Balancer has confirmed that a subtle rounding error buried deep in its V2 smart contract logic was the root cause of a devastating multi-chain exploit on November 3, 2025. The vulnerability, which went undetected for years despite multiple audits, allowed an attacker to siphon roughly $128 million worth of assets across seven blockchain networks.
How a Tiny Error Became a Massive Breach
The issue stemmed from a precision loss in the swap calculation logic of Balancer’s V2 Composable Stable Pools, specifically in the _upscaleArray and mulDown functions. These functions, responsible for token scaling during pool swaps, introduced downward rounding errors when processing extremely small balances, sometimes as low as 8–9 wei, or a billionth of a billionth of an ether.
While each rounding event created only a minuscule discrepancy, the attacker weaponized the flaw through repeated batch swaps. By chaining hundreds of such micro-swaps into single flash-loan transactions, the exploiter amplified those minor deviations into massive distortions in the pool’s internal balance.
This precision error propagated through the pool’s invariant calculation (D), a key variable that maintains equilibrium between tokens. As the invariant value fell artificially, the price of the Balancer Pool Tokens (BPT) plummeted. The hacker then withdrew assets at deflated valuations, effectively draining the affected pools.
The Multi-Chain Fallout
The exploit targeted Balancer’s deployments on Ethereum, Base, Polygon, Arbitrum, Avalanche, Gnosis, and Berachain, with combined estimated losses of $128.64 million. Only V2 Composable Stable Pools were impacted, newer versions, including V3, remain unaffected.
Balancer’s response was swift. The team paused all vulnerable pools, halted the creation of new ones, and launched a safe withdrawal interface to help users recover remaining funds. The protocol is now working with blockchain forensic specialists to track the stolen tokens and coordinate cross-chain recovery efforts.
Audits, Accountability, and Lessons Learned
Perhaps most troubling for DeFi observers is that Balancer’s V2 code had undergone multiple security audits by reputable firms since 2021. None identified this rounding-based economic logic flaw. The incident has reignited debate over whether traditional code audits can effectively anticipate non-linear economic exploits, those that exploit mathematical edge cases rather than coding oversights.
Balancer’s engineering team described the event as “a precision vulnerability that eluded static analysis,” adding that additional economic stress testing frameworks will be implemented before reactivating affected pools.
The breach underscores a recurring truth in decentralized finance: even a rounding difference of a few wei can become a multimillion-dollar exploit when paired with leverage, composability, and code operating at global scale.