The Complete Analysis of the $128 Million Balancer V2 DeFi Exploit
Incident Report
January 6, 2026

On November 3, 2025, Balancer's V2 Composable Stable Pools were drained of approximately $128 million in a multi-vector attack that combined precision rounding exploitation, invariant manipulation, and unauthorized callback handling across Ethereum, Base, Polygon, and Arbitrum simultaneously. The attack also propagated to at least 27 forks of the Balancer codebase on other chains, including Beets on Sonic Chain and Beethoven on Optimism. Despite the protocol having undergone eleven security audits by firms including OpenZeppelin, Trail of Bits, Certora, and ABDK, none of the exploited vulnerabilities had been identified or mitigated.

The Attack Vectors

The first vector targeted precision rounding in the vault's swap calculations. Each individual swap operation rounded down token amounts by a small margin. In isolation, this discrepancy is negligible. The attacker chained multiple swaps through the batchSwap function, compounding these rounding losses across iterations until they accumulated into significant price distortions large enough to drain liquidity from the affected pools.
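As an added illustration (not Balancer's code), the toy pool below shows why per-swap rounding direction matters once swaps are chained, and one batch-level defensive check a vault can apply: recompute the pool invariant after the whole batch and reject it if the invariant decreased. Constant-product math stands in for the stable-pool invariant, and `div_nearest` is a constructed rounding defect used for contrast, not the defect Balancer had.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Pool:
    x: int  # integer balances, as on-chain
    y: int

def invariant(p: Pool) -> int:
    # Constant product stands in for the stable-pool invariant (assumption).
    return p.x * p.y

def div_floor(n: int, d: int) -> int:
    return n // d                    # never pays the trader more than exact

def div_nearest(n: int, d: int) -> int:
    return (2 * n + d) // (2 * d)    # constructed defect: may overpay by 1 unit

def swap(p: Pool, amount_in: int, x_to_y: bool,
         div: Callable[[int, int], int]) -> Tuple[Pool, int]:
    """One swap; amount_out = bal_out * amount_in / (bal_in + amount_in)."""
    bal_in, bal_out = (p.x, p.y) if x_to_y else (p.y, p.x)
    amount_out = div(bal_out * amount_in, bal_in + amount_in)
    bal_in, bal_out = bal_in + amount_in, bal_out - amount_out
    return (Pool(bal_in, bal_out) if x_to_y else Pool(bal_out, bal_in)), amount_out

def drift(p: Pool, steps: List[Tuple[int, bool]],
          div: Callable[[int, int], int]) -> int:
    """Invariant change over a chain of swaps with no guard, to measure the leak."""
    k0 = invariant(p)
    for amount_in, x_to_y in steps:
        p, _ = swap(p, amount_in, x_to_y, div)
    return invariant(p) - k0

def batch_swap(p: Pool, steps: List[Tuple[int, bool]],
               div: Callable[[int, int], int]) -> Tuple[Pool, int]:
    """Apply every step, then reject the whole batch if the invariant fell."""
    k_before, total_out = invariant(p), 0
    for amount_in, x_to_y in steps:
        p, out = swap(p, amount_in, x_to_y, div)
        total_out += out
    if invariant(p) < k_before:
        raise ValueError(f"invariant decreased {k_before} -> {invariant(p)}")
    return p, total_out

if __name__ == "__main__":
    # Constructed input: a 1:1 pool and 1,000 chained dust-sized swaps.
    start, steps = Pool(10**6, 10**6), [(3, True)] * 1000
    print("floor drift  :", drift(start, steps, div_floor))    # positive: pool gains
    print("nearest drift:", drift(start, steps, div_nearest))  # negative: pool leaks
```

Each nearest-rounded swap overpays by at most one unit, which is invisible per swap but monotonic across the chain; the batch guard catches the accumulated drop regardless of how many steps produced it.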

The second vector involved invariant manipulation. Balancer pools enforce mathematical rules — invariants — that govern exchange rates between assets. The attacker deployed malicious smart contracts and minted fabricated tokens to falsify the inputs to these invariant calculations, manipulating the exchange rates presented to the protocol and enabling swaps to execute at prices far more favorable than the actual pool state would permit.

A third vector exploited improper authorization and callback handling during pool initialization. A maliciously constructed contract manipulated vault calls at the initialization stage, bypassing protocol-level safeguards and enabling unauthorized balance manipulation across interconnected pools.

The three vectors appear to have operated concurrently rather than sequentially, with the attacker's contracts continuing to spawn new instances and mint additional custom tokens throughout the day, suggesting the campaign was structured to maximize extraction across as many pools as possible before intervention.

Scale and Attribution

On-chain data identified large outflows from a Balancer vault address including approximately 6,587 WETH, 6,851 osETH, and 4,260 wstETH among other assets. The heaviest concentration of losses — approximately $100 million — occurred on the Ethereum deployment. Blockchain analytics firms including Nansen and PeckShield flagged the transactions in real time as the attack was underway.

No formal attribution has been made. The scale and methodology are consistent with patterns observed in recent DeFi-targeted campaigns, and analysts noted the attack's similarity to operations previously associated with sophisticated threat actors, but no specific technical indicators — reused contract code, wallet clustering, or shared infrastructure — directly link it to a named group.

In the immediate aftermath, at least one party attempted to impersonate Balancer and offer a fake white-hat bounty to the attacker — a social engineering attempt aimed at recovering funds through deception rather than technical intervention.

What the Audit Record Means

Eleven audits across four leading security firms did not surface the vulnerabilities that the November 3 attacker identified and weaponized. This is not primarily an indictment of any specific firm — it reflects a structural reality about composable DeFi protocols. Rounding errors that are individually within acceptable tolerances become exploitable when chained at scale. Invariant assumptions that hold under normal operating conditions can be broken when a caller controls the inputs. Authorization logic that functions correctly in isolation can be bypassed through the initialization sequence.

These categories of vulnerability are difficult to identify through traditional code review because they require modeling adversarial behavior at the system level — not evaluating individual functions for correctness in isolation. The Balancer incident reinforces that audit coverage, however broad, does not constitute a complete security guarantee for protocols that allow arbitrary external token contracts and composable pool interactions.

Elygius Fund

© 2026 Elygius Fund || All rights reserved.