Executive Summary

On November 3rd, the Balancer V2 protocol and its forked projects on multiple chains suffered an attack, resulting in a severe loss of over $120M. BlockSec promptly issued a warning and provided an initial analysis. This was a highly complex attack event. Our initial analysis indicates that the root cause lies in attackers manipulating the invariant, thereby distorting the calculation of the BPT (Balancer Pool Token) price -- which is the LP token of the Balancer Pool -- enabling them to profit through a batchSwap operation in a certain stable pool.

Key Takeaways:

* **Attack Date:** November 3rd
* **Losses:** Over $120 million
* **Root Cause:** Invariant manipulation and exploitation of rounding errors
* **Affected Protocols:** Balancer V2 and its forks

Background

1. Scaling and Rounding

To standardize the decimals of different tokens, Balancer contracts will:

* **Upscale:** Amplify balances and amounts to a uniform internal precision before performing calculations.
* **Downscale:** Reduce the results back to the native precision, with directed rounding (e.g., the input side usually rounds up to ensure the pool doesn't undercharge; the output path often truncates downwards).

**Conclusion:** Within the same transaction, asymmetry in the rounding directions used in different segments can generate systematic minor deviations when executed repeatedly in extremely small steps.

2. Impact on D and BPT Price

The Composable Stable Pools of the Balancer V2 protocol and its forked protocols are affected by this attack. Stable Pools are used for assets that are expected to maintain a close to 1:1 exchange ratio (or to exchange at known exchange rates), allowing large exchanges without causing significant price impact, thereby greatly increasing capital efficiency between similar or related assets. This pool uses Stable Math (based on Curve's StableSwap model), and the invariant D represents the pool's "virtual total value". The BPT (the pool's LP token) price is approximately: [Equation] From the above equation, if D can be made smaller on paper (even if funds are not actually lost), the BPT price becomes cheaper. BPT represents a share of the pool and is used to calculate how much of the pool's reserves can be obtained when withdrawing liquidity, so if an attacker can obtain more BPT, they can ultimately profit when withdrawing liquidity.

Attack Analysis

Taking the attack transaction on Arbitrum as an example, the batchSwap operation can be divided into three stages:

* **Stage 1:** The attacker swaps BPT for the underlying assets to precisely adjust the balance of one of the tokens (cbETH) to the critical point of the rounding boundary (quantity = 9). This step creates the conditions for precision loss in the next stage.
* **Stage 2:** The attacker uses a carefully constructed quantity (= 8) to swap between another underlying asset (wstETH) and cbETH. Due to rounding down when scaling the token quantity, the calculated Δx is slightly smaller (changing from 8.918 to 8), thereby causing Δy to be underestimated and making the invariant D (from Curve's StableSwap model) smaller. Since BPT price = D / totalSupply, the BPT price is artificially lowered.
* **Stage 3:** The attacker swaps the underlying assets back to BPT, profiting from the lowered BPT price while restoring the balance within the pool -- obtaining more BPT tokens.

Finally, the attacker uses another profit transaction to withdraw liquidity, leveraging the additional BPT to obtain other underlying assets in the pool (cbETH and wstETH) and thereby profiting.
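The effect described in "Scaling and Rounding" and in Stage 2 can be reproduced in a small model that also shows the post-swap invariant check a pool can use to reject such a swap. This is an added example, not Balancer's code: it uses a two-token Curve-style invariant with floats and no fees, and `RATE`, `A`, the pool balances and all function names are constructed for illustration.

```python
import math

A = 100.0        # amplification factor (constructed value)
RATE = 1.11475   # constructed scaling factor: 8 native units -> 8.918 scaled

def invariant(x, y):
    """StableSwap D for two tokens: 4A(x+y) + D = 4AD + D^3/(4xy), by bisection."""
    f = lambda d: d**3 / (4 * x * y) + (4 * A - 1) * d - 4 * A * (x + y)
    lo, hi = 0.0, x + y              # f(0) < 0 and f(x+y) >= 0 (AM-GM)
    for _ in range(200):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if f(mid) < 0 else (lo, mid)
    return hi

def balance_for(x, d):
    """Balance y that keeps invariant d when the other balance is x (quadratic root)."""
    b = 4 * A * x + d - 4 * A * d
    c = d**3 / (4 * x)
    return (-b + math.sqrt(b * b + 16 * A * c)) / (8 * A)

def swap_out(x0, y0, native_out, rounding):
    """A user withdraws native_out of token X; the pool prices rounding(scaled amount).
    Returns (D before, D after), both measured on the true scaled balances."""
    d0 = invariant(x0, y0)
    true_dx = native_out * RATE      # scaled amount that really leaves the pool
    priced_dx = rounding(true_dx)    # scaled amount the swap math charges for
    y_in = balance_for(x0 - priced_dx, d0) - y0
    return d0, invariant(x0 - true_dx, y0 + y_in)

def invariant_held(d_before, d_after, tol=1e-9):
    """Post-swap guard: D must not decrease (tolerance only absorbs float noise)."""
    return d_after >= d_before * (1 - tol)

X0, Y0 = 9 * RATE, 1000.0            # constructed pool: 9 native units of X
down = swap_out(X0, Y0, 8, math.floor)   # 8.918 priced as 8: pool undercharges
up = swap_out(X0, Y0, 8, math.ceil)      # 8.918 priced as 9: rounds in pool's favour

if __name__ == "__main__":
    for name, (d0, d1) in (("round down", down), ("round up", up)):
        print(f"{name}: D {d0:.4f} -> {d1:.4f}, check passes: {invariant_held(d0, d1)}")
```

Rounding the priced amount down lets D fall across the swap, while rounding it up (in the pool's favour) keeps D from decreasing, which is the property the guard enforces.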
* **Attack Transaction:** [https://app.blocksec.com/explorer/tx/arbitrum/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773](https://app.blocksec.com/explorer/tx/arbitrum/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773)
* **Profit Transaction:** [https://app.blocksec.com/explorer/tx/arbitrum/0x4e5be713d986bcf4afb2ba7362525622acf9c95310bd77cd5911e7ef12d871a9](https://app.blocksec.com/explorer/tx/arbitrum/0x4e5be713d986bcf4afb2ba7362525622acf9c95310bd77cd5911e7ef12d871a9)
