Balancer preliminary report discloses V2 Composable Pool attack path and recovery progress

Wu reported that Balancer pointed out in the preliminary incident report that the attack originated from the rounding logic of the upscale function in the V2 Composable Stable Pools under the EXACT_OUT path. When the scaling factor is a non-integer, this function produces exploitable precision errors. The attacker combined this with the delayed settlement mechanism of batchSwap (which allows assets to be temporarily borrowed during the transaction and returned at the end), as well as the design where BPT is treated as a regular Token, allowing for bypassing the minimum pool share limit, which reduced the liquidity in the pool to extremely low levels, enabling the manipulation of the pool balance and the extraction of funds. The vulnerability only affects the CSPv5 pool after the pause window has passed; CSPv6 has been automatically paused by Hypernative and is unaffected. Other pool types in V2 and the V3 architecture are also unaffected, and exchanges and liquidity operations in the unaffected pools can still proceed normally. Currently, the CSPv6 pool has entered recovery mode, supporting proportional withdrawals of underlying assets; the CSPv5 pool is still under investigation, and users are advised not to interact for now.