Decentralized finance protocol Balancer has confirmed a major security breach in its V2 pools, with estimated losses exceeding $128 million, making it one of the largest cryptocurrency thefts of 2025.
Balancer, built on the Ethereum blockchain, is an automated market maker and liquidity infrastructure platform, enabling users to deposit assets, earn fees, and trade tokens within flexible pools. The protocol’s governance token BAL had a market capitalization of around $65 million prior to the incident.
The company disclosed that the exploit specifically targeted its V2 Composable Stable Pools. Other Balancer pools, including those under V3, were reportedly unaffected.
“Our team is working with leading security researchers to understand the issue,” Balancer said in a series of posts.
Preliminary analysis from GoPlus Security suggests that the attack exploited a precision rounding error in Balancer’s Vault swap calculations. Each calculation rounded down, affecting token prices. The batchSwap function amplified this vulnerability, allowing attackers to manipulate prices through crafted parameters.
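To make the rounding point concrete, here is an added toy example (not Balancer's code, and not from GoPlus's analysis) of a constant-product pool where the amount a taker must pay for a requested output is computed once with floor division and once with ceiling division. The pool, token amounts and the invariant check are all constructed for illustration; the only fact taken from the report is that rounding every swap calculation down moves value away from the pool.

```python
"""Toy constant-product pool: why swap math must round against the caller.

Constructed example, not the Balancer Vault's arithmetic. Balances are
integers, as they are on-chain, so every division has to pick a direction.
"""


def amount_in_floor(x, y, dy):
    """Weak: input required for dy out, rounded DOWN (in the taker's favour)."""
    return (x * dy) // (y - dy)


def amount_in_ceil(x, y, dy):
    """Hardened: same quantity rounded UP, so the pool never under-charges."""
    num = x * dy
    den = y - dy
    return -(-num // den)  # ceiling division on non-negative integers


def invariant(x, y):
    """Constant-product invariant k = x * y; a fair swap must not lower it."""
    return x * y


def swap_given_out(amount_in_fn, x, y, dy):
    """Apply one given-out swap and return the new balances and the input paid."""
    dx = amount_in_fn(x, y, dy)
    return x + dx, y - dy, dx


def simulate(amount_in_fn, x, y, dy, rounds):
    """Repeat a small given-out swap and report how the invariant moves."""
    k_before = invariant(x, y)
    paid = 0
    for _ in range(rounds):
        x, y, dx = swap_given_out(amount_in_fn, x, y, dy)
        paid += dx
    return {
        "paid_in": paid,
        "received": dy * rounds,
        "k_before": k_before,
        "k_after": invariant(x, y),
        "invariant_held": invariant(x, y) >= k_before,
    }


def checked_swap(amount_in_fn, x, y, dy):
    """Defensive wrapper: refuse any swap whose arithmetic lowers the invariant."""
    k_before = invariant(x, y)
    nx, ny, dx = swap_given_out(amount_in_fn, x, y, dy)
    if invariant(nx, ny) < k_before:
        raise ValueError("rounding would leak value from the pool")
    return nx, ny, dx


if __name__ == "__main__":
    # Constructed pool: 1000 of token X against 2000 of token Y.
    print("floor:", simulate(amount_in_floor, 1000, 2000, 1, 100))
    print("ceil: ", simulate(amount_in_ceil, 1000, 2000, 1, 100))
```

With the floor version, a request for one unit of Y costs 1000/1999, which floors to zero, so one hundred such swaps drain one hundred units for nothing and the invariant falls; the ceiling version charges one unit each time and the invariant only grows. The `checked_swap` wrapper shows the simplest defensive control: compare the invariant before and after and reject the swap rather than trust the rounding.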
However, other blockchain experts say that the attack involved improper authorization and callback handling. According to Aditya Bajaj, a malicious contract manipulated vault calls during pool initialization, bypassing built-in safeguards and enabling unauthorized swaps and balance alterations across connected pools.
Balancer says it will publish a comprehensive post-mortem once the root cause is fully understood.
In an unrelated case, cybersecurity researchers have discovered a malicious extension in the Open VSX registry containing a remote access trojan (RAT) dubbed SleepyDuck. The compromised package, juan-bianco.solidity-vlang, was initially uploaded on October 31, 2025, as a harmless library but was later updated to version 0.0.8 on November 1 to include malicious code after surpassing 14,000 downloads. According to Secure Annex, the malware employs sandbox evasion techniques and leverages an Ethereum smart contract to dynamically update its command-and-control (C2) address, allowing it to maintain persistence even if the original server is shut down.
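For defenders who want to check developer workstations, here is an added example (not Secure Annex's tooling or the malware's code) that walks the local extension folders that VS Code-style editors use and flags any installed copy of the extension id named in the report. The id and the version that first carried the payload come from the report; the folder locations, the decision to treat later versions as malicious as well, and the manifest layout (`package.json` with `publisher`, `name` and `version` fields) are assumptions.

```python
"""Flag a known-malicious editor extension by id and version in local install dirs.

Added detection example. The extension id and first malicious version are taken
from the SleepyDuck report; everything else here is an assumption for illustration.
"""
import json
from pathlib import Path

MALICIOUS_ID = "juan-bianco.solidity-vlang"       # from the report
FIRST_MALICIOUS_VERSION = (0, 0, 8)               # version that added the RAT

# Assumed install locations; extend for the editors actually in use.
DEFAULT_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
]


def parse_version(text):
    """Turn '0.0.8' into (0, 0, 8); raises ValueError on non-numeric parts."""
    parts = text.strip().split("-")[0].split(".")
    return tuple(int(p) for p in parts[:3])


def classify_manifest(manifest):
    """Return 'malicious', 'remove' (same id, pre-payload build) or None."""
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    if ext_id != MALICIOUS_ID:
        return None
    try:
        version = parse_version(str(manifest.get("version", "0")))
    except ValueError:
        return "remove"  # unparsable version, still the flagged id
    # Assumption: every build from 0.0.8 onward is treated as carrying the payload.
    return "malicious" if version >= FIRST_MALICIOUS_VERSION else "remove"


def scan_dir(root):
    """Yield (path, version, verdict) for every flagged extension under root."""
    findings = []
    for manifest_path in Path(root).glob("*/package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        verdict = classify_manifest(manifest)
        if verdict:
            findings.append((str(manifest_path.parent), manifest.get("version"), verdict))
    return findings


def scan_all(dirs=DEFAULT_DIRS):
    """Scan every configured directory that exists and collect findings."""
    results = []
    for d in dirs:
        if d.is_dir():
            results.extend(scan_dir(d))
    return results


if __name__ == "__main__":
    for path, version, verdict in scan_all():
        print(f"{verdict:10} {version or '?':8} {path}")
```

Any hit, even on a pre-0.0.8 build, is worth removing, since the publisher account shipped the payload in a later update and the C2 address is fetched from a smart contract rather than a fixed host, so blocking one server does not neutralise an installed copy.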
