The Balancer hack in 2025 exploited vulnerabilities in its Stable Pools, resulting in a $116 million loss through manipulated BatchSwaps and rounding functions. The attack targeted v2 and Composable Stable v5 pools, highlighting ongoing risks in DeFi protocols.
- Exploit Mechanics: The hacker combined flash loans with an upscale rounding flaw in EXACT_OUT swaps to drain funds from stable pools.
- Balancer’s Response: The protocol paused affected pools and collaborated with industry partners to recover portions of the stolen assets, including $19 million in staked ETH.
- Security Implications: This incident, described as one of the most sophisticated in 2025, underscores the need for robust audits and caution with exposed on-chain liquidity, per blockchain security experts.
What is the Balancer Hack?
The Balancer hack refers to a major security breach in the decentralized finance protocol Balancer, where attackers siphoned approximately $116 million from its liquidity pools in 2025. This exploit primarily affected Balancer v2 Stable Pools and Composable Stable v5 pools, leaving other pool types intact. The incident, one of the most sophisticated attacks of the year, was executed using advanced techniques that manipulated core protocol functions, as detailed in Balancer’s preliminary post-mortem report.
The Balancer protocol, known for its flexible automated market maker system, allows users to create and interact with customizable liquidity pools. On the day of the attack, the hacker initiated a series of transactions that bypassed standard safeguards. According to the report released by the Balancer team, the breach involved a combination of BatchSwaps—features enabling bundled actions in a single transaction—and an abuse of the protocol’s rounding mechanism in stable pools.
BatchSwaps facilitate efficient trading by allowing multiple swaps to occur atomically, often incorporating flash loans, which are uncollateralized loans repaid within the same block. In this case, the attacker leveraged these tools to amplify their impact. The core vulnerability lay in the upscale rounding function applied to EXACT_OUT swaps, in which the trader specifies the exact output amount and the pool computes the required input. Normally, this function rounds down inputs for fairness, but the hacker manipulated it to inflate values, effectively draining reserves from the pools.
Source: Balancer
The Balancer team noted in their analysis that exploited funds often lingered as internal balances within the protocol’s Vault before being withdrawn in later steps. This delay allowed the attacker to obscure their trail initially. The hack exposed the inherent risks of smart contract interactions in DeFi, where even minor coding oversights can lead to catastrophic losses. Deddy Lavid, CEO of blockchain security firm Cyvers, described the attack as one of the “most sophisticated” seen in 2025, emphasizing the evolving tactics employed by cybercriminals.
Following the incident, Balancer’s liquidity providers faced immediate impacts, with pool values plummeting and user confidence shaken. The event also triggered broader discussions within the crypto community about the adequacy of current auditing practices for DeFi projects. Balancer’s audits, conducted by reputable firms prior to the launch of these pool versions, came under intense scrutiny, as reports from sources like Cointelegraph highlighted potential gaps in vulnerability detection.
How Did the Balancer Exploit Work in Detail?
The Balancer exploit relied on a precise manipulation of the protocol’s BatchSwap functionality combined with a flaw in the rounding logic for stable pools. Attackers initiated the breach by funding their operations through small, obfuscated deposits—such as multiple 0.1 Ether transactions via mixing services like Tornado Cash—to evade early detection. This preparation phase likely spanned months, indicating a high level of coordination and expertise.
Once executed, the attack unfolded in a single transaction block. The hacker borrowed flash loans to acquire a large position in the targeted pools without upfront capital. They then performed EXACT_OUT swaps, specifying exact output amounts, which triggered the vulnerable rounding function. In standard operations, this function ensures conservative calculations by rounding down token inputs based on oracle prices. However, the attacker crafted inputs that forced the function to upscale rounding values erroneously, allowing them to withdraw more tokens than deposited.
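The two paragraphs above (the overview of the upscale rounding flaw and the detailed account of how EXACT_OUT swaps triggered it) come down to a single bug class: a fixed-point scaling step that rounds in the direction that favours the trader rather than the pool. The following is an added, constructed Python model of that class, not Balancer's code and not a reconstruction of the attack. It uses a plain constant-product curve as a stand-in for the stable-swap invariant, and every token amount, rate and function name is an assumption made for the demonstration. The point of interest for defenders is the property check at the end: a quote computed with pool-favouring rounding can never fall below the exact rational value, while flipping the rounding direction produces cases where the pool is undercharged, which is exactly the kind of invariant a test suite should assert.

```python
"""Rounding direction in fixed-point AMM math: a constructed model of the bug
class described in the article. This is not Balancer's code; the pool formula
is a constant-product curve standing in for the stable-swap invariant, and all
token amounts, rates and function names are assumptions made for the demo.
"""
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, the usual on-chain accounting unit


def mul_down(a: int, b: int) -> int:
    """a * b / ONE, rounded towards zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b / ONE, rounded away from zero (never below the exact value)."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """a * ONE / b, rounded towards zero."""
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    """a * ONE / b, rounded away from zero."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def upscale(amount: int, rate: int, round_up: bool) -> int:
    """Convert a raw token amount to the pool's 18-decimal unit via the token's rate."""
    return mul_up(amount, rate) if round_up else mul_down(amount, rate)


def downscale(amount: int, rate: int, round_up: bool) -> int:
    """Convert an 18-decimal pool amount back to raw token units."""
    return div_up(amount, rate) if round_up else div_down(amount, rate)


def exact_out_quote(balance_in, balance_out, amount_out, rate_in, rate_out, favour_pool):
    """Amount the trader must pay for an EXACT_OUT swap of amount_out.

    With favour_pool=True every rounding step is chosen so the quote can only
    land at or above the exact rational value: numerator terms round up, the
    denominator term rounds down, and both divisions round up. favour_pool=False
    flips every direction, which is the shape of a rounding-direction bug: the
    quote can then fall below the exact value and the pool is undercharged.
    """
    bi = upscale(balance_in, rate_in, favour_pool)        # numerator
    ao = upscale(amount_out, rate_out, favour_pool)       # numerator; subtracted in denominator
    bo = upscale(balance_out, rate_out, not favour_pool)  # denominator
    if ao >= bo:
        raise ValueError("amount_out exceeds pool balance")
    num, den = bi * ao, bo - ao
    amount_in_scaled = (num + den - 1) // den if favour_pool else num // den
    return downscale(amount_in_scaled, rate_in, favour_pool)


def exact_out_quote_exact(balance_in, balance_out, amount_out, rate_in, rate_out) -> Fraction:
    """Reference quote in exact rational arithmetic (what the integer code approximates)."""
    bi = Fraction(balance_in * rate_in, ONE)
    bo = Fraction(balance_out * rate_out, ONE)
    ao = Fraction(amount_out * rate_out, ONE)
    return bi * ao / (bo - ao) * ONE / rate_in


def undercharged_cases(cases, favour_pool):
    """Property check: the cases where the integer quote is below the exact one.

    For a correctly rounded implementation this list must be empty; anything
    else is the signal a test suite should fail on.
    """
    bad = []
    for c in cases:
        if exact_out_quote(*c, favour_pool) < exact_out_quote_exact(*c):
            bad.append(c)
    return bad


# Constructed sample swaps: (balance_in, balance_out, amount_out, rate_in, rate_out).
# The non-round rates make the scaling inexact, so rounding direction matters.
SAMPLE_CASES = [
    (1000, 1000, 1, ONE, ONE),
    (1_000_000 * ONE, 1_000_000 * ONE, 1 * ONE, ONE, 1_050_000_000_000_000_001),
    (500_000 * ONE, 250_000 * ONE, 7 * ONE, 1_234_567_890_123_456_789, ONE),
]

if __name__ == "__main__":
    print("pool-favouring rounding undercharges:", len(undercharged_cases(SAMPLE_CASES, True)))
    print("trader-favouring rounding undercharges:", len(undercharged_cases(SAMPLE_CASES, False)))
```

The check compares integer results against `fractions.Fraction`, so it works as an oracle for any pool formula: swap in the real invariant and the same property (pool-favouring quote is never below the exact value) still has to hold for every sampled case.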
Supporting data from on-chain analytics reveals the scale: the exploit affected multiple pools simultaneously, with funds routed through the Vault’s internal balances. Balancer’s post-mortem indicated that “in many instances, the exploited funds remained within the Vault as internal balances before being withdrawn in subsequent transactions.” This step minimized immediate on-chain footprints, complicating real-time monitoring.
Expert analysis from blockchain security specialists, including insights shared by Cyvers, points to the attacker’s use of composable DeFi primitives as a key enabler. Flash loans, a cornerstone of DeFi innovation, were weaponized here, demonstrating how tools designed for efficiency can be turned against protocols. Statistics from the incident show that while $116 million was initially drained, recovery efforts reclaimed significant portions, underscoring the importance of rapid response in crypto ecosystems.
The vulnerability was isolated to specific pool types, preserving the integrity of Balancer’s other offerings like weighted pools. However, the breach highlighted systemic risks in DeFi, where liquidity is perpetually exposed online. Developers are now urged to implement enhanced oracle integrations and multi-signature controls to mitigate similar threats. Quotes from industry leaders, such as those from the SEAL 911 white hat team formed to combat real-time hacks, stress the need for proactive defenses in an era of increasingly clever exploits.
Frequently Asked Questions
What Caused the $116 Million Loss in the Balancer Hack?
The Balancer hack resulted from a vulnerability in the upscale rounding function of Stable Pools, exploited via BatchSwaps and flash loans. Attackers manipulated EXACT_OUT swaps to drain $116 million, primarily from v2 and Composable Stable v5 pools, as outlined in the protocol’s official post-mortem report released in 2025.
How Is Balancer Recovering from the 2025 Hack?
Balancer paused all affected pools and disabled new vulnerable pool creations while partnering with cybersecurity firms and protocols to freeze stolen assets. They recovered items like 5,041 StakeWise staked ETH worth $19 million and 13,495 osGNO tokens valued at $2 million through collaborative efforts across the crypto industry.
The protocol also extended a 20% white hat bounty to encourage the return of funds, though no claims have been reported yet. This multi-faceted approach, involving on-chain tracing and industry coordination, aims to restore user trust and prevent future incidents.
Source: BitFinding
In the aftermath, Balancer committed to comprehensive code reviews and upgrades. The incident serves as a pivotal case study for DeFi security, prompting wider adoption of advanced monitoring tools. Cybersecurity experts recommend that users diversify holdings and avoid overexposure to single protocols amid rising hack sophistication.
The Balancer hack also reignited debates on the role of ethical hackers. Groups like the SEAL 911 team, dedicated to real-time hack mitigation, have gained prominence by offering rapid intervention services. Their formation reflects a growing trend in the crypto space toward community-driven defenses against cyber threats.
Key Takeaways
- Sophisticated Attack Vectors: The use of flash loans and rounding exploits shows how DeFi’s innovative features can be vulnerabilities; protocols must prioritize rigorous testing of composable elements.
- Recovery Through Collaboration: Balancer’s success in freezing $21 million in assets highlights the value of industry partnerships and white hat incentives in damage control.
- Enhanced Security Practices: Users should employ hardware wallets for hot funds and stay updated on audit reports to mitigate risks from evolving cyber threats.
Conclusion
The 2025 Balancer hack, with its $116 million exploit of Stable Pools through BatchSwaps and rounding flaws, exemplifies the persistent cybersecurity challenges in DeFi. By detailing the mechanics and Balancer’s response, this incident reinforces the need for vigilant auditing and user caution. As the crypto landscape evolves, staying informed on such events and adopting best practices will empower investors to navigate risks effectively—secure your portfolio and contribute to a safer blockchain future.