Imagine a bank vault, not made of steel and concrete, but lines of code. Now imagine a tiny, almost invisible crack in that code, a flaw so small it seems harmless. This is essentially what happened to Balancer, a major player in decentralized finance (DeFi), when a rounding error opened the door for an exploit that drained tens of millions of dollars across various blockchain networks.
- A subtle rounding error in Balancer’s v2 vault’s batchSwap feature, specifically within the upscale function for EXACT_OUT swaps, was exploited. This mathematical miscalculation allowed attackers to manipulate balances by exploiting deferred settlement and causing liquidity to dip below minimum thresholds.
- The exploit primarily affected Composable Stable v5 pools which had expired pause windows, while newer v6 pools were automatically paused by security partners, limiting further damage. The incident spread across multiple blockchain networks and their Balancer forks, impacting platforms like BEX on Berachain and Beets on Sonic.
- Community and ecosystem partners rallied to contain the fallout, with significant funds recovered and attacker addresses frozen. Berachain validators even halted their network for an emergency hard fork to address the vulnerability, demonstrating a rapid, coordinated response to mitigate the crisis.
The incident, which unfolded on November 3, hit Balancer’s Composable Stable Pools (CSPs). These are specialized liquidity pools (shared pots of tokens traders swap against) designed to keep certain assets stable. The initial estimates of the losses were stark, quickly climbing from around $70 million to over $128 million, according to blockchain analytics firms.
Balancer, an automated market maker (AMM) and liquidity platform, found itself in a scramble. Its security partner, Hypernative, first flagged the suspicious activity. Soon after, a host of contributors and whitehat responders, including SEAL 911, BitFinding, and StakeWise, jumped in to help stop the bleeding.
The Tiny Flaw That Caused Big Trouble
So, what exactly went wrong? Balancer’s preliminary report points to a rounding error. This wasn’t some grand, sophisticated hack involving zero-day exploits. It was a subtle mathematical miscalculation within the v2 vault’s batchSwap feature.
Think of batchSwap as a way for users to bundle several token swaps into one transaction. This saves on gas fees, which are the costs associated with performing operations on a blockchain. The problem lay in the upscale function for EXACT_OUT swaps.
An EXACT_OUT swap means a user wants to receive a precise amount of a certain token. The system then calculates how much of another token they need to put in. The rounding error occurred when non-integer scaling factors were involved in these calculations. The system would round down, creating tiny, almost imperceptible discrepancies.
Attackers, with a keen eye for such details, exploited how deferred settlement worked in these composable pools. This allowed the liquidity (the total value of tokens in the pool) to dip below minimum thresholds. The small rounding differences, when repeated and amplified, let the attackers manipulate balances. They could then drain value from the pools.
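To make the rounding direction concrete, here is an added example (not Balancer's code) that models the vault's fixed-point upscale/downscale around an EXACT_OUT quote. The pool math is a constructed linear price rather than StableMath, and the token, scaling factor and price values are constructed; it shows only the per-swap sign of the error and its linear build-up over repeated swaps, not the amplification the attackers used.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point: ONE represents 1.0

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, truncating the remainder (rounds toward zero)."""
    return a * b // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding any remainder up."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1

def div_up(a: int, b: int) -> int:
    """Fixed-point divide a by b, rounding up."""
    return 0 if a == 0 else (a * ONE + b - 1) // b

def exact_out_amount_in(amount_out_raw: int, scaling_factor: int,
                        price: int, round_up: bool) -> int:
    """Quote the raw amount a trader must pay to receive amount_out_raw.
    Mirrors the vault/pool split: upscale the requested output into 18-dp
    pool units, run the pool math, then downscale the resulting input.
    The pool math is a constructed linear price (assumption), not
    Balancer's StableMath; only the rounding direction is under study."""
    mul = mul_up if round_up else mul_down
    out_scaled = mul(amount_out_raw, scaling_factor)   # upscale
    in_scaled = mul(out_scaled, price)                  # pool math (linear)
    if round_up:                                        # downscale
        return div_up(in_scaled, scaling_factor)
    return in_scaled * ONE // scaling_factor

def pool_shortfall(amount_out_raw: int, scaling_factor: int,
                   price: int, round_up: bool) -> Fraction:
    """Exact amount owed minus the amount actually charged.
    Positive means the pool undercharged on this swap."""
    exact = Fraction(amount_out_raw * price, ONE)
    return exact - exact_out_amount_in(amount_out_raw, scaling_factor, price, round_up)

# Constructed inputs: an 18-decimal rate-bearing token whose scaling factor
# is a non-integer rate (about 1.05) and a fixed-point price of 4/3.
AMOUNT_OUT = 999_999_999
SCALING_FACTOR = 1_050_000_000_000_000_001
PRICE = 1_333_333_333_333_333_333

if __name__ == "__main__":
    for swaps in (1, 10_000):
        down = swaps * pool_shortfall(AMOUNT_OUT, SCALING_FACTOR, PRICE, False)
        up = swaps * pool_shortfall(AMOUNT_OUT, SCALING_FACTOR, PRICE, True)
        print(f"{swaps:>6} swaps  round-down shortfall={float(down):.3f} wei"
              f"  round-up shortfall={float(up):.3f} wei")
```

The check a reviewer wants is the invariant this exposes: any amount the trader owes the pool must be rounded up at every step, so that the shortfall is never positive regardless of the scaling factor.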
Funds often took a detour first. They were redirected into Balancer Vault’s internal balances. Then, they were withdrawn through follow-up transactions. It was a multi-step process, carefully executed.
The exploit primarily affected Composable Stable v5 pools. These pools had what’s called “expired pause windows,” meaning their emergency stop mechanisms were no longer active. Thankfully, Hypernative’s emergency automation automatically paused the newer v6 pools, limiting further damage.
Balancer clarified that the incident was limited to its v2 Composable Stable Pools and their forks on other chains. This includes platforms like BEX and Beets. Balancer v3 and all other pool types remained untouched, a small comfort in a stressful situation.
The CSPv6 pools, though automatically paused, were moved into a recovery mode under emergency controls. It’s a bit like putting a damaged car into the repair shop, but keeping it on a tow truck for safety.
A Multi-Chain Ripple and Recovery Efforts
This wasn’t just a problem on one blockchain. The attack spread across several networks and their Balancer forks. We saw impacts on BEX on Berachain, Beets on Sonic, and various Gnosis-based deployments. It was a wide net, indeed.
But the crypto community, for all its quirks, often rallies in a crisis. Ecosystem partners quickly initiated emergency actions to contain the fallout. StakeWise DAO, for example, managed to recover approximately $19 million in osETH and $1.7 million in osGNO. That’s a significant chunk, roughly 73.5% of the stolen osETH, pulled back from the brink.
Berachain validators took a drastic, but necessary, step. They halted their entire network to perform an emergency hard fork. This was to address BEX’s v2 exposure. The hard fork was completed swiftly on November 4, showing a rapid, coordinated response.
Meanwhile, Sonic Labs froze suspected attacker addresses, putting a stop to fund movements tied to its Balancer fork. Gnosis temporarily restricted bridge activity. This was a smart move to prevent the exploit from spreading further across different chains. Monerium also stepped in, freezing 1.3 million EURe in the affected vault.
Smaller, but still important, sums were recovered by BitFinding and Base MEV bots. They managed to retrieve about $750,000 in total. These funds were then returned to the Balancer DAO. It’s a testament to the collective effort when things go sideways.
Balancer stated that a portion of the affected assets has either been recovered or frozen. They also mentioned that a final, verified accounting will be published once all partners complete their on-chain reconciliation. Until then, any circulating loss figures are unconfirmed, a reminder that in crypto, numbers can shift quickly.
Looking Ahead: Mitigations and Next Steps
In the immediate aftermath, Balancer took several steps to prevent a repeat performance. They disabled the CSPv6 factory, which means no new vulnerable pools can be created. They also halted liquidity gauges for affected pools, stopping further token emissions.
To help users, the team enabled liquidity pool exits from paused pools. This allows for safe withdrawals, giving people a way to get their assets out without further risk. It’s a crucial step in rebuilding trust.
An interesting aspect of the response was the protocol’s Safe Harbor legal framework (BIP-726). Adopted just last year, this framework allowed whitehat teams to intervene immediately. They could act without legal risk, which Balancer said “materially improved response speed and coordination.” It’s a good example of how forward-thinking governance can make a real difference when disaster strikes.
We’re still waiting for the full picture. A final report, which will include confirmed loss and recovery figures, is expected. Balancer says this will come “once all partner validations are complete.” It’s a complex process, untangling transactions across multiple chains and entities.
This incident serves as a stark reminder. Even the most sophisticated systems can have tiny, hidden flaws. And in the world of DeFi, those flaws can have very real, very expensive consequences. It also highlights the resilience of the community, often quick to respond and work together when the chips are down.