Balancer hack analysis and guidance for the DeFi ecosystem

A recent hack on Balancer v2, resulting in over $100 million in losses, was caused by a long-standing arithmetic rounding error. Initially, such issues were not considered significant threats to blockchain security due to a different threat landscape. However, as easier attack vectors become scarce, sophisticated attackers now target subtle arithmetic edge cases in DeFi protocols. This incident underscores the critical need for comprehensive invariant documentation and rigorous testing to identify and prevent such vulnerabilities.

The vulnerability exploited was a rounding direction error in Balancer v2's Composable Stable Pools. Trail of Bits had previously identified similar rounding issues during audits in 2021 and recommended enhanced fuzz testing. At the time, the full exploitable impact of these precision loss issues was difficult to definitively assess.

The evolution of the blockchain ecosystem has seen a shift from primarily access control or key compromise hacks to more complex DeFi-specific exploits like oracle manipulation and rounding errors. In 2023, rounding issues led to significant hacks in protocols like Hundred Finance and Sonne Finance, highlighting their growing prevalence. Trail of Bits' own security ratings now classify codebases without robust rounding strategies as "Weak" in arithmetic maturity.

To prevent future exploits, DeFi protocols must meticulously document all invariants related to precision loss and rounding direction, going beyond simple rules like "rounding must favor the protocol." This documentation should then inform comprehensive unit, integration, and fuzz testing suites to achieve 100% coverage. Formal verification can further complement fuzzing by providing additional guarantees.

The incident emphasizes four key lessons for the DeFi ecosystem: the critical importance of mathematical accuracy, the necessity of maintaining and updating fuzzing suites with current threat intelligence, the design of robust monitoring and alerting systems, and the implementation of secondary controls to mitigate the impact of potential exploits.
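
The following is an added example, not code from Balancer or Trail of Bits. It shows what documenting a rounding-direction invariant per operation and then fuzzing it can look like. It uses a constant-product pool with integer math as a stand-in (an assumption; this is not Balancer's stable-pool math), and all function names are illustrative.

```python
import random

def div_down(a: int, b: int) -> int:
    return a // b

def div_up(a: int, b: int) -> int:
    return -(-a // b)  # ceiling division on non-negative integers

# Documented invariant: the reserves product x*y never decreases across a swap.
# Required directions: amount IN rounds up, amount OUT rounds down.

def swap_exact_out(x, y, amount_out, rnd=div_up):
    """Trader names the output; the pool computes what it must receive."""
    amount_in = rnd(x * amount_out, y - amount_out)
    return x + amount_in, y - amount_out

def swap_exact_in(x, y, amount_in, rnd=div_down):
    """Trader names the input; the pool computes what it pays out."""
    amount_out = rnd(y * amount_in, x + amount_in)
    return x + amount_in, y - amount_out

def fuzz_invariant(swap, rnd, runs=2000, seed=1):
    """Return the (x, y, amount) inputs for which x*y decreased."""
    rng = random.Random(seed)
    counterexamples = []
    for _ in range(runs):
        # Vary the magnitude so tiny balances, where one unit of rounding
        # matters most, are exercised as often as large ones.
        x = rng.randint(1, 10 ** rng.randint(1, 18))
        y = rng.randint(2, 10 ** rng.randint(1, 18))
        amount = rng.randint(1, y - 1)
        new_x, new_y = swap(x, y, amount, rnd)
        if new_x * new_y < x * y:
            counterexamples.append((x, y, amount))
    return counterexamples

if __name__ == "__main__":
    for swap, good, bad in ((swap_exact_out, div_up, div_down),
                            (swap_exact_in, div_down, div_up)):
        print(swap.__name__,
              "documented rounding:", len(fuzz_invariant(swap, good)),
              "reversed rounding:", len(fuzz_invariant(swap, bad)))
```

With the documented directions the fuzzer finds no counterexample; reversing the direction in either swap path produces them immediately, which is the regression signal such a suite is meant to give.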