A minor rounding error hidden deep inside Balancer’s smart contracts has led to one of the largest decentralized finance (DeFi) exploits of 2025, draining more than $128 million from its Composable Stable Pools (CSPs) across multiple blockchains.
The exploit began on November 3 at 07:46 UTC and was first detected by Hypernative’s automated monitoring system.
Minutes later, Balancer confirmed an active attack targeting its V2 Composable Stable Pools across networks including Ethereum, Base, Arbitrum, Avalanche, Optimism, Gnosis, Polygon, Berachain, and Sonic.
Notably, other Balancer pool types and its V3 protocol were unaffected.
If Balancer Passed 10 Audits, What Went Wrong This Time?
According to Balancer’s preliminary report, the breach was caused by a small but critical rounding miscalculation in the “upscale” function used during batch swaps, a feature that lets multiple token swaps be executed in a single transaction.
The flaw appeared in code handling “EXACT_OUT” swaps, in which the trader specifies the amount to receive and the pool computes what the trader owes. With non-integer scaling factors (tokens whose raw units are converted to 18-decimal values by a factor that is not a whole number), the upscale rounded in the wrong direction, so the error landed on the trader’s side rather than the pool’s; this allowed attackers to manipulate pool balances and extract funds in quick succession.
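As an added illustration of the rounding-direction point (this is not Balancer’s code, and it uses a toy constant-product pool rather than Balancer’s stable-swap math), the Python below models the upscale step of an EXACT_OUT quote. The scaling factors, reserves and trade size are constructed, with deliberately tiny reserves so that one unit of rounding is a visible fraction of the trade; the function names (`quote_exact_out`, `leak_demo`, `role_aware_never_leaks`) are this example’s own. It contrasts the bug class, every upscale rounding down regardless of what the number is used for, with rounding each quantity in the direction that favours the pool, and checks the second variant against the pool’s exact invariant.

```python
import random
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, the convention of Solidity DeFi math


def mul_down(a: int, b: int) -> int:
    """a * b / ONE, rounded toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b / ONE, rounded away from zero."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_up(a: int, b: int) -> int:
    """a / b, rounded away from zero (b > 0)."""
    return 0 if a == 0 else (a - 1) // b + 1


def upscale(raw: int, sf: int, round_up: bool) -> int:
    """Raw token units -> 18-decimal scaled units: raw * sf / ONE.
    With a non-integer scaling factor the result is inexact, so the
    caller must say which way to round."""
    return mul_up(raw, sf) if round_up else mul_down(raw, sf)


def downscale_up(scaled: int, sf: int) -> int:
    """Scaled units -> raw units, rounded up (for amounts the trader owes)."""
    return div_up(scaled * ONE, sf)


def true_scaled(raw: int, sf: int) -> Fraction:
    """Exact rational value of a raw balance in scaled units (reference only)."""
    return Fraction(raw * sf, ONE)


def quote_exact_out(bal_in, sf_in, bal_out, sf_out, amount_out, role_aware):
    """Raw amount of token-in charged for an EXACT_OUT swap in a toy
    constant-product pool (x * y = k in scaled units).
    role_aware=False is the bug class: every upscale rounds down, whatever
    the number is later used for."""
    if role_aware:
        x = upscale(bal_in, sf_in, round_up=True)         # reserve of token-in: never understate
        y = upscale(bal_out, sf_out, round_up=False)      # reserve of token-out: never overstate
        out = upscale(amount_out, sf_out, round_up=True)  # charge for at least what leaves the pool
    else:
        x = upscale(bal_in, sf_in, round_up=False)
        y = upscale(bal_out, sf_out, round_up=False)
        out = upscale(amount_out, sf_out, round_up=False)
    if out >= y:
        raise ValueError("insufficient liquidity")
    amount_in_scaled = div_up(x * out, y - out)  # x * out / (y - out), rounded up
    return downscale_up(amount_in_scaled, sf_in)


def invariant_after(bal_in, sf_in, bal_out, sf_out, amount_out, amount_in):
    """Exact constant-product invariant once the swap has settled."""
    return true_scaled(bal_in + amount_in, sf_in) * true_scaled(bal_out - amount_out, sf_out)


def leak_demo():
    """Constructed case: an 18-decimal token-in (scaling factor exactly 1) against a
    rate-scaled token-out with scaling factor 1.5, and deliberately tiny reserves so
    that one unit of rounding is a large fraction of the trade."""
    sf_in, sf_out = ONE, 3 * ONE // 2
    bal_in, bal_out, amount_out = 10**6, 1000, 1
    k0 = true_scaled(bal_in, sf_in) * true_scaled(bal_out, sf_out)
    results = {}
    for name, aware in (("naive", False), ("role_aware", True)):
        amount_in = quote_exact_out(bal_in, sf_in, bal_out, sf_out, amount_out, aware)
        k1 = invariant_after(bal_in, sf_in, bal_out, sf_out, amount_out, amount_in)
        results[name] = (amount_in, k1 >= k0)  # (what the trader pays, did the pool keep its invariant?)
    return results


def role_aware_never_leaks(trials=2000, seed=1):
    """Randomised check of the property role-aware rounding is meant to give:
    the pool's exact invariant never decreases on an EXACT_OUT swap."""
    rng = random.Random(seed)
    for _ in range(trials):
        sf_in = rng.randrange(ONE // 2, 3 * ONE)
        sf_out = rng.randrange(ONE // 2, 3 * ONE)
        bal_in, bal_out = rng.randrange(1, 10**6), rng.randrange(2, 10**6)
        amount_out = rng.randrange(1, bal_out)
        try:
            amount_in = quote_exact_out(bal_in, sf_in, bal_out, sf_out, amount_out, True)
        except ValueError:
            continue
        k0 = true_scaled(bal_in, sf_in) * true_scaled(bal_out, sf_out)
        if invariant_after(bal_in, sf_in, bal_out, sf_out, amount_out, amount_in) < k0:
            return False
    return True


if __name__ == "__main__":
    print(leak_demo())  # {'naive': (668, False), 'role_aware': (1336, True)}
    print(role_aware_never_leaks())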
Balancer said the attack was confined to V2 Composable Stable Pools and their forks, such as BEX and Beets.
Early assessments suggest that the affected contracts were primarily those whose pause windows had expired and so could no longer be halted, while newer CSPv6 pools were automatically paused by Hypernative’s emergency controls within minutes of detection.
Blockchain security firm PeckShield estimated total losses above $128 million, though Balancer said the exact figures are still being verified. Stolen assets, including ETH, osETH, and wstETH, were quickly bridged and partially laundered through Tornado Cash.
Balancer activated its emergency war room, coordinating with partners, whitehats, and security teams to contain the attack.
Its Safe Harbor framework (BIP-726), adopted in 2024, allowed whitehat responders to intervene legally and recover funds. Early recoveries included $19 million in osETH and $1.7 million in osGNO retrieved by the StakeWise DAO.
Further efforts across the DeFi ecosystem helped curb losses. The Berachain Foundation executed an emergency hard fork to trap stolen funds after an MEV bot operator agreed to return them.
Sonic Labs froze attacker wallets, while Gnosis and Monerium halted around €1.3 million in EURe stablecoins to prevent cross-chain movement. Whitehat groups, including BitFinding and Base MEV bots, recovered a further $750,000.
In its latest update, Balancer noted that it had disabled the CSPv6 factory to prevent new pool creation, halted liquidity gauges for affected pools to stop emissions, and enabled recovery-mode withdrawals for liquidity providers.
Users with assets in paused pools can now withdraw their underlying tokens proportionally.
Balancer emphasized that its V3 pools and non-stable V2 pools remain unaffected and fully operational.
Balancer’s Breach Tied to Previously Known Rounding Flaw, TVL Plunges Over 50%
The breach comes despite Balancer’s long-standing reputation for robust security. The protocol, one of DeFi’s oldest automated market makers, has undergone more than ten audits by top firms, including OpenZeppelin, Trail of Bits, and Certora.
Yet this latest exploit mirrors an earlier rounding-related vulnerability discovered in 2023, the same class of flaw that attackers have now used on a much larger scale.
Balancer has faced several security incidents in its history, including a $520,000 loss in 2020, a $2.1 million rounding exploit in 2023, and a DNS hijack later that same year.
Following the breach, Balancer’s total value locked (TVL) dropped sharply from $442 million on November 2 to just over $214 million within 24 hours; it has since fallen to $182 million, according to DeFiLlama.

The impact sent shockwaves across the DeFi ecosystem, with a large whale wallet withdrawing $6.5 million shortly after the attack.
The post How a Tiny Rounding Error Ignited Balancer’s $128M Multi-Chain DeFi Exploit appeared first on Cryptonews.
