Balancer Protocol Hit by $128M Exploit, Forcing Berachain to Halt Network
The automated market maker Balancer suffered a significant security breach on Monday, resulting in losses estimated at up to $128 million in digital assets across several blockchains. The attack targeted a vulnerability in Balancer V2, impacting its deployments on Ethereum, Arbitrum, and Base.
Because many other protocols have built their products using Balancer’s open-source code, the vulnerability had a cascading effect. Any project using the compromised V2 codebase was also exposed to the same risk.
How a Rounding Error Led to Massive Losses
According to on-chain analytics firm Nansen, the exploit stemmed from a minuscule precision and rounding error within Balancer V2’s liquidity pools. The attacker cleverly executed multiple swaps in a single transaction to push the pools toward this rounding error. This manipulation caused the Balancer Pool Token (BPT), which represents a user’s share in a liquidity pool, to become severely undervalued by the protocol’s own logic.
Nansen research analyst Nicolai Sondergaard explained the process, stating that once the BPT price was artificially depressed, the attacker acquired the tokens at a deflated value. They then immediately redeemed these underpriced BPTs for the underlying assets, converted them to ETH, and profited from the price difference.
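The rounding mechanism described above, shown as an added illustration that is not Balancer's code and not taken from Nansen's analysis. It uses a constructed two-token constant-product pool with integer balances (not the Composable Stable Pool math), where the only difference between the two runs is whether the amount charged to the trader is rounded down or up. All function names and balances are assumptions made for the example.

```python
# Constructed toy model: a two-token constant-product pool with integer
# balances. It is NOT Balancer's stable-pool math; it only shows how the
# rounding direction of one division moves the value backing each share.

def amount_in_for_exact_out(bal_in, bal_out, out, round_up):
    """Input the pool must charge so that bal_in * bal_out does not shrink."""
    if not 0 < out < bal_out:
        raise ValueError("out must be positive and less than the balance")
    num, den = bal_in * out, bal_out - out
    # Floor undercharges the trader; ceiling rounds in the pool's favour.
    return -(-num // den) if round_up else num // den


def swap(pool, give, take, out, round_up):
    """Apply one exact-out swap in place and return the amount charged."""
    charged = amount_in_for_exact_out(pool[give], pool[take], out, round_up)
    pool[give] += charged
    pool[take] -= out
    return charged


def run_batch(round_up, rounds=3):
    """Run alternating 1-unit swaps as one batch on deliberately tiny balances.

    Returns the invariant (product of balances) after every swap. With a
    fixed share supply, a falling invariant means each share is worth less.
    """
    pool = {"a": 9, "b": 9}  # constructed sample balances
    history = [pool["a"] * pool["b"]]
    for _ in range(rounds):
        swap(pool, "a", "b", 1, round_up)
        history.append(pool["a"] * pool["b"])
        swap(pool, "b", "a", 1, round_up)
        history.append(pool["a"] * pool["b"])
    return history


def invariant_never_decreases(history):
    """Property a pool must keep after every swap for shares to hold value."""
    return all(later >= earlier for earlier, later in zip(history, history[1:]))


if __name__ == "__main__":
    for mode in (False, True):
        h = run_batch(round_up=mode)
        print("round_up" if mode else "round_down", h, invariant_never_decreases(h))
```

In the round-down run the invariant falls after every swap, so a share of the pool is backed by less each time; asserting `invariant_never_decreases` per swap in a test suite is one way to flag this class of bug before deployment.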
Security firms Cyvers and PeckShield place the total losses near $128 million. Nansen’s estimate is closer to $100 million, a figure that has fluctuated with the broader market downturn. The stolen funds were quickly moved through various addresses and swapped on decentralized exchanges.
Balancer has since acknowledged the exploit, confirming that the issue was isolated to its V2 Composable Stable Pools and that its V3 pools remain secure. The project is collaborating with security researchers to conduct a full postmortem. In the wake of the news, Balancer’s native BAL token dropped over 11%, reducing its market capitalization to $56 million.
Berachain Halts Network in Controversial Move
The Balancer exploit had severe consequences for Berachain, a blockchain whose native decentralized exchange was built on the vulnerable V2 codebase. The network sustained heavy losses, estimated at around $12.86 million.
In response, Berachain validators coordinated to halt the entire blockchain. The team plans to execute an emergency hard fork to roll the chain back to its state before the attack occurred, effectively reversing the malicious transactions. The Berachain Foundation noted that since the exploit affected non-native assets, the rollback is a complex procedure that required a temporary network shutdown.
This decision has sparked debate within the crypto community, as intentionally rolling back a blockchain challenges the core principle of immutability. The situation echoes the infamous 2016 hack of The DAO on Ethereum, which led to a contentious hard fork that split the community and created what is now known as Ethereum Classic.
Smokey the Bera, the pseudonymous founder of Berachain, acknowledged the controversial nature of the decision. “Users and LPs on the network are always our priority,” he wrote on X. “When approximately $12 million of user funds are at risk from a malicious attacker, we attempted to coordinate the validator set to protect those users.” He added that the primary goal is to recover funds and ensure all liquidity providers are made whole. Following the incident, Berachain’s token also saw a nearly 10% price drop.