
Balancer DeFi Protocol Suffers $128M Exploit in V2 Pools Amid Smart Contract Vulnerability

Ethereum-based DeFi platform Balancer experienced a major exploit draining over $128 million from its V2 Composable Stable Pools, with chains like Berachain halting operations to limit damage.
By CryptoPress
November 4, 2025

Quick Take

  • Balancer’s V2 Composable Stable Pools were exploited for approximately $128 million in assets, including WETH, osETH, and wstETH.
  • The vulnerability stemmed from a logic flaw in smart contract functions, allowing unauthorized withdrawals despite multiple audits.
  • Affected chains such as Berachain implemented emergency measures, including network halts and hard forks, to protect users.

Ethereum-based decentralized finance (DeFi) protocol Balancer was hit by a significant exploit on November 3, 2025, which drained over $128 million from its V2 Composable Stable Pools.

The attack, which began around 7:48 AM UTC, targeted pools across multiple chains including Ethereum, Arbitrum, Base, Polygon, and Berachain.

Onchain data revealed substantial outflows, with assets such as 6,587 WETH ($24.5 million), 6,851 osETH ($26.9 million), and 4,260 wstETH ($19.3 million) transferred to attacker-controlled wallets.

Estimates of total losses varied slightly across reports, ranging from $110 million to $128 million, reflecting the ongoing nature of the incident.

The attack appears to have exploited a precision or rounding error in Balancer Pool Token (BPT) pricing.

Attackers performed multiple swaps in a single transaction to depress the BPT value, then minted or swapped into underpriced tokens before converting them back to underlying assets and ETH. This vulnerability was linked to faulty access controls in the protocol’s Vault functions, specifically in manageUserBalance and validateUserBalanceOp, enabling unauthorized internal withdrawals.

Balancer’s team quickly acknowledged the issue on X, stating they were “aware of a potential exploit impacting Balancer v2 pools” and that engineering and security teams were investigating.

In a follow-up post, they confirmed the isolation to V2 Composable Stable Pools, paused affected pools where possible, and enabled recovery mode.

The protocol emphasized that V3 pools and other Balancer offerings remained unaffected. A full post-mortem is expected soon, with the team collaborating with security researchers.

Community and market reactions were swift. Balancer’s native token, BAL, dropped between 4% and 11% following the news.

The incident highlighted ongoing DeFi security challenges, especially as Balancer had undergone over 10 audits, including three on its Vault.

Analysts noted that audits alone may not suffice for complex, composable systems.

The exploit extended to protocols built on Balancer’s codebase. Berachain, which incurred about $12.86 million in losses, halted its network for an emergency hard fork to roll back transactions and recover funds.

Berachain founder Smokey the Bera explained the priority was user protection, stating, “Users and LPs on the network are always our priority.”

Similarly, Beets Finance reported over $3 million in losses.

Other chains like Polygon censored attacker transactions, and Sonic froze related accounts to prevent further drains.

This marks Balancer’s third major security incident, following exploits in 2021 and 2023.

With total value locked (TVL) exceeding $350 million on Ethereum alone prior to the attack, the event underscores the risks in DeFi infrastructure and the need for enhanced runtime protections.

Disclaimer: This article is for informational purposes only and does not constitute advice of any kind. Readers should conduct their own research before making any decisions.

© Cryptopress. For informational purposes only, not offered as advice of any kind.
