In November 2025, Balancer v2 — one of the longest-running automated market makers in DeFi — was exploited for approximately $120 million across multiple stable and composable pools. The attack chained together two distinct issues: a missing access check and a rounding error in the pool's invariant arithmetic.
What happened
The exploit targeted Balancer v2's composable stable pools. The vulnerability had two halves:
- A missing access-control check allowed a caller to invoke a sensitive pool-state mutation function that should have been restricted to the pool owner.
- A rounding error in the invariant manipulation logic let the attacker move the pool's lastInvariant value to a state that the AMM mathematics treated as profitable for them.
By repeatedly exploiting the rounding bias under attacker-controlled conditions, the attacker was able to extract roughly the protocol-fee share of the pool with each iteration — compounded across many transactions and many pools.
The loss spread across Balancer pools and protocols built on top of them, including pegged-asset and yield-bearing wrappers that used Balancer for liquidity.
Aftermath
- Balancer governance paused affected pools.
- The team published a post-mortem and shipped patches for v2; the upcoming v3 had already moved invariant maintenance into a different abstraction less susceptible to the same class of bug.
- Some downstream protocols absorbed losses directly; others negotiated partial recoveries with the attacker.
Why it matters
Balancer demonstrated again — five years into the DeFi-AMM era — that invariant math in production AMMs is still a frontier. Rounding direction, integer truncation, and the interaction between pool-state setters and invariant-readers continue to be a fertile vulnerability class. The successor pattern (v3, and similar designs at Uniswap and Curve) explicitly bakes invariant maintenance into hardened, audit-frozen libraries rather than per-pool code.
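To make the rounding-direction point concrete, here is an added teaching example (not Balancer's code; Balancer's stable pools use a different invariant than the constant-product model assumed here). It pairs a minimal integer-math pool that can round either in favour of the pool or in favour of the caller with a fuzz harness that checks the one property a reviewer should demand of any swap path: the invariant must never drop below the value recorded at the start. The pool, the rounding policy flag and the harness are all constructed for this illustration.

```python
import random

class ConstantProductPool:
    """Minimal integer-math AMM (x * y = k) used to illustrate rounding
    direction. Constructed teaching model, not Balancer code; Balancer's
    composable stable pools use a different invariant."""

    def __init__(self, x, y, round_for_pool=True):
        self.x, self.y = x, y
        self.round_for_pool = round_for_pool
        self.last_invariant = x * y  # stand-in for a stored invariant snapshot

    def invariant(self):
        return self.x * self.y

    def _div(self, num, den):
        # Pool-favouring policy floors (dust stays in the pool);
        # the unsafe policy rounds up, handing the dust to the caller.
        return num // den if self.round_for_pool else -(-num // den)

    def swap_x_for_y(self, dx):
        dy = self._div(self.y * dx, self.x + dx)
        assert 0 <= dy < self.y, "swap would drain the pool"
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_for_x(self, dy):
        dx = self._div(self.x * dy, self.y + dy)
        assert 0 <= dx < self.x, "swap would drain the pool"
        self.y += dy
        self.x -= dx
        return dx

def invariant_never_decreases(pool, n_swaps, seed=0):
    """Fuzz harness: apply random swaps in both directions and report
    whether the invariant ever dropped below its recorded starting value."""
    rng = random.Random(seed)
    k0 = pool.last_invariant
    for i in range(n_swaps):
        if i % 2 == 0:
            pool.swap_x_for_y(rng.randint(1, max(1, pool.x // 100)))
        else:
            pool.swap_y_for_x(rng.randint(1, max(1, pool.y // 100)))
        if pool.invariant() < k0:
            return False  # caller kept dust: pool leaks value every swap
    return True
```

With floor division the check holds for any number of swaps; with round-up it fails on the very first inexact division, which is the leak that repeated calls compound.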
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/year-in-review-the-biggest-defi-hacks-of-2025
- [02] protos.com: https://protos.com/2025s-biggest-crypto-hacks-from-exchange-breaches-to-defi-exploits/