Vulnerability in Composable Stable Pools Led to $128 Million Hacker Attack on Balancer

A hacking incident targeting the DeFi protocol Balancer was attributed to a flaw in one of the platform’s critical components—the Composable Stable pools. This conclusion was shared by the project’s developers.

According to their statement, the vulnerability enabled attackers to exploit a feature of the deferred settlement mechanism. Due to a coding error, liquidity could temporarily dip below a crucial minimum threshold.

During certain exchange operations (EXACT_OUT), non-integer scaling factors resulted in values being rounded down. Over time, these discrepancies created an opportunity for manipulating the pool balances, allowing hackers to withdraw funds.
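The rounding effect described above, in a simplified fixed-point model. This is an added example, not Balancer's contract code. The 18-decimal format, the 1:1 pricing curve and both sample scaling factors are assumptions made for illustration.

```python
ONE = 10**18  # 18-decimal fixed point (assumption of this sketch)

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, rounding toward zero."""
    return a * b // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding away from zero (ceiling)."""
    return -(-(a * b) // ONE)

def charged_for_exact_out(amount_out: int, scaling_factor: int, round_up: bool) -> int:
    """Scaled value the pool bills for an EXACT_OUT request.

    Pricing is a hypothetical 1:1 curve so that only the rounding of the
    upscaled amount is visible; a real stable pool applies its invariant here.
    """
    upscale = mul_up if round_up else mul_down
    return upscale(amount_out, scaling_factor)

def undercharged(amount_out: int, scaling_factor: int, round_up: bool) -> bool:
    """True when the billed value is below the exact value paid out."""
    exact = amount_out * scaling_factor  # exact value, still multiplied by ONE
    billed = charged_for_exact_out(amount_out, scaling_factor, round_up) * ONE
    return billed < exact

def count_violations(scaling_factor: int, round_up: bool, amounts=range(1, 1001)) -> int:
    """Property check: how many request sizes leave the pool short."""
    return sum(undercharged(a, scaling_factor, round_up) for a in amounts)

# Constructed sample values, not taken from the incident.
INTEGER_FACTOR = 10**12 * ONE                    # whole-number scaling factor
NON_INTEGER_FACTOR = 1_050_000_000_000_000_000   # 1.05, a non-integer factor

if __name__ == "__main__":
    for name, factor in (("integer", INTEGER_FACTOR), ("non-integer", NON_INTEGER_FACTOR)):
        for round_up in (False, True):
            mode = "round up" if round_up else "round down"
            print(f"{name:12s} {mode:10s} undercharged cases: "
                  f"{count_violations(factor, round_up)}")
```

With a whole-number factor the rounding direction makes no difference. With the non-integer factor, rounding down leaves the pool short on most request sizes, while rounding in the pool's favour removes every such case.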

Assets were initially transferred to internal accounts of Balancer v2’s storage and were subsequently withdrawn through separate transactions.

The primary impact was on Composable Stable pools v5, which had surpassed their protective period. Pools v6 managed to avoid widespread depletion thanks to the Hypernative emergency response system that automatically halted their operations.

*“The incident specifically affected Composable Stable Pools in Balancer v2 and their forks on other networks: BEX and Beets. Balancer v3 and other pool types were not compromised,”* noted the protocol’s team.

To counter the threat, other Balancer partners took several measures. Notably, efforts by BitFinding and MEV bots from Base managed to recover around $750,000.

The developers stated that the Safe Harbor legal framework adopted previously (BIP-726) *“significantly improved the speed and coordination of the response.”*

The exact amount of returned funds remains unclear. The Balancer team promised to report on the final losses and recovered assets once the audit is complete.

Recall that the DeFi protocol was subjected to a hack on November 3. The attack lasted for several hours.