How Does Balancer Work?
A decentralized exchange known for customizable pool weights and composable stable pools. It holds $106M in deposits, down 58% from $775M after a $128M exploit in November 2025 caused by a rounding error in its pool math. Its C- grade reflects the severe recent exploit and ongoing migration risk from vulnerable V2 pools.
TVL
$81M
Sector
DEX
Risk Grade
C
Value Grade
C+
Core Mechanisms
DEX/AMM/Weighted
Weighted pools with arbitrary asset ratios
Standard weighted pool AMM pattern since 2020.
DEX/AMM/Stable
Composable stable pools for pegged assets
Standard stable pool pattern. V2 composable stable pool had the rounding error exploited in Nov 2025.
DEX/AMM/Boosted
Boosted pools with yield-bearing underlying assets
Standard boosted pool pattern connecting idle liquidity to yield sources.
Governance/veToken
veBAL governance with vote-escrowed BAL
Standard veToken pattern (Curve since 2020).
Emissions/Gauge
Gauge voting for BAL emission allocation
Standard gauge voting pattern.
DEX/V3-Hooks
Balancer V3 with programmable hooks and custom pool logic
V3 introduces hooks system similar to Uniswap V4 hooks. Established pattern.
Flash-Loan/Native
Flash loans from Balancer vault
Standard flash loan pattern since 2020.
Cross-Chain/Multi-Deployment
Deployed across Ethereum, Polygon, Arbitrum, and other chains
Standard multi-chain deployment.
How the Pieces Interact
Rounding error in V2 composable stable pool invariant calculation enabled $128M exploit in November 2025. A fundamental mathematical flaw in the core pool logic.
V2 pools with known vulnerabilities remain active across multiple chains during migration to V3. Each chain requires separate migration coordination.
Migration from V2 to V3 splits liquidity and creates operational complexity. Slow migration leaves TVL exposed to V2 vulnerabilities.
Post-exploit governance decisions about treasury use, V2 shutdown timeline, and victim compensation create contentious dynamics.
Flash loans from Balancer vault could be used to manipulate pool prices during vulnerability exploitation windows.
What Could Go Wrong
- $128M exploit in November 2025 via rounding error in V2 composable stable pool invariant calculation. The largest DEX exploit in DeFi history at that scale.
- 58% TVL collapse post-exploit ($775M to $258M) signals deep erosion of protocol trust and institutional confidence.
- Multi-chain V2 pools remain vulnerable until fully migrated to V3. Legacy pool exposure persists across multiple chains.
Legacy V2 Pool Re-Exploitation
ElevatedTrigger: A new vulnerability is discovered in Balancer V2 pool contracts while $50M+ remains in unmigrated V2 pools across multiple chains
- 1.New V2 vulnerability discovered and exploited before migration completes — Remaining V2 pool depositors lose funds in a repeat of the November 2025 pattern
- 2.Second major exploit destroys remaining institutional confidence in Balancer — Mass withdrawal from both V2 and V3 pools as trust collapses completely
- 3.Aura Finance and other protocols built on Balancer face cascading TVL loss — Balancer ecosystem contracts; veBAL governance becomes irrelevant
Risk Profile at a Glance
Overall: C (49/100)
Lower score = safer