An attacker exploited arithmetic rounding in Balancer's ComposableStablePool invariant combined with batchSwap to drain ~$121.1M across six chains in under 30 minutes.
On November 3, 2025, Balancer V2 was exploited through an arithmetic precision-loss bug in the ComposableStablePool invariant calculations, specifically in the _upscaleArray rounding logic. Combined with batchSwap operations, the attacker drained approximately $121.1M (initially reported as $128.6M) across six chains in under 30 minutes. A coordinated whitehat response under the SEAL Safe Harbor framework secured approximately $45.7M.
No laundering activity observed. ~$45.7M secured via coordinated whitehat SEAL Safe Harbor response; remaining funds unrecovered.
N/A