Earlier this week, a critical vulnerability in the decentralized finance (DeFi) protocol Balancer was exploited, with crypto losses estimated at $120 million or more. Although it was initially unclear how the exploit worked, a preliminary report from the team behind Balancer indicated that it mainly came down to how the protocol handled rounding of crypto token balances.
The exploit of Balancer shocked many people in the DeFi ecosystem, as the project has undergone numerous security audits by respected firms, and the particular version of the protocol that was exploited had existed in the wild since 2021.
In an interview with CNBC's Squawk Box on Wednesday morning, former Cybersecurity and Infrastructure Security Agency Director Chris Krebs compared the Balancer exploit to the scheme in Office Space, where the idea was to skim fractions of a penny from many individual transactions. Krebs also highlighted the possible use of artificial intelligence in developing the exploit code as another interesting aspect of the situation.
Without going into too much technical detail, here’s basically what happened with the exploit, according to Balancer’s own analysis.
At the heart of this mess was a rounding error in Balancer's code related to how it handles transactions, particularly batch swaps, where multiple swaps between different crypto assets can be grouped into a single transaction. This is intended to help users save on gas, which is effectively the cryptographic cost of interacting with a blockchain-based smart contract platform like Balancer.
⚖️ Balancer Hack TL;DR:
🧮 Most tokens on Ethereum use 18 decimal places, but some do not.
✖️ Balancer scales token amounts up (to 18 decimals) and back down again.
🔧 Scaling up is always rounded DOWN, but scaling down can be rounded UP or DOWN.
😬 The more scaling steps involved, the more…
– Austin Griffith (@austingriffith) November 5, 2025
In a particular variant of this kind of swap, known as EXACT_OUT, Balancer's code must scale the numbers up or down to keep the calculations precise (think converting cents to dollars). But the system sometimes rounded down, creating tiny imbalances.
Over repeated transactions, hackers could exploit these tiny gaps to disrupt pool balances, hence Krebs' comparison to the Office Space scheme. There were additional manipulations on top of that, but this rounding error was the main flaw that opened up the opportunity for the hacker.
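To make the rounding-direction point concrete, here is a small added Python model (not Balancer's code; the constant-product pool, balances and token decimals are assumed for illustration only). It quotes an EXACT_OUT swap in an 18-decimal domain, scales the amount the user owes back to a 6-decimal token once rounding down and once rounding up, and measures what the pool loses over repeated swaps.

```python
from fractions import Fraction

DECIMALS_18 = 18  # the common 18-decimal fixed-point domain on Ethereum


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded toward +infinity (a >= 0, b > 0)."""
    return -(-a // b)


def scale_up(raw: int, decimals: int) -> int:
    """Native-decimal amount -> 18-decimal domain. Exact: it only multiplies."""
    return raw * 10 ** (DECIMALS_18 - decimals)


def scale_down(amount18: int, decimals: int, round_up: bool) -> int:
    """18-decimal amount -> native decimals. This step loses information, so the
    rounding direction is the security-relevant choice: an amount the user OWES
    the pool must round UP, otherwise the pool is systematically underpaid."""
    factor = 10 ** (DECIMALS_18 - decimals)
    return ceil_div(amount18, factor) if round_up else amount18 // factor


def exact_out_amount_in(bal_in: int, bal_out: int, amount_out: int) -> int:
    """Assumed constant-product (x*y=k) EXACT_OUT quote in the 18-decimal domain:
    amount_in = bal_in * amount_out / (bal_out - amount_out), rounded up."""
    return ceil_div(bal_in * amount_out, bal_out - amount_out)


def simulate(n_swaps: int, round_up: bool, dec_in: int = 6) -> Fraction:
    """Run n EXACT_OUT swaps of exactly 1 token_out against a constructed 1M/1M
    pool whose token_in has `dec_in` native decimals. Returns the pool's
    cumulative shortfall in native token_in units (positive = pool underpaid)."""
    bal_in = scale_up(1_000_000 * 10**dec_in, dec_in)
    bal_out = 1_000_000 * 10**DECIMALS_18
    amount_out = 10**DECIMALS_18
    shortfall = Fraction(0)
    for _ in range(n_swaps):
        # Exact rational amount owed, expressed in native token_in units.
        owed = Fraction(bal_in * amount_out, bal_out - amount_out) / 10 ** (DECIMALS_18 - dec_in)
        quote18 = exact_out_amount_in(bal_in, bal_out, amount_out)
        paid = scale_down(quote18, dec_in, round_up)  # what the user actually transfers
        shortfall += owed - paid
        bal_in += scale_up(paid, dec_in)
        bal_out -= amount_out
    return shortfall
```

With `round_up=False` the shortfall is positive and grows with every swap, which is the pattern the article describes; with `round_up=True` it never exceeds zero, at the cost of the user overpaying by at most one native unit per swap.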
While the Balancer exploit sent shockwaves through the DeFi ecosystem, some blockchains were able to limit the hacker's reward by simply freezing assets, which is obviously at odds with the “code is law” philosophy that was originally at the heart of crypto platforms focused on more expressive smart contracts, like Ethereum.
Some DeFi supporters feared that a hack of a widely trusted protocol like Balancer would weaken trust in the DeFi sector more generally; however, it is clear that much of this activity is still somewhat centrally controlled and capable of operating in ways similar to traditional fintech platforms.
Everyone likes to claim “cryptoeconomic security” until the Lazarus Group shows up.
– Matthew Green is on BlueSky (@matthew_d_green) November 6, 2025
According to Unchained, the Polygon and Sonic blockchains effectively froze or “censored” some of the hacker's Balancer assets following the exploit to prevent the funds from being moved elsewhere. Berachain went so far as to deploy an emergency hard fork, which will allow those affected by the hack to recover their funds.
This recalls actions taken by Ethereum developers following the infamous DAO hack almost a decade ago, in the early days of the network. It is clear that crypto is still grappling with the tradeoff between giving everyone full control of their own digital currency and having no one to turn to if something goes wrong.
Some have noted that it makes sense to implement these kinds of training-wheel protections on less developed crypto networks, but others see it as another example of the extent to which so-called decentralization in the space is more theater than technical reality, as was also exposed during the recent Amazon Web Services outage.