Checkpoint Details On How Attackers Drained $128m From Balancer...

On November 3, 2025, blockchain security monitoring systems detected a sophisticated exploit targeting Balancer V2’s ComposableStablePool contracts.

An attacker exploited a precision loss vulnerability to drain $128.64 million across six blockchain networks in under 30 minutes.

The attack leveraged a rounding error in the _upscaleArray function combined with carefully crafted batchSwap operations, allowing the attacker to artificially suppress BPT (Balancer Pool Token) prices and extract value through repeated arbitrage cycles.

The exploitation occurred primarily during smart contract deployment, with the attacker’s constructor executing over 65 micro-swaps that compounded precision loss to devastating effect.

This incident represents a watershed moment for DeFi security, demonstrating how mathematical vulnerabilities in core protocol functions can be weaponized through automation and precise parameter tuning.

The attack’s sophistication lay not in exploiting a novel vulnerability type, but in recognizing how negligible rounding errors become catastrophic when amplified through dozens of operations in atomic transactions.

Check Point researchers noted that the attack exploited a fundamental weakness in how Balancer’s ComposableStablePools handle small-value swaps.

When token balances are pushed to specific rounding boundaries, particularly the 8-9 wei range, Solidity’s integer division causes significant precision loss.

The researchers identified that individual swaps produce negligible errors, but within a single batchSwap transaction containing 65 operations, these losses compound dramatically, creating exploitable arbitrage opportunities.
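As an added illustration of the rounding mechanism described above (this is not Check Point's analysis code or Balancer's contract code), the following Python models 18-decimal fixed-point scaling with Solidity-style floor division, shows how the relative error at wei-scale balances dwarfs the error at normal balances, and how repeated round trips compound it. The scaling factor and balances are constructed sample values, and `within_precision_budget` is a hypothetical defensive check, not something Balancer implements.

```python
"""Added illustration (not Check Point's or Balancer's code): how round-down
fixed-point scaling loses relative precision at wei-scale balances, how that
loss compounds across many operations, and a guard that rejects such states.
The 18-decimal fixed point mirrors Balancer-style math; the scaling factor
and balances below are constructed sample values."""
from decimal import Decimal, getcontext

getcontext().prec = 60          # enough digits to compare 10**21-scale ints exactly
ONE = 10**18                    # 1.0 in 18-decimal fixed point
# Constructed rate-style scaling factor (about 1.0432): a non-round value so
# the floor in integer division actually discards something.
FACTOR = 1_043_217_889_123_456_789


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, rounding toward zero like Solidity's `/`."""
    return (a * b) // ONE


def div_down(a: int, b: int) -> int:
    """Fixed-point divide, rounding toward zero."""
    return (a * ONE) // b


def relative_error(balance: int, factor: int = FACTOR) -> Decimal:
    """Relative error introduced by one round-down upscale of `balance`."""
    exact = Decimal(balance) * Decimal(factor) / Decimal(ONE)
    return (exact - Decimal(mul_down(balance, factor))) / exact if exact else Decimal(0)


def compounded_loss(balance: int, rounds: int, factor: int = FACTOR) -> int:
    """Wei lost after `rounds` upscale/downscale round trips (exactly 0 in real math)."""
    current = balance
    for _ in range(rounds):
        current = div_down(mul_down(current, factor), factor)
    return balance - current


def within_precision_budget(balance: int, max_rel_error: Decimal = Decimal("1e-9"),
                            factor: int = FACTOR) -> bool:
    """Hypothetical defensive check: refuse to operate on balances whose
    single-step rounding error exceeds the budget, so compounding cannot amplify it."""
    return relative_error(balance, factor) <= max_rel_error


if __name__ == "__main__":
    for bal in (9, 1_234_567_890_123_456_789_012):   # 9 wei vs ~1234.57 tokens
        print(f"balance={bal}: rel_err={relative_error(bal):.3e}, "
              f"loss after 65 round trips={compounded_loss(bal, 65)} wei, "
              f"ok={within_precision_budget(bal)}")
```

At 9 wei a single upscale already loses over 4% of the value and 65 round trips consume the entire balance, while the large balance loses at most a few wei in total; the guard rejects the former and accepts the latter.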

The attacker’s technical execution revealed a three-stage pattern repeated 65 times atomically. First, large BPT amounts were swapped for underlying tokens to push specific token balances to critical rounding boundaries.

Source: Cybersecurity News