
Balancer Team Identifies Cause of $128 Million Hack
Balancer hack attributed to Composable Stable pools flaw.
The hack on the DeFi protocol Balancer was attributed to a flaw in one of the platform’s key components—the Composable Stable pools. This conclusion was shared by the project’s developers.
— Balancer (@Balancer) November 5, 2025
According to the statement, the vulnerability allowed attackers to exploit a feature of the deferred settlement mechanism. Due to a coding error, liquidity could temporarily fall below the critical minimum threshold.
In certain swap operations (EXACT_OUT), non-integer scaling factors led to rounding down values. These discrepancies accumulated, creating an opportunity to manipulate pool balances, enabling hackers to withdraw funds.
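The rounding effect described above, as an added illustration that is not Balancer's code and not part of the original article: it shows truncation with a non-integer scaling factor accumulating into a shortfall, next to a rounding direction that never understates the amount. The 18-decimal fixed-point convention, the factor 1.05, the swap sizes and all function names are assumptions made for the example.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point (assumed convention for this example)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates the remainder."""
    return a * b // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds any remainder up."""
    return -(-a * b // ONE)

def accounted_total(amounts_out, factor, mul) -> int:
    """Sum of scaled amounts the pool books across a series of EXACT_OUT swaps."""
    return sum(mul(a, factor) for a in amounts_out)

def drift(amounts_out, factor, mul) -> Fraction:
    """Exact scaled total minus the booked total (positive = pool shortfall)."""
    exact = sum(Fraction(a * factor, ONE) for a in amounts_out)
    return exact - accounted_total(amounts_out, factor, mul)

def favors_pool(amount_out: int, factor: int, mul) -> bool:
    """Invariant worth testing: the scaled amount never understates the exact value."""
    return mul(amount_out, factor) * ONE >= amount_out * factor

# Constructed sample input: non-integer factor 1.05 and 1000 swaps of 9 base units.
FACTOR = 1_050_000_000_000_000_000
SWAPS = [9] * 1000

if __name__ == "__main__":
    # Each swap is exactly 9.45 scaled units; truncation books 9, losing 0.45.
    print("shortfall, rounding down:", drift(SWAPS, FACTOR, mul_down))
    # Rounding up books 10 per swap, so the error lands on the caller instead.
    print("shortfall, rounding up:  ", drift(SWAPS, FACTOR, mul_up))
    # An integer factor leaves no remainder, so there is nothing to accumulate.
    print("shortfall, factor 2.0:   ", drift(SWAPS, 2 * ONE, mul_down))
    print("invariant holds (down/up):",
          favors_pool(9, FACTOR, mul_down), favors_pool(9, FACTOR, mul_up))
```

The per-operation error is under one unit, so it only matters relative to the balance: at 9 units it is close to 5% of the scaled value, which is why very low liquidity makes the discrepancy significant.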
Assets were initially moved to internal accounts of Balancer v2 storage and then withdrawn through separate transactions.
The main impact was on Composable Stable v5 pools, whose protective period had expired. The v6 pools avoided extensive depletion thanks to the Hypernative emergency response system, which automatically suspended their operation.
“The incident exclusively affected Composable Stable Pools in Balancer v2 and their forks in other networks: BEX and Beets. Balancer v3 and other pool types were not attacked,” noted the protocol team.
Scale of the Incident
To counter the threat, other Balancer partners also took various measures. Specifically:
- StakeWise DAO returned about $19 million in osETH and $1.7 million in osGNO—73.5% of the stolen osETH volume;
- Berachain validators halted the network for a hard fork that addressed the vulnerability in BEX v2;
- Sonic Labs froze wallets linked to the suspected attacker and blocked fund movements in its Balancer fork;
- Gnosis imposed temporary restrictions on bridge operations;
- Monerium froze 1.3 million EURe in the affected storage account.
Efforts by BitFinding and Base MEV bots recovered about $750,000.
According to developers, the previously adopted Safe Harbor legal framework (BIP-726) “significantly improved response speed and coordination.”
The exact amount of recovered funds is still unknown. The Balancer team promised to report on the final losses and recovered assets after the audit is completed.
As reported, the DeFi protocol was hacked on November 3. The attack lasted several hours.