What happened?
A small rounding bug in Balancer’s V2 Composable Stable Pools was exploited on November 3, allowing attackers to drain over $128 million across multiple blockchains. The flaw was in the “upscale” logic used for EXACT_OUT batch swaps, which let attackers manipulate pool balances and extract funds quickly. The attack was detected minutes later and prompted emergency freezes, partial recoveries (roughly $19M+ recovered), and coordinated responses, including wallet freezes and a Berachain hard fork to trap funds.
Who does this affect?
Liquidity providers in the affected Composable Stable Pools (CSPs) saw large losses and sudden liquidity pauses, and users with funds in those pools faced disrupted withdrawals until recovery-mode measures were enabled. Traders and token holders of assets involved (ETH, osETH, wstETH, EURe and others) were hurt by stolen funds being bridged and laundered, and whitehat/MEV actors scrambled to recover assets. The wider DeFi ecosystem — other AMMs, auditors, insurance providers, and cross-chain infrastructure — also took a hit as TVL, trust, and fast liquidity flows were disrupted.
Why does this matter?
The breach triggered a >50% plunge in Balancer’s TVL, created immediate liquidity stress and pushed markets to reprice risk around DeFi pools and stablecoin-linked assets. It undermines confidence in “audited” smart contracts, likely raising due diligence costs, insurance premiums, and capital flight to perceived safer venues. In the short term, expect increased volatility and contagion risk across chains, more defensive on-chain behavior, and heightened regulatory and institutional scrutiny that could reshape liquidity and funding in DeFi for months.
