Hackers on Monday drained more than $120 million in cryptocurrency from the decentralized finance (DeFi) protocol Balancer by exploiting a rounding function and performing batch swaps.
The attack occurred at 7:48 AM UTC (2:48 AM ET) and impacted Balancer V2 composable stable pools, some of which have been live on the blockchain for years, meaning they could not be paused.
“Any pools that could be paused have been paused and are now in recovery mode. All other Balancer pools are unaffected,” Balancer said on Monday.
In a Wednesday preliminary incident report, the DeFi protocol revealed that pools across Ethereum, Base, Avalanche, Gnosis, Berachain, Polygon, Sonic, Arbitrum, and Optimism were affected, both on Balancer V2 and its forks on other blockchains.
The attackers, Balancer says, exploited the protocol’s support for batch swap, which allows users to combine multiple operations into a single transaction. Batch swap supports ‘deferred settlements’, enabling users to ‘flashloan’ tokens when performing swaps.
“Specifically for composable stable pools, the LP receipt-tokens (BPT) are treated as regular tokens, which allows bypassing the minimum pool supply limit, allowing the liquidity levels in the pool to reach extremely low values,” Balancer explains.
The hackers exploited the rounding direction in the upscale function used for EXACT_OUT transactions, which rounds values down under certain circumstances.
“Attackers were able to exploit the incorrect rounding behavior in combination with the batch swap functionality to manipulate pool balances and extract value. In many instances, the exploited funds remained within the Vault as internal balances before being withdrawn in subsequent transactions,” Balancer explains.
Essentially, the attackers manipulated BPT price calculations, and then performed the batch swap to profit from a deflated price, protocol security firm BlockSec Phalcon notes.
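
Why rounding direction matters more as liquidity shrinks, shown as an added example that is not code from Balancer or from this article: a property check that a pool's invariant never decreases across an EXACT_OUT swap, run with both rounding modes. The constant-product pricing, the 1.05 scaling factor, the balances and all function names are assumptions chosen for illustration; Balancer's stable-pool math is different.

```python
# Toy model (constructed): constant-product pricing, not Balancer's stable-pool math.
from fractions import Fraction

ONE = 10**18                 # 1.0 in 18-decimal fixed point
RATE = 105 * 10**16          # assumed scaling factor of 1.05 for the output token

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, rounding toward zero."""
    return a * b // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding away from zero."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1

def relative_undercount(amount_raw: int, rate: int = RATE) -> Fraction:
    """Share of the exact upscaled amount that mul_down discards."""
    exact = Fraction(amount_raw * rate, ONE)
    return (exact - mul_down(amount_raw, rate)) / exact

def amount_in_exact_out(raw_in, raw_out, out_raw, round_up, rate=RATE):
    """Toy constant-product price for an EXACT_OUT swap (input token scale 1.0)."""
    upscale = mul_up if round_up else mul_down
    out_scaled = upscale(out_raw, rate)
    bal_out_scaled = mul_down(raw_out, rate)
    # Ceiling division: the amount charged is itself rounded in the pool's favour.
    return -(-raw_in * out_scaled // (bal_out_scaled - out_scaled))

def invariant_holds(raw_in, raw_out, out_raw, round_up, rate=RATE) -> bool:
    """True if balance_in * scaled balance_out does not shrink across the swap."""
    paid = amount_in_exact_out(raw_in, raw_out, out_raw, round_up, rate)
    scale = Fraction(rate, ONE)
    before = raw_in * raw_out * scale
    after = (raw_in + paid) * (raw_out - out_raw) * scale
    return after >= before

if __name__ == "__main__":
    # Constructed sample: a pool left with 20 base units of each token.
    for round_up in (False, True):
        print(round_up, amount_in_exact_out(20, 20, 8, round_up),
              invariant_holds(20, 20, 8, round_up))
    # Rounding loss at a tiny amount versus a normal-sized one.
    print(float(relative_undercount(8)), float(relative_undercount(8 * ONE + 1)))
```

In this model, rounding the requested output down undercharges the swap and the invariant check fails, while rounding it up keeps the check passing; the same one-unit error is negligible at normal balances.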
The DeFi protocol is still investigating the attack and has not provided a final impact figure. Initial estimates suggested that roughly $128 million was drained, but a rapid response from the community reduced the total losses by more than $20 million.
“Balancer continues to work with partners, researchers, exchanges, and whitehat teams to recover funds. A comprehensive post-mortem with validated totals, transaction references, and recovery/distribution flows will be published once partner verification and reconciliation are complete,” the DeFi protocol said.
The attack mainly affected Composable Stable v5 pools that were out of the pause window, and Balancer recommends that users refrain from interacting with them, noting that its priority is mitigation and recovery of funds.

