Balancer's $116 Million Exploit: A Rounding Error with Real Consequences

2025/11/07 00:52

A deep dive into the Balancer exploit, revealing the rounding error that led to a $116 million loss and its implications for DeFi.

Balancer, once a DeFi darling, faced a harsh reality check when a rounding error in its BatchSwap feature led to a $116 million exploit. Let's break down what happened and why it matters.

The Root Cause: A Tiny Rounding Error, Massive Impact

The culprit? A subtle rounding error in the "upscale" function of Balancer's v2 vault's BatchSwaps feature. This function, designed to save gas fees by combining multiple swaps, had a flaw. Instead of always rounding down when calculating token prices, it sometimes didn't, creating tiny discrepancies. Hackers exploited this, using flash loans to manipulate balances and drain funds. Think of it as finding a minuscule crack in a dam – seemingly harmless, but capable of unleashing a torrent.
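A minimal model of the rounding discipline described above, written as an added example for this page (it is not Balancer's code and not from the original article). It assumes an 18-decimal fixed-point scale, a scaling factor of 1.05, and a model in which the upscaled value is what gets credited to the caller; the function names and the batch values are constructed for illustration.

```python
from fractions import Fraction

ONE = 10**18  # assumed 18-decimal fixed-point unit


def upscale_down(amount: int, factor: int) -> int:
    """Fixed-point multiply that always truncates (rounds down)."""
    return amount * factor // ONE


def upscale_nearest(amount: int, factor: int) -> int:
    """Fixed-point multiply that rounds half up, so it sometimes rounds up."""
    return (amount * factor + ONE // 2) // ONE


def batch_drift(amounts, factor, upscale) -> Fraction:
    """Sum of (rounded - exact) over a batch of operations.

    A positive result means the batch as a whole was credited more than
    the exact arithmetic allows, i.e. rounding created value.
    """
    drift = Fraction(0)
    for a in amounts:
        drift += upscale(a, factor) - Fraction(a * factor, ONE)
    return drift


def rounds_conservatively(amounts, factor, upscale) -> bool:
    """Invariant a test suite can assert: no step credits more than exact."""
    return all(upscale(a, factor) * ONE <= a * factor for a in amounts)


# Constructed sample: 100 small operations combined into one batch.
FACTOR = 1_050_000_000_000_000_000  # 1.05 in 18-decimal fixed point
BATCH = [9, 10, 11, 17, 19] * 20

if __name__ == "__main__":
    for fn in (upscale_down, upscale_nearest):
        print(fn.__name__,
              "drift =", batch_drift(BATCH, FACTOR, fn),
              "conservative =", rounds_conservatively(BATCH, FACTOR, fn))
```

Running the same invariant as a property test over randomized amounts and factors, for every rounding helper on a value-transfer path, is how this class of discrepancy is caught before deployment.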

The Timeline: From Discovery to Damage Control

The exploit, discovered on November 3, 2025, quickly escalated, targeting Balancer v2 Stable Pools and Composable Stable (CSP) v5 Pools across multiple blockchains, including Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic. Initial estimates of $70 million ballooned to over $128 million within hours. The attack targeted Balancer Pool Tokens (BPT), manipulating pool prices during batch swaps.

The Aftermath: Recovery Efforts and DeFi's Vulnerability

Balancer and its security partners sprang into action, pausing affected pools, disabling new pool creation, and halting rewards for vulnerable pools. They even offered a 20% white hat bounty. Some funds were recovered, thanks to the efforts of StakeWise, BitFinding, and Base MEV bots, amounting to millions. Berachain validators halted their network to prevent further damage. It's like a frantic, multi-team effort to bail out a sinking ship.

Why This Matters: A Wake-Up Call for DeFi

This exploit isn't just about Balancer; it highlights a fundamental challenge in DeFi: the composability paradox. The same features that enable innovation also multiply systemic risk. As one security expert put it, it was a "trust collapse, not just a hack." Even protocols with multiple audits can harbor hidden vulnerabilities. This incident underscores the need for stronger risk management infrastructure in the DeFi space and a more nuanced understanding of smart contract risk.

The Human Element: Trust and Credibility

Beyond the technical aspects, this incident underscores the importance of trust and credibility in the decentralized world. As one developer pointed out, people follow people they trust, not just whitepapers. Projects led by visible, consistent, and credible builders are more likely to succeed. The Balancer exploit serves as a stark reminder that in DeFi, resilience is never guaranteed, not even after eleven audits.

Looking Ahead: A More Resilient DeFi?

The Balancer exploit was a painful lesson, but it's also an opportunity to learn and build a more resilient DeFi ecosystem. Stronger risk management, a deeper understanding of smart contract vulnerabilities, and a focus on trust and credibility are essential. It's like DeFi is going through its awkward teenage years, full of growing pains, but with the potential to mature into something truly remarkable. And who knows, maybe Balancer will even make a comeback story worthy of a Hollywood script!

Original source: bitemycoin