
Decentralized finance (DeFi) protocol and automated market maker Balancer announced that it has issued an initial report regarding a recent security incident involving its infrastructure.
According to the statement, at 07:46 UTC on Monday, Hypernative’s monitoring system detected unusual activity suggesting an exploit targeting Balancer V2 Composable Stable Pools. Further investigation confirmed that the issue impacted pools across several networks, including Ethereum, Base, Avalanche, Gnosis, Berachain, Polygon, Sonic, Arbitrum, and Optimism.
The vulnerability was confined to Balancer V2 Composable Stable Pools and their derivatives on related chains such as BEX and Beets, while Balancer V3 and other pool types remained unaffected.
In response, the Balancer team worked with contributors, security partners, and whitehat responders to contain the incident, recover part of the affected assets, and freeze compromised funds.
A coordinated response effort was managed through a dedicated war room to oversee containment, communication, and asset recovery across multiple networks. CSPv6 Pools were switched to Recovery Mode, and mitigation steps were implemented in collaboration with external partners under the SEAL Safe Harbor framework.
Although the final scope of losses is still being assessed, the exploit has been described as large. A detailed post-mortem report will be released following the completion of ongoing technical and legal evaluations.
The initial technical analysis identified that the vulnerability originated from the design of the Balancer V2 Vault, which supports both simple and batch swaps. The batch swap function enables multiple operations to occur within a single transaction, improving gas efficiency through deferred settlement, a mechanism that allows temporary use of tokens as long as balances are restored by the end of the process. Within composable stable pools, liquidity provider tokens were treated as standard tokens, effectively bypassing the minimum supply threshold and allowing liquidity levels to fall to unusually low values.
The exploit leveraged an issue in the rounding behavior of the upscale function for EXACT_OUT swaps in composable stable pools. Specifically, the function rounded down when scaling factors were non-integer, creating discrepancies that could be exploited through the batchSwap feature to manipulate balances and extract value. Some affected assets remained temporarily within internal Vault balances before being withdrawn in subsequent transactions.
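To make the rounding behavior described above concrete, here is an added example (not Balancer's code and not part of the report) that models 18-decimal fixed-point scaling in Python and checks whether the rounding direction of an EXACT_OUT amount favors the pool. The function names, the 1.058 scaling factor, and the sample amounts are constructed assumptions.

```python
ONE = 10**18  # 18-decimal fixed point: 1.0 is represented as 10**18 (assumed model)

def mul_down(a, b):
    """Fixed-point multiply, truncating any remainder."""
    return (a * b) // ONE

def mul_up(a, b):
    """Fixed-point multiply, rounding any remainder up."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1

def upscale(amount, scaling_factor, round_up):
    """Scale a raw token amount into the pool's internal precision."""
    return (mul_up if round_up else mul_down)(amount, scaling_factor)

def rounding_loss(amount, scaling_factor):
    """Internal units dropped by rounding down instead of up (0 or 1)."""
    return mul_up(amount, scaling_factor) - mul_down(amount, scaling_factor)

def shortfall_ppm(amount, scaling_factor):
    """Parts per million by which the rounded-down value understates the exact one."""
    product = amount * scaling_factor
    if product == 0:
        return 0
    return (product - mul_down(amount, scaling_factor) * ONE) * 10**6 // product

def favours_pool(amount_out, scaling_factor, round_up):
    """EXACT_OUT check: the scaled output must never be below the exact value."""
    scaled = upscale(amount_out, scaling_factor, round_up)
    return scaled * ONE >= amount_out * scaling_factor

# Constructed sample values, not taken from any real pool.
SF_INTEGER = 10**12 * ONE                  # whole-number factor (6-decimal token)
SF_FRACTIONAL = 1_058_000_000_000_000_000  # 1.058, a non-integer factor

if __name__ == "__main__":
    for amount in (17, 10**9 + 1, 10**18 + 1):
        print(
            f"amount={amount}: "
            f"loss(integer sf)={rounding_loss(amount, SF_INTEGER)}, "
            f"loss(1.058 sf)={rounding_loss(amount, SF_FRACTIONAL)}, "
            f"shortfall={shortfall_ppm(amount, SF_FRACTIONAL)} ppm, "
            f"down ok={favours_pool(amount, SF_FRACTIONAL, False)}, "
            f"up ok={favours_pool(amount, SF_FRACTIONAL, True)}"
        )
```

The one-unit shortfall is negligible at ordinary amounts but becomes a measurable fraction of the value when the amounts being scaled are very small, which is why the unusually low liquidity levels mentioned above matter.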
The vulnerability primarily affected Composable Stable v5 pools with expired pause windows, while Composable Stable v6 pools were automatically paused through Hypernative’s emergency controls and protected from further impact. Balancer V3 and other V2 pool types were not affected.
Mitigation efforts focused on containment, recovery, and cross-chain verification. Emergency response measures included freezing vulnerable pools, disabling the creation of new ones, halting emissions, and initiating recovery operations in collaboration with partners and whitehat teams under the SEAL Safe Harbor framework. Several entities contributed to fund recovery, including StakeWise, which retrieved over 70% of stolen osETH, and BitFinding, which intercepted approximately $600,000 worth of exploited assets. Additional interventions came from partners such as Sonic Labs, Berachain validators, and Monerium, which implemented network halts or freezes to prevent further losses.
Balancer noted that it continues to coordinate with external auditors, exchanges, and recovery teams to verify fund movements and reconcile affected addresses.
Operations on unaffected Balancer pools continue to function securely, as the exploit vector was limited to certain Composable Stable Pool types within Balancer V2. Balancer V3 and all other V2 pool categories remain unaffected and operate as normal. For users in paused Composable Stable v6 pools, Recovery Mode has been activated, allowing proportional withdrawal of underlying assets. Composable Stable v5 pools were impacted and remain under active review, and users are advised to refrain from interacting with these contracts until official confirmation is released.
All verified communications and instructions will be issued solely through Balancer’s official channels. Updates regarding fund recovery, reconciled impact figures, and post-mortem findings will be published once cross-chain and partner verification processes are complete. Recovery and tracing efforts continue in collaboration with security firms, auditors, and whitehat teams under the SEAL and zeroShadow coordination framework, ensuring transparency and compliance throughout the fund restitution process.
The post Balancer Releases Preliminary Report On Its $128M Exploit, Finds Rounding Error In Bulk Exchange Transactions appeared first on Metaverse Post.