Balancer encountered a $128 million vulnerability: how a rounding error drained the liquidity pool
Event Bulletin
Last Monday morning, the DeFi protocol Balancer was reported to have a major security vulnerability: the Composable Stable pools of version V2 were subjected to a large-scale attack involving approximately $128 million. The good news is that most of the assets have been recovered, but the incident exposed a critical rounding error in the batch swap mechanism.
Technical Analysis: A Disaster Caused by a Rounding Error
The source of the vulnerability is surprisingly simple: the Balancer V2 Vault has a rounding defect in its scaling function when processing EXACT_OUT orders during batch swaps.
Specifically:
Batch swapping allows multiple operations to be completed within a single transaction, optimizing Gas fees through deferred settlement.
When the scaling factor is not an integer, the system rounds down, leaving a small numerical difference in the trader's favor on each swap.
Attackers exploit these differences repeatedly through the batch swap function, extracting value step by step, like a card trick.
Liquidity provider tokens are treated as ordinary tokens, bypassing the minimum liquidity protection.
Result: In some older versions of the V5 pool, the liquidity level was pushed to an abnormally low position, leading to a massive outflow of funds.
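The rounding-direction problem described above can be shown in a few lines of integer arithmetic. The following is an added illustration, not Balancer's code: it models a hypothetical pool that values tokens by their scaled balance, uses an assumed rate-based scaling factor of 1.05 for token A (so the factor is not an integer multiple of 1e18), and quotes an EXACT_OUT swap by upscaling the requested output and downscaling it into input-token units. Rounding both steps down lets the pool pay out value it is not paid for, and the per-swap loss adds up across repeated swaps; rounding in the pool's favor keeps the pool's scaled value non-decreasing. The `audit_rounding` helper is the kind of invariant check a reviewer would run over a range of amounts.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, as used by many EVM DeFi protocols

# Hypothetical (constructed) scaling factors: 1 A == 1.05 scaled units, so
# SF_A / ONE is not an integer; token B is a plain 18-decimal asset.
SF_A = 1_050_000_000_000_000_000
SF_B = ONE


def mul_down(a: int, b: int) -> int:
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def exact_out_amount_in(amount_out: int, sf_out: int, sf_in: int, favor_pool: bool) -> int:
    """Toy EXACT_OUT quote: upscale the requested output, then downscale into
    input-token units. favor_pool=False rounds both steps down (the
    trader-favoring defect this model illustrates); favor_pool=True rounds
    both steps up so the pool is always paid at least the exact value."""
    if favor_pool:
        return div_up(mul_up(amount_out, sf_out), sf_in)
    return div_down(mul_down(amount_out, sf_out), sf_in)


def pool_value_change(amount_out: int, sf_out: int, sf_in: int, favor_pool: bool) -> Fraction:
    """Exact (rational) change of the pool's scaled value after one swap."""
    amount_in = exact_out_amount_in(amount_out, sf_out, sf_in, favor_pool)
    value_in = Fraction(amount_in * sf_in, ONE)
    value_out = Fraction(amount_out * sf_out, ONE)
    return value_in - value_out


def drift_over_swaps(n: int, amount_out: int, sf_out: int, sf_in: int, favor_pool: bool) -> Fraction:
    """Cumulative pool value change over n identical swaps: a sub-wei loss per
    swap becomes material once the swaps are repeated in a batch."""
    per_swap = pool_value_change(amount_out, sf_out, sf_in, favor_pool)
    return sum((per_swap for _ in range(n)), Fraction(0))


def audit_rounding(sf_out: int, sf_in: int, max_amount: int = 5000) -> list:
    """Invariant check for a reviewer: every output amount up to max_amount for
    which the pool's value decreases under the round-down policy."""
    return [a for a in range(1, max_amount + 1)
            if pool_value_change(a, sf_out, sf_in, favor_pool=False) < 0]


if __name__ == "__main__":
    # Requesting exactly 1 wei of B and paying in A:
    print("amount_in, round down:", exact_out_amount_in(1, SF_B, SF_A, False))  # 0: paid nothing
    print("amount_in, round up:  ", exact_out_amount_in(1, SF_B, SF_A, True))   # 1
    print("pool drift over 1000 swaps, round down:", drift_over_swaps(1000, 1, SF_B, SF_A, False))
    print("pool drift over 1000 swaps, round up:  ", drift_over_swaps(1000, 1, SF_B, SF_A, True))
    print("losing amounts found by audit:", len(audit_rounding(SF_B, SF_A)))
```

The design rule this encodes is the usual one for fixed-point AMM math: every amount the pool pays out is rounded down and every amount the pool receives is rounded up, and a property test over many amounts (as `audit_rounding` does) should find no case where the pool's scaled value falls after a swap.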
How wide is the scope of impact?
Affected Chains: nine mainstream public chains, including Ethereum, Arbitrum, Optimism, Polygon, Avalanche, Base, Gnosis, Sonic and Berachain.
But this is crucial:
✅ Balancer V3 is completely unaffected
✅ Other types of liquidity pools in V2 are safe and sound.
❌ Only the Composable Stable v5 pools were compromised (v6 has been automatically paused)
Progress of the Retrieval Campaign
StakeWise has independently recovered 70% of the stolen osETH funds.
BitFinding intercepted approximately $600,000 in transferred assets.
Multi-chain collaboration: Sonic Labs, Berachain validators, Monerium, etc. have deployed freezing measures on their respective networks.
The current asset recovery rate exceeds 70%, and it is still being tracked continuously.
Impact on Ordinary Users
V6 Composable Stable Pool: Recovery mode has been activated, allowing proportional withdrawal of underlying assets (can operate normally)
V5 Composable Stable Pool: Paused, interaction is not recommended, please wait for official notice.
Other pools: Operating as usual, zero risk
Follow-up Highlights
Complete technical audit report pending.
Legal assessment and compensation plan formulation
Ethical hackers are helping with fund tracking.
This incident reminds us once again that even small flaws in the code of large DeFi protocols can lead to significant losses. Fortunately, Balancer's quick response and collaboration with ecosystem partners helped recover the damages and kept them within a controllable range.