Decentralized finance platform Balancer has identified a specific rounding error in its code as the technical vulnerability responsible for the multi-chain hack that drained over USD $128 million in crypto assets on November 3.
The flaw was pinpointed to the EXACT_OUT swap path in the v2 Vault's batchSwap, and it primarily affected Composable Stable Pools (CSPs). Because the same pool code is deployed on every chain Balancer v2 runs on, the single bug let attackers exploit the protocol across multiple blockchain networks.
Initial estimates of the losses were around USD $70 million, but subsequent analysis by firms such as Nansen and PeckShield raised the figure to more than USD $128 million. Balancer has said these figures are preliminary and that a final verified count will follow.
Balancer deployments on several networks were hit, including Ethereum, Polygon, Base, Avalanche, Arbitrum, and Optimism. Forks of Balancer, such as BEX on Berachain and Beets on Sonic, were also compromised.
The exploit leveraged a defective implementation in CSPs: tokens with non-integer scaling factors (the per-token multipliers that normalise raw balances to 18 decimals) leave remainders when amounts are upscaled and downscaled, and the affected code rounded those remainders down, that is, in the swapper's favour rather than the pool's. Small discrepancies of this kind, repeated across swaps, let the attacker extract value; the proceeds were credited as internal balances in the Vault and then withdrawn.
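The class of bug described above, as an added illustration that is not Balancer's code and does not reproduce the actual exploit path: a hypothetical two-token pool that upscales raw balances by WAD-based scaling factors before computing an EXACT_OUT quote, once with every intermediate amount rounded down (toward the trader) and once rounded in the pool's favour. The scaling factor of 1.037 for token B, the balances, and the 5-wei requests are constructed values; the invariant is a constant product for brevity (Balancer's CSPs use a StableSwap-style invariant, but the rounding argument is the same). The `invariant_never_decreases` check is the property test a reviewer would want to run over many tiny swaps: a pool whose invariant falls after a swap is leaking value to the swapper.

```python
# Added illustration (not Balancer's code): rounding direction in scaled
# fixed-point math for an EXACT_OUT swap, vulnerable mode vs hardened mode.
WAD = 10**18  # 18-decimal fixed point used for pool-internal "scaled" amounts


def mul_div_down(a: int, b: int, d: int) -> int:
    """a*b/d rounded down (floor for non-negative inputs)."""
    return a * b // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """a*b/d rounded up; a zero product stays zero."""
    p = a * b
    return 0 if p == 0 else (p - 1) // d + 1


class ConstantProductPool:
    """Hypothetical two-token pool with per-token scaling factors.

    Balances are kept in raw token units and upscaled by WAD-based scaling
    factors before the invariant math runs. A rate-provider token gets a
    non-integer ratio (1.037 in the demo), which is where remainders appear.
    """

    def __init__(self, bal_a, bal_b, sf_a, sf_b, pool_favored_rounding):
        self.bal_a = bal_a  # raw units of token A
        self.bal_b = bal_b  # raw units of token B
        self.sf_a = sf_a    # scaling factor of A, WAD-based
        self.sf_b = sf_b    # scaling factor of B, WAD-based
        # True  = hardened: amounts the pool charges round up (pool-favored)
        # False = vulnerable: every intermediate rounds down, toward the trader
        self.pool_favored_rounding = pool_favored_rounding

    def scaled_balances(self):
        # Balances are upscaled conservatively (down) in both modes.
        return (mul_div_down(self.bal_a, self.sf_a, WAD),
                mul_div_down(self.bal_b, self.sf_b, WAD))

    def invariant(self) -> int:
        a, b = self.scaled_balances()
        return a * b

    def quote_exact_out(self, amount_out_b: int) -> int:
        """Raw amount of A the trader must pay to receive amount_out_b raw B."""
        rnd = mul_div_up if self.pool_favored_rounding else mul_div_down
        scaled_a, scaled_b = self.scaled_balances()
        # 1. Upscale the requested output. The pool is giving B away, so the
        #    scaled figure it charges for must not undercount: round up.
        scaled_out = rnd(amount_out_b, self.sf_b, WAD)
        if scaled_out >= scaled_b:
            raise ValueError("insufficient liquidity")
        # 2. Solve (scaled_a + in) * (scaled_b - out) = scaled_a * scaled_b
        #    for "in"; what the pool is owed rounds up.
        scaled_in = rnd(scaled_a, scaled_out, scaled_b - scaled_out)
        # 3. Downscale the input back to raw units of A; a charge rounds up.
        return rnd(scaled_in, WAD, self.sf_a)

    def swap_exact_out(self, amount_out_b: int) -> int:
        amount_in_a = self.quote_exact_out(amount_out_b)
        self.bal_a += amount_in_a
        self.bal_b -= amount_out_b
        return amount_in_a


def invariant_never_decreases(pool, requests) -> bool:
    """Property every pool must satisfy: no swap may lower the invariant.

    Driving this with a series of tiny EXACT_OUT requests is the check that
    exposes rounding that leans toward the trader."""
    before = pool.invariant()
    for amount_out in requests:
        pool.swap_exact_out(amount_out)
        after = pool.invariant()
        if after < before:
            return False
        before = after
    return True


def demo() -> dict:
    # Constructed numbers: 1,000,000 of each token; A has an integer scaling
    # factor, B is priced through a rate provider reporting 1.037.
    args = (10**6 * WAD, 10**6 * WAD, WAD, 1037 * 10**15)
    vulnerable = ConstantProductPool(*args, pool_favored_rounding=False)
    hardened = ConstantProductPool(*args, pool_favored_rounding=True)
    tiny = [5] * 10  # ten requests for 5 wei of B each
    return {
        "vulnerable_price_for_5_wei": vulnerable.quote_exact_out(5),
        "hardened_price_for_5_wei": hardened.quote_exact_out(5),
        "vulnerable_holds": invariant_never_decreases(vulnerable, tiny),
        "hardened_holds": invariant_never_decreases(hardened, tiny),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed numbers, 5 wei of B is worth about 5.185 scaled units: the vulnerable path charges 4 wei of A for it and the invariant drops after the very first swap, while the hardened path charges 6 and the invariant never decreases across the series. The per-swap leak is microscopic, which is exactly why the property check has to be run over many swaps rather than one.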
Balancer’s security partner, Hypernative, detected the incident early. CSPv5 pools were the most exposed because their pause windows had expired, so they could no longer be halted; CSPv6 pools automatically entered recovery mode.
In an immediate, coordinated response, various white-hat partners and collaborators intervened to mitigate damages and recover funds. StakeWise DAO successfully recovered approximately USD $1.7 million in osGNO and USD $19 million in osETH, representing 73.5% of those stolen tokens.
BitFinding, alongside Base MEV bots, recovered an additional USD $750,000, which has been returned to the Balancer DAO.
Affected ecosystems also took action. Berachain halted its network and implemented an emergency hard fork on November 4 to address its BEX exposure. Gnosis temporarily restricted bridge activity to prevent further propagation of the exploit, and Monerium froze USD $1.3 million in the affected vault.
As part of its mitigation, Balancer disabled the CSPv6 factory so that no new vulnerable pools could be created, halted the liquidity gauges on affected pools to stop further token emissions, and enabled liquidity exits so providers could withdraw safely.
Hypernative’s automated emergency system paused the v6 pools without manual intervention. Balancer’s Safe Harbor legal framework (BIP-726) let ethical hackers intervene without legal exposure, which accelerated the overall response.
Balancer v3 and all other versions of the protocol remained unaffected by the vulnerability. A final report detailing confirmed losses and recoveries is expected once all partner validations are complete.
