A small rounding error embedded in the smart contract logic of Balancer has triggered a massive multi-chain exploit, draining over $128 million from the protocol’s Composable Stable Pools (CSPs). The incident, which began on November 3, 2025, highlights how a seemingly insignificant precision flaw can cause a catastrophic failure in a complex decentralized finance (DeFi) ecosystem.

A Critical Flaw in Batch Swaps

The attack was first identified by Hypernative’s automated monitoring systems, with Balancer confirming the active exploit shortly after. The vulnerability was located in the “upscale” function used during batch swaps, a feature that processes multiple token trades within a single transaction. According to a preliminary report from Balancer, the flaw specifically affected “EXACT_OUT” swaps, where incorrect rounding of non-integer scaling factors allowed attackers to manipulate pool balances and systematically drain funds.

The exploit was confined to Balancer’s V2 Composable Stable Pools and their forks, such as BEX and Beets, across nine different blockchains, including Ethereum, Base, Arbitrum, and Polygon. Other pool types and the newer V3 protocol were not affected. Blockchain security firm PeckShield placed the total losses at over $128 million, with stolen assets like ETH, osETH, and wstETH being rapidly bridged and laundered through Tornado Cash.

Ecosystem Rallies for Damage Control

In response, Balancer activated its emergency war room to coordinate with security partners and whitehat hackers. The protocol’s Safe Harbor framework, established in 2024, enabled legal intervention from responders to recover funds. The StakeWise DAO successfully retrieved $19 million in osETH and $1.7 million in osGNO in the initial hours.

The broader DeFi community also moved to contain the damage. The Berachain Foundation executed an emergency hard fork to trap stolen funds after a MEV bot operator agreed to return them. Similarly, Sonic Labs froze attacker wallets, while Gnosis and Monerium halted approximately €1.3 million in EURe stablecoins to prevent them from being moved off-chain. Additional recovery efforts from whitehat groups like BitFinding and Base MEV bots secured another $750,000.

A Known Vulnerability and a Plummeting TVL

This breach occurred despite Balancer having undergone more than ten security audits from top firms. Alarmingly, the exploit mirrors a similar rounding-related vulnerability that was first discovered in 2023, suggesting a known issue was leveraged on a much larger scale. Balancer has previously faced other security incidents, including a $520,000 loss in 2020 and a $2.1 million rounding exploit in 2023.

The market impact was immediate and severe. According to data from DeFiLlama, Balancer’s total value locked (TVL) plummeted from $442 million to just over $214 million within 24 hours of the attack and has since fallen to $182 million. To prevent further losses, Balancer has disabled the creation of new CSPs, halted liquidity rewards for affected pools, and enabled recovery-mode withdrawals for liquidity providers to safely exit their positions.