Balancer Protocol

Balancer, a decentralized finance (DeFi) protocol built on Ethereum, suffered a major exploit targeting its V2 Composable Stable Pools, resulting in losses exceeding $128 million. The attack exploited a precision rounding error in the Vault's swap calculations: token amounts were rounded down during swaps, and the small per-swap discrepancies were compounded by the attacker through repeated batchSwap operations until they produced severe price distortions. Alternative theories suggest the breach stemmed from improper authorization and callback handling in the V2 Vault, allowing a maliciously deployed contract to bypass safeguards and manipulate pool balances. The incident did not affect other Balancer pools, including V3, but raised concerns about security despite the protocol having undergone 11 audits since 2021. Following the attack, a phishing attempt impersonated Balancer, offering the hacker a fake 20% 'white-hat bounty' in exchange for returning the funds while threatening legal action. The exploit ranks among the largest DeFi heists of 2025, with North Korean hackers suspected as the likely perpetrators, given their history of high-profile crypto thefts, including the $1.5 billion attack on Bybit earlier in the year.
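The mechanism the summary describes, rounding that favours the trader on each swap and a batch of many small swaps that compounds it, is easiest to see on a toy pool. The block below is an added illustration written for this page; it is not Balancer's code, and its pool, balances and swap sizes are made up. It uses a constant-product invariant (x * y = k) rather than the stable-swap invariant Balancer's Composable Stable Pools actually use, because the rounding argument is the same and the arithmetic is shorter. The vulnerable variant floors the amount a trader owes on an exact-output swap; the hardened variant rounds it up, which is the general rule (round every quote against the caller) that a reviewer checks for in any AMM's integer math.

```python
"""Toy constant-product AMM in unsigned-integer arithmetic.

Constructed illustration (not Balancer's code): why every swap must be
rounded in the pool's favour, and how a batch of tiny exact-output swaps
turns a sub-unit rounding error into a steady, attacker-controlled drain.
Balances and swap sizes are made-up and chosen so the effect is visible.
"""


def div_down(a: int, b: int) -> int:
    """Floor division, the behaviour of `/` on Solidity unsigned integers."""
    return a // b


def div_up(a: int, b: int) -> int:
    """Ceiling division: never understates the true quotient."""
    return -(-a // b)


class ToyPool:
    """Two-token pool holding the invariant bal[0] * bal[1] (x * y = k)."""

    def __init__(self, bal_a: int, bal_b: int, round_against_trader: bool) -> None:
        self.bal = [bal_a, bal_b]
        # True  = hardened: the trader always pays the rounded-UP amount.
        # False = vulnerable: the amount owed is floored, so the pool absorbs
        #         the fractional shortfall on every swap.
        self.round_against_trader = round_against_trader

    def invariant(self) -> int:
        return self.bal[0] * self.bal[1]

    def swap_exact_out(self, token_out: int, amount_out: int) -> int:
        """GIVEN_OUT swap: trader receives `amount_out` of `token_out`.

        Returns the amount of the other token the trader must pay.
        Exact value: bal_in * amount_out / (bal_out - amount_out); the only
        difference between the two variants is the rounding direction.
        """
        assert 0 < amount_out < self.bal[token_out], "insufficient liquidity"
        token_in = 1 - token_out
        num = self.bal[token_in] * amount_out
        den = self.bal[token_out] - amount_out
        amount_in = div_up(num, den) if self.round_against_trader else div_down(num, den)
        self.bal[token_in] += amount_in
        self.bal[token_out] -= amount_out
        return amount_in


def round_trip_batch(pool: ToyPool, size: int, hops: int) -> tuple[int, int]:
    """Stand-in for a batchSwap: buy `size` of B with A, then buy `size` of
    A with B, repeated `hops` times. Returns the trader's net (A, B) change."""
    net_a = net_b = 0
    for _ in range(hops):
        net_a -= pool.swap_exact_out(1, size)   # receive B, pay A
        net_b += size
        net_b -= pool.swap_exact_out(0, size)   # receive A, pay B
        net_a += size
    return net_a, net_b


def invariant_never_decreases(pool: ToyPool, size: int, hops: int) -> bool:
    """The check a reviewer wants: k must be non-decreasing across every hop."""
    k = pool.invariant()
    for _ in range(hops):
        for token_out in (1, 0):
            pool.swap_exact_out(token_out, size)
            if pool.invariant() < k:
                return False
            k = pool.invariant()
    return True


def run_demo(hardened: bool, hops: int = 1000) -> dict:
    """Pool of 10,000,000 units each; attacker round-trips 3 units per hop.

    Each exact-output quote is about 3.0000009 or 2.9999991 units, so the
    floor loses almost a whole unit on the second leg of every trip."""
    pool = ToyPool(10_000_000, 10_000_000, round_against_trader=hardened)
    k0 = pool.invariant()
    net_a, net_b = round_trip_batch(pool, size=3, hops=hops)
    return {
        "trader_net_a": net_a,
        "trader_net_b": net_b,
        "invariant_delta": pool.invariant() - k0,
    }


if __name__ == "__main__":
    print("vulnerable:", run_demo(hardened=False))
    print("hardened: ", run_demo(hardened=True))
```

With the vulnerable rounding the trader ends 1,000 round trips with 1,000 extra units of B and no change in A, and the pool's invariant has dropped by 10^10; with the hardened rounding the same batch costs the trader 1,000 units of A and the invariant grows. The size of the effect comes from choosing a swap amount whose exact quote sits just below an integer, so a floor discards almost a whole unit; that is the sense in which tiny swaps amplify a rounding error that looks negligible on a single large trade.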

Source: https://www.bleepingcomputer.com/news/cryptocurrency/hacker-steals-over-120-million-from-balancer-defi-crypto-protocol/

TPRM report: https://www.rankiteo.com/company/balancer-ecosystem

"id": "bal1402314110425",
"linkid": "balancer-ecosystem",
"type": "Cyber Attack",
"date": "6/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Users of V2 Composable Stable '
                                              'Pools',
                        'industry': ['Blockchain',
                                     'Cryptocurrency',
                                     'Automated Market Maker (AMM)'],
                        'location': 'Global (Ethereum blockchain)',
                        'name': 'Balancer Protocol',
                        'type': 'Decentralized Finance (DeFi) Protocol'}],
 'attack_vector': ['Smart Contract Vulnerability (Vault’s swap calculations)',
                   'Improper Authorization/Callback Handling',
                   'BatchSwap Function Manipulation',
                   'Maliciously Deployed Contract'],
 'customer_advisories': ['Avoid interacting with suspicious links/offers '
                         'related to the exploit'],
 'date_detected': '2025-10-03T07:48:00Z',
 'date_publicly_disclosed': '2025-10-03',
 'description': "Hackers targeted Balancer Protocol's v2 pools, exploiting a "
                'precision rounding error in the Vault’s swap calculations (or '
                'improper authorization/callback handling during pool '
                'initialization). The attack involved chaining multiple swaps '
                'through the batchSwap function, compounding rounding losses '
                'into a large price distortion. Losses are estimated at over '
                '$128 million. Balancer warned users about potential '
                'scams/phishing attempts and is investigating with security '
                'researchers. A phishing attempt impersonating Balancer '
                "offered the hacker a 20% 'white-hat bounty' to return funds.",
 'impact': {'brand_reputation_impact': ['Potential trust erosion in DeFi '
                                        'security',
                                        'High-profile incident in 2025'],
            'financial_loss': '$128 million+',
            'operational_impact': ['Temporary disruption of V2 pools',
                                   'Warning issued to users about scams'],
            'systems_affected': ['Balancer V2 Composable Stable Pools']},
 'initial_access_broker': {'entry_point': ['Vault’s swap calculations '
                                           '(precision rounding error)',
                                           'Improper authorization/callback '
                                           'handling in V2 vaults'],
                           'high_value_targets': ['Balancer V2 Composable '
                                                  'Stable Pools']},
 'investigation_status': 'Ongoing (Post-mortem analysis pending)',
 'motivation': ['Financial Gain', 'Cryptocurrency Theft'],
 'post_incident_analysis': {'root_causes': ['Precision rounding error in swap '
                                            'calculations',
                                            'Potential improper '
                                            'authorization/callback handling',
                                            'Maliciously deployed contract '
                                            'manipulating vault calls']},
 'references': [{'date_accessed': '2025-10-03', 'source': 'GoPlus Security'},
                {'date_accessed': '2025-10-03',
                 'source': 'Balancer Protocol Announcement'},
                {'date_accessed': '2025-10-03',
                 'source': 'Aditya Bajaj (Analysis)'}],
 'response': {'communication_strategy': ['Public announcement on incident',
                                         'Warnings about phishing attempts',
                                         'Updates on investigation progress'],
              'containment_measures': ['Warning users about scams/phishing',
                                       'Isolating V2 Composable Stable Pools'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Investigation ongoing',
                                       'Post-mortem analysis planned'],
              'third_party_assistance': ['Security researchers (unnamed)']},
 'stakeholder_advisories': ['Warning about phishing/scams impersonating '
                            'Balancer'],
 'threat_actor': 'Unknown (Suspected North Korean hackers, based on broader '
                 'DeFi threat trends)',
 'title': 'Balancer Protocol V2 Pools Exploit',
 'type': ['Exploit',
          'DeFi Attack',
          'Precision Rounding Error',
          'Unauthorized Swaps'],
 'vulnerability_exploited': ['Precision rounding error in swap calculations',
                             'Improper authorization/callback handling in V2 '
                             'vaults',
                             'Pool initialization bypass']}