How a Tiny Rounding Error Ignited Balancer’s $128M Multi-Chain DeFi Exploit
A minor rounding error hidden deep inside Balancer’s smart contracts has led to one of the largest decentralized finance (DeFi) exploits of 2025, draining more than $128 million from its Composable Stable Pools (CSPs) across multiple blockchains.
The exploit started on November 3 at 07:46 UTC and was first detected by Hypernative’s automated monitoring system.
Minutes later, Balancer confirmed an active attack targeting its V2 Composable Stable Pools across networks, including Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic.
Notably, other Balancer pool types and its V3 protocol were unaffected.
If Balancer Passed 10 Audits, What Went Wrong This Time?
According to Balancer’s preliminary report, the breach was caused by a small but critical rounding miscalculation in the “upscale” function used during batch swaps, a feature that allows multiple token swaps in a single transaction.
The flaw appeared in code handling “EXACT_OUT” swaps, where non-integer scaling factors caused rounding in the wrong direction, allowing attackers to manipulate pool balances and extract funds in quick succession.
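The rounding-direction issue described above, shown as an added illustration that is not Balancer's contract code: it checks whether a pool is ever paid less value than it gives out when the exact-out amount is upscaled with round-down versus round-up. The 18-decimal fixed-point helpers, the 1:1 pricing (a stand-in for the stable-pool invariant), and the scaling factors are assumptions constructed for the example.

```python
# Added illustration (not Balancer's code). Assumptions: 18-decimal fixed
# point, 1:1 pricing in place of the stable-pool invariant, constructed factors.
ONE = 10**18

def mul_down(a, b):
    """Fixed-point multiply, rounding toward zero."""
    return (a * b) // ONE

def mul_up(a, b):
    """Fixed-point multiply, rounding away from zero."""
    return 0 if a * b == 0 else (a * b - 1) // ONE + 1

def div_up(a, b):
    """Fixed-point divide, rounding away from zero."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1

def amount_in_for_exact_out(amount_out, sf_in, sf_out, upscale_out):
    """Raw input tokens charged for an exact raw output amount."""
    scaled_out = upscale_out(amount_out, sf_out)  # raw -> internal units
    scaled_in = scaled_out                        # 1:1 pricing (assumption)
    return div_up(scaled_in, sf_in)               # internal -> raw, favour pool

def undercharged(upscale_out, sf_in, sf_out, max_out):
    """Exact-out amounts where the pool receives less value than it pays out."""
    bad = []
    for amount_out in range(1, max_out + 1):
        amount_in = amount_in_for_exact_out(amount_out, sf_in, sf_out, upscale_out)
        # Compare exact internal values as integers (both sides times ONE).
        if amount_in * sf_in < amount_out * sf_out:
            bad.append(amount_out)
    return bad

NON_INTEGER_SF = 105 * 10**16   # 1.05 in fixed point (constructed value)
INTEGER_SF = 10**12 * ONE       # whole-number factor, as for a 6-decimal token

if __name__ == "__main__":
    print("round down, non-integer factor:", undercharged(mul_down, ONE, NON_INTEGER_SF, 20))
    print("round up,   non-integer factor:", undercharged(mul_up, ONE, NON_INTEGER_SF, 20))
    print("round down, integer factor:    ", undercharged(mul_down, ONE, INTEGER_SF, 20))
```

With a whole-number scaling factor the round-down upscale is exact, which is why the discrepancy only shows up once the factor is non-integer.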
Balancer said the attack was confined to V2 Composable Stable Pools and their forks, such as BEX and Beets.
Early assessments suggest that the affected contracts were primarily those with expired pause windows, while newer CSPv6 pools were automatically paused by Hypernative’s emergency controls within minutes of detection.
Blockchain security firm PeckShield estimated total losses above $128 million, though Balancer said actual figures are still being verified. Stolen assets, including ETH, osETH, and wstETH, were quickly bridged and partially laundered through Tornado Cash.
Balancer activated its emergency war room, coordinating with partners, whitehats, and security teams to contain the attack.
Its Safe Harbor framework (BIP-726), launched in 2024, allowed whitehat responders to intervene legally and recover funds. Early recoveries included $19 million in osETH and $1.7 million in osGNO retrieved by the StakeWise DAO.
Additional efforts across the DeFi ecosystem helped curb losses. The Berachain Foundation executed an emergency hard fork to trap stolen funds after an MEV bot operator agreed to return them.
Sonic Labs froze attacker wallets, while Gnosis and Monerium halted around €1.3 million in EURe stablecoins to prevent cross-chain movement. Whitehat groups, including BitFinding and Base MEV bots, recovered an additional $750,000.
In its latest update, Balancer noted that it had disabled the CSPv6 factory to prevent new pool creation, halted liquidity gauges for affected pools to stop emissions, and enabled recovery-mode withdrawals for liquidity providers.
Users with assets in paused pools can now withdraw their underlying tokens proportionally.
Balancer emphasised that its V3 pools and non-stable V2 pools remain unaffected and fully operational.
Balancer’s Breach Tied to Previously Known Rounding Flaw, TVL Plunges Over 50%
The breach comes despite Balancer’s long-standing reputation for strong security. The protocol, one of DeFi’s oldest automated market makers, has undergone more than ten audits by top firms, including OpenZeppelin, Trail of Bits, and Certora.
Yet this latest exploit mirrors an earlier rounding-related vulnerability discovered in 2023, the same kind of flaw that attackers have now used on a much larger scale.
Balancer has faced several security incidents in its history, including a $520,000 loss in 2020, a $2.1 million rounding exploit in 2023, and a DNS hijack later that same year.
Following the breach, Balancer’s total value locked (TVL) dropped sharply from $442 million on November 2 to just over $214 million within 24 hours; it has now dropped to $182 million, according to DeFiLlama.

The impact sent shockwaves across the DeFi ecosystem, with a large whale wallet withdrawing $6.5 million shortly after the attack.
The post How a Tiny Rounding Error Ignited Balancer’s $128M Multi-Chain DeFi Exploit appeared first on Cryptonews.
