Balancer DeFi Protocol Hit by $120 Million Exploit | Rounding Bug in Smart Contract Leads to Major Crypto Theft

Nov 4, 2025

Incident Summary

The decentralized finance (DeFi) platform Balancer has fallen victim to a massive exploit exceeding $120 million, after attackers abused a rounding-error flaw in its V2 Composable Stable Pools.
The breach was detected on November 3, 2025, when Balancer’s monitoring systems flagged abnormal vault activity. The vulnerability, rooted in the platform’s swap calculation logic, allowed hackers to repeatedly drain small token discrepancies across chained transactions — eventually compounding into millions in stolen crypto.

The total stolen funds are estimated at $128 million, making it one of the largest DeFi thefts of 2025.

Balancer clarified that only V2 “Composable Stable” pools were affected; other versions, including V3, remain secure.

Attack Method

The attackers exploited a rounding-down error in the vault’s internal token conversion system.
When executing a batchSwap function across multiple pools, each swap rounded token amounts slightly downward.
While a single transaction loss was minuscule, chaining these operations across hundreds of swaps produced large distortions in pool balances.

Blockchain analysts also suspect that maliciously deployed contracts manipulated pool initialization sequences — potentially bypassing authorization checks and enabling unauthorized fund transfers.

Despite the protocol undergoing over 11 independent audits since 2021, this specific logic flaw went undetected, raising questions about the limits of static smart contract auditing in dynamic DeFi environments.

To add to the chaos, opportunistic phishing campaigns emerged shortly after the breach.
Fake accounts posing as Balancer offered a “white-hat bounty” of 20% of stolen funds if the hacker returned the rest — an attempt to lure victims into secondary scams.

Impact and Response

  • Total stolen: Estimated $128 million USD worth of crypto assets.

  • Affected systems: Only V2 Composable Stable Pools.

  • Status: Breach isolated; other versions remain operational.

  • User funds: Impacted users have been notified, with Balancer coordinating forensic analysis and recovery efforts.

  • Follow-on scams: Phishing impersonators targeting Balancer users post-incident.

Balancer’s security team has paused affected pools and is working with blockchain forensic experts to trace the stolen assets. A detailed post-mortem report is expected once investigations conclude.

ClearPhish Analysis

This attack once again highlights the fragility of smart contract ecosystems, where micro-errors can cause macro-scale financial damage.
Even with multiple audits, vulnerabilities can persist when attackers chain operations to exploit economic logic rather than simple code flaws.

From ClearPhish’s perspective, three lessons stand out:

  1. Audits are not absolute. Security must include live monitoring and transaction anomaly detection, not just pre-deployment code review.

  2. Economic logic attacks are rising. Threat actors increasingly exploit rounding, slippage, or liquidity imbalances — bypassing traditional controls.

  3. Social engineering follows technical breaches. The phishing scams impersonating Balancer reinforce that attackers exploit both code and people.

DeFi platforms must implement continuous behavioral monitoring, automated pool integrity checks, and user education against post-incident scams.
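To make the rounding mechanism in the Attack Method section and the "automated pool integrity checks" recommendation concrete, here is an added illustration that is not Balancer's code and does not model its stable-pool math. It uses a constructed toy constant-product pool (invariant k = x * y) with two rounding modes: rounding the swap output down so the fractional remainder stays in the pool, versus rounding it up in the caller's favour. A small replay function acts as the integrity check: it recomputes the invariant after every swap in a constructed trace and raises an alert whenever the invariant falls. The pool, trace and function names (`quote_out`, `Pool`, `replay_with_integrity_check`, `run_demo`) are all assumptions made for this example.

```python
from fractions import Fraction
import math

# Constructed toy constant-product pool (invariant k = x * y), used only to
# illustrate rounding direction. It is NOT Balancer's stable-pool math.


def quote_out(reserve_in, reserve_out, amount_in, rounding):
    """Output amount for a constant-product swap under a chosen rounding mode."""
    exact = Fraction(reserve_out * amount_in, reserve_in + amount_in)
    if rounding == "pool":     # round down: the fractional remainder stays in the pool
        return math.floor(exact)
    if rounding == "caller":   # round up: the caller receives the fraction (leaky)
        return math.ceil(exact)
    raise ValueError(f"unknown rounding mode {rounding!r}")


class Pool:
    def __init__(self, x, y, rounding):
        self.reserves = {"X": x, "Y": y}
        self.rounding = rounding

    def invariant(self):
        return self.reserves["X"] * self.reserves["Y"]

    def swap(self, token_in, amount_in):
        token_out = "Y" if token_in == "X" else "X"
        out = quote_out(self.reserves[token_in], self.reserves[token_out],
                        amount_in, self.rounding)
        self.reserves[token_in] += amount_in
        self.reserves[token_out] -= out
        return out


def replay_with_integrity_check(pool, swaps):
    """Replay (token_in, amount_in) steps; report every step where k decreased.

    A healthy pool never lets its invariant fall on a swap, so any decrease is
    value leaving the pool and is worth alerting on, however small.
    """
    alerts = []
    k_before = pool.invariant()
    for step, (token_in, amount_in) in enumerate(swaps):
        pool.swap(token_in, amount_in)
        k_after = pool.invariant()
        if k_after < k_before:
            alerts.append((step, k_before - k_after))
        k_before = k_after
    return alerts


# Constructed trace: tiny alternating swaps, the shape a chained batch might show.
TRACE = [("X", 1), ("Y", 1), ("X", 1), ("Y", 1)]


def run_demo(x=1_000_000, y=1_000_000, trace=TRACE):
    """Run the same trace under both rounding modes and summarise the drift."""
    results = {}
    for mode in ("pool", "caller"):
        pool = Pool(x, y, mode)
        k0 = pool.invariant()
        alerts = replay_with_integrity_check(pool, trace)
        results[mode] = {
            "alerts": alerts,
            "total_loss": sum(loss for _, loss in alerts),
            "k_drift": pool.invariant() - k0,
        }
    return results


if __name__ == "__main__":
    for mode, summary in run_demo().items():
        print(mode, summary)
```

With the pool-favouring mode the invariant never decreases and the check stays silent; with the caller-favouring mode the very first one-unit swap already shrinks the invariant, and the second swap leaks far more. The two defensive points this shows are the ones the article draws: fixed-point swap math must round against the caller at every step, and an out-of-band monitor that re-derives the pool invariant from on-chain reserves after each swap (or each block) catches the drift long before hundreds of chained swaps compound it.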

Incident Summary Table

  Attribute            Details
  Target               Balancer DeFi Protocol (V2 Composable Stable Pools)
  Date of Discovery    November 3, 2025
  Estimated Loss       $128 Million USD
  Attack Method        Rounding Error Exploit via Batch Swaps
  Impact               Depletion of Pool Funds, Trust Erosion
  Follow-up Threats    Phishing Impersonations of Balancer
  Status               Pools Paused, Investigation Ongoing

Conclusion

The Balancer exploit is another wake-up call for DeFi infrastructure builders and investors.
It proves that audits cannot replace dynamic defense — especially in systems handling high-frequency, high-value transactions.
As DeFi platforms evolve, so must their resilience against both technical and human-layer vulnerabilities.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
