Balancer releases incident report on exploit, caused by rounding error in batch swap logic

According to ChainCatcher, Balancer has released a preliminary report on the recent vulnerability attack. The report states that on November 4, Balancer V2's composable stable pools were attacked across multiple chains, including Ethereum, Base, Avalanche, Polygon, Arbitrum, and others.

The vulnerability stemmed from a rounding logic error in batch swaps for EXACT_OUT transactions, which attackers exploited to manipulate pool balances and extract assets. This incident only affected Balancer V2's composable stable pools; Balancer V3 and other pool types were not impacted. The Balancer team, along with security partners and white hat teams, responded quickly, successfully containing the attack and recovering some assets through measures such as Hypernative's automatic pausing, asset freezing, and white hat intervention under the SEAL framework. StakeWise has recovered approximately 73.5% of the stolen osETH, while teams like BitFinding and Base MEV bot have also assisted in recovering some funds. Currently, Balancer is working with security partners such as SEAL and zeroShadow to conduct cross-chain tracking and asset recovery. Final verified losses and recovery data will be published in a comprehensive technical review report. The official team reminds users to only obtain confirmation information through Balancer's official channels, and that operations on V3 and non-stable pools remain secure.