Concise Cyber

$128M Drained from Balancer Protocol via Rounding Error Vulnerability

The decentralized finance (DeFi) protocol Balancer was the target of a significant security breach, resulting in the loss of approximately $128 million in digital assets. The incident was traced back to the exploitation of a rounding error vulnerability within the protocol’s smart contracts.

An attacker successfully identified and leveraged a flaw in how the protocol performed mathematical calculations. This vulnerability allowed for the manipulation of token balances within liquidity pools, enabling the attacker to withdraw assets of far greater value than their initial deposits.

Exploitation of a Calculation Flaw

The core of the attack was a precision issue, commonly referred to as a rounding error. By making specific types of transactions, the attacker was able to trigger this flaw repeatedly. Each transaction created a small discrepancy in the protocol’s accounting, which the attacker aggregated to create a large imbalance in their favor. This imbalance was then used to drain funds from the affected Balancer pools.
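The effect of rounding direction can be checked with a small invariant test. The following is an added example, not code from Balancer or from the cited research: `ToyPool`, `mul_div` and `check_invariant` are hypothetical names, the pool uses simple proportional share accounting rather than Balancer's actual math, and all numbers are constructed.

```python
from dataclasses import dataclass

def mul_div(a: int, b: int, d: int, round_up: bool) -> int:
    """Integer a*b/d, rounded down or up (no floats, as in on-chain math)."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q

@dataclass
class ToyPool:
    """Constructed share-accounting model; NOT Balancer's pool math."""
    assets: int       # tokens held by the pool, in smallest units
    shares: int       # claim tokens outstanding
    favor_user: bool  # True models the defect: results round toward the caller

    def deposit(self, amount: int) -> int:
        # Shares minted to the depositor; the safe direction is DOWN.
        minted = mul_div(amount, self.shares, self.assets, self.favor_user)
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, burned: int) -> int:
        # Assets paid to the withdrawer; the safe direction is DOWN.
        paid = mul_div(burned, self.assets, self.shares, self.favor_user)
        self.assets -= paid
        self.shares -= burned
        return paid

def check_invariant(favor_user: bool, ops: int = 1000):
    """Replay small deposit/withdraw round trips; return (violations, pool loss).

    Invariant: assets per share for the remaining holders never decreases.
    It is compared by cross-multiplication so the check itself cannot round.
    """
    pool = ToyPool(assets=1_000_000, shares=300_000, favor_user=favor_user)
    start, violations = pool.assets, 0
    for i in range(ops):
        a0, s0 = pool.assets, pool.shares
        minted = pool.deposit(7 + i % 5)  # constructed dust-sized input
        violations += pool.assets * s0 < a0 * pool.shares
        a1, s1 = pool.assets, pool.shares
        pool.withdraw(minted)
        violations += pool.assets * s1 < a1 * pool.shares
    return violations, start - pool.assets

if __name__ == "__main__":
    print("rounds toward protocol:", check_invariant(False))
    print("rounds toward caller:  ", check_invariant(True))
```

A per-operation invariant of this kind belongs in a fuzz or property-test suite, because each individual discrepancy is far too small to notice in balance-level monitoring.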

Financial Impact of the Breach

The total financial damage from this exploit amounted to $128 million. The attacker systematically siphoned various cryptocurrencies from the protocol’s liquidity pools until the vulnerability was addressed. This event highlights a known class of smart contract risk where minor computational inaccuracies can be escalated into major financial exploits. The attack on Balancer serves as a real-world case study of a rounding error leading to a nine-figure loss within the DeFi ecosystem.

Source: https://research.checkpoint.com/2025/how-an-attacker-drained-128m-from-balancer-through-rounding-error-exploitation/