November 7, 2025, Crypto Potato

Balancer’s $120M Meltdown: How A Series of Small Swaps Almost Broke a Top AMM

The Balancer v2 exploit on November 3rd resulted in losses of around $120 million across its main protocol and multiple […]. According to the SlowMist security team’s post-incident analysis, the exploit stemmed from a precision loss flaw in the integer fixed-point arithmetic used to calculate scaling factors inside Composable Stable Pools, which are designed for near-parity asset pairs such as USDC/USDT or WETH/stETH. In the latest update, SlowMist confirmed that this flaw caused small but consistent price discrepancies during swaps, especially when attackers used the batch swap function to chain multiple operations within a single […]. The attackers’ strategy was executed across several […].

[…] Postmortem

1. The attacker swapped BPT for liquidity tokens to reduce the pool’s liquidity reserves, preparing for small-amount […].
2. Performed swaps between liquidity tokens (osETH → WETH) to prepare for precise control of small-swap precision […].
3. Executed carefully controlled osETH → WETH swaps to accumulate precision […].
4. Swapped between liquidity tokens (WETH → osETH) to restore […].
5. Repeated steps 2-4 to amplify the error […].
6. Swapped the liquidity tokens back into BPT to restore the pool […].

The attacker first swapped BPT for liquidity tokens to drain and reduce the pool’s liquidity reserves in a bid to prepare for small-amount […]. […] then conducted swaps between liquidity tokens (osETH → WETH) to set up control over small-swap precision errors.

Next, they executed highly controlled osETH → WETH swaps to intentionally build up precision errors. Afterwards, the attacker swapped between liquidity tokens again (WETH → osETH) to restore enough […]. […] repeating steps 2-4 in loops to continuously expand the accumulated error, they finally swapped the liquidity tokens back into BPT to return the pool to a balanced […]. […] repeatedly leveraging the precision flaw with small-sized swaps, the attacker pushed the system into settling a final “amountOut” that exceeded the true amountIn owed, and allowed them to pocket a massive […].

[…] managed to trace the attacker’s operations across addresses and multiple […]. […] found initial funds were routed through Tornado Cash, then through intermediate nodes and cross-chain […] usage, before being assembled on Ethereum-based addresses holding thousands of ETH and […].

[…] Efforts

As part of the remediation efforts, CSPv6 pools across the affected network were paused, the CSPv6 factory was disabled, gauges were killed for affected pools, and major LPs safely withdrew, among other […]. The Balancer team coordinated with whitehats as well as cybersecurity partners and various networks to retrieve or freeze portions of the stolen […]. […] included 5,041 StakeWise osETH worth about $19 million and 13,495 osGNO, estimated to be around $2 […].

For project teams and auditors facing similar scenarios, SlowMist said that the focus should be on enhancing test coverage for extreme cases and boundary conditions.

Additionally, the firm urged the projects to pay particular attention to precision handling strategies under low-liquidity conditions.
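A boundary-condition check of the kind SlowMist recommends might look like the sketch below. It is an added example, not Balancer's or SlowMist's code. It assumes a generic 18-decimal fixed-point multiply that truncates, and the 1.058 scaling factor and the amounts are constructed values.

```python
ONE = 10**18  # 18-decimal fixed point (assumed convention, not taken from the article)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates the fractional part."""
    return a * b // ONE

def rounding_loss_ppm(amount: int, factor: int) -> int:
    """Share of the exact scaled value lost to truncation, in parts per million."""
    exact = amount * factor  # exact product, still carrying the ONE multiplier
    if exact == 0:
        return 0
    return (exact - mul_down(amount, factor) * ONE) * 10**6 // exact

def chunked_drift(total: int, chunk: int, factor: int) -> int:
    """Units lost when `total` is scaled in `chunk`-sized pieces rather than once."""
    pieces = [chunk] * (total // chunk)
    if total % chunk:
        pieces.append(total % chunk)
    return mul_down(total, factor) - sum(mul_down(p, factor) for p in pieces)

def boundary_report(factor: int, amounts: list, tolerance_ppm: int) -> list:
    """Amounts whose truncation loss exceeds the tolerance: the cases a test must cover."""
    return [a for a in amounts if rounding_loss_ppm(a, factor) > tolerance_ppm]

# Constructed inputs: a 1.058 scaling factor and amounts from 1 base unit upward.
FACTOR = 1_058_000_000_000_000_000
AMOUNTS = [1, 17, 18, 999, 10**6 + 1, 10**18 + 1]

if __name__ == "__main__":
    for a in AMOUNTS:
        print(f"amount={a:>20} loss={rounding_loss_ppm(a, FACTOR):>6} ppm")
    print("over 100 ppm:", boundary_report(FACTOR, AMOUNTS, 100))
    print("drift, 17000 scaled in pieces of 17:", chunked_drift(17_000, 17, FACTOR))
```

At ordinary amounts the truncated fraction is invisible, but at a few base units it is several percent of the value, and it accumulates when the same total is processed in small pieces.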
