On November 3, the Balancer V2 protocol and its fork projects were attacked on multiple chains, resulting in a serious loss of more than $120 million. BlockSec issued an early warning at the first opportunity [1] and gave a preliminary analysis conclusion [2]. This was a highly complex attack. Our preliminary analysis showed that the root cause was that the attacker manipulated the invariant, thereby distorting the calculation of the price of BPT (Balancer Pool Token) -- that is, the LP token of Balancer Pool -- so that it could profit in a stable pool through a batchSwap operation. Background Information 1. Scaling and Rounding To standardize the decimal places of different tokens, the Balancer contract will: upscale: Upscales the balance and amount to a uniform internal precision before performing the calculation; downscale: Reduces the result to its original precision and performs directional rounding (e.g., inputs are usually rounded up to ensure the pool is not under-filled; output paths are often truncated downwards). Conclusion: Within the same transaction, the asymmetrical rounding direction used in different stages can lead to a systematic slight deviation when executed repeatedly in very small steps. 2. Prices of D and BPT The Balancer V2 protocol’s Composable Stable Pool[3] and the fork protocol were affected by this attack. Stable Pool is used for assets that are expected to maintain a close 1:1 exchange ratio (or be exchanged at a known exchange rate), allowing large exchanges without causing significant price shocks, thereby greatly improving the efficiency of capital utilization between similar or related assets. The pool uses the Stable Math (a Curve-based StableSwap model), where the invariant D represents the pool's "virtual total value". The approximate price of BPT (Pool's LP Token) is: The formula above shows that if D is made smaller on paper (even if no funds are actually withdrawn), the price of BPT will be cheaper. BTP represents the pool share and is used to calculate how many pool reserves can be obtained when withdrawing liquidity. Therefore, if an attacker can obtain more BPT, they can profit when withdrawing liquidity. Attack Analysis Taking an attack transaction on Arbitrum as an example, the batchSwap operation can be divided into three stages: Phase 1: The attacker redeems BPT for the underlying asset to precisely adjust the balance of one of the tokens (cbETH) to a critical point (amount = 9) for rounding. This step sets the stage for the precision loss in the next phase. Phase Two: The attacker uses a carefully crafted quantity (= 8) to swap between another underlying asset (wstETH) and cbETH. Due to rounding down when scaling the token quantity, the calculated Δx is slightly smaller (from 8.918 to 8), causing Δy to be underestimated and the invariant D (derived from Curve's StableSwap model) to be smaller. Since BPT price = D / totalSupply, the BPT price is artificially suppressed. Phase 3: The attackers reverse-swap the underlying assets back to BPT, restoring the balance within the pool while profiting from the depressed price of BPT—acquiring more BPT tokens. Finally, the attacker used another profitable transaction to withdraw liquidity, thereby using the extra BPT to acquire other underlying assets (cbETH and wstETH) in the Pool and thus profit. Attacking the transaction: https://app.blocksec.com/explorer/tx/arbitrum/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773 Profitable trades: https://app.blocksec.com/explorer/tx/arbitrum/0x4e5be713d986bcf4afb2ba7362525622acf9c95310bd77cd5911e7ef12d871a9 Reference: [1]https://x.com/Phalcon_xyz/status/1985262010347696312 [2]https://x.com/Phalcon_xyz/status/1985302779263643915 [3]https://docs-v2.balancer.fi/concepts/pools/composable-stable.htmlOn November 3, the Balancer V2 protocol and its fork projects were attacked on multiple chains, resulting in a serious loss of more than $120 million. BlockSec issued an early warning at the first opportunity [1] and gave a preliminary analysis conclusion [2]. This was a highly complex attack. Our preliminary analysis showed that the root cause was that the attacker manipulated the invariant, thereby distorting the calculation of the price of BPT (Balancer Pool Token) -- that is, the LP token of Balancer Pool -- so that it could profit in a stable pool through a batchSwap operation. Background Information 1. Scaling and Rounding To standardize the decimal places of different tokens, the Balancer contract will: upscale: Upscales the balance and amount to a uniform internal precision before performing the calculation; downscale: Reduces the result to its original precision and performs directional rounding (e.g., inputs are usually rounded up to ensure the pool is not under-filled; output paths are often truncated downwards). Conclusion: Within the same transaction, the asymmetrical rounding direction used in different stages can lead to a systematic slight deviation when executed repeatedly in very small steps. 2. Prices of D and BPT The Balancer V2 protocol’s Composable Stable Pool[3] and the fork protocol were affected by this attack. Stable Pool is used for assets that are expected to maintain a close 1:1 exchange ratio (or be exchanged at a known exchange rate), allowing large exchanges without causing significant price shocks, thereby greatly improving the efficiency of capital utilization between similar or related assets. The pool uses the Stable Math (a Curve-based StableSwap model), where the invariant D represents the pool's "virtual total value". The approximate price of BPT (Pool's LP Token) is: The formula above shows that if D is made smaller on paper (even if no funds are actually withdrawn), the price of BPT will be cheaper. BTP represents the pool share and is used to calculate how many pool reserves can be obtained when withdrawing liquidity. Therefore, if an attacker can obtain more BPT, they can profit when withdrawing liquidity. Attack Analysis Taking an attack transaction on Arbitrum as an example, the batchSwap operation can be divided into three stages: Phase 1: The attacker redeems BPT for the underlying asset to precisely adjust the balance of one of the tokens (cbETH) to a critical point (amount = 9) for rounding. This step sets the stage for the precision loss in the next phase. Phase Two: The attacker uses a carefully crafted quantity (= 8) to swap between another underlying asset (wstETH) and cbETH. Due to rounding down when scaling the token quantity, the calculated Δx is slightly smaller (from 8.918 to 8), causing Δy to be underestimated and the invariant D (derived from Curve's StableSwap model) to be smaller. Since BPT price = D / totalSupply, the BPT price is artificially suppressed. Phase 3: The attackers reverse-swap the underlying assets back to BPT, restoring the balance within the pool while profiting from the depressed price of BPT—acquiring more BPT tokens. Finally, the attacker used another profitable transaction to withdraw liquidity, thereby using the extra BPT to acquire other underlying assets (cbETH and wstETH) in the Pool and thus profit. Attacking the transaction: https://app.blocksec.com/explorer/tx/arbitrum/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773 Profitable trades: https://app.blocksec.com/explorer/tx/arbitrum/0x4e5be713d986bcf4afb2ba7362525622acf9c95310bd77cd5911e7ef12d871a9 Reference: [1]https://x.com/Phalcon_xyz/status/1985262010347696312 [2]https://x.com/Phalcon_xyz/status/1985302779263643915 [3]https://docs-v2.balancer.fi/concepts/pools/composable-stable.html