How Does Balancer V2 Work?

DEX|Risk C-|7 mechanisms|5 interactions

Balancer V2 is the legacy version of the Balancer decentralized exchange, still running across multiple blockchains with $74M in deposits. It allows flexible pool designs with custom asset ratios. However, V2 suffered a devastating $128M exploit in November 2025 from a math error in its stable pool code, causing over half its TVL to flee. V2 is being phased out in favor of V3, but legacy pools remain live and carry elevated risk.

TVL

$37M

Sector

DEX

Risk Grade

C-

Value Grade

D-

Core Mechanisms

DEX/AMM/Weighted

Weighted pools with customizable asset ratios (e.g., 80/20, 60/20/20)

Standard weighted pool AMM since 2020. Allows arbitrary asset ratios beyond the typical 50/50 split. Core V2 functionality.

DEX/AMM/Stable

Composable stable pools for pegged assets — the pool type exploited in the November 2025 hack

Standard stable pool pattern. The V2 composable stable pool invariant contained a rounding error that was exploited for $128M in November 2025. This specific pool type carries elevated risk on V2.

DEX/AMM/Boosted

Boosted pools connecting idle liquidity to yield-bearing protocols

Boosted pools route idle liquidity to external yield sources (Aave, Euler). Introduces composability risk from yield-source protocol dependencies.

Governance/veToken

veBAL: vote-escrowed BAL for governance and fee distribution

Standard veToken pattern adopted from Curve. Lock BAL for up to 1 year for veBAL. Governs gauge emissions and protocol parameters.

Emissions/Gauge

Gauge voting for BAL emission allocation across pools

Standard gauge voting for emission direction. Similar to Curve's gauge system.

Flash-Loan/Native

Flash loans from the Balancer vault

The V2 vault provides flash loans. Standard pattern since 2020. Flash loans can be used to amplify attack vectors.

Cross-Chain/Multi-Deployment

V2 deployed across Ethereum, Polygon, Arbitrum, Gnosis, and other chains

Multi-chain V2 deployments remain live even as V3 launches. Each chain's V2 deployment carries independent risk and may not receive security updates.

How the Pieces Interact

Composable stable pool invariantRounding precision in large poolsCritical

The November 2025 exploit demonstrated that rounding errors in the composable stable pool math can be weaponized to drain pools. Despite prior audits, this class of precision bugs went undetected. Remaining V2 composable stable pools may harbor similar issues.

Legacy V2 contracts on multiple chainsIncomplete migration to V3Critical

V2 contracts across multiple chains cannot be upgraded (immutable). Known vulnerability classes persist until all liquidity migrates to V3. Multi-chain coordination of security responses is slow, leaving some deployments exposed for extended periods.

Flash loan vaultPool invariant manipulationHigh

The V2 vault's flash loan facility can amplify attacks against pool invariant bugs. An attacker can borrow large amounts, manipulate pool state, extract value, and repay within a single transaction — exactly the pattern used in the November 2025 exploit.

Boosted pool yield-source dependencyExternal protocol exploitsMedium

Boosted pools route idle liquidity to external protocols. If an external yield source is exploited (e.g., Euler hack in March 2023 affected Balancer boosted pools), LP depositors in boosted pools suffer losses from external protocol failures.

veBAL governancePost-exploit trust deficitMedium

The $128M exploit created a governance crisis. veBAL holders must now govern both V2 wind-down and V3 transition simultaneously. Governance fatigue and fractured community attention could lead to suboptimal security decisions.

What Could Go Wrong

  1. $128M exploit in November 2025 via rounding error in composable stable pool invariant — the largest DEX exploit at that scale in DeFi history
  2. Legacy V2 contracts remain deployed across multiple chains with known vulnerability classes; migration to V3 is incomplete
  3. 58% TVL collapse post-exploit ($775M to $258M) signals deep erosion of protocol trust and institutional confidence

Second V2 Exploit Across Multiple Chains

Moderate

Trigger: A second critical vulnerability is discovered in V2 contracts (e.g., in weighted pools or vault logic), and exploited across multiple chains before liquidity can be migrated

  1. 1.Security researcher or attacker discovers a new critical vulnerability in V2 pool or vault contracts V2 deployments across Ethereum, Polygon, Arbitrum, and other chains are all vulnerable simultaneously
  2. 2.Attacker exploits the vulnerability on the chain with highest V2 TVL first, then moves to other chains Multi-chain drain of V2 pools within hours; $50-74M at risk across remaining V2 TVL
  3. 3.Community loses all remaining confidence in Balancer V2; even V3 trust is damaged by association BAL token crashes 60-80%; veBAL governance becomes dysfunctional as locked token value evaporates
  4. 4.Protocols and integrations that still rely on V2 pools face emergency migration pressure Balancer ecosystem faces existential crisis; V3 adoption is set back as institutional partners reassess relationship
See all 3 collapse scenarios in the full risk report →

Risk Profile at a Glance

Mechanism Novelty0/15
Interaction Severity18/20
Oracle Surface2/10
Documentation Gaps5/10
Track Record15/15
Scale Exposure3/10
Regulatory Risk2/10
Vitality Risk6/10
C-

Overall: C- (51/100)

Lower score = safer

More on Balancer V2

Is Balancer V2 Safe?

Safety analysis

Is Balancer V2 a Good Investment?

Value analysis

Full Risk Report

All mechanisms & interactions

Related DEX Explainers

How Does THORChain Work?DHow Does Cetus Protocol Work?D+How Does ALEX Lab Work?C-How Does PulseX V2 Work?C-How Does WOOFi Work?C