Balancer's $120M Disaster: Small Swaps That Almost Led to a Major Break
A recent exploit on Balancer's platform, leading to a loss of $120 million, reveals the vulnerabilities within automated market makers.
On November 3rd, an exploit of Balancer v2 resulted in an approximate loss of $120 million across its main protocol and multiple forks. According to an analysis by the SlowMist security team, the incident was due to a precision loss in the integer fixed-point arithmetic used for calculating scaling factors in Composable Stable Pools, which typically accommodate near-parity asset pairs like USDC/USDT or WETH/stETH.
SlowMist’s Investigation
The post-incident report clarified that the flaw resulted in minor yet consistent price discrepancies during swaps. This was particularly evident when the attackers utilized the batch swap feature to execute several operations within one transaction.
The attackers employed a systematic strategy that included:
- Swapping BPT for liquidity tokens to deplete the pool’s reserves before initiating small-value swaps.
- Conducting liquidity token swaps (e.g., osETH → WETH) to establish control over small-swap precision errors.
- Executing targeted osETH → WETH swaps to deliberately generate precision errors.
- Restoring liquidity by swapping between liquidity tokens again (WETH → osETH) to recover the pool’s balance.
- Repeating these steps to further amplify the accuracy discrepancies.
In the end, through manipulative small-sized swaps, the attackers caused the system to settle an amountOut that was greater than the actual amountIn owed, allowing them to reap substantial profits.
Tracing the Attacker
SlowMist was able to trace the operations back to multiple addresses and chains. Initial funds were routed via Tornado Cash, and the trails led through various nodes and cross-chain services before settling on Ethereum-based addresses containing vast amounts of ETH and WETH.
Remediation Steps Taken
Following the exploit, steps were taken to mitigate the impact, including pausing the affected CSPv6 pools, disabling the factory, and ensuring that major liquidity providers could safely withdraw.
As a cautionary note for teams and auditors, SlowMist highlighted the importance of improving test coverage for extreme scenarios and being vigilant about precision handling during low-liquidity conditions.
