Balancer identifies rounding error as root cause of multi-chain DeFi exploit
Summary
DeFi protocol Balancer reported that a multi-chain exploit, which drained over $128 million from its Composable Stable Pools (CSPs) across networks like Ethereum and Base, was caused by a rounding error in the upscale function for EXACT_OUT swaps within the v2 vault’s batchSwap feature. The vulnerability stemmed from non-integer scaling factors causing the system to round down during specific calculations, which attackers exploited in CSPv5 pools with expired pause windows. Ecosystem partners, including StakeWise DAO and Berachain validators, took immediate action to freeze funds, halt networks for emergency hard forks, and recover significant portions of the stolen assets. Balancer has since disabled the CSPv6 factory and enabled safe withdrawals from paused pools, noting that the incident was limited to Composable Stable Pools on Balancer v2 and its forks.
(Source: The Block)
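The rounding behaviour the summary describes can be checked with plain integer arithmetic. The Python model below is an added example, not code from Balancer or The Block; the 18-decimal fixed-point unit, the helper names and the two scaling factors are constructed assumptions. It compares rounding down with rounding up when upscaling an amount, for an integer and a non-integer scaling factor, and reports how much of the exact value rounding down discards.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit (assumed for this model)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates the fractional remainder."""
    return (a * b) // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds any remainder up."""
    return -((-a * b) // ONE)

def upscale(amount: int, scaling_factor: int, round_up: bool) -> int:
    """Scale a raw token amount to the model's internal precision."""
    return (mul_up if round_up else mul_down)(amount, scaling_factor)

def relative_shortfall(amount: int, scaling_factor: int) -> Fraction:
    """Fraction of the exact scaled value that rounding down discards."""
    exact = Fraction(amount * scaling_factor, ONE)
    if exact == 0:
        return Fraction(0)
    return (exact - mul_down(amount, scaling_factor)) / exact

# Constructed scaling factors: a whole-number factor, and a non-integer one
# (for example a decimals adjustment multiplied by a rate).
INTEGER_FACTOR = 10**12 * ONE
NON_INTEGER_FACTOR = 1_050_000_000_000_000_000  # 1.05 in fixed point

def audit(factor: int, amounts=(1, 9, 19, 10**6, 10**18 + 1)):
    """Return (amount, rounded_down, rounded_up, shortfall) per sample amount."""
    return [(a, upscale(a, factor, False), upscale(a, factor, True),
             float(relative_shortfall(a, factor))) for a in amounts]

if __name__ == "__main__":
    for name, f in (("integer", INTEGER_FACTOR),
                    ("non-integer", NON_INTEGER_FACTOR)):
        print(name)
        for row in audit(f):
            print("  amount=%d down=%d up=%d shortfall=%.6f" % row)
```

With the integer factor both rounding directions agree for every amount; with the non-integer factor they differ by one unit, which is a large share of the value only when the amount itself is a few units.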