defirisk.co
rubric v1.7.0

Balancer V2 (Composable Stable Pools): `_upscale()` rounding-down compounded across 65+ micro-swaps

Occurred: 2025-11-03 | Loss: $128M | Status: closed

Summary

Balancer V2 (Composable Stable Pools) suffered a DEX / AMM exploit (Composable Stable Pools, BPT flash-mint vector) on 2025-11-03, resulting in a loss of approximately $128M.

What happened

The 2025 Balancer V2 exploit ("Rekt II" — distinct from the 2023 Boosted Pools incident at ) targeted Composable Stable Pools, draining ~$128M across eight chains in roughly five hours.

Linked factors

  • RD-F-001 — related: Composable Stable Pools were within audit scope but verified properties did not constrain batch-rounding behavior
  • RD-F-022 — illustrative: Cat 9 hygiene pattern: audited but not stress-tested under batch composition; live 4+ years before vector discovered
  • RD-F-070 — related: Composable Stable Pool `_upscale()` rounding-down compounded across batch swaps; root cause of $128M loss
  • RD-F-081 — related: Auto-linked by C.4 triage 2026-05-07
  • RD-F-084 — related: Auto-linked by C.4 triage 2026-05-07