Balancer published a preliminary post-mortem report on Wednesday after an exploit drained about $116 million from its decentralized finance protocol. The breach specifically hit Balancer v2 Stable Pools and Composable Stable v5 pools, while other pool types remained unaffected, according to the report. The attacker combined BatchSwaps (which bundle multiple swaps into a single transaction) with flashloans and a flaw in the upscale rounding function used in EXACT_OUT swaps. The bug allowed the exploiter to skew the pools’ pricing calculations and, as a result, extract liquidity from Balancer’s stable pools. The Balancer team stated that the upscaling function was intended to round down, but the attacker discovered specific conditions under which the rounding could be pushed the other way, in the attacker’s favour. Combined with BatchSwaps, this let them chain many such swaps through the Vault within a single transaction. The report noted that in many instances the exploited funds remained within the Vault as internal balances before being withdrawn in subsequent transactions.
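To make the rounding point concrete, here is an added toy model that is not Balancer’s code and does not reproduce its StableMath: it quotes an EXACT_OUT swap with constant-product maths on WAD-scaled balances, once with every intermediate rounded in the pool’s favour and once with everything rounded down. The scaling factor F_Y and the pool balances are constructed for the illustration. The interesting check is the rational, rounding-free invariant: a correct quote can never let it fall, however small the amount, while the all-round-down quote lets a swapper take 1 wei for nothing and lowers the invariant on the very first swap of a batch.

```python
"""Toy model of why rounding direction in balance up-scaling matters for
EXACT_OUT quotes.  Constant-product maths on WAD-scaled balances; this is an
added illustration, not Balancer's StableMath or Vault code."""
from fractions import Fraction

WAD = 10**18

# Constructed scaling factors: X is a plain 18-decimal token (factor 1.0),
# Y is a rate-bearing token whose rate is deliberately not a round number so
# that up-scaled balances do not land on integers.
F_X = WAD
F_Y = 1_050_000_000_000_000_001


def mul_down(a: int, b: int) -> int:
    """floor(a * b / WAD)"""
    return a * b // WAD


def mul_up(a: int, b: int) -> int:
    """ceil(a * b / WAD)"""
    return -(-(a * b) // WAD)


def div_down(a: int, b: int) -> int:
    return a // b


def div_up(a: int, b: int) -> int:
    return -(-a // b)


def quote_exact_out(x_raw, y_raw, dy_raw, f_x=F_X, f_y=F_Y, pool_favoring=True):
    """Raw amount of X the swapper must pay to receive exactly dy_raw of Y.

    pool_favoring=True rounds every intermediate so the error can only
    increase what the swapper owes; pool_favoring=False rounds everything
    down, the pattern that leaks value to the swapper.
    """
    if pool_favoring:
        x_s = mul_up(x_raw, f_x)        # larger balance-in   -> larger dx
        y_s = mul_down(y_raw, f_y)      # smaller balance-out -> larger dx
        dy_s = mul_up(dy_raw, f_y)      # larger amount-out   -> larger dx
        if y_s <= dy_s:
            raise ValueError("insufficient liquidity")
        dx_s = div_up(x_s * dy_s, y_s - dy_s)
        return div_up(dx_s * WAD, f_x)  # down-scale, again rounding up
    x_s = mul_down(x_raw, f_x)
    y_s = mul_down(y_raw, f_y)
    dy_s = mul_down(dy_raw, f_y)
    if y_s <= dy_s:
        raise ValueError("insufficient liquidity")
    dx_s = div_down(x_s * dy_s, y_s - dy_s)
    return div_down(dx_s * WAD, f_x)


def exact_required(x_raw, y_raw, dy_raw, f_x=F_X, f_y=F_Y) -> Fraction:
    """The rational, rounding-free amount of X the invariant actually demands."""
    x_s = Fraction(x_raw * f_x, WAD)
    y_s = Fraction(y_raw * f_y, WAD)
    dy_s = Fraction(dy_raw * f_y, WAD)
    return x_s * dy_s / (y_s - dy_s) * WAD / f_x


def true_invariant(x_raw, y_raw, f_x=F_X, f_y=F_Y) -> Fraction:
    """Product of the exact scaled balances, with no rounding at all."""
    return Fraction(x_raw * f_x, WAD) * Fraction(y_raw * f_y, WAD)


def run_batch(dy_raw, n, pool_favoring, x_raw=WAD, y_raw=WAD):
    """Apply n identical EXACT_OUT swaps back to back, as a BatchSwap would,
    and count how many of them lowered the pool's true invariant."""
    k = true_invariant(x_raw, y_raw)
    decreases = 0
    for _ in range(n):
        dx = quote_exact_out(x_raw, y_raw, dy_raw, pool_favoring=pool_favoring)
        x_raw += dx
        y_raw -= dy_raw
        k_next = true_invariant(x_raw, y_raw)
        if k_next < k:
            decreases += 1
        k = k_next
    return {"invariant_decreases": decreases, "x_raw": x_raw, "y_raw": y_raw}


if __name__ == "__main__":
    for pf in (False, True):
        label = "pool-favouring" if pf else "all rounded down"
        print(label, "| 1 wei out costs", quote_exact_out(WAD, WAD, 1, pool_favoring=pf),
              "| 200-swap batch lowered invariant",
              run_batch(1000, 200, pf)["invariant_decreases"], "times")
```

The review habit this models is the one that matters for any pool that scales balances through rate providers: assert, in tests and fuzzing, that the exact rational invariant is non-decreasing after every swap, and fuzz with amounts of a few wei, because the rounding error is an absolute quantity and dominates precisely when the swap is tiny and repeated many times inside one transaction.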
The exploit underscores ongoing vulnerabilities in DeFi infrastructure and the importance of independent code reviews beyond automated audits.
Industry Response and Recovery Efforts
Security analysts believe the hackers meticulously prepared the operation for months, funding the attack through small deposits of 0.1 Ether via Tornado Cash to mask their trail. Blockchain forensics teams described the execution as “methodical,” suggesting the attackers possessed a deep familiarity with Balancer’s codebase and liquidity mechanisms. Balancer confirmed it has been collaborating with cybersecurity partners and other DeFi protocols to recover or freeze stolen funds. Through these collaborative efforts, approximately 5,041 StakeWise Staked ETH (osETH), valued at roughly $19 million, and 13,495 osGNO tokens, worth up to $2 million, were successfully traced and frozen. The protocol has since paused all affected pools and halted the creation of new stable pools until a permanent fix is deployed. Developers clarified that no other versions of the Balancer pools were compromised, and liquidity in unaffected pools remains secure.
White Hat Bounty and Ongoing Investigation
Balancer has offered a 20% bounty to any ethical hacker or the attacker themselves for the return of the stolen assets. As of the publication of this report, no one has claimed the reward or initiated contact with the Balancer team. Blockchain security firms are continuing their efforts to trace the flow of stolen tokens across multiple DeFi platforms and mixers. The Balancer team also expressed gratitude to community responders who assisted in containing the incident, including developers from major DeFi projects that worked to block further withdrawals. A Balancer representative stated that the swift cooperation across the ecosystem prevented even greater losses. This attack follows several high-value DeFi breaches in recent months, reigniting discussions about the reliability of smart contract audits. Industry observers have questioned whether automated tools are sufficient to detect complex logic flaws, such as the rounding exploit used in this incident.
The Balancer breach highlights how composability—a key DeFi feature—can also expand the attack surface, making multi-contract exploits harder to detect or prevent.
DeFi’s Broader Security Reckoning
The Balancer exploit occurs amidst increasing pressure on DeFi platforms to enhance their risk controls following a series of large-scale thefts. According to blockchain analytics firm DefiLlama, losses from protocol hacks have exceeded $2.3 billion in 2025, with flashloan-enabled exploits representing a growing proportion of these losses. Balancer’s engineers are currently conducting a comprehensive code review and coordinating additional third-party audits before reopening the affected pools. The team indicated that lessons learned from this attack will be incorporated into new safeguard models for all future pool releases.