Decentralized finance (DeFi) protocol Balancer has released a preliminary incident report confirming that a rounding error in its swap logic caused the Nov. 3 exploit that drained over $128 million from its liquidity pools across multiple blockchain networks.
The attack targeted Balancer’s Composable Stable Pools (CSPs), affecting deployments on major chains including Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic. Initial losses, first estimated at $70 million, quickly doubled as blockchain analytics firms Nansen and Peckshield tracked the outflows in real time.
What Went Wrong: A Subtle Rounding Bug
According to Balancer’s report, the vulnerability originated from a rounding flaw in the upscale function used for EXACT_OUT swaps within the v2 vault’s batchSwap feature — a function that lets users combine multiple swaps into one gas-efficient transaction.
Attackers exploited how deferred settlement worked in composable pools, allowing liquidity to drop below safe thresholds. When scaling factors were not whole numbers, the system rounded down small amounts, creating discrepancies attackers used to manipulate balances and extract value.
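To make the rounding direction concrete, here is an added toy model (not Balancer's code): a fixed-point pool in which the EXACT_OUT upscale rounds down, beside the conservative version that rounds every step against the trader, plus an exact-rational check that flags any swap where the pool receives less value than it pays out. The 1:1 invariant, scaling factors and amounts are constructed for illustration.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, the convention in most EVM pool math


def mul_down(a: int, b: int) -> int:
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    return -(-(a * b) // ONE)  # ceiling division


def div_down(a: int, b: int) -> int:
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    return -(-(a * ONE) // b)


def upscale(amount: int, scaling_factor: int, round_up: bool) -> int:
    """Token units -> the pool's 18-decimal units."""
    return mul_up(amount, scaling_factor) if round_up else mul_down(amount, scaling_factor)


def downscale(amount: int, scaling_factor: int, round_up: bool) -> int:
    """The pool's 18-decimal units -> token units."""
    return div_up(amount, scaling_factor) if round_up else div_down(amount, scaling_factor)


def quote_exact_out(amount_out: int, sf_out: int, sf_in: int, buggy: bool) -> int:
    """Amount the trader must pay to receive exactly amount_out in a toy 1:1 pool.
    buggy=True models the bug class: the EXACT_OUT upscale rounds down (favours the trader).
    buggy=False rounds every step against the trader, the safe direction."""
    scaled_out = upscale(amount_out, sf_out, round_up=not buggy)
    scaled_in = scaled_out  # toy invariant: one pool unit in per pool unit out
    return downscale(scaled_in, sf_in, round_up=True)


def pool_leaks(amount_out: int, amount_in: int, sf_out: int, sf_in: int) -> bool:
    """Exact-rational check: does the pool hand out more value than it receives?"""
    true_out = Fraction(amount_out * sf_out, ONE)
    true_in = Fraction(amount_in * sf_in, ONE)
    return true_in < true_out


# Constructed inputs: a 6-decimal token whose rate-adjusted scaling factor is not a
# whole multiple of ONE (1e12 decimal shift * 1.05 rate, plus one wei of rate dust).
SF_OUT = 10**12 * (105 * 10**16) + 1
SF_IN = ONE  # plain 18-decimal token, rate 1.0
AMOUNT_OUT = 1  # smallest unit of the 6-decimal token


def leak_per_swap(buggy: bool) -> bool:
    amount_in = quote_exact_out(AMOUNT_OUT, SF_OUT, SF_IN, buggy)
    return pool_leaks(AMOUNT_OUT, amount_in, SF_OUT, SF_IN)
```

The buggy path undercharges by one unit of the input token on each such swap; the check is the kind of invariant a pool's math tests should assert for every rounding path.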
Much of the stolen liquidity was first funneled into the Balancer Vault’s internal balances before being drained through subsequent transactions. The exploit primarily hit Composable Stable v5 pools with expired pause windows, while Balancer’s partner Hypernative automatically paused v6 pools, limiting further damage.
“The incident was limited to Composable Stable Pools on Balancer v2 and its forks such as BEX and Beets,” the team confirmed, adding that Balancer v3 and other pool types remain unaffected.
Cross-Chain Fallout and Partial Recovery
The exploit rippled across several networks and Balancer forks. StakeWise DAO recovered around $19 million in osETH and $1.7 million in osGNO, roughly 73.5% of the stolen osETH. On Berachain, validators executed an emergency hard fork to patch vulnerabilities in BEX’s v2 pools, completed on Nov. 4.
Just half an hour earlier, StakeWise DAO emergency multisig executed a series of transactions, recovering ~5,041 osETH (~$19M) and 13,495 osGNO (~$1.7M) tokens from the Balancer exploiter.
On Ethereum mainnet, this represents 73.5% of the ~6,851 osETH stolen earlier today,…
— StakeWise (@stakewise_io) November 3, 2025
Other partners also took rapid action. Sonic Labs froze addresses linked to the attacker, Gnosis temporarily restricted bridge activity, and Monerium froze 1.3 million EURe within the affected vault. Smaller recoveries totaling about $750,000 were returned to Balancer’s DAO by BitFinding and Base MEV bots.
At approximately 3:45 AM EST on November 3rd, 2025, the Sonic security team was notified of suspicious activity involving a potential exploit on the @Beets_Fi protocol.
As a precautionary measure, the team deployed a safety mechanism planned to be implemented in an upcoming…
— Sonic (@SonicLabs) November 3, 2025
Balancer emphasized that circulating loss estimates are unverified until its ongoing on-chain reconciliation with partners is completed.
Emergency Response and Future Safeguards
In response, Balancer disabled the CSPv6 factory to prevent new pool creation and paused liquidity gauges tied to affected pools to stop emissions. Users are still able to safely withdraw funds from paused pools.
The incident also marked a successful test of Balancer’s Safe Harbor framework (BIP-726), introduced in 2023. The legal mechanism allowed whitehat teams to step in immediately without fear of liability — a move the project says “significantly improved response speed and coordination.”
A final verified report, including confirmed loss and recovery amounts, will be published once partner validations conclude.
A Reminder for DeFi
The Balancer exploit underscores how even small coding oversights — like rounding behavior — can have major consequences in decentralized finance, where billions move autonomously across networks. As Balancer and its partners finalize recovery efforts, the incident serves as a call for tighter auditing standards and proactive automation in multi-chain DeFi systems.