Balancer Lost $128M in Rounding Error Exploit
Check Point Research reported that an attacker drained $128 million from the Balancer decentralized finance platform by exploiting a rounding error in the protocol’s calculations. The incident shows how small arithmetic flaws in smart-contract logic can be weaponized to manipulate pool balances and extract large amounts of value from DeFi systems.
The reported attack focused on a weakness in how Balancer handled numerical precision, allowing the attacker to repeatedly benefit from favorable rounding behavior until funds were siphoned from the platform. The case highlights the security impact of precision and accounting bugs in blockchain applications, where seemingly minor implementation errors can escalate into major financial losses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Attacker drains $128M from Balancer via rounding error exploitation
According to the referenced Check Point Research article, an attacker exploited a rounding error in Balancer and drained approximately $128 million. No earlier or additional dated milestones are provided in the supplied content, so the event is anchored to the article's publication date.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Balancer and Stream Shake Confidence in DeFi - "The Defiant"
thedefiant.io
Open sourceHow an Attacker Drained $128M from Balancer Through Rounding Error Exploitation - Check Point Research
research.checkpoint.com
Open sourceCrypto Community Divided on DeFi Trust Implications After $128M Balancer Exploit - "The Defiant"
thedefiant.io
Open sourceBalancer Hacked? Ethereum DeFi Powerhouse Sees $110M in Crypto Moved
coindesk.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Exploit of Balancer DeFi Protocol via V2 Pool Vulnerability
Hackers exploited a vulnerability in the Balancer DeFi protocol's V2 pools, resulting in the theft of over $120 million in cryptocurrency, with at least $99 million stolen in ETH. The attack targeted Balancer's Compostable Stable Pools and was traced to either a precision rounding error in the Vault’s swap calculations or faulty access control mechanisms, allowing the attacker to manipulate token swaps and balances. Balancer confirmed that the exploit did not impact its V3 pools and has paused affected pools while working with security researchers to investigate the incident. The company has warned users to be vigilant against phishing attempts and fraudulent messages purporting to be from its security team. Several other blockchain organizations connected to Balancer, such as the Berachain Foundation, Gnosis, Sonic, and Beefy, took emergency measures to protect user assets, including halting networks and freezing stolen funds where possible. Despite Balancer's history of multiple security audits and bug bounty programs, this incident highlights ongoing risks in DeFi protocols. A full post-mortem is expected once the investigation concludes.
Mar 21, 2026
Stablecoin Issuers Resolv Labs and StablR Hit by Minting Exploits and Depegs
Resolv Labs and StablR suffered separate stablecoin security incidents that triggered sharp depegs after attackers abused token minting controls. Reporting on the Resolv incident said an attacker minted millions of tokens, undermining confidence in the protocol and pushing the stablecoin off its peg, while a later technical review described the event as a hack tied to failures around minting security. In StablR’s case, attackers exploited the issuer’s minting contract after what on-chain investigators said was likely a compromised key in a `1-of-3` minting multisig, causing both **EURR** and **USDR** to trade more than 20% below their intended values. Loss estimates in the StablR breach varied widely, with Blockaid putting theft near **$2.8 million** and other researchers, including RedStone Oracles co-founder Marcin Kazmierczak and PharosWatch, estimating closer to **$10 million**. The stolen funds were reportedly routed through Circle’s Cross-Chain Transfer Protocol on Noble, and StablR confirmed the exploit while saying it was working to contain the incident; no final recovery plan or definitive loss total had been released at the time of reporting. Together, the incidents highlight how compromise of minting authority can rapidly inflate supply, drain backing, and destabilize fiat-pegged crypto assets.
May 25, 2026
Step Finance Treasury Wallet Theft via Compromised Executive Devices
**Step Finance**, a Solana-based DeFi platform and analytics dashboard, reported a breach in which attackers **compromised devices belonging to company executives** and used that access to drain multiple **treasury wallets**. The incident was detected on **January 31**, with the threat actor described as leveraging a **“well-known attack vector,”** though Step Finance did not publicly disclose the specific technique or attribution. Initial third-party estimates from blockchain analytics firm **CertiK** put the theft at **261,854 SOL (~$28.9M)**, but Step Finance’s internal investigation later assessed total losses at **~$40M**. Step Finance said it has recovered **~$3.7M in Remora assets** and **~$1M in other positions** through partner coordination and **Token22 protections**, temporarily halted some operations to reinforce security, and stated that **Remora Markets is isolated** from the incident with **rTokens remaining 1:1 backed**; users were also advised **not to engage with the `STEP` token** until the investigation concludes.
Mar 21, 2026