
Inside the Balancer Rounding Flaw: How Tiny Decimal Errors Drained $128 Million From DeFi Pools

The decentralized finance ecosystem suffered one of its most sophisticated exploits on November 4, 2025, when attackers drained approximately $128 million from Balancer V2 composable stable pools across nine blockchain networks. What makes this attack particularly striking is not its scale but its simplicity at its core — a rounding direction error in a scaling function that had existed in production since 2021.

The Exploit Mechanics

At the heart of the vulnerability lay Balancer's token scaling logic. Most tokens on Ethereum use 18 decimal places, but some use fewer. Balancer's Vault upscales every token amount to 18 decimals before the pool math runs and downscales the result afterwards, so that every pool calculates at a consistent precision. The problem was the rounding direction applied during that scaling in EXACT_OUT batch swaps, where the trader names the amount they want to receive and the pool computes what they must pay.

According to Balancer's preliminary incident report published on November 6, the upscale function always rounded down, whatever the context, while the downscale step has separate round-up and round-down variants. In an EXACT_OUT swap the amount being upscaled is the output the trader asked for, and rounding it down understates what the pool is giving away: that quantity should be rounded up, in the pool's favor. The discrepancy per swap is tiny, but a batch swap lets the mis-rounded step be repeated many times in a single transaction, and the attackers used that to manipulate pool balances and extract value.

The attack specifically targeted composable stable pools, where the LP receipt token (BPT) is itself held in the pool and swapped like any other token. That design let the attackers get around the minimum pool supply limit and push the pool's effective balances to extremely low values, where a rounding error of a single unit becomes a large relative error in the pool's math. By deflating the BPT price through repeated batch swaps and then trading against the deflated price, the attackers systematically drained pools across Ethereum, Base, Avalanche, Gnosis, Berachain, Polygon, Sonic, Arbitrum, and Optimism.
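To make the two ideas above concrete, the block below is an added example written for this page, not Balancer's contract code. It implements 18-decimal fixed-point helpers with an explicit rounding direction, an upscale step that can round either way, and an EXACT_OUT quote on a toy constant-product pool (Balancer's composable stable pools use a different invariant, so only the rounding behaviour carries over). The rate of 1.125, the balances, the trade size and all function names are constructed for the example. It shows that the round-down upscale costs the pool one unit on a deep pool, and half the fair price once the pool's balance has been pushed down to a few units.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit, as in Balancer's FixedPoint library


def mul_down(a: int, b: int) -> int:
    """a * b / ONE, rounding toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b / ONE, rounding away from zero (non-negative inputs)."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_up(a: int, b: int) -> int:
    """a / b in fixed point, rounding up."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def ceil_div(a: int, b: int) -> int:
    """Plain integer ceiling division for non-negative a and positive b."""
    return -(-a // b)


def scaling_factor(decimals: int, rate: int = ONE) -> int:
    """Factor that lifts a `decimals`-precision raw amount to 18 decimals and
    applies a rate-provider rate (rate == ONE means 1:1). The composition
    used here is an assumption of this example."""
    return mul_down(ONE * 10 ** (18 - decimals), rate)


def upscale(amount: int, factor: int, round_up: bool) -> int:
    """Raw -> scaled. The direction is the whole point: an upscale that can
    only round down hands the caller every fractional unit."""
    return mul_up(amount, factor) if round_up else mul_down(amount, factor)


def downscale_up(amount: int, factor: int) -> int:
    """Scaled -> raw, rounding up (used for amounts the trader must pay in)."""
    return div_up(amount, factor)


def exact_out_amount_in(bal_in: int, bal_out: int, amount_out: int,
                        f_in: int, f_out: int, round_out_up: bool) -> int:
    """Raw token_in the trader pays for `amount_out` raw token_out on a toy
    constant-product pool (x * y = k) whose maths runs in scaled units."""
    bal_in_s = upscale(bal_in, f_in, round_up=False)
    bal_out_s = upscale(bal_out, f_out, round_up=False)
    out_s = upscale(amount_out, f_out, round_up=round_out_up)
    if out_s >= bal_out_s:
        raise ValueError("amount out exceeds pool balance")
    # amount_in = bal_in * out / (bal_out - out), rounded up in the pool's
    # favour; that rounding cannot repair an out_s that was already rounded down.
    in_s = ceil_div(bal_in_s * out_s, bal_out_s - out_s)
    return downscale_up(in_s, f_in)


def fair_amount_in(bal_in: int, bal_out: int, amount_out: int,
                   f_in: int, f_out: int) -> Fraction:
    """The same quote in exact rational arithmetic, for comparison."""
    bal_in_x = Fraction(bal_in * f_in, ONE)
    bal_out_x = Fraction(bal_out * f_out, ONE)
    out_x = Fraction(amount_out * f_out, ONE)
    return bal_in_x * out_x / (bal_out_x - out_x) * ONE / f_in


def rounding_shortfall(bal_in: int, bal_out: int, amount_out: int,
                       f_in: int, f_out: int) -> int:
    """Token_in the pool fails to collect because the requested output was
    upscaled with round-down instead of round-up."""
    args = (bal_in, bal_out, amount_out, f_in, f_out)
    return exact_out_amount_in(*args, True) - exact_out_amount_in(*args, False)


# Constructed scenario (numbers invented for this example, not incident data):
# token_in is a plain 18-decimal token; token_out is an 18-decimal token whose
# rate provider reports 1.125, so each raw unit scales to 1.125 and odd raw
# amounts leave a fractional remainder for the rounding direction to decide.
RATE = 1_125_000_000_000_000_000
F_IN = scaling_factor(18)
F_OUT = scaling_factor(18, RATE)
DEEP = (1_000_000 * ONE, 1_000_000 * ONE, 7, F_IN, F_OUT)   # 1M tokens a side
SHALLOW = (ONE, 8, 7, F_IN, F_OUT)                          # 8 wei of token_out

if __name__ == "__main__":
    for name, args in (("deep pool", DEEP), ("drained pool", SHALLOW)):
        print(f"{name}: pay {exact_out_amount_in(*args, False)} (round down) "
              f"vs {exact_out_amount_in(*args, True)} (round up), "
              f"fair {float(fair_amount_in(*args)):.3f}, "
              f"shortfall {rounding_shortfall(*args)} wei")
```

On the deep pool the two rounding directions differ by a single wei on a million-token balance, which is why the flaw looked harmless for years. On the drained pool the scaled balance is 9 units and the requested output scales to 7.875: rounding it down to 7 leaves a denominator of 2 instead of 1.125, and the trader pays 3.5 tokens for output whose fair price is 7. The general rule the example encodes is that every rounding step must be chosen per code path to disadvantage the caller, and the choice must be re-checked for each swap kind rather than assumed from the direction that is correct for EXACT_IN.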

Former CISA Director Chris Krebs compared the exploit to the scheme in the film Office Space, in which fractions of a penny are skimmed from many transactions. The analogy is apt: each rounding error on its own was a minuscule discrepancy, but combined with flash loans and batch swap mechanics, the cumulative effect reached nine figures.

Affected Systems

The exploit impacted Balancer V2 composable stable pools, specifically the Composable Stable v5 variant that had exited its pause window. Pools still within their pause window were quickly frozen by the Balancer team and placed into recovery mode. Balancer V2 pools can only be paused for a fixed window after deployment; once that window lapses, the pause function is permanently disabled, so pools that had been live for years could no longer be paused through governance.

The attack’s multi-chain nature amplified its impact. Blockchain security firm BlockSec Phalcon noted that exploited funds frequently remained within the Balancer Vault as internal balances before being withdrawn in subsequent transactions, giving defenders a narrow window to respond. Initial estimates suggested roughly $128 million in losses, but rapid community intervention — including fund freezes by Polygon and Sonic validators and an emergency hard fork by Berachain — reduced actual losses by more than $20 million.

Bitcoin was trading near $101,300 and Ethereum around $3,310 at the time of the incident, according to CoinMarketCap data. The broader crypto market was already experiencing a downtrend, with Bitcoin declining 2.5% and Ethereum falling 3.3% over the preceding 24 hours.

The Mitigation Strategy

Balancer’s response unfolded across multiple phases. Immediate mitigation involved pausing all pools that remained within their governance pause window. The team then coordinated with blockchain validators, security researchers, exchange operators, and whitehat teams to trace and recover exploited funds. Polygon and Sonic took the extraordinary step of freezing attacker assets at the validator level, while Berachain deployed an emergency hard fork designed to allow affected users to reclaim their funds.

These responses, while effective at limiting losses, reignited debates about decentralization in practice. Critics noted the irony of DeFi protocols relying on centralized intervention to recover from exploits, while supporters argued that the ability to coordinate emergency responses represents a strength rather than a weakness of the ecosystem.

Lessons Learned

The Balancer exploit underscores several critical security principles for DeFi protocols. First, the rounding direction in financial calculations must be chosen deliberately in every code path so that each rounding error favors the pool rather than the caller, and that choice must be audited on its own rather than as a side detail of other logic. The fact that this vulnerability survived multiple professional security audits from respected firms suggests that rounding direction is an easily overlooked attack surface.

Second, pause windows and governance-controlled emergency mechanisms must extend for the lifetime of high-value pools. Pools that have been live for years but can no longer be paused represent an unacceptable risk profile when managing hundreds of millions of dollars in user funds.

Third, the multi-chain deployment pattern multiplies risk. A single code vulnerability in Balancer's V2 contracts propagated across nine blockchains simultaneously, creating a compounded loss that no single chain's response could contain.

User Action Required

Users who held funds in Balancer V2 composable stable pools should immediately check the Balancer official incident report and follow recovery instructions. The protocol recommends refraining from interacting with any Composable Stable v5 pools that were outside the pause window. Users should verify recovery addresses through official Balancer communication channels and remain vigilant against phishing attempts that commonly follow major exploits. As Balancer continues working with partners to reconcile losses and distribute recovered funds, affected users should monitor official announcements for claim procedures.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making financial decisions.


7 thoughts on “Inside the Balancer Rounding Flaw: How Tiny Decimal Errors Drained $128 Million From DeFi Pools”

    1. composability is great until a rounding error in a scaling function from 2021 drains $128M across 9 chains. the code comment literally said ‘expected to be minimal’ lol

    1. Robert permissionless is the point but 27 protocols inherited the same vulnerability. shared code is shared risk. Balancer V2 was audited 4 times
