordinating with partners, whitehats, and security teams to contain the […] Safe Harbor framework (BIP-726), introduced in 2024, allowed whitehat responders to intervene legally and recover […] recoveries included $19 million in osETH and $1.7 million in osGNO retrieved by the StakeWise […] efforts across the DeFi ecosystem helped curb […] Berachain Foundation executed an emergency hard fork to trap stolen funds after an MEV bot operator agreed to return them.

@berachain initiated an emergency hard fork, freezing $12M in stolen funds, following a wider exploit impacting @Balancer V2 pools. #Berachain #DeFi #Balancer […] — […] (@cryptonews) November 4, 2025

Sonic Labs froze attacker wallets, while Gnosis and Monerium halted around €1.3 million in EURe stablecoins to prevent cross-chain […] groups, including BitFinding and Base MEV bots, recovered an additional $750,000.

In its latest update, Balancer noted that it had disabled the CSPv6 factory to prevent new pool creation, halted liquidity gauges for affected pools to stop emissions, and enabled recovery-mode withdrawals for liquidity […] with assets in paused pools can now withdraw their underlying tokens […] emphasized that its V3 pools and non-stable V2 pools remain unaffected and fully operational.

Balancer’s Breach Tied to Previously Known Rounding Flaw, TVL Plunges Over 50%

The breach comes despite Balancer’s long-standing reputation for robust […] protocol, one of DeFi’s oldest automated market makers, has undergone more than ten audits by top firms, including OpenZeppelin, Trail of Bits, and […]

[…] went through 10+ […] vault was audited 3 separate times by different firms still got hacked for $110M this space needs to accept that 'audited by X' means almost […] is hard, defi is harder it is unfortunate but hope the team recovers […] — Suhail Kakar (@SuhailKakar) November 3, 2025

Yet, this latest exploit mirrors an earlier rounding-related vulnerability discovered in 2023, the same type of flaw that attackers have now used on a much larger […] has faced several security incidents in its history, including a $520,000 loss in 2020, a $2.1 million rounding exploit in 2023, and a DNS hijack later that same […] the breach, Balancer’s total value locked (TVL) dropped sharply from $442 million on November 2 to just over $214 million within 24 hours; it has now dropped to $182 million, according to DeFiLlama.
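The rounding direction described in Balancer’s preliminary report can be checked with a small invariant test: every EXACT_OUT quote must leave the pool no worse off. The following is an added example, not Balancer’s code; it assumes a toy 1:1 pool with no fee, and the function names and the 1.05 scaling factor are constructed for illustration.

```python
ONE = 10**18  # 18-decimal fixed point, the unit used for scaling factors here


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, rounding toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding up."""
    return (a * b + ONE - 1) // ONE


def div_up(a: int, b: int) -> int:
    """Fixed-point divide, rounding up."""
    return (a * ONE + b - 1) // b


def quote_exact_out(amount_out, sf_in, sf_out, *, round_out_up):
    """Raw token_in owed for `amount_out` raw token_out.

    Toy 1:1 pool in scaled units, no fee (assumption, not stable-pool math).
    """
    upscale = mul_up if round_out_up else mul_down
    scaled_out = upscale(amount_out, sf_out)  # the rounding step under review
    scaled_in = scaled_out                    # 1:1 pricing in scaled units
    return div_up(scaled_in, sf_in)           # amounts owed always round up


def pool_delta(amount_out, amount_in, sf_in, sf_out):
    """Exact pool value change (scaled units * ONE); negative = pool lost value."""
    return amount_in * sf_in - amount_out * sf_out


def underpriced_amounts(sf_in, sf_out, max_amount, *, round_out_up):
    """Amounts in 1..max_amount whose quote leaves the pool worse off."""
    bad = []
    for amount_out in range(1, max_amount + 1):
        amount_in = quote_exact_out(amount_out, sf_in, sf_out,
                                    round_out_up=round_out_up)
        if pool_delta(amount_out, amount_in, sf_in, sf_out) < 0:
            bad.append(amount_out)
    return bad


# Constructed scaling factors: token_in at 1.0, token_out carrying a 1.05 rate.
SF_IN, SF_OUT = ONE, 1_050_000_000_000_000_000

if __name__ == "__main__":
    for label, up in (("upscale rounds down", False), ("upscale rounds up", True)):
        bad = underpriced_amounts(SF_IN, SF_OUT, 40, round_out_up=up)
        print(f"{label}: {len(bad)} of 40 quotes underpriced")
```

With an integer scaling factor both variants agree, which is why the check only fails for non-integer factors such as the 1.05 used here.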
