On November 3, 2025, blockchain security monitoring systems detected a sophisticated exploit targeting Balancer V2’s ComposableStablePool contracts.
An attacker executed a precision loss vulnerability to drain $128.64 million across six blockchain networks in under 30 minutes.
The attack leveraged a rounding error in the _upscaleArray function combined with carefully crafted batchSwap operations, allowing the attacker to artificially suppress BPT (Balancer Pool Token) prices and extract value through repeated arbitrage cycles.
The exploitation occurred primarily during smart contract deployment, with the attacker’s constructor executing over 65 micro-swaps that compounded precision loss to devastating effect.
This incident represents a watershed moment for DeFi security, demonstrating how mathematical vulnerabilities in core protocol functions can be weaponized through automation and precise parameter tuning.
The attack’s sophistication lay not in exploiting a novel vulnerability type, but in recognizing how negligible rounding errors become catastrophic when amplified through dozens of operations in atomic transactions.
Check Point researchers noted that the attack exploited a fundamental weakness in how Balancer’s ComposableStablePools handle small-value swaps.
.webp "Checkpoint Details on How Attackers Drained $128M from Balancer Pools Within 30 Minutes 3")
When token balances are pushed to specific rounding boundaries, particularly the 8-9 wei range, Solidity’s integer division causes significant precision loss.
The researchers identified that individual swaps produce negligible errors, but within a single batchSwap transaction containing 65 operations, these losses compound dramatically, creating exploitable arbitrage opportunities.
The attacker’s technical execution revealed a three-stage pattern repeated 65 times atomically. First, large BPT amounts were swapped for underlying tokens to push specific token balances to critical rounding boundaries.
Second, small swaps involving boundary-positioned tokens triggered precision loss through the _upscaleArray function’s mulDown operation, causing the invariant D (representing total pool value) to be underestimated and BPT price to drop artificially.
Third, the attacker purchased BPT at suppressed prices and immediately redeemed for underlying assets at full value, capturing the price discrepancy as profit.
The Exploit Contract Architecture and Technical Breakdown
Check Point analysts identified the exploit contract deployed at address 0x54B53503c0e2173Df29f8da735fBd45Ee8aBa30d operating with a sophisticated three-address structure designed for operational separation and fund management.
The vulnerability stemmed from the _upscaleArray function’s implementation, which performs integer division during balance scaling operations.
The mulDown function creates rounding errors that propagate directly to invariant calculations, ultimately determining BPT pricing.
The attacker’s constructor automatically executed the complete exploitation sequence targeting two Balancer pools simultaneously.
Analysis revealed 65 token transfers to Balancer’s Protocol Fees Collector, displaying characteristic patterns of iterative precision exploitation.
The stolen value accumulated in the contract’s internal balance through InternalBalanceChanged events: Pool 1 generated +4,623 WETH and +6,851 osETH, while Pool 2 contributed +1,963 WETH and +4,259 wstETH.
Following the initial theft, a secondary withdrawal function transferred the accumulated 6,586 WETH plus additional assets to the final recipient address.
This two-stage approach separated theft execution from fund extraction, demonstrating operational discipline and reducing detection surface during the critical exploitation window.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
