On November 3, the Balancer V2 protocol and its fork projects were attacked on multiple chains, resulting in a serious loss of more than $120 million. BlockSec issued an early warning at the first opportunity [1] and gave a preliminary analysis conclusion [2]. This was a highly complex attack. Our preliminary analysis showed that the root cause was that the attacker manipulated the invariant, thereby distorting the calculation of the price of BPT (Balancer Pool Token) -- that is, the LP token of Balancer Pool -- so that it could profit in a stable pool through a batchSwap operation. Background Information 1. Scaling and Rounding To standardize the decimal places of different tokens, the Balancer contract will: upscale: Upscales the balance and amount to a uniform internal precision before performing the calculation; downscale: Reduces the result to its original precision and performs directional rounding (e.g., inputs are usually rounded up to ensure the pool is not under-filled; output paths are often truncated downwards). Conclusion: Within the same transaction, the asymmetrical rounding direction used in different stages can lead to a systematic slight deviation when executed repeatedly in very small steps. 2. Prices of D and BPT The Balancer V2 protocol’s Composable Stable Pool[3] and the fork protocol were affected by this attack. Stable Pool is used for assets that are expected to maintain a close 1:1 exchange ratio (or be exchanged at a known exchange rate), allowing large exchanges without causing significant price shocks, thereby greatly improving the efficiency of capital utilization between similar or related assets. The pool uses the Stable Math (a Curve-based StableSwap model), where the invariant D represents the pool's "virtual total value". The approximate price of BPT (Pool's LP Token) is: The formula above shows that if D is made smaller on paper (even if no funds are actually withdrawn), the price of BPT will be cheaper. BTP represents the pool share and is used to calculate how many pool reserves can be obtained when withdrawing liquidity. Therefore, if an attacker can obtain more BPT, they can profit when withdrawing liquidity. Attack Analysis Taking an attack transaction on Arbitrum as an example, the batchSwap operation can be divided into three stages: Phase 1: The attacker redeems BPT for the underlying asset to precisely adjust the balance of one of the tokens (cbETH) to a critical point (amount = 9) for rounding. This step sets the stage for the precision loss in the next phase. Phase Two: The attacker uses a carefully crafted quantity (= 8) to swap between another underlying asset (wstETH) and cbETH. Due to rounding down when scaling the token quantity, the calculated Δx is slightly smaller (from 8.918 to 8), causing Δy to be underestimated and the invariant D (derived from Curve's StableSwap model) to be smaller. Since BPT price = D / totalSupply, the BPT price is artificially suppressed. Phase 3: The attackers reverse-swap the underlying assets back to BPT, restoring the balance within the pool while profiting from the depressed price of BPT—acquiring more BPT tokens. Finally, the attacker used another profitable transaction to withdraw liquidity, thereby using the extra BPT to acquire other underlying assets (cbETH and wstETH) in the Pool and thus profit. Attacking the transaction: https://app.blocksec.com/explorer/tx/arbitrum/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773 Profitable trades: https://app.blocksec.com/explorer/tx/arbitrum/0x4e5be713d986bcf4afb2ba7362525622acf9c95310bd77cd5911e7ef12d871a9 Reference: [1]https://x.com/Phalcon_xyz/status/1985262010347696312 [2]https://x.com/Phalcon_xyz/status/1985302779263643915 [3]https://docs-v2.balancer.fi/concepts/pools/composable-stable.htmlOn November 3, the Balancer V2 protocol and its fork projects were attacked on multiple chains, resulting in a serious loss of more than $120 million. BlockSec issued an early warning at the first opportunity [1] and gave a preliminary analysis conclusion [2]. This was a highly complex attack. Our preliminary analysis showed that the root cause was that the attacker manipulated the invariant, thereby distorting the calculation of the price of BPT (Balancer Pool Token) -- that is, the LP token of Balancer Pool -- so that it could profit in a stable pool through a batchSwap operation. Background Information 1. Scaling and Rounding To standardize the decimal places of different tokens, the Balancer contract will: upscale: Upscales the balance and amount to a uniform internal precision before performing the calculation; downscale: Reduces the result to its original precision and performs directional rounding (e.g., inputs are usually rounded up to ensure the pool is not under-filled; output paths are often truncated downwards). Conclusion: Within the same transaction, the asymmetrical rounding direction used in different stages can lead to a systematic slight deviation when executed repeatedly in very small steps. 2. Prices of D and BPT The Balancer V2 protocol’s Composable Stable Pool[3] and the fork protocol were affected by this attack. Stable Pool is used for assets that are expected to maintain a close 1:1 exchange ratio (or be exchanged at a known exchange rate), allowing large exchanges without causing significant price shocks, thereby greatly improving the efficiency of capital utilization between similar or related assets. The pool uses the Stable Math (a Curve-based StableSwap model), where the invariant D represents the pool's "virtual total value". The approximate price of BPT (Pool's LP Token) is: The formula above shows that if D is made smaller on paper (even if no funds are actually withdrawn), the price of BPT will be cheaper. BTP represents the pool share and is used to calculate how many pool reserves can be obtained when withdrawing liquidity. Therefore, if an attacker can obtain more BPT, they can profit when withdrawing liquidity. Attack Analysis Taking an attack transaction on Arbitrum as an example, the batchSwap operation can be divided into three stages: Phase 1: The attacker redeems BPT for the underlying asset to precisely adjust the balance of one of the tokens (cbETH) to a critical point (amount = 9) for rounding. This step sets the stage for the precision loss in the next phase. Phase Two: The attacker uses a carefully crafted quantity (= 8) to swap between another underlying asset (wstETH) and cbETH. Due to rounding down when scaling the token quantity, the calculated Δx is slightly smaller (from 8.918 to 8), causing Δy to be underestimated and the invariant D (derived from Curve's StableSwap model) to be smaller. Since BPT price = D / totalSupply, the BPT price is artificially suppressed. Phase 3: The attackers reverse-swap the underlying assets back to BPT, restoring the balance within the pool while profiting from the depressed price of BPT—acquiring more BPT tokens. Finally, the attacker used another profitable transaction to withdraw liquidity, thereby using the extra BPT to acquire other underlying assets (cbETH and wstETH) in the Pool and thus profit. Attacking the transaction: https://app.blocksec.com/explorer/tx/arbitrum/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773 Profitable trades: https://app.blocksec.com/explorer/tx/arbitrum/0x4e5be713d986bcf4afb2ba7362525622acf9c95310bd77cd5911e7ef12d871a9 Reference: [1]https://x.com/Phalcon_xyz/status/1985262010347696312 [2]https://x.com/Phalcon_xyz/status/1985302779263643915 [3]https://docs-v2.balancer.fi/concepts/pools/composable-stable.html

Preliminary analysis of the Balancer V2 attack, which resulted in a loss of $120 million.

2025/11/04 14:00
3 min read
For feedback or concerns regarding this content, please contact us at crypto.news@mexc.com

On November 3, the Balancer V2 protocol and its fork projects were attacked on multiple chains, resulting in a serious loss of more than $120 million. BlockSec issued an early warning at the first opportunity [1] and gave a preliminary analysis conclusion [2]. This was a highly complex attack. Our preliminary analysis showed that the root cause was that the attacker manipulated the invariant, thereby distorting the calculation of the price of BPT (Balancer Pool Token) -- that is, the LP token of Balancer Pool -- so that it could profit in a stable pool through a batchSwap operation.

Background Information

1. Scaling and Rounding

To standardize the decimal places of different tokens, the Balancer contract will:

  • upscale: Upscales the balance and amount to a uniform internal precision before performing the calculation;
  • downscale: Reduces the result to its original precision and performs directional rounding (e.g., inputs are usually rounded up to ensure the pool is not under-filled; output paths are often truncated downwards).

Conclusion: Within the same transaction, the asymmetrical rounding direction used in different stages can lead to a systematic slight deviation when executed repeatedly in very small steps.

2. Prices of D and BPT

The Balancer V2 protocol’s Composable Stable Pool[3] and the fork protocol were affected by this attack. Stable Pool is used for assets that are expected to maintain a close 1:1 exchange ratio (or be exchanged at a known exchange rate), allowing large exchanges without causing significant price shocks, thereby greatly improving the efficiency of capital utilization between similar or related assets.

  • The pool uses the Stable Math (a Curve-based StableSwap model), where the invariant D represents the pool's "virtual total value".
  • The approximate price of BPT (Pool's LP Token) is:

The formula above shows that if D is made smaller on paper (even if no funds are actually withdrawn), the price of BPT will be cheaper. BTP represents the pool share and is used to calculate how many pool reserves can be obtained when withdrawing liquidity. Therefore, if an attacker can obtain more BPT, they can profit when withdrawing liquidity.

Attack Analysis

Taking an attack transaction on Arbitrum as an example, the batchSwap operation can be divided into three stages:

Phase 1: The attacker redeems BPT for the underlying asset to precisely adjust the balance of one of the tokens (cbETH) to a critical point (amount = 9) for rounding. This step sets the stage for the precision loss in the next phase.

Phase Two: The attacker uses a carefully crafted quantity (= 8) to swap between another underlying asset (wstETH) and cbETH. Due to rounding down when scaling the token quantity, the calculated Δx is slightly smaller (from 8.918 to 8), causing Δy to be underestimated and the invariant D (derived from Curve's StableSwap model) to be smaller. Since BPT price = D / totalSupply, the BPT price is artificially suppressed.

Phase 3: The attackers reverse-swap the underlying assets back to BPT, restoring the balance within the pool while profiting from the depressed price of BPT—acquiring more BPT tokens.

Finally, the attacker used another profitable transaction to withdraw liquidity, thereby using the extra BPT to acquire other underlying assets (cbETH and wstETH) in the Pool and thus profit.

Attacking the transaction:

Profitable trades:

Reference:

[1]https://x.com/Phalcon_xyz/status/1985262010347696312

[2]https://x.com/Phalcon_xyz/status/1985302779263643915

[3]https://docs-v2.balancer.fi/concepts/pools/composable-stable.html

Market Opportunity
TokenFi Logo
TokenFi Price(TOKEN)
$0.002247
$0.002247$0.002247
-0.57%
USD
TokenFi (TOKEN) Live Price Chart

World Cup Combo: Aim for 200x

World Cup Combo: Aim for 200xWorld Cup Combo: Aim for 200x

Combine up to 20 World Cup matches in one order

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact crypto.news@mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.

You May Also Like

BlackRock Transfers $212M in Bitcoin to Coinbase, Signaling ETF Activity

BlackRock Transfers $212M in Bitcoin to Coinbase, Signaling ETF Activity

BitcoinWorld BlackRock Transfers $212M in Bitcoin to Coinbase, Signaling ETF Activity BlackRock, the world’s largest asset manager and a leading issuer of spot
Share
bitcoinworld2026/07/01 20:05
Belgium vs Senegal Tactical Preview: World Cup 2026 Game Plan, Key Battles and Match Prediction

Belgium vs Senegal Tactical Preview: World Cup 2026 Game Plan, Key Battles and Match Prediction

Belgium vs Senegal tactical preview focuses on a classic knockout contrast: Belgium’s control and creativity against Senegal’s speed and transition threat. Belgium enter the World Cup 2026 Round of 32 as Group G winners with a fully fit squad, while Senegal arrive as one of the best third-placed teams after a difficult group stage. Belgium are expected to rely on Kevin De Bruyne’s passing, Jérémy Doku’s one-on-one danger and Romelu Lukaku’s penalty-box presence.
Share
MEXC NEWS2026/07/01 22:02
Belgium vs Senegal Key Players: World Cup 2026 Stars to Watch, Matchups and Prediction Angles

Belgium vs Senegal Key Players: World Cup 2026 Stars to Watch, Matchups and Prediction Angles

Belgium vs Senegal key players will decide one of the most interesting Round of 32 matchups at the World Cup 2026. Belgium have the stronger squad on paper, led by Kevin De Bruyne, Jérémy Doku, Romelu Lukaku and Thibaut Courtois. Senegal, however, bring speed and physical danger through Sadio Mané, Ismaïla Sarr, Nicolas Jackson and Kalidou Koulibaly. This guide looks at the most important players, the key matchups, tactical impact and prediction market angles. For the full match preview, read the main Hub article: Belgium vs Senegal Prediction: World Cup 2026 Round of 32 Preview, Lineups, Odds and Score Forecast.
Share
MEXC NEWS2026/07/01 21:49