Error in Composable Stable Pools Became the Source of Balancer’s $128 Million Hack

A hacker attack on the DeFi protocol Balancer was triggered by a flaw in one of the platform’s critical components—Composable Stable pools. This conclusion was shared by the project’s developers.

According to the statement, the vulnerability allowed attackers to exploit a characteristic of the delayed settlement mechanism. Due to a coding error, liquidity could temporarily drop below a critical minimum threshold.

In specific exchange operations (EXACT_OUT), non-integer scaling factors led to values being rounded down. As these discrepancies accumulated, they created an opportunity for manipulating the pool balances, enabling hackers to withdraw funds.
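The rounding effect described above can be reproduced with plain fixed-point arithmetic. The following is an added example, not Balancer's code: the 18-decimal helpers, the 1.05 scaling factor and the sample amounts are all constructed assumptions. It shows that truncation is harmless at large magnitudes but becomes a several-percent error when the scaled amount is only a few units, which is why reviewers check that every rounding step favors the pool.

```python
# Added illustration: simplified 18-decimal fixed-point math, not Balancer's code.
ONE = 10**18  # fixed-point representation of 1.0

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates the remainder (rounds down)."""
    return (a * b) // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds any non-zero remainder up."""
    return -((-a * b) // ONE)

def truncation_loss_ppm(amount: int, scaling_factor: int) -> int:
    """Relative error of mul_down against the exact product, in parts per million."""
    exact = amount * scaling_factor                  # exact product, scaled by ONE
    lost = exact - mul_down(amount, scaling_factor) * ONE
    return lost * 1_000_000 // exact

def accumulated_gap(amount: int, scaling_factor: int, operations: int) -> int:
    """Total round-up vs. round-down difference over repeated identical operations."""
    per_op = mul_up(amount, scaling_factor) - mul_down(amount, scaling_factor)
    return per_op * operations

# Constructed sample factors (hypothetical, not taken from the incident).
INTEGER_FACTOR = 1 * ONE                          # 1.0: products never leave a remainder
NON_INTEGER_FACTOR = 1_050_000_000_000_000_000    # 1.05: products can leave a remainder

if __name__ == "__main__":
    print("amount  down  up  loss_ppm")
    for amount in (9, 1_000_001, 10**18):
        print(amount,
              mul_down(amount, NON_INTEGER_FACTOR),
              mul_up(amount, NON_INTEGER_FACTOR),
              truncation_loss_ppm(amount, NON_INTEGER_FACTOR))
    # With an integer factor both rounding modes agree, so nothing accumulates.
    print("integer factor gap:", accumulated_gap(9, INTEGER_FACTOR, 1000))
    print("non-integer factor gap:", accumulated_gap(9, NON_INTEGER_FACTOR, 1000))
```

A regression test built on the same idea asserts that the amount a pool charges is computed with `mul_up` wherever a remainder is possible, and that the pool rejects operations once balances fall below its minimum threshold.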

Initially, assets were moved to Balancer v2’s internal storage accounts and then withdrawn through separate transactions.

The primary impact was felt by Composable Stable pools v5, which were past their protective period. Pools v6 avoided large-scale depletion due to the emergency response system Hypernative, which automatically suspended their operations.

“The incident exclusively affected Composable Stable Pools in Balancer v2 and their forks in other networks: BEX and Beets. Balancer v3 and other pool types were not attacked,” noted the protocol team.

To counter the threat, other partners of Balancer also took several measures. In particular:

Thanks to the efforts of BitFinding and MEV bots from Base, around $750,000 was reclaimed.

According to the developers, the legal framework called Safe Harbor (BIP-726) “significantly improved the speed and coordination of the response.”

The exact amount of funds recovered is still unknown. The Balancer team promised to report on the final losses and restored assets once the audit is completed.

It’s worth noting that the DeFi protocol was breached on November 3, and the attack lasted for several hours.