On Nov 3, 2025, Balancer V2 suffered a $100M+ exploit. It wasn’t the new V3 code, but "battle-tested" legacy pools that failed.
Here is what happened, how a latent arithmetic bug was amplified, and what the industry can learn about the fragility of legacy code.👇
DeFi Rule #1: Rounding must always favour the Protocol. Balancer’s _upscale function violated this by rounding down, favouring the user. Harmless in standard pools, this became fatal when "Composable Pools" introduced complex exchange rates that exposed the gap.
The Amplification: The bug was tiny, but two features turned it into a $100M drain.
batchSwap: Allowed them to borrow assets without collateral.
Composability: The pool’s own LP token was treated as a swappable asset, allowing the attacker to manipulate its price directly.
The Attack:
Using batchSwap, the attacker "borrowed" BPT and swapped it to create a low-liquidity state. They executed a "long, alternating batch-swap sequence," magnifying the rounding error to deflate the pool’s invariant (D) mathematically.
The Payoff:
With the invariant crushed, the BPT price artificially crashed. The attacker swapped assets back into the now-cheap BPT to settle their loan and pocket the difference. They used a two-stage attack (manipulation vs. withdrawal) to evade detection.
Contagion & Fallout:
Berachain validators forced a chain halt to hard fork the exploit away. Sonic Labs and Monerium froze assets. It has been proven that decentralised failures often require highly centralised, coordinated interventions to rectify.
The Audit Blind Spot:
OpenZeppelin audited V2 before the vulnerable code was added. Trail of Bits audited the pool later but had the specific math library "out of scope." The industry suffered from "battle-tested bias," assuming legacy code was safe.
Regulatory Takeaway 1: Audit Scope."
Audited" is not a monolithic status. Supervisors must scrutinise which components were reviewed and when. Post-audit features (like the scaling override) can introduce systemic risks not covered by prior reports.
Regulatory Takeaway 2: The Legacy Liability.
Code in "maintenance mode" is a prime target. While teams focus on V3, attackers hunt for complex math edge cases in V2 that were ignored years ago.
Regulatory Takeaway 3: The Centralisation Reality.
When core protocols break, the only safety nets are centralised (chain halts, asset freezes). We must confront the tension between ideological decentralisation and the practical actions required to protect users.
937
0
The content on this page is provided by third parties. Unless otherwise stated, OKX is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.