Balancer released a vulnerability attack incident report, which was exploited due to a rounding logic error in batch exchange transactions

According to official news, Balancer has released a preliminary report on the vulnerability attack incident, indicating that the Balancer V2 composable stable pools were attacked on November 4 across multiple chains (including Ethereum, Base, Avalanche, Polygon, Arbitrum, etc.).

The vulnerability originated from a rounding logic error in the EXACT_OUT transactions during batch exchanges, which the attacker exploited to manipulate the pool's balance and withdraw assets. This incident only affected Balancer V2's composable stable pools, while Balancer V3 and other pool types were not impacted. The Balancer team, along with security partners and white hat teams, acted swiftly by implementing measures such as automatic suspension through Hypernative, asset freezing, and white hat intervention under the SEAL framework, successfully curbing the spread of the attack and recovering some assets. Among them, StakeWise has recovered approximately 73.5% of the stolen osETH, and teams like BitFinding and Base MEV bot have also assisted in recovering some funds. Currently, Balancer is working with security partners such as SEAL and zeroShadow for cross-chain tracking and fund recovery, with the final verified losses and recovery data to be published in a complete technical review report. The official reminder to users is: obtain confirmation information only through Balancer's official channels; operations on V3 and non-stable pools remain safe.