Web3 Tech Brief By HackerNoon

Balancer V2 Exploit Explained: Inside the Smart Contract Rounding Error That Cost $120M

This story was originally published on HackerNoon at: https://hackernoon.com/balancer-v2-exploit-explained-inside-the-smart-contract-rounding-error-that-cost-$120m.
How a rounding bug in Balancer V2’s Composable Stable Pools led to a $120M exploit—and why continuous audits are now a DeFi must.

This story was written by: @0xsmartcontract.

Balancer V2’s Composable Stable Pools, modeled after Curve’s StableSwap, use math-driven invariants to minimize slippage in like-valued token swaps. However, a persistent rounding-down behavior in the _upscale function—introduced in 2021—created a precision loss that attackers exploited in low-liquidity states, draining over $120 million. The incident underscores the need for continuous, holistic security partnerships and evolving audit frameworks in the DeFi ecosystem, rather than isolated, one-off reviews.