Key Takeaways:
Decentralized finance (DeFi) protocol Balancer has published a preliminary report detailing the cause of the exploit on its multi-chain token pools that resulted in hackers siphoning $116 million in liquid staked Ether (ETH) tokens.
The automated market maker (AMM) and liquidity platform suffered a massive outflow from its core vault on November 3, which targeted the Balancer v2 Stable Pools and Composable Stable (CSP) v5 Pools across Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic blockchains.
Initial estimates showed losses of $70 million, which quickly rose to over $128 million within a few hours.
In the preliminary report, Balancer attributed the hack to a rounding error in the upscale function for “EXACT_OUT” swaps within the v2 vault’s BatchSwaps feature – a function that allowed users to combine multiple swap operations into a single transaction to save on gas fees.
The rounding function is intended to round down when token prices are an input, but a bug caused calculations involving non-integer scaling factors to round down in specific cases, creating small discrepancies. The hacker exploited the bug in conjunction with the BatchSwap feature and flash loans – short-term loans borrowed and repaid within the same transaction – to manipulate balances and drain funds from the Stable Pools.
This resulted in liquidity falling below Balancer’s minimum threshold.
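To illustrate why the rounding direction in the upscale step matters, here is an added Python sketch (not Balancer's code) that models an EXACT_OUT swap on a simplified 1:1 pool using 18-decimal fixed-point helpers written in the style of a Balancer-like FixedPoint library; the scaling-factor values are constructed. It shows the invariant a test suite should enforce: the pool's net gain per swap must never be negative, which holds for integer scaling factors in either rounding direction but fails for non-integer scaling factors when the output amount is rounded down.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed-point unit

# Fixed-point helpers with an explicit rounding direction
# (same shape as a Balancer-style FixedPoint library; written here for illustration).
def mul_down(a, b):
    return (a * b) // ONE

def mul_up(a, b):
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1

def div_up(a, b):
    n = a * ONE
    return 0 if n == 0 else (n - 1) // b + 1

# Constructed scaling factors: a rate-bearing 18-decimal token (non-integer multiple of ONE)
# and a 6-decimal token (integer multiple of ONE, i.e. 10**12 * ONE).
SCALE_RATE = 1_031_700_000_000_000_007
SCALE_USDC = 10**12 * ONE

def pool_delta(amount_out, scale_out, round_up_out):
    """Simulate an EXACT_OUT swap: the input token has scale ONE, the output token has scale
    `scale_out`, and the pool prices 1:1 in scaled units. Returns the pool's net gain in scaled
    units as an exact rational; a negative value means the pool delivered more than it received."""
    # 1. Upscale the requested output amount. For EXACT_OUT this must round UP so the pool
    #    charges for at least what it delivers; rounding DOWN is the defect class described above.
    out_scaled = mul_up(amount_out, scale_out) if round_up_out else mul_down(amount_out, scale_out)
    # 2. Pool math in scaled units (1:1 here; a real stable invariant would sit in this step).
    in_scaled = out_scaled
    # 3. Downscale the input amount, rounding up in the pool's favour (scale ONE, so a no-op).
    amount_in = div_up(in_scaled, ONE)
    true_out = Fraction(amount_out * scale_out, ONE)  # value actually delivered
    true_in = Fraction(amount_in)                     # value actually received
    return true_in - true_out

def worst_case(scale_out, round_up_out, max_amount=500):
    """Smallest pool gain over output amounts 1..max_amount; the invariant to check is >= 0."""
    return min(pool_delta(a, scale_out, round_up_out) for a in range(1, max_amount + 1))

if __name__ == "__main__":
    for name, scale in (("rate token", SCALE_RATE), ("6-decimal token", SCALE_USDC)):
        print(name, "round-down worst:", float(worst_case(scale, False)),
              "round-up worst:", float(worst_case(scale, True)))
```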
The report stated that in many instances, the stolen funds were first redirected into the Balancer vault’s internal balances before being withdrawn in subsequent transactions. The bug primarily affected CSP v5 pools with expired pause windows, while automated emergency controls on v6 pools transitioned them into recovery mode during the hack.
The team said the attack spanned across several Balancer-supported blockchains and forks, including BEX on Berachain, Beets on Sonic, and Gnosis-based platforms. However, the partner ecosystems implemented emergency protocols to contain further fallout.
The hackers involved were highly skilled and had been preparing for months before executing their attack. They used a series of 0.1 ETH deposits on the token mixer platform Tornado Cash to fund the attack and avoid detection.
Balancer worked with its cybersecurity partner Hypernative and other crypto protocols, including SEAL 911, BitFinding, and StakeWise, to recover or freeze a portion of the stolen funds. The StakeWise DAO managed to recover 5,041 osETH and 13,495 osGNO tokens, valued at approximately $19 million and up to $2 million, respectively.
Meanwhile, validators on Berachain halted the network on November 4 to perform an emergency hard fork to address BEX’s exposure to Balancer v2. Sonic Labs froze addresses linked to the suspect, restricting the movement of funds tied to its Balancer fork. Gnosis temporarily restricted token bridging activity to prevent any cross-chain propagation. Monerium froze 1.3 million EURe tokens in the affected vault.
BitFinding and Base MEV bots managed to recover about $750,000 worth of funds, returning them to the Balancer DAO.
Balancer has paused all affected pools and disabled the creation of new pools on CSP v6 until the security issue is fixed. Furthermore, the team has enabled liquidity pool exits from paused pools to allow safe withdrawal of remaining funds. The protocol implemented a Safe Harbor legal framework (BIP-726) last year, which allowed white hat teams to intervene immediately without any legal repercussions. The report noted that this structure “materially improved” its response speed and coordination.
Balancer has offered a 20% white hat bounty to the perpetrator of the attack and ethical hackers for the safe return of the stolen funds, but so far, no one has come forward to claim the reward. The team has stated that a final verified accounting of the recovered and frozen funds will be published once partners complete on-chain reconciliation.
The post Balancer’s Post-Mortem Report Identifies Rounding Error as Root Cause of $116 Million Exploit appeared first on BiteMyCoin.