Balancer $120M Hack Exposes Stable Pool Precision Flaw
The Balancer hack on November 3 saw an attacker exploit a precision-loss flaw in Balancer v2 Composable Stable Pools. Using flash loans and batch swaps, the attacker manipulated rounding logic under low liquidity to drain around $120 million across multiple chains.
The exploit stemmed from integer fixed-point truncation during batch swaps. The attacker swapped Balancer Pool Tokens (BPT) for liquidity tokens, then performed small osETH↔WETH trades to amplify rounding errors. Repeating this cycle inflated internal balances and allowed large withdrawals from the Vault. SlowMist traced the stolen funds through Tornado Cash to multiple on-chain addresses.
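Why truncation only matters under low liquidity can be seen by measuring it. The following is an added illustration, not Balancer's code: it quantifies how much value a rounded-down fixed-point multiply drops at different balance sizes and flags balances where that error exceeds a tolerance. The 18-decimal unit, the rate value, the pool labels and the 100 ppm tolerance are assumptions chosen for the sketch.

```python
ONE = 10**18  # 18-decimal fixed-point unit (assumed for this sketch)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, truncating toward zero."""
    return a * b // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding up."""
    return -(-(a * b) // ONE)

def truncation_loss_ppm(raw_balance: int, rate: int) -> int:
    """Relative value dropped by mul_down, in parts per million."""
    exact = raw_balance * rate            # exact product, still scaled by ONE
    if exact == 0:
        return 0
    lost = exact - mul_down(raw_balance, rate) * ONE
    return lost * 1_000_000 // exact

def rounding_sensitive(raw_balance: int, rate: int, tolerance_ppm: int) -> bool:
    """True when a single truncation could exceed tolerance_ppm.

    Truncation drops less than one unit, so the relative error is bounded
    by 1 / scaled_balance; compare that bound with the tolerance.
    """
    scaled = mul_down(raw_balance, rate)
    return scaled * tolerance_ppm < 1_000_000

# Constructed sample data: (pool label, raw balance in smallest units, rate).
SAMPLE_POOLS = [
    ("pool-a", 5_000 * ONE, 1_050_000_000_000_000_000),
    ("pool-b", 9,           1_050_000_000_000_000_000),
    ("pool-c", 0,           1_050_000_000_000_000_000),
]

def flag_pools(pools, tolerance_ppm=100):
    """Return labels of pools whose balances sit in the rounding-sensitive range."""
    return [name for name, bal, rate in pools
            if rounding_sensitive(bal, rate, tolerance_ppm)]

if __name__ == "__main__":
    for name, bal, rate in SAMPLE_POOLS:
        print(name, mul_down(bal, rate), mul_up(bal, rate),
              truncation_loss_ppm(bal, rate))
    print("flagged:", flag_pools(SAMPLE_POOLS))
```

At a balance of thousands of tokens the truncated amount is negligible; at a balance of a few smallest units the same single-unit truncation is several percent of the value, which is the regime a monitor or a minimum-balance guard should watch for.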
In response to the Balancer hack, the team paused vulnerable pools, blocked new pool creation, and enacted emergency controls. Whitehat interventions and partnerships with Monerium, Sonic Labs and Hypernative recovered about 73.5% of stolen osETH.
The incident highlights critical DeFi security risks in stable pool precision handling. Balancer has launched ongoing audits and logic improvements to safeguard future liquidity pools. Crypto traders should monitor upcoming security updates and pool parameters affecting stable pools.
Bearish
The Balancer hack exposes a critical precision flaw in stable pools, undermining confidence in the protocol and its native token. Short-term, traders may sell off BAL and related assets due to perceived security risks and liquidity concerns. Although recovery efforts and audits can mitigate longer-term damage, the immediate market reaction is likely bearish, as investors reassess risk and adjust positions.