Balancer Exploit (Nov 3, 2025): $128M Drained from V2 Pools via Rounding Bug & Liquidity Manipulation
What Happened
On November 3, 2025, Balancer experienced a major DeFi hack targeting V2 pools. Attackers exploited a rounding bug and related contract flaws to manipulate pool liquidity and accounting, siphoning more than $128 million in assets. Affected tokens include WETH, osETH, and other pool constituents.
The exploit spanned multiple chains, primarily Ethereum and Berachain. In response, Berachain temporarily halted operations to assist the investigation and prevent further contagion. This is the third major security incident involving Balancer, underscoring systemic risk from interconnected pools, complex pool math, and code errors.
Why V2 Pools Were Vulnerable
Balancer V2 centralizes token balances in a single Vault, letting many pool types share liquidity and accounting. While efficient, this design increases interdependence: a flaw in pool math (e.g., a rounding bug in fee/amount calculations) can be composed across pools, creating opportunities for:
- Liquidity manipulation (skewing balances during swaps/joins/exits)
- State desynchronization (mismatched accounting enabling value extraction)
- Cross-pool amplification (exposure propagates via shared Vault mechanics)
In this case, rounding errors and edge-case arithmetic let attackers extract value while keeping transactions within protocol rules, bypassing typical checks.
Impacted Assets & Chains
- Chains: Ethereum, Berachain (paused temporarily)
- Assets observed: WETH, osETH, and other tokens sitting in compromised Balancer V2 pools
- Scale: $128M+ drained across multiple pools/transactions
- Market: News flow contributed to a 7% drop in ETH, intensifying risk-off conditions across DeFi.
Risk Factors Highlighted by the Attack
- Smart contract vulnerability in production pools
- Interconnected pools increasing blast radius
- Rounding bug and precision/fee math issues in AMM pool logic
- Cross-chain exposure and operational halts (e.g., on Berachain)
- Audit gaps: prior audits don’t guarantee safety when new pool types, upgrades, or edge-case math are involved
What Users Should Do Now (Safety Checklist)
- Avoid vulnerable pools: Do not add liquidity or perform joins/exits on affected Balancer V2 pools until official remediation is published.
- Withdraw if possible: If a pool is flagged as at-risk but still operating, consider exiting liquidity prudently (gas/MEV aware).
- Revoke allowances: Review and revoke token approvals for Balancer Vault/pool addresses you no longer use.
- Verify audits & notices: Check the latest security advisories, post-mortems, and audit updates from Balancer/core partners.
- Beware phishing: Expect fake “refund portals.” Only trust official channels.
- Diversify: Spread liquidity across audited protocols, consider insurance, and keep long-term holdings in self-custody.
What Balancer Is Doing
- Incident response: Core team analyzing attack transactions, pool types, and rounding paths
- Damage containment: Disabling/pausing vulnerable pool configs and advising LPs
- Remediation plan: Preparing patches, upgrades, and migration guidance (details pending)
- Communications: Ongoing updates promised; as of Nov 6, no recovered funds reported.
Why This Matters for DeFi
This is the third major incident for Balancer and a cautionary tale for AMM design:
- Precision & rounding are not trivial; small math errors can cascade in automated market makers.
- Composability risk: Shared vaults and interconnected pools can widen the impact of a single bug.
- Audit depth: point-in-time audits are not enough; review must be continuous and math-focused (formal verification, invariant testing, differential fuzzing).
Developer & LP Takeaways
- Test for rounding/precision invariants across joins/exits/swaps/fees with extreme edge cases.
- Use formal verification & fuzzing for pool math and integer rounding paths.
- Design blast-radius limits: per-pool circuit breakers, caps, guarded launches, and opt-in migrations.
- Operational readiness: emergency pause playbooks, chain-specific coordination, and clear LP comms.
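The rounding-direction point made in the "Why V2 Pools Were Vulnerable" section and the invariant-testing takeaway above can be seen in a toy constant-product pool. This is an added, constructed example, not Balancer's code and not the actual bug: it shows a fee/output calculation that rounds in the pool's favour beside one that rounds in the trader's favour, and an invariant check (product of balances never decreases) that flags the latter on dust-sized swaps.

```python
"""Toy constant-product pool in integer arithmetic (constructed example, not
Balancer's code). Rounding direction in fee/amount math is a security
invariant; the check below catches a pool whose rounding favours the trader."""


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded up (requires b > 0)."""
    return -(-a // b)


class ConstantProductPool:
    """x * y = k pool with a swap fee in basis points.

    favour_pool=True  : fee rounds up, output rounds down (pool never loses).
    favour_pool=False : fee rounds down, output rounds up (hypothetical bug)."""

    def __init__(self, bal_in: int, bal_out: int, fee_bps: int,
                 favour_pool: bool = True):
        self.bal_in, self.bal_out, self.fee_bps = bal_in, bal_out, fee_bps
        self.favour_pool = favour_pool

    def swap_exact_in(self, amount_in: int) -> int:
        if self.favour_pool:
            fee = ceil_div(amount_in * self.fee_bps, 10_000)
            net_in = amount_in - fee
            out = (self.bal_out * net_in) // (self.bal_in + net_in)
        else:
            fee = (amount_in * self.fee_bps) // 10_000       # fee too small
            net_in = amount_in - fee
            out = ceil_div(self.bal_out * net_in, self.bal_in + net_in)  # pays too much
        self.bal_in += amount_in   # the fee stays in the pool
        self.bal_out -= out
        return out


def count_invariant_violations(pool: ConstantProductPool, amounts) -> int:
    """Invariant: the product of balances must never decrease after a swap.
    A decrease means rounding handed pool value to the trader."""
    violations = 0
    for amount in amounts:
        k_before = pool.bal_in * pool.bal_out
        pool.swap_exact_in(amount)
        if pool.bal_in * pool.bal_out < k_before:
            violations += 1
    return violations


if __name__ == "__main__":
    dust = [1, 2, 3, 7, 11, 13]   # constructed dust-sized swap inputs
    safe = ConstantProductPool(1_000_000, 1_000_000, 30)
    buggy = ConstantProductPool(1_000_000, 1_000_000, 30, favour_pool=False)
    print("safe violations :", count_invariant_violations(safe, dust))
    print("buggy violations:", count_invariant_violations(buggy, dust))
```

Each dust swap against the buggy pool pays out the full input with no fee collected, so the pool bleeds a little value per transaction; a fuzzer driving such an invariant over joins, exits and fee paths is the kind of check the takeaways call for.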
FAQ
Was only Ethereum affected?
No. Ethereum and Berachain were impacted, with Berachain pausing operations mid-response.
Which assets took the biggest hit?
Reports include WETH, osETH, and other pool tokens in Balancer V2.
Did ETH drop because of this?
The hack coincided with ETH down ~7%, reinforcing broader DeFi security fears.
Are funds coming back?
As of Nov 6, 2025, there’s no confirmed recovery; the post-mortem and remediation steps are still in progress.