Balancer DeFi Protocol Loses $116M in Sophisticated Hack

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

Balancer’s decentralized finance protocol suffered a $116 million exploit in what security experts are calling one of the most sophisticated attacks of 2025. The hack specifically targeted Balancer’s v2 Stable Pools and Composable Stable v5 pools through a complex combination of transaction techniques. Blockchain security firm Cyvers confirmed the advanced nature of the attack that shook DeFi markets this week.

Key Points

  • Attack specifically targeted Balancer v2 Stable Pools and Composable Stable v5 pools while leaving other pool types unaffected
  • Hackers combined BatchSwaps functionality with flashloans and exploited the upscale rounding function in EXACT_OUT swaps
  • Blockchain security firm Cyvers characterized the exploit as one of the most sophisticated attacks witnessed in 2025

The Anatomy of a Sophisticated Attack

The $116 million exploit against Balancer represents one of the most technically advanced attacks witnessed in the DeFi space this year, according to Deddy Lavid, CEO of blockchain security company Cyvers. The attack, which occurred on Monday, specifically targeted Balancer v2 Stable Pools and Composable Stable v5 pools, while all other pool types within the protocol remained unaffected. This surgical precision in targeting specific pool types demonstrates the attacker’s deep understanding of Balancer’s architecture and vulnerabilities.

The hacker employed a multi-layered approach using BatchSwaps, a feature that allows users to bundle multiple actions within a single transaction. This technique was combined with flashloans (short-term loans that are borrowed and repaid within the same transaction), creating a powerful mechanism for manipulating pool balances. The core vulnerability exploited was in the upscale rounding function that affects EXACT_OUT swaps in the Stable Pools, allowing the attacker to systematically drain funds through carefully crafted transactions.

Technical Breakdown of the Exploit Mechanism

According to the preliminary post-mortem report published by the Balancer team on Wednesday, the attack leveraged the protocol’s own features against itself. The BatchSwaps functionality, designed to improve user experience by combining multiple swap operations, became the vehicle for the exploit. When combined with flashloans, which provide substantial temporary liquidity without collateral requirements, the attacker gained the necessary firepower to manipulate pool pricing mechanisms.

The critical vulnerability lay in the upscale rounding function used in EXACT_OUT swaps within Stable Pools. This mathematical function, intended to handle precise calculations for stablecoin transactions, contained a flaw that the attacker exploited to create arbitrage opportunities. By executing multiple coordinated swaps across different pools, the hacker was able to extract value through the rounding discrepancies, ultimately siphoning $116 million from the protocol.
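Why the rounding direction of an upscale step matters in an EXACT_OUT swap can be shown with a property check an auditor might run. This is an added illustration, not Balancer's code: it assumes 18-decimal fixed-point math, constructed scaling factors, toy 1:1 pricing in place of the stable invariant, and models the flaw as a round-down on the upscaled output amount (the article does not state the direction). All function names are hypothetical.

```python
from fractions import Fraction

ONE = 10**18                        # 18-decimal fixed point (assumption)
SF_IN = ONE                         # constructed scaling factor, token in (1.00)
SF_OUT = 1_050_000_000_000_000_000  # constructed scaling factor, token out (1.05)

def mul_down(a, b):
    return a * b // ONE

def mul_up(a, b):
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1

def div_up(a, b):
    return 0 if a == 0 else (a * ONE - 1) // b + 1

def exact_out_amount_in(amount_out, round_up):
    """Raw amount the toy pool charges for an EXACT_OUT swap of amount_out."""
    upscale = mul_up if round_up else mul_down
    scaled_out = upscale(amount_out, SF_OUT)  # the rounding step under test
    scaled_in = scaled_out                    # toy 1:1 pricing in scaled units
    return div_up(scaled_in, SF_IN)           # downscale, rounded for the pool

def pool_delta(amount_out, round_up):
    """Exact scaled value the pool gains; negative means it undercharged."""
    amount_in = exact_out_amount_in(amount_out, round_up)
    return Fraction(amount_in * SF_IN, ONE) - Fraction(amount_out * SF_OUT, ONE)

def find_violations(round_up, max_amount=40):
    """Amounts for which the 'pool never loses value on a swap' invariant fails."""
    return [a for a in range(1, max_amount + 1) if pool_delta(a, round_up) < 0]

if __name__ == "__main__":
    for mode in (False, True):
        bad = find_violations(mode)
        label = "round up" if mode else "round down"
        print(f"upscale {label}: {len(bad)} invariant violations in 1..40")
```

The check compares integer fixed-point results against exact rational arithmetic, so any rounding step that favors the trader rather than the pool shows up as a negative delta.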

The sophistication of this attack highlights the evolving nature of DeFi security threats. Unlike simpler exploits that target obvious vulnerabilities, this attack required deep technical knowledge of both the Balancer protocol’s specific implementation and general DeFi mechanics. The combination of multiple advanced techniques—BatchSwaps, flashloans, and mathematical function exploitation—represents a new level of complexity in DeFi attacks.

Industry Response and Security Implications

The characterization of this attack as one of the ‘most sophisticated’ of 2025 by Cyvers CEO Deddy Lavid underscores the growing technical capabilities of malicious actors in the DeFi space. As blockchain security firms like Cyvers analyze the attack vectors, the broader DeFi ecosystem must confront the reality that protocol security requires continuous auditing and improvement. The fact that only specific pool types were affected suggests that even within a single protocol, different components may have varying levels of security robustness.

The $116 million loss represents one of the largest DeFi exploits of the year and serves as a stark reminder of the financial risks inherent in decentralized finance. For BAL token holders and users of the Balancer protocol, the immediate impact has been significant, with market confidence potentially shaken by the scale of the breach. The incident also raises questions about the security of similar stable pool implementations across other DeFi protocols.

As the DeFi industry continues to mature, attacks of this sophistication highlight the critical need for enhanced security measures, including more rigorous code audits, bug bounty programs, and real-time monitoring systems. The Balancer team’s prompt publication of a preliminary post-mortem demonstrates the importance of transparency in rebuilding trust, but the incident serves as a cautionary tale for the entire DeFi ecosystem about the evolving sophistication of security threats.
