Balancer's $128M Exploit: How a Rounding Error Broke DeFi Security
A single rounding direction in Balancer V2 _upscaleArray function enabled a $128M, 9-chain exploit in 30 minutes. Technical breakdown, V3 fixes, and 3 DeFi security lessons.
On November 3, 2025, at 07:46 UTC, a smart contract began deploying itself to Ethereum mainnet. Its constructor function contained no sophisticated exploit logic — just a carefully ordered sequence of swap operations, repeated 65 times. Within 30 minutes, $128.64 million had been drained from Balancer's Composable Stable Pools across nine blockchains.
The root cause was not a novel cryptographic attack, not a flash loan cascade, and not an access control failure. It was a rounding direction in a single internal function — a discrepancy so small it was acknowledged by the development team and judged to be acceptable. That judgment was wrong.
Understanding what happened — and why Balancer V3 was entirely unaffected — reveals a category of vulnerability that every DeFi protocol with an automated market maker must actively defend against.
The $128M Rounding Error: Inside the November 2025 Balancer Attack
Balancer's V2 Composable Stable Pools enable users to trade not only the underlying assets in a pool but also the pool's own liquidity token (BPT). This composability is a feature — and, as it turned out, a critical attack surface.
The exploit targeted pools across nine blockchains simultaneously: Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic. Two pools bore the heaviest losses. The osETH/wETH-BPT pool lost 4,623 WETH and 6,851 osETH. The wstETH-WETH-BPT pool lost 1,963 WETH and 4,259 wstETH.
What made the attack notable from an engineering standpoint was its delivery mechanism. The attacker did not interact with Balancer pools manually. Instead, they deployed a malicious smart contract whose constructor — the code that runs automatically at deployment — executed the entire exploitation sequence. By embedding the attack in contract initialization, the attacker ensured atomic execution across all 65 cycles with no possibility of partial failure or external interruption.
Balancer confirmed the rounding error in the _upscaleArray function as the root cause in its official post-mortem. Only V2 Composable Stable Pools were affected. V3 and all other Balancer versions remained secure throughout.
Inside the Bug: How mulDown Rounding Broke Balancer's Math
The vulnerability originated from inconsistent rounding directions between two symmetric operations: upscaling and downscaling.
When Balancer V2 pools calculate swap invariants, they must scale token amounts from their native decimal representations to a common internal precision. Upscaling (converting external amounts to internal precision) always used mulDown — integer multiplication that rounds down. Downscaling (converting back) used bidirectional rounding: divUp for some operations, divDown for others, depending on context.
This asymmetry violated a foundational principle of DeFi AMM design: rounding should always favor the protocol, never the user. When both upscaling and downscaling round in the same direction (against the user), errors cancel out over time. When they round inconsistently, errors accumulate in the attacker's favor.
The specific failure point was in BaseGeneralPool._swapGivenOut(). For exact-output swaps, this function passed swapRequest.amount through _upscale(), which rounded the value down. The diminished value then fed into _onSwapGivenOut() to calculate the required input amount. Because the output was underestimated, the computed input requirement was also underestimated — meaning users could receive slightly more than they should, at the pool's expense.
To illustrate with concrete numbers from BlockSec's analysis: the attacker positioned cbETH pool balance at exactly 9 wei — a critical rounding boundary. A crafted swap of 8 units then caused the computed token change Δx to collapse from 8.918 to 8. This eight-wei discrepancy deflated the pool invariant D, which in turn deflated the BPT price (calculated as D divided by total BPT supply). Artificially cheap BPT could then be redeemed for more underlying assets than it was worth.
The developers had noted this rounding inconsistency. They characterized its impact as "expected to be minimal" for a single swap. They were right about a single swap. They did not model what happened with 65 consecutive swaps in one atomic batch.
How batchSwap Turned a Micro-Error into a $128M Exploit
Balancer's batchSwap function allows users to chain multiple swaps across multiple pools in a single transaction. It is a core protocol feature designed for efficient multi-hop routing. The attacker used it as an amplifier.
Each exploitation cycle followed three phases:
Phase 1 — Boundary Positioning. A large BPT-for-underlying swap pushed one token's pool balance to the precise wei value that sits at a rounding boundary — where the integer division in mulDown produces maximum relative error.
Phase 2 — Precision Loss Trigger. A small, crafted swap between the boundary-positioned token and another underlying token executed. Due to the downward rounding in _upscale(), the computed Δx was slightly smaller than the true value, causing the invariant D to be underestimated.
Phase 3 — Value Extraction. The underlying assets were swapped back for BPT at the now-deflated price. The protocol issued more BPT than the deposited assets justified, or redeemed BPT for more assets than the BPT was worth.
Repeated 65 times atomically, the compounding turned per-cycle losses of a few wei into tens of millions of dollars drained from real liquidity providers.
The attacker's preparation was thorough. Auxiliary contracts handled parameter optimization to find the exact balance values that maximized rounding error per cycle. Retry logic managed Newton-Raphson convergence failures that can occur during pool invariant calculations. The entire system was designed to fail gracefully and retry until profitable conditions were met.
Check Point Research noted that "traditional audits focus on individual operation correctness but fail to model cumulative effects of adversarial batch operations."
Why Balancer V3 Was Safe — and What Changed
Balancer V3, launched in the months prior to the exploit, was architecturally redesigned in ways that made this attack impossible at the protocol level.
The most significant change was centralizing all upscaling and downscaling logic within the vault itself, rather than distributing it across individual pool contracts. This eliminated the per-pool rounding drift that allowed V2 pools to accumulate asymmetric errors. All computations in V3 are standardized to 18-decimal precision from a single authoritative source.
Equally important was the elimination of composable pools. In V2, pools allowed trading of their own BPT token — a feature that enabled the BPT price manipulation at the heart of the exploit. V3 replaced composable pools with ERC4626 buffer contracts, which handle yield-bearing token integration without exposing BPT as a tradeable collateral asset.
Certora's formal verification work on V3 provides perhaps the most directly relevant protection. Certora verified the "swappingBackAndForth" property: a mathematical proof that swapping token A for token B, then swapping token B back for token A, cannot result in a net gain of either token. This property, if applied to V2, would have directly detected the Balancer exploit pattern during development.
Certora's conclusion: "Solvency proofs alone are insufficient. Aggregate balance conservation doesn't guarantee protection against rounding attacks; compositional properties like swap reversibility must be formally verified."
Venus Protocol: How Real-Time Monitoring Stopped a Different Attack
One month before the Balancer incident, a different attack demonstrated the other half of the DeFi security equation: detection and response.
In early September 2025, an attacker used a compromised Zoom client to gain system access to a Venus Protocol user's machine, ultimately obtaining delegate control over a wallet holding approximately $13 million in assets. This was not a smart contract vulnerability — it was a social engineering attack. But the outcome depended entirely on how fast the protocol could respond.
Chainalysis's Hexagate monitoring platform flagged suspicious contract deployment activity 18 hours before the attack began. When the malicious transaction executed, Hexagate generated a second alert, which prompted the team to contact Venus immediately. Within 20 minutes of the malicious transaction, Venus paused all markets.
The attacker's wallet was force-liquidated within 7 hours. All $13 million in at-risk funds were fully recovered within 12 hours. Through a governance vote, the Venus community froze an additional $3 million in assets still controlled by the attacker — leaving the perpetrators with a net loss rather than a profit.
The contrast with Balancer is instructive. The Balancer exploit executed and completed before any human or automated system could intervene — 30 minutes from first transaction to last. The Venus incident was neutralized because monitoring infrastructure was already in place before the attack, and governance mechanisms enabled rapid market pausing. Attack prevention and attack response are both necessary; neither alone is sufficient.
DeFi Hack Trends: $3.4B Stolen in 2025, But a Meaningful Divergence Emerging
The Balancer exploit occurred within a broader industry context that deserves attention.
Total cryptocurrency theft reached $3.4 billion in 2025, according to Chainalysis. The Bybit compromise in February 2025 alone accounted for $1.5 billion. The three largest hacks that year accounted for 69% of all service losses — an extreme concentration that suggests the overall ecosystem is not in freefall, but that single large-scale incidents carry outsized risk.
The more significant finding is a pattern Chainalysis describes as historically unprecedented: DeFi total value locked has recovered significantly from its 2023 lows, yet DeFi-specific hack losses have not followed suit. In prior cycles, rising TVL and rising hack losses moved together. That correlation appears to be breaking down.
Halborn's analysis of the top 100 DeFi hacks provides additional context on the protocol security landscape. Only 20% of hacked protocols had undergone security audits before being exploited. Audited protocols accounted for just 10.8% of total historical hack losses — a ratio that suggests audit coverage is one of the higher-leverage investments a protocol can make in its security posture.
Three Lessons Every DeFi Protocol Must Take from Balancer's Exploit
The Balancer incident is not just a post-mortem of one protocol's failure. It is a stress test of common assumptions across the DeFi security field.
Lesson 1: Test arithmetic adversarially, not just correctly.
The rounding error in _upscaleArray was known. It was tested in the context of single operations and found to be negligible. What was not tested was the cumulative effect of 65 adversarially structured operations within a single atomic transaction. Security analysis must model batched, adversarially crafted sequences — not just individual function correctness.
Lesson 2: Formally verify round-trip swap properties.
Certora's "swappingBackAndForth" property is a direct technical response to this class of exploit. Any AMM that allows multi-hop swaps should be able to prove that swapping A→B→A returns no more than the initial A. This must be explicitly verified through formal methods or exhaustive adversarial test suites that include tiny liquidity scenarios.
Lesson 3: Real-time monitoring with rapid governance response is not optional.
The Venus Protocol case demonstrates that even a sophisticated attack can be neutralized if detection infrastructure is in place and governance can act within minutes. For on-chain exploits like the Balancer attack, the window for intervention may be zero — but monitoring is essential for identifying suspicious activity before exploitation begins. Protocols should treat real-time monitoring as a required security layer, not a premium feature.
Conclusion
The Balancer exploit was not a surprise in retrospect — but it was a surprise to the people who built and audited the protocol. That gap between what an auditor checks and what an attacker discovers is where DeFi's most expensive failures live.
Precision in smart contract arithmetic is not an implementation detail. It is a security property that requires adversarial modeling, formal verification, and ongoing monitoring. The rounding error in Balancer V2 was real, it was documented, and it was not considered dangerous. The attacker found a way to make it dangerous by batching, composing, and repeating it until the error compounded to nine figures.
Balancer V3 got the architecture right. The DeFi industry is trending in the right direction — the divergence between recovering TVL and stable hack losses in 2025 suggests that improved security practices are having measurable impact. But the Balancer exploit serves as a reminder that the attack surface is always larger than the last audit assumed.
The next rounding error is already in production somewhere. The question is whether the protocol it lives in will find it first.
