Cyber Web Spider Blog – News

Checkpoint Details on How Attackers Drained $128M from Balancer Pools Within 30 Minutes

Posted on November 6, 2025 By CWS

On November 3, 2025, blockchain security monitoring systems detected a sophisticated exploit targeting Balancer V2’s ComposableStablePool contracts.

An attacker exploited a precision loss vulnerability to drain $128.64 million across six blockchain networks in under 30 minutes.

The attack leveraged a rounding error in the _upscaleArray function combined with carefully crafted batchSwap operations, allowing the attacker to artificially suppress BPT (Balancer Pool Token) prices and extract value through repeated arbitrage cycles.

The exploitation occurred primarily during smart contract deployment, with the attacker’s constructor executing over 65 micro-swaps that compounded precision loss to devastating effect.

This incident represents a watershed moment for DeFi security, demonstrating how mathematical vulnerabilities in core protocol functions can be weaponized through automation and precise parameter tuning.

The attack’s sophistication lay not in exploiting a novel vulnerability type, but in recognizing how negligible rounding errors become catastrophic when amplified through dozens of operations in atomic transactions.

Check Point researchers noted that the attack exploited a fundamental weakness in how Balancer’s ComposableStablePools handle small-value swaps.

The attack exploited a mathematical vulnerability in how Balancer’s ComposableStablePools handle small-value swaps (Source – Check Point)

When token balances are pushed to specific rounding boundaries, notably the 8-9 wei range, Solidity’s integer division causes significant precision loss.

The researchers identified that individual swaps produce negligible errors, but within a single batchSwap transaction containing 65 operations, these losses compound dramatically, creating exploitable arbitrage opportunities.

The attacker’s technical execution revealed a three-stage pattern repeated 65 times atomically. First, large BPT amounts were swapped for underlying tokens to push specific token balances to critical rounding boundaries.

Second, small swaps involving boundary-positioned tokens triggered precision loss through the _upscaleArray function’s mulDown operation, causing the invariant D (representing total pool value) to be underestimated and the BPT price to drop artificially.

Third, the attacker purchased BPT at suppressed prices and immediately redeemed it for underlying assets at full value, capturing the price discrepancy as profit.

The Exploit Contract Architecture and Technical Breakdown

Check Point analysts identified the exploit contract deployed at address 0x54B53503c0e2173Df29f8da735fBd45Ee8aBa30d operating with a sophisticated three-address structure designed for operational separation and fund management.

The vulnerability stemmed from the _upscaleArray function’s implementation, which performs integer division during balance scaling operations.

The mulDown function creates rounding errors that propagate directly to invariant calculations, ultimately determining BPT pricing.
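The size of the truncation error described above can be measured directly. The following is an added example, not code from Balancer or from Check Point: a Python model of 18-decimal fixed-point scaling in which the 1.05 scaling factor, the one-in-a-million tolerance and the helper names relative_loss and flag_rounding_risk are assumptions chosen for illustration. It shows that truncation discards less than one unit per balance, which is negligible at normal balances and several percent at 8-9 wei, and it flags balances where the loss exceeds the tolerance.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates, as Solidity integer division does."""
    return (a * b) // ONE


def upscale_array(balances, scaling_factors):
    """Model of the scaling step: each balance is multiplied with mul_down."""
    return [mul_down(b, f) for b, f in zip(balances, scaling_factors)]


def relative_loss(balance: int, factor: int) -> Fraction:
    """Exact fraction of the scaled value discarded by truncation."""
    exact = Fraction(balance * factor, ONE)
    if exact == 0:
        return Fraction(0)
    return (exact - mul_down(balance, factor)) / exact


def flag_rounding_risk(balances, scaling_factors, max_loss=Fraction(1, 10**6)):
    """Indexes of tokens whose truncation loss exceeds max_loss (assumed tolerance)."""
    return [
        i
        for i, (b, f) in enumerate(zip(balances, scaling_factors))
        if relative_loss(b, f) > max_loss
    ]


# Constructed sample value: a rate-bearing token with a 1.05 scaling factor.
RATE = 105 * 10**16

if __name__ == "__main__":
    for bal in (8, 9, 10**6 + 7, 10**18 + 7):
        loss = relative_loss(bal, RATE)
        print(f"balance={bal:>20} upscaled={mul_down(bal, RATE):>20} "
              f"relative loss={float(loss):.3e}")
    # Token 0 holds a normal balance, token 1 sits at the 9 wei boundary.
    print("flagged token indexes:", flag_rounding_risk([10**18, 9], [ONE, RATE]))
```

With these constructed inputs, a balance of 8 or 9 wei loses 1/21 (about 4.8%) of its scaled value in a single scaling step, while a balance near 10^18 wei loses less than one part in 10^18.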

The attacker’s constructor automatically executed the entire exploitation sequence, targeting two Balancer pools simultaneously.

Analysis revealed 65 token transfers to Balancer’s Protocol Fees Collector, showing characteristic patterns of iterative precision exploitation.

The stolen value accumulated in the contract’s internal balance through InternalBalanceChanged events: Pool 1 generated +4,623 WETH and +6,851 osETH, while Pool 2 contributed +1,963 WETH and +4,259 wstETH.

Following the initial theft, a secondary withdrawal function transferred the accumulated 6,586 WETH plus additional assets to the final recipient address.

This two-stage approach separated theft execution from fund extraction, demonstrating operational discipline and reducing detection surface during the critical exploitation window.
