An attacker drained $128.64 million from Balancer V2 ComposableStablePool contracts across six blockchain networks in under 30 minutes by exploiting arithmetic precision loss in pool invariant calculations. Check Point Research describes how the adversary weaponized the _upscaleArray function and FixedPoint.mulDown rounding behavior—when token balances are pushed to the 8-9 wei range, Solidity's integer division causes up to 10% precision loss per operation. The attack occurred entirely during smart contract constructor deployment, executing 65+ micro-swaps that compounded precision errors. What's clever: the attacker used a sophisticated three-phase swap sequence within single batchSwap transactions. Phase 1: swap large amounts of BPT for underlying tokens to push one token's balance to the critical 8-9 wei threshold where rounding errors maximize. Phase 2: execute small swaps involving the boundary-positioned token—the _upscaleArray function rounds down during scaling, causing the invariant D to be underestimated and BPT price to drop artificially. Phase 3: mint or purchase BPT at the suppressed price, then immediately redeem for underlying assets at full value. The exploit contract accumulated stolen funds—4,623 WETH, 6,851 osETH, and 4,259 wstETH—via Balancer's Internal Balance mechanism during deployment, then withdrew them to an externally owned wallet in subsequent transactions. Event logs show thousands of WETH and synthetic ETH tokens reassigned via InternalBalanceChanged events. The attack demonstrates how negligible rounding errors become exploitable when amplified through dozens of operations in atomic transactions.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Balancer rounding exploit highlights how a single mathematical flaw can vaporize nine-figure liquidity in minutes, directly impacting funds, treasuries, and enterprises with DeFi exposure. Beyond immediate losses, such incidents erode trust in automated market maker platforms and can trigger cascading liquidity crises across interconnected protocols. Technical Context: The attack abused precision loss in StableSwap-style invariant calculations compounded through Balancer's batchSwap and Internal Balance features. By carefully adjusting token balances into rounding-sensitive ranges, the attacker created artificial price deltas invisible to most monitoring tools, demonstrating that integer math edge cases in smart contracts are exploitable at massive scale.
⚡Strategic Intelligence Guidance
- Require formal verification or independent mathematical audits for DeFi protocols managing treasury or corporate liquidity, with emphasis on invariant calculations and rounding behavior.
- Establish continuous on-chain monitoring for unusual price movements or pool balance shifts in key liquidity positions, integrating alerts into existing SOC workflows.
- Diversify on-chain liquidity across multiple audited protocols and avoid concentrating mission-critical funds in complex, algorithmically priced pools without clear risk acceptance.
- Develop emergency DeFi response playbooks that define triggers, authority, and technical steps for rapidly withdrawing liquidity from compromised pools or pausing automated strategies.
Vendors
BalancerCheck Point Research
Threats
Balancer rounding exploitDeFi liquidity drainSmart contract arithmetic bug
Targets
Balancer V2 ComposableStablePool liquidity providersDeFi investors
Impact
Financial:$128.64M stolen liquidity