This story was originally published on HackerNoon at:
https://hackernoon.com/balancer-v2-exploit-explained-inside-the-smart-contract-rounding-error-that-cost-$120m.
How a rounding bug in Balancer V2’s Composable Stable Pools led to a $120M exploit—and why continuous audits are now a DeFi must.
This story was written by:
@0xsmartcontract.
Balancer V2’s Composable Stable Pools, modeled after Curve’s StableSwap, use math-driven invariants to minimize slippage in like-valued token swaps. However, a persistent rounding-down behavior in the _upscale function—introduced in 2021—created a precision loss that attackers exploited in low-liquidity states, draining over $120 million. The incident underscores the need for continuous, holistic security partnerships and evolving audit frameworks in the DeFi ecosystem, rather than isolated, one-off reviews.
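The precision loss described above, as an added example that is not code from the original story or from Balancer: it models a round-down fixed-point multiply of the kind the summary attributes to _upscale and measures how much of the exact value is discarded at small versus large balances. The 18-decimal unit, the function names, the 1.05 scaling factor and the balances are assumptions constructed for illustration.

```python
ONE = 10**18  # 18-decimal fixed-point unit (assumed for this sketch)
PPM = 10**6

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, truncating toward zero."""
    return (a * b) // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding any remainder up."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1

def loss_ppm(amount: int, scaling_factor: int) -> int:
    """Share of the exact upscaled value discarded by rounding down, in ppm."""
    exact = amount * scaling_factor          # exact result, still scaled by ONE
    if exact == 0:
        return 0
    discarded = exact - mul_down(amount, scaling_factor) * ONE
    return discarded * PPM // exact

def flag_imprecise(balances, scaling_factor, max_ppm):
    """Return balances whose worst-case truncation loss can reach max_ppm.

    Truncation discards less than one unit, so the relative loss is bounded
    by 1 / upscaled_value: small balances are the ones at risk.
    """
    flagged = []
    for bal in balances:
        up = mul_down(bal, scaling_factor)
        if up == 0 or PPM // up >= max_ppm:
            flagged.append(bal)
    return flagged

# Constructed sample values, not taken from any real pool.
RATE = 1_050_000_000_000_000_000          # scaling factor of 1.05
BALANCES = [9, 19, 10**6 + 7, 10**24 + 9]

if __name__ == "__main__":
    for bal in BALANCES:
        print(bal, mul_down(bal, RATE), mul_up(bal, RATE), loss_ppm(bal, RATE))
    print("flagged:", flag_imprecise(BALANCES, RATE, max_ppm=100))
```

At single-digit balances the truncation discards close to 5% of the value, while at realistic balances it is below one part per million, which is why a check of this kind belongs on the low-liquidity edge of the state space.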