Advanced Smart Contract Auditing: Understanding Rounding Error Exploits in DeFi Pool Contracts

The $128.64 million Balancer exploit on November 3, 2025 was not the result of a simple bug. It was a sophisticated attack leveraging arithmetic precision loss in a protocol that had passed eleven separate audits by four different security firms. The incident exposed a class of vulnerability — rounding error exploitation in automated market maker contracts — that is both deeply technical and alarmingly common. This advanced tutorial dissects the exploit mechanics and provides a framework for identifying similar vulnerabilities in your own smart contract auditing practice.

The Objective

By the end of this tutorial, you will understand how rounding errors in DeFi pool invariant calculations can be weaponized, how the Balancer v2 ComposableStablePool’s upscale function was exploited, and what patterns to look for when auditing any contract that performs arithmetic on token amounts. This is not a beginner’s guide — it assumes familiarity with Solidity, automated market maker mechanics, and basic number theory.

Prerequisites

Before proceeding, ensure you understand the following concepts: fixed-point arithmetic in Solidity (particularly the limitations of integer division), how constant-product and stable-swap AMMs maintain pool invariants through balance calculations, the concept of upscale and downscale functions that convert between token decimals, and how EXACT_OUT swap modes differ from EXACT_IN modes in their mathematical requirements.

The attack targeted Balancer v2’s ComposableStablePool contracts, which implement a variant of the StableSwap invariant designed for assets that trade at approximately equal values. Unlike constant-product pools where the invariant is simply x times y equals k, stable pools use a more complex curve that provides concentrated liquidity around a target price.

Step-by-Step Walkthrough

Step 1: Understanding the vulnerable function. The attack centered on the upscale function used in ComposableStablePool’s invariant calculation. This function converts token amounts from their native decimal representation to a standardized 18-decimal format used internally by the pool. The conversion involves multiplying by scaling factors, and crucially, performing division operations that can introduce rounding errors.

Step 2: The rounding direction vulnerability. In a correctly implemented pool, rounding should always favor the protocol — that is, rounding should reduce the amount a user receives and increase the amount they pay. The Balancer vulnerability existed because the upscale function’s rounding behavior could be inverted through carefully crafted inputs. Specifically, when processing EXACT_OUT swaps, the function could round upward instead of downward, allowing an attacker to extract more value from the pool than the invariant should permit.

Step 3: The attack sequence. The attacker prepared by studying the pool’s mathematical behavior over months, as confirmed by blockchain forensics. On November 3, 2025, they executed a sequence of batched transactions within a single block. Each transaction exploited the rounding inversion to extract a small amount of value. By chaining hundreds of these transactions together in a single block, the attacker caused $128.64 million in losses across six blockchain networks: Ethereum ($99 million), Arbitrum, Base, Berachain, Optimism, Polygon, and Sonic.

Step 4: Why audits missed it. The vulnerability survived eleven audits because rounding behavior in AMM contracts is extremely difficult to verify through standard testing approaches. Unit tests typically check that functions produce correct results for representative inputs, but the attack required specific combinations of inputs that were not in any test suite. Formal verification could have caught it, but the mathematical complexity of the StableSwap invariant made formal proofs impractical with available tooling.

Step 5: Detecting similar vulnerabilities. When auditing AMM contracts, apply differential fuzzing — a technique that compares the contract’s actual behavior against a mathematical reference implementation across millions of random inputs. The Ackee Blockchain team published a detailed analysis using this approach, showing that differential fuzzing can identify rounding discrepancies that manual review misses. Additionally, analyze every arithmetic operation in the critical path for rounding direction: is the result always rounded in the protocol’s favor, or can inputs be chosen to reverse the rounding direction?

Troubleshooting

If you encounter a pool contract where the rounding direction is not immediately obvious from code review, try the following approach. First, identify every division operation in the invariant calculation and swap execution paths. For each division, determine whether the remainder is discarded (rounding down) or whether the result is incremented (rounding up). Then, for each rounding operation, ask: can an attacker choose inputs that make the rounding direction unfavorable to the protocol?

Pay particular attention to scaling functions that convert between decimal precisions. These are the most common source of rounding errors because they involve multiplication by one factor followed by division by another, and the order of operations determines the rounding behavior. If the scaling factor is applied after a swap calculation rather than before, the accumulated rounding errors can be significantly larger.

Also watch for contracts that batch multiple operations in a single transaction. Batching is a legitimate optimization, but it compounds rounding errors across operations. An attacker who can control the inputs to a batched transaction can potentially amplify a small rounding error into a significant value extraction.
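
The two checks above (order of operations in a scaling step, and error compounding across a batch) can be measured against exact arithmetic. This is an added example, not code from Balancer or from the original article; the function names, the 21/20 scaling ratio and the sample batch are constructed for illustration.

```python
from fractions import Fraction

def scale_mul_first(amount, num, den):
    """amount * num / den with a single truncation at the end."""
    return amount * num // den

def scale_div_first(amount, num, den):
    """(amount / den) * num: truncates first, then multiplies the error."""
    return amount // den * num

def rounding_error(scale, amount, num, den):
    """Signed error vs exact arithmetic: < 0 rounded down, > 0 rounded up."""
    return Fraction(scale(amount, num, den)) - Fraction(amount * num, den)

def audit(amounts, num, den):
    """Worst single error and net batch drift for both orderings.

    One final truncation loses less than one unit per operation, so a
    batch drift larger than the batch size means the error is being
    amplified somewhere in the path.
    """
    report = {}
    for scale in (scale_mul_first, scale_div_first):
        errs = [rounding_error(scale, a, num, den) for a in amounts]
        drift = sum(errs, Fraction(0))
        report[scale.__name__] = {
            "worst_single": max(errs, key=abs),
            "batch_drift": drift,
            "exceeds_one_unit_per_op": abs(drift) > len(amounts),
        }
    return report

# Constructed sample: a batch of 300 amounts, scaled by 21/20 (rate 1.05).
SAMPLE = [1_000_019 + 7 * i for i in range(300)]

if __name__ == "__main__":
    for name, row in audit(SAMPLE, 21, 20).items():
        print(name, {k: float(v) for k, v in row.items()})
```

Both orderings round down here, but only the divide-first path breaks the one-unit-per-operation bound, which is the signal to look for when a batch path is reviewed.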

Mastering the Skill

The Balancer exploit demonstrates that smart contract security in DeFi requires deep mathematical intuition, not just code review skills. To advance your auditing practice, study the formal specification of the StableSwap invariant and implement it in a high-level language like Python. Then, compare your reference implementation’s outputs against the Solidity contract’s outputs across a wide range of inputs. Any discrepancy — no matter how small — is a potential vulnerability.
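
A minimal differential fuzzer of the kind described in Step 5 and in the paragraph above, added here as an illustration and not taken from Balancer, Ackee Blockchain or the original article. It assumes a toy constant-product pool as a stand-in for the StableSwap invariant, with constructed scaling factors, and compares an integer EXACT_OUT quote against an exact rational reference.

```python
import random
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit

def floor_div(a, b):
    return a // b

def ceil_div(a, b):
    return -(-a // b)

def reference_amount_in(bal_in, bal_out, amount_out, f_in, f_out):
    """Exact rational amount_in in native token_in units (no rounding)."""
    x = Fraction(bal_in * f_in, ONE)
    y = Fraction(bal_out * f_out, ONE)
    dy = Fraction(amount_out * f_out, ONE)
    return x * dy / (y - dy) * ONE / f_in

def swap_exact_out(bal_in, bal_out, amount_out, f_in, f_out, protocol_safe):
    """Integer EXACT_OUT quote on a toy x*y=k pool with upscaled balances."""
    up = ceil_div if protocol_safe else floor_div  # steps that raise what the user owes
    x = up(bal_in * f_in, ONE)
    y = floor_div(bal_out * f_out, ONE)
    dy = up(amount_out * f_out, ONE)
    dx = up(x * dy, y - dy)
    return up(dx * ONE, f_in)                      # downscale to native units

def fuzz(protocol_safe, runs=2000, seed=1):
    """Count quotes that charge less than the exact reference."""
    rng = random.Random(seed)
    f_in = 10**12 * 1_050_000_000_000_000_000  # 6-decimal token, rate 1.05 (constructed)
    f_out = 1_020_000_000_000_000_000          # 18-decimal token, rate 1.02 (constructed)
    violations, worst = 0, Fraction(0)
    for _ in range(runs):
        bal_in = rng.randint(10**9, 10**12)
        bal_out = rng.randint(10**21, 10**24)
        amount_out = rng.randint(1, bal_out // 2)
        exact = reference_amount_in(bal_in, bal_out, amount_out, f_in, f_out)
        quoted = swap_exact_out(bal_in, bal_out, amount_out, f_in, f_out, protocol_safe)
        if quoted < exact:                     # pool would be short-changed
            violations += 1
            worst = max(worst, exact - quoted)
    return violations, worst

if __name__ == "__main__":
    print("all steps round down:     ", fuzz(protocol_safe=False))
    print("user-owed steps round up: ", fuzz(protocol_safe=True))
```

The same harness applies to a real pool by replacing `swap_exact_out` with calls into the contract under test and `reference_amount_in` with an exact implementation of its invariant.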

The Balancer DAO has since released a governance proposal, posted on November 27, 2025, to distribute $27.7 million in recovered assets to affected liquidity providers. This represents approximately 22 percent of total losses, with $8 million recovered through white-hat interventions and $19.7 million recovered by liquid-staking partner StakeWise. While the recovery effort continues, the exploit itself stands as the definitive case study in rounding error exploitation and a benchmark against which all future DeFi audit methodologies should be measured.

8 thoughts on “Advanced Smart Contract Auditing: Understanding Rounding Error Exploits in DeFi Pool Contracts”

  1. Solidity_Wizard

    Great breakdown of the mulDiv pattern. Most devs don’t realize how crucial it is to perform all multiplications before any division to keep precision high. I’ve seen way too many ‘secure’ protocols get drained just because they didn’t account for how Solidity handles integer truncation. Solid technical deep dive!

    1. overflow_catch

      solidity wizard is right about mulDiv. the number of devs who do division before multiplication in production contracts is terrifying. always multiply first

      1. overflow_catch multiply before divide is rule #1 in Solidity. 11 audits from 4 firms and they still missed it. the $128M Balancer exploit shows audits are necessary but not sufficient

  2. This is some high-level alpha right here. It’s crazy how a tiny rounding difference can be exploited with enough leverage. Makes me want to double-check the docs of every pool I’m farming in right now. Thanks for the heads up on these obscure edge cases, definitely keeping my funds safer!

    1. cryptomax88 wanting to double check every pool is the right instinct. but most users can't read solidity let alone audit rounding logic. that's the real problem

      1. Minh T. most users can't read Solidity but they also can't audit C++ code in traditional finance. the difference is DeFi losses are instant and public

  3. The more I read about these exploits, the more I realize how ‘early’ we still are. If even top-tier audits can miss these rounding issues, how can we trust any new DeFi project? It feels like it’s only a matter of time before the next big exploit hits the news. Stay safe out there folks.

  4. Excellent analysis of how flash loans amplify these rounding errors. A one-wei difference doesn’t look like much until an attacker cycles it through a million times in a single transaction. This article highlights why economic auditing is just as important as code auditing in the current DeFi landscape. Looking forward to more posts like this.
