A critical vulnerability in the Balancer decentralized exchange protocol allowed attackers to extract more than $120 million by exploiting a rounding error in the batched swap mechanism. Analysis indicates that the flawed logic in the EXACT_OUT swap function improperly up-scaled and down-scaled token amounts across multiple steps, creating minuscule balance imbalances that accrued over repeated transactions. These discrepancies, akin to shaving fractions of a cent, were systematically drained by the hacker until conditions triggered insufficient liquidity safeguards.
The exploit targeted pools containing tokens with differing decimal precisions, a scenario that went undetected despite multiple security audits. During batched trades, Balancer’s code converted input amounts to 18-decimal representation before executing price calculations, then reverted results to native token decimals. In some cases, the final down-scaling step rounded values upward, granting excess assets to the swap initiator. By orchestrating high-frequency micro-swaps, the attacker generated cumulative gains that bypassed on-chain slippage limits.
Upon discovery, the Balancer team issued a preliminary report and coordinated with blockchain validators and node operators to implement emergency measures. On Polygon and Sonic, governance bodies enacted freeze modules to lock affected pool contracts and intercept outgoing transfers. Berachain stakeholders approved an emergency hard fork to roll back the exploit window and enable restitution for liquidity providers. These interventions highlight ongoing tensions between immutable ledger principles and rapid crisis response in DeFi ecosystems.
The incident has reignited debates over the centralization of security controls, with critics arguing that freeze functions and hard forks contradict the “code is law” ethos. Proponents counter that adaptive governance tools are necessary to protect users in high-risk environments. Balancer’s vulnerability underscores the importance of rigorous decimal-handling checks and highlights evolving attack vectors leveraging mathematical edge cases. Protocol developers are now revisiting audit frameworks and integrating automated fuzz testing for decimal operations to prevent similar exploits in future releases.
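The following is an added example, not Balancer's code: a Python sketch of the kind of fuzz check for decimal operations mentioned above, modelling the 18-decimal up-scale and down-scale round trip the article describes. The function names, the token decimal choices (6, 8, 18) and the random amounts are assumptions made for illustration.

```python
import random

INTERNAL_DECIMALS = 18  # internal precision named in the article

def scaling_factor(token_decimals):
    # Multiplier between a token's native units and 18-decimal units.
    return 10 ** (INTERNAL_DECIMALS - token_decimals)

def upscale(native_amount, token_decimals):
    return native_amount * scaling_factor(token_decimals)

def downscale_down(amount_18, token_decimals):
    # Rounds toward zero: the safe direction for amounts the pool pays out.
    return amount_18 // scaling_factor(token_decimals)

def downscale_up(amount_18, token_decimals):
    # Rounds up: safe only for amounts the pool receives.
    factor = scaling_factor(token_decimals)
    return (amount_18 + factor - 1) // factor

def fuzz_payout_rounding(downscale, trials=10_000, seed=1):
    """Return every constructed case where the native payout, scaled back
    to 18 decimals, exceeds the value the pricing math produced."""
    rng = random.Random(seed)  # fixed seed keeps failures reproducible
    violations = []
    for _ in range(trials):
        decimals = rng.choice([6, 8, 18])        # constructed token precisions
        amount_18 = rng.randrange(1, 10 ** 24)   # constructed 18-decimal result
        paid = downscale(amount_18, decimals)
        overpaid = upscale(paid, decimals) - amount_18
        if overpaid > 0:
            violations.append((decimals, amount_18, overpaid))
    return violations

if __name__ == "__main__":
    print("round-down violations:", len(fuzz_payout_rounding(downscale_down)))
    print("round-up violations:  ", len(fuzz_payout_rounding(downscale_up)))
```

Each overpayment found this way is smaller than one native unit of the token, which is why a per-swap check can miss it; the invariant has to be asserted on rounding direction rather than on the size of the error.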