Summary: Balancer Releases Preliminary Incident Report Of $117M Exploit
Less than 48 hours after confirming one of the largest decentralized finance (DeFi) breaches of the year, Balancer has released its preliminary incident report, detailing how a rounding error and batch-swap exploit drained more than $117 million from its V2 Composable Stable Pools across multiple networks.
The report follows a chaotic week that shook the DeFi sector, exposing vulnerabilities in legacy smart contracts even as Balancer’s newest version, V3, remains unaffected. In parallel, Berachain, one of the networks hit during the exploit, announced the recovery of its entire $12.8 million loss, marking one of the rare full restitution cases in DeFi history.
How the exploit unfolded
According to Balancer’s report, the attack began at 07:46 UTC on Monday, when monitoring system Hypernative flagged abnormal behavior across V2 Composable Stable Pools on Ethereum, Base, Avalanche, Arbitrum, Optimism, Polygon, Gnosis, Berachain, and Sonic.
The attacker exploited a flaw in the upscale function, specifically how EXACT_OUT swaps handled non-integer scaling factors, to manipulate pool balances.
Combined with the protocol’s batchSwap deferred settlement feature, the exploit allowed attackers to repeatedly drain funds while bypassing the minimum pool supply limit.
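The rounding issue described above can be checked mechanically. The following Python is an added example, not Balancer's code and not taken from its report. It assumes 18-decimal fixed-point math and an upscale step that rounds down for every swap kind; all names and sample values are constructed for illustration.

```python
# Added illustration; not Balancer's code. Names and values are constructed.
ONE = 10**18  # assumed 18-decimal fixed-point unit


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply, rounding toward zero."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply, rounding up (ceiling) for non-negative inputs."""
    return -((-a * b) // ONE)


def upscale_given_amount(amount, scaling_factor, swap_kind, always_round_down=False):
    """Upscale the user-specified amount of a swap.

    Pool-favourable rounding: round the requested output up for EXACT_OUT,
    round the supplied input down otherwise. always_round_down=True models
    the single-direction variant assumed in the lead-in.
    """
    if swap_kind == "EXACT_OUT" and not always_round_down:
        return mul_up(amount, scaling_factor)
    return mul_down(amount, scaling_factor)


def undercounted_outputs(scaling_factor, amounts, always_round_down):
    """Return EXACT_OUT amounts whose upscaled value is below the exact product."""
    bad = []
    for amount in amounts:
        scaled = upscale_given_amount(amount, scaling_factor, "EXACT_OUT", always_round_down)
        # Compare in integer space: scaled * ONE versus the exact numerator.
        if scaled * ONE < amount * scaling_factor:
            bad.append(amount)
    return bad


INTEGER_FACTOR = 10**12 * ONE          # constructed: 6-decimal token, rate 1.0
NON_INTEGER_FACTOR = 105 * ONE // 100  # constructed: rate 1.05
SAMPLE_AMOUNTS = [1, 7, 20, 10**18]    # constructed amounts, in smallest units

if __name__ == "__main__":
    for label, factor in (("integer", INTEGER_FACTOR), ("non-integer", NON_INTEGER_FACTOR)):
        for down in (True, False):
            print(label, "always_round_down =", down, "->",
                  undercounted_outputs(factor, SAMPLE_AMOUNTS, down))
```

A check of this shape fits a property-based test suite run over every scaling factor a pool can hold, so that a rounding direction that under-counts the pool's side fails before deployment.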
While Balancer has not confirmed final loss figures, the $117 million estimate remains the most cited by independent analysts. The protocol emphasized that V3 and all non-stable pool types were unaffected and that containment measures, including automated pausing of v6 pools and white-hat recoveries, prevented further losses.
Containment and partial fund recovery
Rapid intervention helped stem the damage across networks. Balancer credits Hypernative, SEAL Safe Harbor, and multiple white-hat teams for recovering or freezing a portion of affected funds. Among the mitigations:
- StakeWise recovered roughly $19 million in osETH and $2 million in osGNO, totaling nearly 73% of affected assets.
- Sonic Labs froze attacker wallets linked to Beets Finance, a Balancer fork on Sonic.
- BitFinding and Base MEV bots retrieved over $750,000 combined.
Balancer confirmed that a full post-mortem will follow, with independent auditors and partners verifying on-chain data, frozen assets, and recovery actions before publishing final figures.
Berachain achieves full restitution
Meanwhile, Berachain confirmed the complete recovery of the $12.8 million it lost during the Balancer exploit, crediting swift validator coordination and assistance from a white-hat hacker who returned the funds.
The network had halted block production within hours of detecting the exploit, freezing attacker activity and later issuing an emergency hard fork to prevent further transfers.
Berachain’s Chief Smokey Officer, Smokey The Bera, defended the controversial network halt: “When roughly $12 million of user funds are at risk, our priority is protecting the community. Pausing operations wasn’t ideal, but it prevented total loss.”
Berachain has since resumed all operations, including HONEY minting and redemption, and said it may issue a bounty reward to the white-hat contributor who helped return the assets.
The bigger picture: DeFi’s recurring pain point
While Balancer’s transparency and recovery coordination have been praised, the incident underscores a deeper issue within DeFi: complex smart contract design and fragmented auditing standards.
Composable architecture, once touted as a key DeFi innovation, continues to introduce hidden attack surfaces and security risks. Balancer’s miscalculated rounding logic is just the latest example of how minor arithmetic flaws can cascade into multimillion-dollar exploits across chains.
The Balancer team cautioned that public estimates remain unofficial until reconciled through partner verification. It urged users to avoid interacting with affected pools and to monitor only its official X and Discord channels for updates.
The company says recovery efforts under the SEAL Safe Harbor framework continue, with zeroShadow and BitFinding tracing assets. A full post-mortem and migration plan to V3 are next.
For DeFi, the saga is another warning: even in “trustless” systems, safety still depends on human vigilance, and white-hats fixing what code can’t.