Balancer (v2 + v3)
Deployments: Arbitrum · —
Risk profile at a glance
1 red · 5 yellow · 6 green
Categories & evidence
184 factors · 13 categories
Code & audits Yellow 21 25 of 25
RD-F-003 red Resolved-without-proof findings Trail of Bits flagged a similar rounding-direction issue (finding TOB-BALANCER-004 in the Oct 2021 Linear Pools audit) as 'undetermined severity' rather than treating it as exploitable and requiring a code fix. It was not marked 'Resolved' with on-chain proof of remediation. This downgrade pattern led to the finding being effectively ignored: the Aug 2023 exploit ($2.1M) and the Nov 2025 exploit ($128M) both confirmed that the same root-cause class (rounding direction in pool math) was live and exploitable. A finding that was flagged, downgraded, and then repeatedly exploited is a clear failure under the resolved-without-proof category. v3: Certora 2026-01 reportedly found no findings of severity >= medium.
RD-F-001 yellow Audit scope mismatch v2 (higher-risk): Trail of Bits Sept 2022 ComposableStablePool audit explicitly excluded the Stable Math library from scope; Certora 2022 FV verified solvency invariants but did not verify rounding behavior or swap reversibility. The Nov 2025 $128M exploit used the _upscaleArray rounding direction in the excluded Stable Math library. v2 Boosted Pools / Linear Pools were never in any audit scope across 11 engagements. v3: Pre-launch audits (Certora 2024-09, Spearbit 2024-10, ToB 2024-10) covered deployed Vault/Weighted/Stable bytecode before the Dec 2024 launch; the Certora 2026-01-26 comprehensive assessment found no critical findings. Scored yellow (not red) because the v2 core Vault deploy commit is covered; the gap is pool math library coverage depth.
RD-F-002 yellow Audit recency v2 (higher-risk): The last audit covering the currently-deployed core v2 pool contracts (ComposableStablePool) was Trail of Bits, Sept 2022 (~44 months before the assessment date of 2026-05-05). The 2023-05 Certora FV covered the deprecated TimelockAuthorizer only. v3: Certora comprehensive assessment dated 2026-01-26 (~99 days before assessment). Scoring against v2 = yellow (~44 months since the last full audit of deployed pool code, well above a 12-month threshold).
RD-F-006 yellow Audit-to-deploy gap v2: OZ audit ended 2021-03-15; deploy 2021-04-20 = ~36 days (within the 60d threshold). v3: Core audits (Certora 2024-09, Spearbit 2024-10-04, ToB 2024-10-08) completed before the Dec 11 2024 launch. However, both Cantina competition reports (2024-12-17 pre-competition and 2024-12-31 post-competition) post-date the Dec 11 launch; the post-competition report completing after launch means the code was live before the full competition audit was complete. This is a yellow condition for v3.
RD-F-008 yellow Ignored bounty disclosure The Aug 2023 exploit: whitehatter GothicShanon89238 submitted the rounding vulnerability to Immunefi on Aug 11 2023; Balancer issued warnings and began pool migration, but the exploit occurred Aug 27 before completion. Balancer paid a $1M bounty. This is not a case of ignoring the disclosure; they responded and paid. However, the November 2025 $128M exploit used the same root-cause class (rounding direction) in a different pool type (ComposableStablePool), suggesting the 2023 remediation did not fully address the underlying vulnerability class. This repeat-class pattern is a yellow here (not fully ignored, but remediation incomplete).
RD-F-009 yellow Formal verification coverage v2: Certora 2021-04 FV (Vault), Certora 2022-09 FV (ComposableStablePool). The 2022 FV proved high-level solvency invariants (sum of BPT <= totalSupply; no BPT minted without asset increase) but explicitly did not verify rounding behavior or swap reversibility, the missing properties that would have caught the Nov 2025 exploit. v3: Certora 2024-09 FV (Vault, Weighted, Stable) plus the Certora 2026-01 comprehensive assessment, reportedly with no critical findings. v3 FV incorporates lessons from the v2 exploit (per Certora's post-exploit blog, roundtrip swap invariance and BPT share-value preservation properties would have caught the bug). FV coverage exists, but the v2 FV had critical gaps proven by the exploit.
RD-F-014 yellow Reentrancy guard on external-calling functions v2: Vault uses a custom reentrancy lock (not OZ nonReentrant). A read-only reentrancy vulnerability class was identified across v2 integrations (Balancer forum 'reentrancy-vulnerability-scope-expanded', 2022); Balancer v2 published a scope expansion to notify integrators. v3 (higher risk): Only the _swap, _addLiquidity and _removeLiquidity internal functions have reentrancy guards. Hook callbacks (onBeforeSwap, onAfterSwap, onBeforeAddLiquidity, etc.) are explicitly reentrant by design; the docs state 'it is possible to reenter the Vault as part of a hook execution.' Third-party hook contracts create an open-ended reentrancy surface for custom logic. This is intentional but represents elevated risk compared to a fully non-reentrant protocol.
RD-F-016 yellow Divide-before-multiply pattern The Nov 2025 exploit involved a rounding-direction error in FixedPoint.mulDown() within _upscaleArray, analogous to the divide-before-multiply class (precision loss favoring the attacker). Certora's post-exploit analysis confirmed the value was 'rounded down when it should have been rounded up.' While not a literal Slither divide-before-multiply detector hit, the underlying precision-direction issue is the same root cause. This class of arithmetic precision error has caused two exploits (2023 $2.1M, 2025 $128M). No published Slither divide-before-multiply finding is available; scored yellow based on confirmed exploit evidence of the same pattern.
RD-F-017 yellow Mixed-decimals math without explicit scaling Balancer v2/v3 do use explicit token scaling (upscaleArray/downscaleArray, rate providers) to normalize tokens with different decimal precision to 18-decimal WAD format. However, the Nov 2025 exploit occurred *within* this scaling framework: a rounding-direction error in the scaling function itself. The scaling architecture is well-designed but the implementation had a precision-direction error. This factor asks about the presence of explicit scaling (which exists), but the exploit shows the scaling implementation had a defect. Scored yellow: scaling exists but proved insufficient.
RD-F-018 yellow Signed/unsigned arithmetic confusion v2 uses Solidity 0.7.1, which lacks overflow protection by default (pre-0.8.x). Balancer v2 uses a custom FixedPoint library for all math. The vendored OZ SafeMath is available in v2-solidity-utils, but the extent of its application across all pool contracts requires tool inspection. No signed/unsigned confusion finding at high/critical severity appears in published v2 audits (11 engagements). However, the absence of SafeMath-by-default on a 0.7.x codebase is a structural risk. v3 uses 0.8.26 (overflow protection by default; this sub-factor is green for v3). Scoring against v2 (higher risk) = yellow.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts v3 contracts (Vault, VaultExtension, core routers) were NOT in Immunefi bounty scope at v3 launch (Dec 2024). The BIP-758 proposal added v3 contracts to scope post-launch, so the highest-TVL v3 contracts had a bounty scope gap during their initial deployment period. Current status: v3 is now in scope per BIP-758. BIP-687 uncertainty about the responsible party under the Labs wind-down is an ongoing concern. The Aug 2023 exploit confirms that when bounty scope covers the affected contracts, bounties work (whitehatter paid $1M). The period of v3 being out of scope is a historical gap, now partially remediated.
RD-F-010 gray Static-analyzer high-severity count No published Slither, Mythril, or Semgrep static analysis output for Balancer v2 or v3 deployed bytecode was found in public sources. The v2 repo uses foundry with fuzz_runs:9999 (Echidna-equivalent fuzzing confirmed per data cache). Trail of Bits 2021 audits used Echidna, finding TOB-BALANCER-004. No systematic CI-integrated static analyzer output has been publicly released. Requires a tool run on deployed bytecode to score this factor.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Balancer v2 pool contracts are immutable deployments from factories; there is no UUPS proxy pattern. The v3 Vault uses delegatecall to hardcoded VaultExtension/VaultAdmin addresses (set in the constructor), not a UUPS upgradeable proxy. No UUPS _authorizeUpgrade pattern exists in either version. N/A is appropriate: this factor measures a specific proxy pattern that Balancer does not use.
RD-F-023 n/a Constructor calls _disableInitializers() Balancer v2 and v3 core contracts do not use the OZ Initializable upgradeable proxy pattern. _disableInitializers() is an OZ 4.x+ pattern for implementation contracts behind UUPS proxies. Since neither v2 nor v3 pools/Vault use the OZ upgradeable proxy pattern, this factor does not apply.
RD-F-024 gray Code complexity vs audit coverage No LOC/audit-day metric is available for this assessment without a tool run. Balancer has 24 audit engagements across 6 firms; the coverage breadth is exceptional. However, the confirmed exploits of code areas excluded from audit scope (Stable Math library; Boosted Pools/Linear Pools never audited) suggest complexity exceeded coverage in specific sub-modules. Exact cyclomatic complexity or LOC per audit-day ratio requires tool inspection not available in this static assessment.
RD-F-004 green Audit count v2: 4 distinct audit firms (OpenZeppelin 2 engagements, Trail of Bits 5 engagements, Certora 3 engagements, ABDK 1 engagement) = 11 total engagements. v3: 4 distinct firms (Certora 9 engagements, Spearbit 1, Trail of Bits 1, Cantina 2 competition audits) = 13 total engagements. Combined: 6 distinct firms (OpenZeppelin, Trail of Bits, Certora, ABDK, Spearbit, Cantina), 24 audit engagements. Excellent coverage by industry standards.
RD-F-005 green Audit firm tier All firms engaged are Tier-1 or established specialists: Trail of Bits (top-tier security firm), OpenZeppelin (top-tier), Certora (top-tier formal verification provider), Spearbit (top-tier, high-profile engagements), Cantina (competitive audit platform used by top protocols), ABDK (established math-focused auditor; one v2 engagement). No boutique-only or unknown-firm coverage.
RD-F-007 green Bug bounty presence & max payout Active Immunefi program with $1,000,000 maximum payout (10% of funds at risk, capped at $1M). Program confirmed live as of 2026-04-27 (last update date per Immunefi). 38 assets in scope. v3 contracts added via BIP-758. Concern: BIP-687 proposed transitioning bounty management to DAO under Labs wind-down; responsible party uncertainty exists but program appears operationally active at assessment date.
RD-F-011 green SELFDESTRUCT reachable from non-admin path v2 Vault (Solidity 0.7.1) and v3 Vault (0.8.26): both use constructor-based deployment; no proxy pattern introduces delegatecall-to-selfdestruct risk. v3 VaultExtension is called via delegatecall from Vault but to a hardcoded address set in Vault constructor — not user-supplied. No published audit finding identifies a reachable selfdestruct from a non-admin path in v2 or v3 core contracts. Assessment is [?] confidence due to no tool run.
RD-F-012 green delegatecall with user-controlled target v2 Vault: no delegatecall with user-controlled target. Pool factories create immutable pool contracts. v3: Vault delegates to VaultExtension/VaultAdmin at hardcoded constructor-set addresses — not user-controllable. AuthorizerAdaptor routes admin calls but scope is admin-restricted. No published high/critical audit finding of user-controlled delegatecall target in v2 or v3 core. Confidence [?] without tool run.
RD-F-013 green Arbitrary call with user-controlled target v2 Batch Relayer (ToB 2022-05 audit): by design allows chained operations, but restricted to predefined relayer operations; no arbitrary call with user-supplied target and data. v3 hooks: addresses are immutable per pool post-registration, not user-controllable at call time. No critical finding of arbitrary call(target, data) without allowlist in v2 or v3 published audits. Confidence [?] without tool run.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Balancer explicitly excludes non-standard ERC-20 tokens (ERC-777 callback tokens, rebasing tokens, fee-on-transfer tokens) from protocol compatibility. The Immunefi scope exclusion confirms 'Non-standard ERC20 tokens...exhibiting unexpected behavior' are out of scope. No ERC-777/ERC-1155/ERC-721 token hook integration without reentrancy guards found in core protocol.
RD-F-019 green ecrecover zero-address return unchecked Balancer v2/v3 core AMM contracts (Vault, pool contracts) do not use ecrecover for security-critical AMM paths. EIP-712 permit is used in periphery (Batch Relayer, v3 Router). No published high/critical finding of unchecked ecrecover return in v2 or v3 audits across 24 audit engagements. Confidence [?] without tool run on all periphery contracts.
RD-F-020 green EIP-712 domain separator missing chainId Balancer v2 operates on multiple chains with the same vanity Vault address (0xBA1222...); EIP-712 domain separators include chainId to prevent cross-chain replay. This is standard v2 design. No published finding of missing chainId in EIP-712 domain separator. ToB 2022 Batch Relayer audit covers signature contexts — no chainId issue at high severity found.
RD-F-022 green Public initialize() without initializer modifier v2: ComposableStablePool uses struct-based constructor (not OZ Initializable proxy); Vault uses standard constructor (Solidity 0.7.1, Etherscan exact match confirmed). No public initialize() without initializer modifier found. v3: VaultExtension has an 'initialize' function for pool initialization but it is gated by 'onlyVaultDelegateCall' modifier — callable only via the Vault's delegatecall, not as a direct public call to the implementation address. This is not equivalent to the RD-F-022 pattern (which requires no protection). No one-tx exploit vector via unprotected initialize() found in either v2 or v3.
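The rounding-direction class behind RD-F-009, RD-F-016 and RD-F-017 is easiest to see as a property check rather than prose. The following Python model is an added example, not Balancer code: it reproduces the rounding semantics of Balancer-style WAD fixed-point helpers (mulDown/mulUp/divDown/divUp) and decimal-plus-rate token scaling, then runs the roundtrip swap invariance property that Certora's post-exploit analysis identified as the missing check. The pool math is a deliberate stand-in (1:1 in scaled units) so the only source of drift is rounding direction; the 1.5 rate, the 6- and 18-decimal tokens and the amount ranges are constructed assumptions.

```python
"""Round-trip swap invariance check at the token-scaling boundary.

Added illustration, not Balancer code. WAD fixed-point helpers follow the
rounding semantics of Balancer's FixedPoint library (mulDown/mulUp/divDown/divUp);
token scaling by decimals and rate-provider rate follows the same shape as
upscale/downscale. The pool itself is a deliberate stand-in that trades 1:1 in
scaled 18-decimal units, so the only source of value drift is rounding direction.
"""

WAD = 10**18


def mul_down(a: int, b: int) -> int:
    return a * b // WAD


def mul_up(a: int, b: int) -> int:
    p = a * b
    return 0 if p == 0 else (p - 1) // WAD + 1


def div_down(a: int, b: int) -> int:
    return a * WAD // b


def div_up(a: int, b: int) -> int:
    return 0 if a == 0 else (a * WAD - 1) // b + 1


def scaling_factor(decimals: int, rate_wad: int = WAD) -> int:
    """Normalise a token to 18 decimals, then apply its rate-provider rate (WAD-scaled)."""
    return mul_down(WAD * 10 ** (18 - decimals), rate_wad)


def swap_given_in(amount_in: int, sf_in: int, sf_out: int, pool_favoring: bool = True) -> int:
    """Swap `amount_in` raw units of the in-token for raw units of the out-token.

    pool_favoring=True  : upscale what the user hands over rounding DOWN, downscale what
                          the user receives rounding DOWN (pool never credits/pays out extra).
    pool_favoring=False : both directions flipped, i.e. the wrong-rounding-direction class.
    """
    scaled_in = mul_down(amount_in, sf_in) if pool_favoring else mul_up(amount_in, sf_in)
    scaled_out = scaled_in  # stand-in pool math: 1:1 in scaled units
    return div_down(scaled_out, sf_out) if pool_favoring else div_up(scaled_out, sf_out)


def roundtrip_profit(amount_in: int, sf_a: int, sf_b: int, pool_favoring: bool = True) -> int:
    """A->B, then swap the whole B proceeds back to A. Positive result = value leaked to the trader."""
    got_b = swap_given_in(amount_in, sf_a, sf_b, pool_favoring)
    got_a = swap_given_in(got_b, sf_b, sf_a, pool_favoring)
    return got_a - amount_in


def find_leak(sf_a: int, sf_b: int, amounts, pool_favoring: bool = True):
    """Property check: first (amount, profit) whose round trip pays out more than it took in, else None."""
    for x in amounts:
        p = roundtrip_profit(x, sf_a, sf_b, pool_favoring)
        if p > 0:
            return (x, p)
    return None


# Constructed sample tokens: an 18-decimal yield-bearing token with an assumed rate of 1.5
# (rate provider returning 1.5e18) and a 6-decimal stablecoin with rate 1.0.
SF_YIELD = scaling_factor(18, 15 * 10**17)
SF_USDC = scaling_factor(6)

if __name__ == "__main__":
    amounts = list(range(1, 2000)) + [10**6, 10**12, 10**18 + 1]
    print("pool-favoring rounding, leak found:", find_leak(SF_YIELD, SF_USDC, amounts))
    print("pool-favoring rounding, reverse  :", find_leak(SF_USDC, SF_YIELD, amounts))
    print("user-favoring rounding, leak found:", find_leak(SF_YIELD, SF_USDC, amounts, pool_favoring=False))
```

With pool-favoring rounding the round trip can never return more than it took in (each floor only shrinks the scaled amount), so find_leak returns None in both directions. With the directions flipped, a single wei of the yield token becomes one micro-unit of the 6-decimal token and comes back as 666,666,666,667 wei: the 12-decimal scaling gap amplifies a 1-unit rounding error into a large leak, which is the mechanism RD-F-017 describes (scaling present, direction wrong).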
Governance & admin Yellow 35 24 of 24
RD-F-032 red Timelock duration on upgrades NO ACTIVE TIMELOCK. The v2 Vault's current Authorizer is AuthorizerWithAdaptorValidation (0x6048A8c631Fb7e77EcA533Cf9C29784e482391e7), which has no timelock logic; confirmed by Etherscan source inspection (no getMinDelay() or timelock functions). The TimelockAuthorizer (0x9E3cD0606...) is flagged DEPRECATED in balancer-deployments mainnet.json and is NOT registered as the Vault's Authorizer. Data cache confirms timelock_delay_seconds: null. Effective timelock delay = 0.
RD-F-033 red Timelock on sensitive actions Since no active timelock exists (RD-F-032 red): mint (BalancerTokenAdmin; rate-limited by the emission schedule but with no tx-level delay), pause (Emergency subDAO; immediate), fee collection (ProtocolFeesCollector; no delay), permission grants (AuthorizerWithAdaptorValidation; no delay). None of these sensitive action types enforces a timelock delay. The deprecated TimelockAuthorizer is not in the execution path.
RD-F-038 red Proposal execution delay < 24h No on-chain governor contract with voting delay/period. Data cache: governor_address: null, timelock_delay_seconds: null. Governance is Snapshot off-chain. Once a Snapshot vote passes, the 6-of-11 multisig can execute immediately; no programmatic on-chain delay is enforced. Effective on-chain execution delay = 0 seconds.
RD-F-041 red Rescue/emergencyWithdraw without timelock [★ CRITICAL] No timelock on the v2 Vault Authorizer path. Privileged admin functions (fee collection from ProtocolFeesCollector, setting protocol fee percentages, granting/revoking permissions) are executable by the 6-of-11 DAO Multisig without any enforced delay. v3 VaultAdmin pause is executable immediately by the Emergency subDAO (3-of-7) with no timelock. The TimelockAuthorizer was built but is DEPRECATED and disconnected from the Vault. Any 6-of-11 consensus (or compromise) can execute immediately with no user exit window.
RD-F-047 red Governance token concentration (Gini) Aura Finance controls approximately 68% of all veBAL, making it the dominant meta-governance protocol. Balancer co-founder Fernando Martinelli cited this in the March 2026 Labs wind-down announcement as veBAL being 'captured by meta-governance protocols like Aura and bribe markets that made voting unrepresentative of actual Balancer front line contributors.' Top-3 holders (Aura + bribe-market accumulation) control a majority of effective governance power. veBAL is the operative governance token for Snapshot votes.
RD-F-025 yellow Admin key custody type Admin custody type is multisig without timelock. AuthorizerWithAdaptorValidation (0x6048A8c631Fb7e77EcA533Cf9C29784e482391e7) delegates permissions to the DAO Multisig (6-of-11 Gnosis Safe). No timelock is active on the v2 Vault authorizer path. v3 VaultAdmin pause is Emergency subDAO (3-of-7). Categorical classification: multisig without timelock.
RD-F-028 yellow Low-threshold multisig vs TVL DAO Multisig 6-of-11 is adequate for $115M TVL. However, the Emergency subDAO threshold was reduced from 4-of-7 to 3-of-7 per BIP-883, below the peer norm for emergency bodies at this TVL. BIP-907 (Jan 2026) proposed replacing 4 of 11 signers; Snapshot vote February 2026, passage not confirmed. The 11 signers are documented external delegates from distinct organizations.
RD-F-031 yellow Signer rotation recency BIP-907 (January 2026) proposed replacing 4 of 11 signers. The Snapshot vote was posted February 6, 2026, approximately 90 days ago. BIP-911 (Q1 2026) proposed an Emergency subDAO signer swap. Rotations appear to be normal maintenance. No threshold reduction pattern. Signer changes within 90 days warrant yellow per the methodology cadence definition.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Upgrade/configuration: DAO Multisig (6-of-11) via Authorizer. Fee collection: ProtocolFeesCollector (0xce886865...), a separate contract. Treasury: Treasury Multisig (5-of-7, 0x0EFcCBb9...). Oracle/rate-provider config: pool-level, not a single protocol role. OpCo Safe (3-of-4) for operational spending. Some concentration at the DAO Multisig level across configuration types. Not full role separation across all three dimensions.
RD-F-040 yellow Emergency-veto multisig present Emergency subDAO (0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888, 3-of-7) holds kill-gauge, enable-recovery-mode, and pool-pause powers. It functions as emergency response, not as a formal proposal-veto mechanism. No on-chain governor exists to cancel proposals from, so the veto concept does not apply. The emergency body is distinct from the DAO Multisig. Powers are bounded to defensive actions (cannot drain funds).
RD-F-042 yellow Admin has mint() with unlimited max BAL minting via BalancerTokenAdmin (0xf302f9F50958c5593770FDf4d4812309fF77414f) follows an epoch-based emission schedule with time decay (RATE_REDUCTION_COEFFICIENT = 2^(1/4) annually). No hard supply cap, but rate-limited by schedule: the admin cannot mint unlimited tokens in a single transaction and cannot arbitrarily inflate supply without following the schedule. BAL emissions are proposed to end entirely per the March 2026 tokenomics revamp BIPs (Snapshot vote). BalancerTokenAdmin access is gated through the Authorizer (multisig-controlled).
RD-F-167 yellow Deprecated contract paused but pause reversible by live admin The v2 TimelockAuthorizer (0x9E3cD0606...) is DEPRECATED in the deployments registry and not connected to the Vault. The original Authorizer (0xA331D84eC860...) is also superseded. These are authorization contracts (not TVL-holding contracts). They are not formally paused; they are simply bypassed by routing through the current AuthorizerWithAdaptorValidation. The DAO Multisig still theoretically holds the pause role on these deprecated contracts. No evidence of significant TVL held by deprecated authorization contracts.
RD-F-029 gray Multisig signers co-hosted The 11 signers represent organizations across multiple jurisdictions (LayerZero, BGD, Paraswap, Gnosis, Snapshot, Raft, Karpatkey, Blockful/ENS, StakeDAO). Cannot confirm ASN co-hosting or shared infrastructure from available OSINT. Deliberate organizational diversity is documented in the governance docs.
RD-F-030 n/a Hot-wallet signer flag Signer addresses are documented community delegates from established external organizations with multi-year on-chain histories. No hot-wallet pattern evidence identified. Cannot confirm hardware vs software wallet from available data.
RD-F-039 gray delegatecall/call in proposal execution without allowlist Balancer uses Snapshot off-chain voting with no on-chain governor or executor contract. No proposal calldata is submitted to an on-chain governor for execution; the 6-of-11 multisig enacts Snapshot votes as discrete Safe transactions. v3 internal delegatecall uses fixed immutable addresses (VaultExtension, VaultAdmin), not proposal-supplied targets. No on-chain delegatecall proposal execution attack surface exists.
RD-F-026 green Upgrade multisig signer configuration (M/N) DAO Multisig 6-of-11 on Ethereum (0x10A19e7eE7d7F8a52822f6817de8ea18204F2e4f) confirmed via Safe API: threshold=6, owner_count=11. Same 6-of-11 configuration replicated on Arbitrum (0xaF23DC...), Polygon (0xeE071f...), Optimism (0x043f96...), Gnosis (0x2a5AEc...), Avalanche (0x17b11F...), Base (0xC40DCF...). Treasury Multisig 5-of-7 (0x0EFcCB...). All api_status: found.
RD-F-027 green Single admin EOA No EOA holds any admin role. DAO Multisig is a Gnosis Safe (6-of-11). Deployer EOA is not the current admin — multisig control established at v2 launch April 2021. All privileged roles confirmed via Safe API as contract addresses (Gnosis Safe), not EOAs.
RD-F-034 green Guardian/pause-keeper distinct from upgrader Emergency subDAO (0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888, 3-of-7) is distinct from the DAO Multisig (6-of-11, 0x10A19e7e...). Emergency subDAO holds pause/killGauge/recovery-mode powers; DAO Multisig holds parameter/permission configuration powers. Roles are explicitly distinct addresses confirmed by governance docs.
RD-F-036 green Flash-loanable voting weight veBAL (0xC128a9954e6c874eA3d62ce62B468bA073093F25) uses vote-escrow with checkpoint-based historical balance via balanceOfAt(address, block). Voting power is time-locked, decays linearly. Smart contract depositors are explicitly disallowed. Governance is Snapshot off-chain — no on-chain governor contract that could be flash-loan attacked. Flash-loan voting attack is architecturally impossible.
RD-F-037 green Quorum achievable via single-entity flash loan Governance uses Snapshot off-chain with veBAL (locked token). No on-chain governor quorum achievable via flash loan. Lock period requirement prevents instant veBAL acquisition even if BAL flash loans were available. Quorum 2M veBAL minimum.
RD-F-043 green Admin = deployer EOA after 7 days v2 launched April 2021; the DAO Multisig has been admin since launch per governance documentation. The deployer EOA is not the current admin. ~61 months since the v2 deploy. Governance docs state 'limited admin powers initially granted to a Multisig.' No deployer-EOA admin retention at any point post-launch.
RD-F-044 green Admin wallet interacts with flagged addresses 11 signer addresses are documented community delegates from established organizations (LayerZero, BGD, Paraswap, Gnosis, Snapshot, Raft, Karpatkey, Blockful/ENS, StakeDAO). No evidence of interactions with OFAC-listed or known-rug addresses. No flagged interactions identified in available OSINT.
RD-F-045 green Constructor args match governance proposal BIP-734 approved v3 launch. Deployment tasks in balancer-deployments repository (20241204-v3-vault) contain deployed addresses matching launch announcement. v3 deployed December 11, 2024 consistent with BIP-734. No evidence of material constructor arg deviation from proposal.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts are Etherscan-verified with Exact Match status. Confirmed: v2 Vault (0xBA12222...) — Solidity 0.7.1 exact match; v2 AuthorizerWithAdaptorValidation (0x6048A8c6...) — Solidity 0.7.1 exact match; v3 Vault (0xbA133333...), v3 VaultExtension (0x0E8B0765...), v3 VaultAdmin (0x35fFB749...) all verified. Multiple v3 contracts verified Nov-Dec 2025 per Etherscan.
Oracle & external dependencies Yellow 31 17 of 17
RD-F-051 red Fallback behavior on oracle failure No protocol-level fallback behavior on rate provider failure. v2: if getRate() reverts, the affected pool's swap/join/exit reverts. The ComposableStablePool rate caching mechanism does NOT include a try/catch fallback to a secondary oracle; it reverts on exception. Docs recommend ExternalCallLib try/catch for Linear Pool implementations, but this was not uniformly enforced in deployed pools. v3: rates are refreshed via reloadBalancesAndRates() on each operation; a failing rate provider reverts the operation for that pool. No last-known-price or secondary-oracle fallback exists in either version.
RD-F-057 red Circuit breaker on price deviation No circuit breaker on rate provider outputs in v2 or v3. Rate values returned by rate providers (Aave, wstETH, ERC-4626, Chainlink) are accepted without any deviation guard relative to a reference source. v2 ComposableStablePool implements a rate cache with configurable cache duration (preventing stale reads), but this is NOT a deviation circuit breaker: it does not reject rates that deviate abnormally from prior values. No maxDeviationBps or priceGuard pattern was found in Balancer v2 or v3 core contracts.
RD-F-049 yellow Oracle role per asset Single rate provider per yield token per pool in both v2 and v3. No secondary or fallback oracle at the protocol level. v2 ComposableStablePool: one rate provider per token slot (primary only). v3: one rate provider per token slot at pool registration (immutable post-registration). The v3 Geomean Oracle Hook uses no fallback oracle. No protocol-defined failover exists if the primary rate provider fails.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis is partially documented through exploit post-mortems and architecture docs. Key failure modes: (1) Aave rate failure → swap/join/exit freeze on the affected Boosted Pool; (2) wstETH rate failure → wstETH pool pricing disruption; (3) ERC-4626 vault exploit → Linear Pool misvaluation; (4) v3 hook oracle failure → swap reverts for that pool. The August 2023 ($2.1M) and November 2025 ($128M) exploits provide empirical breakage evidence for the rate-math path. No single formal breakage-analysis document exists, but major dependencies are covered in audit reports and post-mortems.
RD-F-059 yellow Oracle staleness check present Partial staleness protection. v2 ComposableStablePool implements a rate cache with configurable cache duration: if the cache is older than the configured duration, a fresh rate is fetched from the rate provider. This is a pseudo-staleness mechanism on the cache, not a strict updatedAt check on the underlying oracle feed. The underlying Chainlink feeds (ETH/USD 3600s heartbeat, BTC/USD 3600s, USDC/USD 82800s) have their own SLAs, but Balancer does not enforce them on-chain. v3 fetches fresh rates on every operation via reloadBalancesAndRates(), so there is no cache staleness risk, but also no heartbeat enforcement on the underlying oracle data source.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig Chainlink rate providers (ChainlinkRateProvider, ChainlinkRegistryRateProvider) call latestRoundData() but do not implement minAnswer/maxAnswer checks at the Balancer adapter layer. For yield-rate use cases (wstETH/ETH ratio, aToken/underlying ratio), minAnswer/maxAnswer bounds are less operationally critical, since the rate is always near 1.0 by design. The Chainlink USD-price feeds listed in the data cache (ETH/USD 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419, BTC/USD 0xF4030086522a5bEEa4988F8cA5B36dbC97BeE88c) appear to be for downstream consumers of Balancer TWAP, not used by Balancer internally. Cannot verify per-feed minAnswer/maxAnswer without direct on-chain reads.
RD-F-180 yellow Immutable oracle address [★ CANDIDATE — held per T-12 PD-017; flag for T-14 review] v2: rate providers (oracle addresses) are configurable by pool admins, not immutable. The v2 Vault Authorizer is replaceable via setAuthorizer() (confirmed in the IVault interface), and the current AuthorizerWithAdaptorValidation (0x6048A8c631Fb7e77EcA533Cf9C29784e482391e7) was itself set this way. v2 rate provider cache durations can be updated by governance. However, rate-provider changes in v2 currently lack a timelock (TimelockAuthorizer was deprecated; the current Authorizer has no enforced delay). v3: rate providers are immutable per pool at registration, but new pools can be deployed with corrected configurations, so the immutability is per-pool, not protocol-level. Overall: oracle/rate-provider addresses are configurable in v2 (yellow: configurable but no timelock) and per-pool immutable in v3 (yellow: a new pool is needed to correct). Neither meets green (configurable with timelock).
RD-F-054 n/a TWAP window duration N/A: Balancer does not consume TWAP oracles internally. The v2 WeightedPool TWAP oracle (min 2 min, max ~34.1 hrs) is provided FOR external consumers, not used by Balancer for swap pricing. The v3 Geomean Oracle Hook (customizable window up to 30 days) similarly outputs data for external consumers. This factor asks about TWAP windows Balancer consumes; Balancer's internal invariant math has no TWAP window parameter.
RD-F-055 n/a Oracle pool depth (USD) N/A: Balancer does not read from external DEX liquidity pools as an oracle consumer. Balancer is the liquidity pool. The pool depth measurement (for oracle manipulation resistance) does not apply when the protocol uses invariant-math pricing.
RD-F-056 n/a Single-pool oracle (no medianization) N/A: Balancer does not use single DEX pool oracles internally. Rate providers use point-source yield-protocol rates from authoritative sources (wstETH contract, Aave contracts). These are not DEX pool prices that would benefit from medianization; they are conversion rates between a yield-bearing asset and its underlying.
RD-F-058 n/a Max-deviation threshold (bps) N/A: no circuit breaker exists (see RD-F-057 = red). A max deviation threshold is not applicable when no circuit breaker is present.
RD-F-181 n/a Permissionless-pool lending oracle N/A: Balancer is a DEX, not a lending protocol. RD-F-181 asks whether a lending protocol accepts spot prices from permissionlessly-created DEX pools without TWAP/liquidity/age filters. Balancer has no collateral pricing, no borrow/lend mechanics, and no liquidation path that reads oracle prices. Data cache: borrow.present: false. Profile §1: 'Protocol is not a lending protocol, perps protocol, or bridge.'
RD-F-048 green Oracle providers used Balancer v2 and v3 core AMM pricing uses invariant math (pool balances + weights/amplification), not external price oracles. External oracle contact occurs only through rate providers: v2 uses Chainlink (ChainlinkRateProvider), wstETH stEthPerToken(), Aave getRate(), ERC-4626 convertToAssets() per pool configuration. v3 uses Aave ERC-4626 convertToAssets() for Boosted Pools and optional Chainlink adaptor in the Geomean Oracle Hook. Data cache records 19 Chainlink feeds across chains (rate-provider and downstream-consumer uses). All providers are established push oracles or on-chain yield-rate sources with documented SLAs.
RD-F-050 green Dependency graph (protocols depended upon) The external dependency graph is well-understood. v2 key deps: Aave v2/v3 (aToken rate for Boosted Pools), Lido/wstETH (stEthPerToken()), ERC-4626 vault contracts (Linear Pool wrappers), Chainlink (optional ChainlinkRateProvider). v3 key deps: Aave v3 ERC-4626 (Boosted Pools), hook contracts (per pool), Permit2 (router). All deps are highly reliable protocols (Aave, Lido). Dependency scope is per pool: a failure in one rate provider does not cascade to the global Vault. The Vault itself (v2 0xBA12222..., v3 0xbA133333...) has no external oracle dependency for core operations.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] No spot DEX oracle in any Balancer internal pricing path. v2 AMM uses invariant math (pool balances + weights/amplification coefficient) with no external oracle call. v2 rate providers call getRate() on yield protocols (Aave, wstETH, ERC-4626) — not spot DEX pools. v2 WeightedPool TWAP oracle mode outputs TWAP data for external consumers but Balancer does not consume it internally for swap math. v3 AMM uses same invariant approach. v3 Geomean Oracle Hook computes from pool invariant math, not spot price. No liquidation path exists in Balancer (it is a DEX, not a lending protocol). The critical oracle-manipulation vector (reading spot DEX price without TWAP) is absent.
RD-F-061 green LP token balanceOf used for pricing No balanceOf-based LP token pricing in Balancer v2 or v3. v2 Vault manages all token balances in internal accounting structures (not derived from ERC-20 balanceOf()). Swap math uses these internal vault balances. v3 Vault similarly manages token balances via the poolData struct, not ERC-20 balanceOf(). The August 2023 exploit involved rounding in rate math, not balanceOf-based pricing. The November 2025 exploit involved rounding direction error in _upscaleArray, also not balanceOf-based.
RD-F-062 green External keeper/relayer not redundant Balancer does not require keepers or relayers for core AMM operations. Swaps are permissionless — any address can interact with the Vault directly. v2 GaugeController (0xC128468b7Ce63eA702C1f104D55A2566b13D3ABD) distributes gauge emissions but BAL emissions are being ended per March 2026 DAO decision. v3 ProtocolFeeController (0xa731C23D7c95436Baaae9D52782f966E1ed07cc8) manages fee collection but is not a keeper dependency. No single keeper/relayer that causes protocol halting on failure.
Economic risk Red 50 13 of 13
RD-F-067 red Historical bad-debt events Two documented loss events: (1) August 2023 — v2 Boosted Pool rounding exploit, ~$2.1M loss; (2) November 2025 — v2 ComposableStablePool rounding/invariant manipulation across 9 chains, $128M drained. For the Nov 2025 event: ~$28M salvaged via whitehat actions; Balancer distributed ~$8M to affected LPs; ~$19.7M in osETH/osGNO handled separately by StakeWise. Net unrecovered by protocol: ~$100M+. The reimbursement was non-socialized (each pool's recovered funds go only to that pool's LPs) — affected pools had losses of ~87% of drained assets unrecovered. This constitutes uncompensated bad debt at pool level across multiple pools. Two separate events with $130M+ combined loss, majority uncompensated, trigger red under the factor threshold (>=2 events or any uncompensated loss).
RD-F-072 red Market-listing governance threshold Pool creation on Balancer v2 and v3 is permissionless — anyone can deploy a new pool via the registered factory contracts (WeightedPoolFactory, StablePoolFactory, etc.) without a DAO vote, minimum liquidity requirement, or token vetting. Factory addresses are granted permissions via governance (e.g., BIP-910 grants v3 factory permissions across chains), but the act of creating an individual pool through those factories requires no governance approval. This means arbitrary tokens — including scam tokens, low-liquidity tokens, and tokens with malicious transfer logic — can be paired in Balancer pools. LPs who add liquidity to such pools bear full economic risk without protocol-level safeguards. Balancer's prior exploit history (2023 Boosted Pool exploit on a specific pool type variant) demonstrates how the combinatorial risk of pool type + token type can manifest. Permissionless listing earns a red score under the rubric (no threshold required to list).
RD-F-063 yellow TVL (current + 30d trend) Current TVL $115.8M as of 2026-05-05T12:10:03Z per DefiLlama (data cache). 30-day change: -19.99%; 1-day change: -1.91%. TVL exceeds $100M floor (green threshold) but the 30-day decline exceeds 20%, triggering yellow. Pre-November 2025 exploit baseline was ~$775-800M; current represents ~85% decline from that baseline. Ethereum dominates at 74.79% ($86.6M), Arbitrum 6.38%, Monad 5.72%, Base 4.53%, Polygon 3.84%. Long-term ATH was ~$3.5B (2021), a ~97% decline. Trend is structurally negative post-Labs wind-down announcement (March 2026).
RD-F-064 yellow TVL concentration (top-10 wallet share) Top-10 depositor wallet concentration cannot be precisely computed for Balancer without a multi-pool subgraph query across hundreds of separately-tracked BPT contracts. Qualitatively, concentration is elevated: Aura Finance controls a large fraction of veBAL votes (meta-governance capture documented in profile §11) and holds BPTs in the 80/20 BAL/WETH pool. The remaining $115.8M TVL is concentrated 74.79% on Ethereum alone. No single confirmed top-10 wallet breakdown available from data cache (Dune subgraph not queried). Scored yellow as conservative estimate reflecting known Aura concentration and the dramatic TVL decline that has compressed the LP base. If Aura or another large LP exits, remaining pool depth would deteriorate rapidly.
RD-F-065 yellow Liquidity depth per major asset Balancer is the liquidity venue — pool TVL and depth are the same construct. With $115.8M total TVL across hundreds of pools on 13 chains, individual pool depth is thin. The primary governance pool (80/20 BAL/WETH on Ethereum) has seen severe depth erosion alongside the ~85% TVL decline since the Nov 2025 exploit. At current TVL levels, Balancer's aggregate 2% price impact depth is materially lower than in the $500M+ protocol period. The protocol no longer has the pool depth to absorb large liquidations from integrating protocols. No 2% depth figure computed (subgraph unavailable); scored yellow based on TVL-derived proxy.
RD-F-071 yellow Seed-deposit requirement for new market listing No formal 'market listing' mechanism exists on Balancer — it is a DEX. Pools can be permissionlessly created via registered factories. The closest analogue is pool initialization: any user can create a pool and seed it. For v3 boosted pool buffers, the Vault burns minimal initial shares to the zero address during initialization to prevent inflation attacks, providing functional protection. However, there is no enforced minimum seed deposit for pool creation across v2 or v3. The protocol documentation describes pool creation as permissionless. Scored yellow: functional guard exists in v3 for the specific share-inflation attack vector, but no enforced minimum seed deposit for general pool creation.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) Balancer v3 uses ERC-4626 wrapped tokens as pool assets in Boosted Pools and implements pool LP token accounting via the Vault's ERC20MultiToken system (not a standard ERC-4626 vault itself). For ERC-4626 buffer initialization in v3, the protocol burns minimal initial shares to the zero address as an anti-inflation mechanism — functionally equivalent to the OpenZeppelin >=4.9 virtual-share offset but implemented as a custom pattern in the Balancer v3 Vault, not using OZ's exact implementation. v2 Linear Pools (the deprecated ERC-4626 integration in v2) did not have equivalent virtual-share protections; those pool types are now deprecated following the Nov 2025 exploit. Scored yellow: custom mitigation present in v3 (not OZ >=4.9 specifically), absent in v2 Linear Pools (deprecated).
RD-F-075 yellow First-depositor / share-inflation guard v3 Vault implements four first-depositor guard mechanisms: (1) minimal share burn to zero address during ERC-4626 buffer initialization; (2) _MINIMUM_TRADE_AMOUNT threshold preventing sub-minimum operations; (3) _MINIMUM_WRAP_AMOUNT threshold for ERC-4626 wrap/unwrap operations; (4) consistent rounding in favor of the protocol rather than the user. These together constitute a composite guard against share-inflation attacks on v3. For v2 pool types, first-depositor protections are not confirmed across all pool types — particularly the now-deprecated LinearPool and the ComposableStablePool (which was the exploit target in Nov 2025). Since v2 represents the dominant share of current $115.8M TVL, the higher-risk version (v2, less protected) governs the score. Scored yellow: explicit guard confirmed in v3, not confirmed across all v2 pool types still holding TVL.
RD-F-066 gray Utilization rate (lending protocols) Not applicable. Balancer is a DEX (AMM) with no lending markets, borrow/supply ratios, or utilization rates. The data cache confirms borrow.present=false, total_supplied_usd=null, total_borrowed_usd=null, utilization_rate_pct=null.
RD-F-068 gray Collateralization under stress Not applicable. Balancer is a DEX (AMM) with no lending or collateralization model. LP positions are directly backed by pooled assets without leverage; impermanent loss is a feature of AMM design but not a collateralization ratio subject to stress testing under this factor.
RD-F-069 gray Algorithmic / under-collateralized stablecoin Not applicable. Balancer does not issue or manage a stablecoin. BAL is a governance token and is not pegged. No algorithmic or under-collateralized stablecoin component exists in the protocol.
RD-F-070 gray Empty cToken-style market (zero supply/borrow) Not applicable. Balancer is not a Compound V2-style lending fork and has no cToken markets, totalSupply()/totalBorrow() market accounting, or donation-exploit surface in the classic sense. ERC-4626 share-inflation risk for v3 boosted pool buffers is addressed under RD-F-074 and RD-F-075. Per profile §5 (Fork Lineage): Balancer v2 and v3 are original protocols not forked from Compound. Critical ★ factor: N/A (gray).
RD-F-073 gray Oracle-manipulation-proof borrow cap Not applicable. Balancer has no borrow markets and therefore no borrow caps. The oracle-manipulation-proof borrow cap factor is specific to lending protocols where flash-loan oracle manipulation can be used to inflate collateral value and max out a borrow against it. This attack surface does not exist on Balancer's AMM architecture.
Operational history Yellow 47 15 of 15
RD-F-077 red Prior exploit count 3 smart-contract-level exploits: 2020-06-28 v1 STA deflationary token ~$500K; 2023-08-27 v2 Linear Pool rounding ~$2.1M; 2025-11-03 v2 ComposableStablePool rounding ~$128M. Plus 1 DNS/frontend incident 2023-09-20 ~$364K. Aggregate unrecovered smart-contract loss >$130M. Red: ≥2 exploits or any unrecovered loss.
RD-F-078 red Chronic-exploit flag (≥3 incidents) 4 distinct incidents total (2020 v1, 2023-08 v2 SC, 2023-09 DNS, 2025-11 v2 SC); 3 smart-contract-level incidents alone meet ≥3 threshold. CHRONIC badge per PD-022 does NOT trigger: the 2023 and 2025 incidents have distinct root-cause clusters (different functions, pool types, vectors) and are 26 months apart. No same-root-cause pair in 24 months.
RD-F-084 red TVL stability (CoV over 90d) DefiLlama daily time-series unavailable (403 structural gap). Estimated from monthly data points: TVL declined from ~$775M (pre-exploit, Oct 2025) to ~$258M (Nov 2025, post-exploit within 2 weeks) to ~$157M (March 2026) to $115.8M (May 2026). Approximate CoV across trailing 6 months ≈ 0.84 (σ ~$230M, μ ~$274M). Red threshold is CoV >0.35. High structural instability is unambiguous.
RD-F-087 red Pause > 7 consecutive days v2 CSPv6 contracts paused 2025-11-03 and placed into Recovery Mode. Factory disabled 2025-11-05. As of 2026-05-05, these contracts remain paused/in Recovery Mode — approximately 183 consecutive days. Red: any pause >7 consecutive days in last 12 months. Met unambiguously.
RD-F-089 red Insurance coverage active No active Nexus Mutual, Sherlock, Unslashed, or equivalent protocol-level insurance coverage confirmed for Balancer. Searches returned no Balancer-specific active cover on any major DeFi insurance platform. Green threshold: ≥5% of TVL = ≥$5.8M active coverage on current $115.8M TVL. Given November 2025 $128M exploit and Labs wind-down, no insurer would realistically offer proportionate cover at this point. Score: red.
RD-F-080 yellow Days since last exploit Most recent incident: 2025-11-03. Days since as of 2026-05-05 = 183 days. Yellow threshold: 90–365 days. Labs wind-down (2026-03-24, 142 days post-exploit) confirms ongoing operational instability but does not change the 183-day count into red territory by the factor's strict threshold.
RD-F-081 yellow Post-exploit response score Nov 2025 incident (most recent): Compensation completeness 2/5 (20% white-hat bounty offered; ~$38.4M of ~$128M recovered; no protocol-level user compensation announced). Transparency 4/5 (preliminary PM Nov 5, full PM Nov 18, multiple independent analyses). Root-cause depth 4/5 (EXACT_OUT _upscale() rounding named; audit scope gap acknowledged). Recovery speed 4/5 (pools frozen within 20 min; factory disabled within 48h). Overall curator score 3.5/5 — rounds to yellow (2–3 range) given incomplete compensation and no v2 re-audit. Labs wind-down as institutional response is not a positive remediation signal.
RD-F-083 yellow Auditor re-engaged after last exploit Nov 2025 incident: Trail of Bits published incident analysis/guidance 2025-11-07 (Tier-1 firm, but commentary not a formal re-audit). Certora published root-cause breakdown. No formal re-audit of patched v2 contracts post-Nov-2025 found. Protocol response was factory disable + migration to v3 rather than v2 patch + re-audit. v3 had ongoing Certora audits (2026-01 comprehensive) but v3 was not the affected system. Score: yellow (third-party review only, not a formal Tier-1 re-audit of affected codebase).
RD-F-086 yellow Pause activations (trailing 12 months) Trailing 12 months (2025-05-05 to 2026-05-05): 1 coordinated emergency pause event on 2025-11-03 across v2 CSPv6 on 9 chains, with documented reason (exploit response). Emergency SubDAO killed gauges 2025-11-04; factory disabled 2025-11-05. Treating as 1 coordinated pause with documented reason = yellow (1–2 pauses with documented reason per threshold).
RD-F-088 yellow Re-deployed to new addresses in last year No complete redeployment of v2 system to new addresses. v3 launched 2024-12-11 (within 12-month assessment window) with new vault architecture at new addresses, with documented migration path (BIP-734 governance announcement, public launch coverage). v2 CSPv6 factory disabled 2025-11-05. Score: yellow (major new deployment within 12 months with documented migration path, not an unexplained redeployment).
RD-F-166 yellow Deprecated contracts still holding value v2 TimelockAuthorizer (0x9E3cD0606Db55ac68845bB60121847823712ae05) is flagged DEPRECATED in balancer-deployments registry. It is an access-control contract not holding user TVL; direct balance ~$0. v2 CSPv6 factory disabled; individual v6 pools remain deployed in Recovery Mode with residual TVL (post-exploit user exit has substantially drained but exact residual unknown without live RPC). Stale approvals to the v2 Vault (which routes v6 pools) persist for users who have not revoked. Score: yellow (deprecated contract directly holds $0 TVL; broader deprecated v6 pool surface residual is uncertain but likely below $100K per contract; stale approval surface exists but not quantified).
RD-F-076 green Protocol age (days) v2 Vault deployed 2021-04-20; as of 2026-05-05 = 1476 days (~49 months). Green threshold ≥365 days. v3 launched 2024-12-11 (~146 days, assessed against v2 as dominant TVL version).
RD-F-079 green Same-root-cause repeat exploit Three distinct root-cause clusters: (1) 2020 deflationary ERC-20 transfer-fee AMM accounting; (2) 2023 Linear Pool _downscaleDown() rounding-to-zero on tiny BPT redemptions leading to cached rate manipulation; (3) 2025 Stable Math _upscale()/_swapGivenOut EXACT_OUT rounding direction error in ComposableStablePools. Different functions, different pool architectures, different exploit vectors. No same-root-cause repeat. Per critical-interpretation rule in scope: compiler-level vs protocol-level distinction addressed — 2023 and 2025 are both Balancer protocol-level rounding bugs but distinct functions/surfaces.
RD-F-082 green Post-mortem published within 30 days Nov 2025 incident: preliminary post-mortem published 2025-11-05 (2 days post-exploit); full post-mortem 2025-11-18 (15 days post-exploit). Both well within 30-day green threshold. Third-party analyses (Trail of Bits 2025-11-07, Certora, Check Point) provide additional corroborating detail.
RD-F-085 green Incident response time (minutes) Nov 2025: First malicious txs detected 07:46 UTC by Hypernative. V6 CSP implementations paused by 08:07 UTC (~21 minutes). Broader pool freeze by 08:20 UTC (~34 minutes). Green threshold ≤60 minutes. Response time was within green boundary.
Real-time signals Green 13 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h TVL anomaly — % drop in <1h [T-09 v1] | Applicable: Yes — $115.8M TVL directly measurable | Current TVL: $115.8M (DefiLlama, 2026-05-05T12:10:03Z). 30d change: -19.99%. 24h change: -1.91%. The 30d sustained decline reflects post-November 2025 exploit structural exodus, not an acute intraday drain event in the assessment window. The 1h tier-A threshold (>30% in 60 minutes) has not been breached in the current window. Yellow because: (1) the November 2025 exploit would have produced the largest tier-A fire in the assessment set (TVL ~$443M → ~$186M in <30 minutes); (2) current TVL is 97% below all-time peak, making the absolute remaining TVL more fragile to threshold breaches; (3) the 30d decline of ~20% erodes the baseline buffer before the threshold is reached. | Threshold: TVL drops >30% within 1h vs 30d baseline | Would fire: No (acute threshold not breached in current window); precursor erosion justifies yellow
RD-F-102 yellow Admin/upgrade transaction in mempool Admin/upgrade tx in mempool [T-09 v1] | Applicable: Yes — highly applicable and structurally critical | No pending admin/upgrade transactions from Ethereum DAO Multisig (0x10A19e7eE7d7F8a52822f6817de8ea18204F2e4f) or OpCo Safes detected in assessment window. Critical structural finding: v2 Vault current Authorizer is AuthorizerWithAdaptorValidation (0x6048A8c631Fb7e77EcA533Cf9C29784e482391e7) which does NOT enforce a timelock delay. TimelockAuthorizer (0x9E3cD0606Db55ac68845bB60121847823712ae05) is DEPRECATED per deployments registry. Any admin action approved by 6-of-11 multisig can execute with zero delay. Mempool signal fires simultaneously with execution — near-zero lead time for user protective action. This structural gap makes the signal critically important to deploy and simultaneously limits its protective value. Yellow reflects structural weakness even when signal is not currently firing. | Threshold: Pending tx to admin contracts with upgrade/pause/grantRole selector from adm
RD-F-105 yellow DNS/CDN/frontend hash drift DNS/frontend hash drift [T-09 v1] | Applicable: Yes — confirmed September 2023 DNS/BGP exploit; highest-risk frontend signal for any DEX | Current state: app.balancer.fi and balancer.fi appear live and properly configured as of 2026-05-05. TLS active. No current DNS compromise detected. CRITICAL GAP: no post-exploit frontend hash baseline established for this assessment. Prior confirmed exploit: September 2023 EuroDNS social engineering attack — balancer.fi / app.balancer.fi hijacked, Angel Drainer phishing contract deployed, ~$364K stolen ($238K-$364K reported range across sources). Post-November 2025 exploit: brand impersonation active, balancer-fi.website confirmed scam domain (ScamAdviser). Phishing campaigns with fake white-hat bounty programs launched within hours of the Nov 2025 exploit. Balancer has the highest confirmed DNS-compromise risk of any DEX in this coverage set. Production deployment of this signal requires: (1) establishing a JS bundle hash baseline; (2) CertStream
RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation scam spike | Applicable: Yes — high-value target; confirmed post-exploit impersonation | Post-November 2025 exploit: phishing campaigns launched within hours with fraudulent accounts posing as Balancer representatives offering fake white-hat bounty programs (documented in Yahoo Finance scam alert). balancer-fi.website confirmed scam domain (ScamAdviser). Post-Balancer Labs wind-down (March 2026): governance transition creates additional impersonation surface (fake emergency compensation or migration scams common in wind-down scenarios). pcrisk.com documents a specific Balancer scam pattern targeting users. No single coordinated spike ≥5 accounts confirmed with certainty in the 30-day assessment window, but persistent elevated post-exploit impersonation environment is documented. Yellow reflects sustained impersonation risk rather than an acute spike. | Threshold: Coordinated impersonation campaign ≥5 accounts or verified drain reports via impersonation | Woul
RD-F-182 yellow Security-Council threshold reduction (RT) Security-Council threshold reduction event (RT signal) [batch-24, T-09 v1.1 candidate] | Applicable: Yes — directly applicable to Balancer's multisig governance structure | Threshold: Multisig executes threshold reduction (e.g., 6-of-11 → 4-of-11) OR timelock removal OR new-signer addition within ≤14 days of either of the above. Current DAO Multisig threshold: 6-of-11. BIP-907 (Jan 2026) replaced 4 signers but maintained 6-of-11 threshold — signer rotation, not threshold reduction; governance-sanctioned. Historical threshold-reduction event: the TimelockAuthorizer (0x9E3cD0606Db55ac68845bB60121847823712ae05) was deprecated and removed from the active Authorizer chain in a prior governance cycle — this represents a timelock removal event that would have fired this signal. The signal's precondition (no active timelock in the Vault's Authorizer path) is now permanently in a fired state — the current design is structurally equivalent to having executed a timelock removal. Drift Protocol an
RD-F-092 gray Unusual mempool pattern from deployer wallet Unusual mempool pattern from deployer wallet | Applicable: Partial — v1 deployer inactive since 2020-09-30; v2/v3 deployer address not in data cache | v1 deployer (0x6e9eef9b53a69f37efcab8489706e8b2bd82608b) last active 2020-09-30, no recent mempool activity. V2/v3 deployer addresses not resolved (data cache: deployer.address: null). Signal is not actionable without v2/v3 deployer address registration. No unusual activity from known Balancer admin or relay wallets in assessment window. | Threshold: Deployer wallet submits unusual sequence (new deploys, mass approvals) vs historical baseline | Would fire: No (signal not configured — deployer address unresolved)
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Abnormal gas-price willingness from attacker wallet | Applicable: Yes | No high-priority-fee transactions (≥5x EMA priority fee) from unidentified wallets interacting with Balancer v2 or v3 Vault detected in assessment window. Requires live mempool monitoring not configured in this static assessment. | Threshold: Wallet pays ≥5x median gas priority fee AND interacts with Balancer core contracts | Would fire: No (signal infrastructure not configured in static assessment)
RD-F-094 gray New contract with similar bytecode to exploit template New contract with similar bytecode to exploit template | Applicable: Yes — v2 CSP rounding exploit template now public | The November 2025 exploit technique (rounding error in _upscaleArray + batchSwap against v2 ComposableStablePool) is publicly documented by Check Point Research and Certora. A bytecode-similar exploit template contract could be re-deployed against residual v2 CSP pools. No confirmed exploit-template contract deployment detected in assessment window. v3 confirmed unaffected by v2 rounding mechanism. Requires bytecode-similarity index not configured in this static assessment. | Threshold: New contract deployed with high bytecode similarity to known exploit template for this protocol class | Would fire: No
RD-F-095 gray Known-exploit function-selector replay Known-exploit function-selector replay | Applicable: Yes — batchSwap selector with CSP-targeting calldata is documented | The November 2025 attack pattern involves batchSwap sequences exploiting _upscaleArray rounding in v2 ComposableStablePools. Attack is documented publicly. No confirmed replay selector pattern deployed against remaining v2 CSP pools in assessment window. Requires selector pattern index not maintained in this static assessment. | Threshold: Specific selector sequence and calldata shape matching known Balancer-class exploit template | Would fire: No
RD-F-096 gray New ERC-20 approval to unverified contract from whale New ERC-20 approval to unverified contract from whale | Applicable: Partial — user-level approvals to router/Permit2 | No new approvals from top-TVL Balancer LPs to unverified contracts detected in assessment window. September 2023 DNS/BGP exploit was exactly this vector — users approving Angel Drainer malicious contract when visiting hijacked app.balancer.fi. No current instance of large LP granting approval to unverified contract detected. Permit2 (0x000...22D473) is whitelisted v3 integrator. | Threshold: Top-TVL depositor grants new token approval to unverified contract interacting with Balancer | Would fire: No
RD-F-101 gray Large governance proposal queued Large governance proposal queued (flagged) [T-09 v1] | Applicable: Partial — no on-chain Governor; Snapshot + Gnosis Safe execution only | Signal infrastructure must be re-mapped: ProposalCreated events do not exist (no Governor). Signal equivalent is Gnosis Safe execution events on DAO Multisig (0x10A19e7eE7d7F8a52822f6817de8ea18204F2e4f). BIP-907 (Jan 2026) and BIP-911 (Feb 2026) were executed — signer replacements, governance-sanctioned. Pending: veBAL abolition and BAL emissions-end proposals from March 2026 wind-down. No malicious-pattern payloads detected. Signal is gray due to governance infrastructure mismatch; monitoring adaptation required for Snapshot + multisig governance. | Threshold: Governance proposal queued with privileged admin payload from new/untrusted proposer | Would fire: No
RD-F-106 gray Cross-chain bridge unverified mint pattern Cross-chain bridge mint-without-proof | Applicable: N/A — Balancer does not operate a bridge; multi-chain TVL deployment uses canonical bridges (Arbitrum, Polygon PoS) not a Balancer-operated bridge. LayerZero usage is governance-messaging only (omni-chain voting escrow), not a TVL bridge. | Threshold: Deposit on source chain without corresponding verified proof on destination | Would fire: N/A
RD-F-107 gray Admin EOA signing from new geography/device Admin EOA signing from new geography/device | Applicable: Partial — off-chain telemetry not available | Requires off-chain signing telemetry via protocol team opt-in; not available in static assessment. Balancer DAO Multisig (0x10A19...) uses Gnosis Safe with hardware signing expected from named signers. No geographic anomaly publicly reported. | Threshold: Off-chain signing telemetry shows anomaly vs historical device/geo baseline | Always gray in static assessment
RD-F-110 gray Unusual pending/executed proposal ratio Unusual pending/executed proposal ratio | Applicable: Partial — Snapshot governance only; no on-chain Governor | Signal requires on-chain ProposalCreated / ProposalExecuted event ratio from a Governor contract. Balancer uses Snapshot + Gnosis Safe; no on-chain governor. Snapshot activity in 2026: BIP-907 (Jan), BIP-911 (Feb), wind-down proposals (March). Proposal activity is coordinated and purposeful during transition, not anomalous. No unusual ratio vs baseline detected. Adaptation required: monitor Snapshot proposal creation vs Gnosis Safe execution cadence. | Threshold: Pending/executed proposal ratio anomaly >3σ vs 30d baseline from on-chain Governor | Would fire: No (signal infrastructure N/A; Snapshot adaptation required)
RD-F-090 green Mixer withdrawal → protocol interaction Mixer withdrawal → protocol interaction [T-09 v1] | Applicable: Yes | No confirmed mixer-funded wallet interacting with Balancer v2 Vault (0xBA122...) or v3 Vault (0xbA133...) in 30-day assessment window. Historical context: v1 deployer (0x6e9eef...) was Tornado Cash-funded in 2020; November 2025 exploiter (0x86fedad...) was Tornado Cash-funded and laundered 2,000 ETH via Tornado Cash post-exploit (Nov 15, 2025). These are historical events outside the 30-day window. | Threshold: Wallet withdrew from TC/Railgun within 30 days AND interacts with core contracts >$100K AND ≥2 attribution sources | Would fire: No
RD-F-091 green Partial-drain test transactions Partial-drain test transactions | Applicable: Yes | No small-value probe transactions from known attacker wallets on Balancer v2 Vault or v3 Vault detected in assessment window. November 2025 exploit was a rapid multi-chain drain (~$128M in <30 minutes) with no staged partial-drain precursor pattern — attack was algorithmic and executed in a single sequence. Remaining v2 CSP pool TVL is residual post-exploit. No pre-strike test transaction pattern detected. | Threshold: Small-value outflows fitting known pre-strike pattern preceding a larger drain | Would fire: No
RD-F-097 green Sybil surge of identical-pattern transactions Sybil surge of identical-pattern transactions | Applicable: Limited — DEX/AMM not lending protocol with permissionless pool creation | No sybil surge pattern on Balancer v2 or v3 contracts detected. v3 hooks architecture allows per-pool custom logic but does not create a permissionless-pool-oracle attack surface analogous to Rhea Finance class. No unusual surge of identical transactions from new EOAs detected in assessment window. | Threshold: Multiple new EOAs submitting identical transaction patterns within short window | Would fire: No
RD-F-099 green Oracle price deviation >X% from secondary Oracle price deviation >X% from secondary [T-09 v1] | Applicable: Partial — v2 rate providers for Boosted Pools; core v2 Vault does not use external oracles | No oracle deviation >1% detected on live Chainlink feeds (ETH/USD: 0x5f4eC3Df..., USDC/USD: 0x8fFfFfd4..., USDT/USD: 0x3E7d1eAB...) as of 2026-05-05. Rate provider manipulation was root cause of August 2023 $2.1M exploit; Linear Pools largely deprecated post-November 2025. v3 oracle hooks are immutable post-registration. No oracle deviation event in current window. | Threshold: Primary vs secondary deviation >1% sustained ≥4 blocks AND protocol uses primary for safety-critical reads | Would fire: No
RD-F-100 green Flash loan >$10M targeting protocol tokens Flash loan >$10M targeting protocol [T-09 v1] | Applicable: Yes — Balancer v2 is itself a flash loan provider; November 2025 exploit used Balancer flash loans | No flash loan >$10M against Balancer Vault interacting with protocol core contracts detected in assessment window. The November 2025 exploit used flash loans internally as part of the invariant manipulation attack. Signal is applicable and historically validated. | Threshold: Flash loan ≥$10M with receiver contract interacting with Balancer oracle/market/governor | Would fire: No
RD-F-103 green Bridge signer-set change proposed/executed Bridge signer-set change [T-09 v1] | Applicable: Partial — no bridge operated; DAO Multisig signer changes are the functionally equivalent signal | BIP-907 (Jan 2026) replaced 4 of 11 DAO Multisig signers: removed 0xSausageDoge, AlexLangeVC, lewis, nanexcool; added elbagococina (0x6578183A...), netto.eth (0x235F00a6...), MikeB (0xF01Cc715...), hubert (0x02e4De71...). This governance-sanctioned change would have fired the signal at execution time; suppression applies (pre-announced via Snapshot). No further unscheduled signer changes detected since BIP-907. Current 6-of-11 threshold maintained. BIP-911 (Feb 2026) was emergency subDAO (not main DAO multisig) signer swap. | Threshold: SignerAdded / SignerRemoved / ThresholdChanged AND no governance pre-announcement in preceding 24h | Would fire: No (current signer set stable; BIP-907 was governance-sanctioned)
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg >2% [T-09 v1] | Applicable: Yes — v2 CSPs include stablecoin exposure | No stablecoin depeg >2% as of 2026-05-05: USDC ~$1.000, USDT ~$1.000, DAI ~$1.000 (Chainlink feeds confirmed). Remaining v2 stable pool TVL is significantly reduced post-November 2025 exploit; most CSP pools were drained or paused. Depeg signal has reduced impact on remaining TVL composition vs pre-exploit state. | Threshold: Stablecoin depegs >2% on venue with shared LP AND protocol exposure ≥5% TVL sustained ≥30 min | Would fire: No
RD-F-108 green GitHub force-push to sensitive branch GitHub force-push to sensitive branch | Applicable: Yes — v2 monorepo github.com/balancer/balancer-v2-monorepo; v3 monorepo github.com/balancer/balancer-v3-monorepo | v2 monorepo last commit 2025-12-14 (data cache confirmed). No public reports of unauthorized force-push to main/production branches in the assessment window. v2 monorepo in wind-down posture (last commit 5+ months ago) consistent with Labs wind-down. v3 monorepo still actively maintained (Certora audits Jan 2026, deployment expansions to HyperEVM/Plasma per BIP-862/BIP-874). No anomalous push patterns detected in either repo. | Threshold: Force-push or unauthorized push to main/production branch | Would fire: No
Dev identity & insider risk Green 4 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer Deployer 0x697A71353A4BC1eb1356763018a229c27a3fbA0C does not display an ENS name on Etherscan. The address carries an Arbiscan 'Balancer: Deployer' protocol label which provides equivalent accountability for institutional deployers. DAO signer netto.eth (0x235F00a6e9416b114780F0b97aFCb40f623f65B4) has ENS identity. YELLOW reflects absence of the specific ENS/NameStone mechanism on the deployer, not an adverse signal.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion BIP-883 (October 2025) reduced the emergency safe threshold from 4/7 to 3/7 and revoked VaultAdmin.disableQueryPermanently() permission, with forum post on 2025-10-29 and Snapshot vote on 2025-10-31 (2-day window, citing internal Security Council Meeting Notes). November 2025 emergency pool pauses (Shezmu, uniBTC) were documented defensive responses to external token exploits per Emergency Sub-DAO Q4 2024–Jan 2025 activity report. Emergency Sub-DAO signer set updated per BIP-652 (June 2024) through formal governance. No evidence of a completely undiscussed surprise admin-rescue in last 180 days. YELLOW for the abbreviated BIP-883 discussion window on a governance-control change.
RD-F-184 gray Real-capital social-engineering persona No curator flag or OSINT evidence of any 'contributor' or 'external integrator' persona deploying ≥$1M of attributed real capital to build credibility ahead of a social-engineering attack on Balancer. The November 2025 $128M exploit was a pure smart contract vulnerability (rounding error in Stable Math library); the September 2023 frontend incident was a DNS/BGP social-engineering attack on the EuroDNS registrar — neither fits the UNC4736/Drift class of real-capital credibility-building persona. P1 M-only factor per taxonomy batch-24. GRAY per Drift comparator: attribution requires curator confidence beyond on-chain trail; no positive evidence to anchor a green and no adverse signal to anchor yellow.
RD-F-111 green Team doxx status Fernando Martinelli (co-founder, CEO) is fully doxxed: real name, Portuguese/Brazilian engineer, Federal University of Santa Catarina BSc (2008), three MSc degrees (Scotland/France/Spain), Executive MBA Panthéon Sorbonne (2011), Honda Research Institute Europe and Bain & Company work history, IQ.wiki profile, LinkedIn, Medium, X since 2019. Mike McDonald (co-founder, CTO) has public GitHub (mikemcdonald), Crunchbase profile, security engineer background. All 11 DAO multisig signers are named representatives from established DeFi organizations (LayerZero, BGD, Paraswap, Gnosis, Snapshot, Karpatkey, Blockful/ENS, Raft, StakeDAO).
RD-F-112 green Team public accountability surface Fernando Martinelli has verifiable trails across LinkedIn (employment history), IQ.wiki (academic CV), Medium, X, and has been cited by CoinDesk, The Block, DL News, and Unchained across 7+ years of public DeFi presence. Mike McDonald: GitHub contributions, Crunchbase, X. All 11 DAO multisig signers have documented organizational affiliations with public accountability surfaces via their respective protocols.
RD-F-113 green Team other-protocol involvement history Fernando Martinelli: PrepLounge and Brasil Mate (2014, no adverse outcomes), Balancer (2019–present). Mike McDonald: security engineer background, no prior rugged protocol involvement. All 11 DAO multisig signers are representatives from established protocols (LayerZero, BGD, Paraswap, Gnosis, Snapshot, Karpatkey, ENS, Raft, StakeDAO, Balancer Maxis) with no known rug or exit-scam history.
RD-F-114 green Deployer address prior on-chain history Deployer 0x697A71353A4BC1eb1356763018a229c27a3fbA0C is labeled 'Balancer: Deployer' on Arbiscan confirming protocol-attributed status. Address has 31 total transactions comprising contract deployments and protocol operations since 2021-04-19. No prior rug-pattern deployments or adverse prior contracts found. Last active 2024-08-09.
RD-F-115 green Prior rug/exit-scam affiliation Balancer Labs corporate wind-down (2026-03-24) is a board-approved financial/legal decision following the November 2025 $128M exploit — explicitly distinguished from a rug or exit scam by co-founder Fernando Martinelli and reported as such by CoinDesk, Unchained, DL News, The Block. Protocol remains operational under DAO/OpCo. Martinelli offered to remain as advisor. No team member has prior rug or exit-scam affiliation. The two major exploits (2023 $2.1M and 2025 $128M) were smart contract vulnerabilities, not insider theft.
RD-F-116 green Contributor tenure at admin-permissioned PR Balancer Labs has operated publicly since 2019 (company formation) and deployed v2 in April 2021 (49 months of operation as of assessment date). v3 was deployed December 2024 by the same team. Balancer GitHub org (github.com/balancer) shows established member roster (johngrantuk, brunoguerios, mendesfabio, MattPereira, 0xDanko). BIP governance processes use established contributors. No evidence of a recent admin-permissioned code change by a new or short-tenure contributor.
RD-F-118 green Handle reuse across failed/rugged projects No social handle associated with Fernando Martinelli (@fcmartinelli), Mike McDonald (@mikeraymcdonald), or any named DAO multisig signer has been linked to a prior rugged or failed project under a different alias. All handles are consistently associated with Balancer or their affiliated established protocols across public history.
RD-F-119 green Commit timezone consistent with stated geography Fernando Martinelli is publicly documented as Portugal/Brazil-based. Balancer Labs organizational presence consistent with European/US timezone distribution based on visible GitHub org members. No anomalous East-Asia/DPRK timezone burst patterns identified from publicly visible commit metadata. Full statistical distribution analysis not performed (would require GitHub API); OSINT-negative basis for green.
RD-F-120 green Video-off/voice-consistency flag Fernando Martinelli is cited by name in multiple news articles about the wind-down with attributed statements (CoinDesk, DL News, Unchained), implying on-record media engagement. Protocol team participated in DeFi conferences during operational years. No video-off or voice inconsistency pattern reported in any public source.
RD-F-121 green Contributor OSINT depth score Fernando Martinelli scores 5/5 on OSINT depth: complete engineering CV (BSc, 3 MSc, MBA), Honda/Bain professional history, 7+ years DeFi public presence, IQ.wiki, LinkedIn, Medium, X, multiple Tier-1 media citations. Mike McDonald scores 4/5: GitHub, Crunchbase, X, security engineer background. DAO multisig signers average 3/5: organizational affiliation documented; individual depth varies by signer.
RD-F-122 green Contributor paid to DPRK-cluster wallet No evidence of any Balancer contributor payment wallet routing to a DPRK-labeled cluster within 3 hops. All 11 DAO multisig signer addresses are named DeFi participants from established organizations with no OFAC designation. Web search for 'Balancer Labs DPRK OR Lazarus OR North Korea developer' returns zero adverse results. November 2025 exploit attacker wallets (funded via Tornado Cash per OKX reporting) are distinct from all team/deployer wallets.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0x697A71353A4BC1eb1356763018a229c27a3fbA0C was funded on 2021-04-19 (same day as v2 Vault deploy) by 0xCAA4642602f8a0B2216f5b301c5D4abBF018F277, which received 10.007 ETH from 0x018FC8Eb3CD0C0BD85E0f64a226A2626a93B9BEE. Both intermediary addresses are unlabeled, fresh wallets with 2 and 0 subsequent transactions respectively — no Tornado Cash, Railgun, or mixer labels on any address in the chain. Etherscan reports no mixer interactions in deployer's 31 total txs. 30-day pre-deploy window clean. Fresh wallet deploy chain is standard institutional key management practice.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No OFAC SDN designation for any Balancer wallet. No Chainalysis published Lazarus attribution or US Treasury press release links any Balancer address to the DPRK/Lazarus cluster. Fully doxxed founding team (Fernando Martinelli, Mike McDonald) with 7+ year verifiable professional histories is inconsistent with nation-state implant profile. Corporate wind-down is financial/liability-driven post-$128M exploit, not DPRK-connected. Web search across multiple formulations returns zero adverse results. No escalation required.
Fork / dependency lineage Yellow 33 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions This factor applies to library dependencies even for original protocols. v3 package.json uses '@openzeppelin/contracts': '~5.4.0' (tilde = patch-only updates, relatively strict) and '@openzeppelin/contracts-upgradeable': '^4.9.6' (caret = minor+patch updates, less strict). The caret on upgradeable contracts is less strict than ideal for security-critical dependencies. v2 vendored OZ locally in v2-solidity-utils — eliminates npm dependency risk for v2 OZ. Mixed strategy is yellow: v3 caret on upgradeable OZ is the risk item.
RD-F-135 yellow Shared-library version with known-vuln status v2: Uses vendored OZ 3.x-compatible code (Solidity >=0.7.0 <0.9.0 per v2-solidity-utils). OZ 3.x is EOL. The vendored code avoids npm dependency management risk but may not incorporate upstream OZ security patches. However 11 external audits would likely surface known OZ 3.x CVEs if exploitable in Balancer's context. v3: Uses @openzeppelin/contracts ~5.4.0 — OZ 5.x is actively maintained, no known CVE at assessment date. Higher risk from v2 vendored EOL OZ 3.x. Scored yellow.
RD-F-126 n/a Is-a-fork-of Balancer v2 is an ORIGINAL protocol — not a fork of any upstream codebase. Balancer v1 was the same team's prior protocol; v2 is a ground-up redesign (single-Vault architecture). v3 is a further ground-up re-architecture by the same team. Profile §5 confirms: 'Not forked — Balancer v2 is an original protocol.' Cat 8 fork-lineage factors do not apply.
RD-F-127 n/a Upstream patch not merged No upstream — Balancer is an original protocol. This factor (upstream patch not merged into fork) does not apply.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream — original protocol. No upstream disclosure in last 90d applicable.
RD-F-129 n/a Code divergence from upstream (%) No upstream — original protocol. Code divergence from upstream cannot be computed.
RD-F-130 n/a Fork depth (generations from original audit) Not a fork — fork depth is 0 in the sense of being an original protocol. N/A.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork — upstream audit retention question is moot. Balancer has its own original audit coverage (11 v2 + 13 v3 engagements). N/A.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork — no upstream economic parameters to deviate from. N/A.
RD-F-134 n/a Dependency had malicious-release incident (last 90d) No published malicious npm/pip/crates release affecting Balancer v2 or v3 dependencies in the 90 days before 2026-05-05 found in any security advisory database or news source reviewed. No GHSA or CVE advisory flagged for OpenZeppelin 5.x or other Balancer-listed dependencies in Q1-Q2 2026.
Post-deploy hygiene & change mgmt Green 13 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag balancer-deployments repository uses structured task folders with output JSONs containing deployed addresses. Source code is Etherscan-verified. No explicit GPG-signed release tags confirmed from available data. Last v2 commit December 2025. v3 has active development. Repository is public with documented commit history. Unsigned tag pattern is consistent with methodology yellow.
RD-F-138 yellow Hot-patch deploys without timelock (last 30 days) No timelock exists on the primary admin path (RD-F-032 red). Core contracts are immutable so traditional proxy hot-patches are impossible. Parameter/permission changes by the 6-of-11 multisig execute without timelock. The November 2025 emergency response executed immediate factory disabling and gauge killing without timelock — intentionally as emergency response. Cannot confirm specific parameter changes in last 30 days.
RD-F-139 yellow Post-audit code changes without re-audit v3: 7 Certora post-launch audits (Jan 2025–Jan 2026) covering hooks, oracles, LBP, and Jan 2026 comprehensive assessment. Spearbit finding 5.2.6 resolved via PR #1113 between audit and deploy — known minor post-audit change. v2: The Nov 2025 $128M exploit was rooted in a Stable Math rounding error present since ComposableStablePool launch 2022 — the 2022 Trail of Bits audit explicitly excluded Stable Math from scope. No subsequent audit covered this path 2022–2025. However, affected pools are now disabled. Remaining v2 TVL is in non-CSP pools with audit coverage from 2021-2022 audits. Scored yellow (not red) because: v3 has strong continuous audit cadence; v2 critical unaudited code has been disabled post-exploit.
RD-F-168 yellow Stale-approval exposure on deprecated router Deprecated TimelockAuthorizer and original Authorizer are authorization contracts, not token-handling routers — users do not approve ERC-20 tokens directly to these contracts. Stale-approval exposure in the router sense does not apply to deprecated Authorizer contracts. v2 Vault itself is not deprecated. Quantitative approval count to deprecated contracts not available for assessment. Assessed yellow due to uncertainty about any residual approvals.
RD-F-145 n/a Deployed bytecode reproducibility All core contracts are Etherscan-verified. Build settings documented: Solidity 0.7.1 (v2), optimizer enabled, runs 9999 (per data cache). Foundry toolchain present (foundry_toml_present: true). balancer-deployments repository provides task-based output with declared addresses. Bytecode reproducibility is feasible from verified source with documented settings.
RD-F-146 gray New contract deploys in last 30 days Deployer address not identified in data cache (deployer.address: null). Cannot enumerate deployer-address-linked new deploys in last 30 days. Protocol is in active v3 deployment phase with BIPs approving new factories/chains (BIP-910, BIP-862). Active operational cadence expected but specific transaction count unavailable.
RD-F-185 gray Bridge rate-limiter / chain-pause as positive mitigant Balancer is not a bridge protocol. No bridge TVL, no bridge validator set, no rate-limiter applicable. Data cache: layerzero.present: false. Coverage flags: layerzero_bridge: false. Profile §7 confirms 'Has bridge surface: No'. This factor is N/A for Balancer.
RD-F-137 green Upgrade frequency (per 90 days) v2 Vault and pool contracts are immutable — no proxy upgrades occur. v3 Vault, VaultExtension, VaultAdmin are immutable. No Upgraded events occur on core contracts. New pool/factory contracts are fresh deploys, not upgrades to existing proxies. Router v2 deployed March 2025 as a new contract. Effectively 0 upgrades in any 90-day window by architectural design.
RD-F-140 green Fix-merged-but-not-deployed gap Following the November 2025 exploit, emergency fixes (disabling CSPv6 factory, killing gauges, enabling recovery mode) were deployed November 3-5 per post-mortem timeline. Vulnerable v2 CSP contracts are immutable and cannot be patched — fix was pool-disabling. No evidence of a merged security PR awaiting deployment in any repository.
RD-F-141 green Test-mode parameters in deploy No evidence of test-mode parameters in production deploys. v2 live 49 months; v3 17 months. Deployment tasks in balancer-deployments use structured task outputs with documented expected addresses. No test-oracle addresses, infinite allowances, or deployer-as-admin identified in any source.
RD-F-142 green Storage-layout collision risk across upgrades v2 Vault is immutable (not upgradeable). v3 Vault, VaultExtension, VaultAdmin are immutable contracts. v3 uses internal delegatecall to fixed immutable extension addresses — not behind UUPS/transparent proxies. No OZ upgrades plugin storage layout checks applicable. Storage collision risk is non-applicable in this architecture.
RD-F-143 green Reinitializable implementation (no _disableInitializers) Neither v2 nor v3 uses a UUPS/transparent proxy pattern that would expose initialize() to re-initialization. v2 Vault is immutable. v3 Vault uses internal delegatecall to VaultExtension/VaultAdmin (immutable fixed addresses). No initialize() re-initialization attack surface exists. Certora formal verification 2024-09 covered Vault architecture. Architecture confirmed via profile and docs.
RD-F-144 green CREATE2 factory permits same-address redeploy Balancer factory contracts deploy new pool instances with pool-specific salt values. No SELFDESTRUCT + redeploy logic identified in factory pattern. Pool contracts deployed via factory are immutable. No same-address redeploy attack surface identified.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface N/A — Balancer does not operate a bridge and has no bridge surface. Profile §7: 'Balancer does NOT operate its own bridge. Cross-chain deployment uses canonical bridges (Arbitrum bridge, Polygon PoS bridge, etc.) for initial token bridging — not controlled by Balancer.' has_bridge_surface: false, is_a_bridge: false. The LayerZero omni-chain voting escrow (20230524-mainnet-lz-omni-voting-escrow) is a governance vote-delegation path with no TVL. Data cache layerzero.present: false for primary OApp probe. All Cat 10 factors are N/A.
RD-F-148 n/a Bridge validator count (M) N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-149 n/a Bridge validator threshold (k-of-M) N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-150 n/a Bridge validator co-hosting N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — N/A] Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false. RD-F-151 (bridge ecrecover address(0) check) is a bridge-only critical factor and does not apply.
RD-F-152 n/a Bridge binds message to srcChainId N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-153 n/a Bridge tracks nonce-consumed mapping N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL — N/A] Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false. RD-F-154 (bridge default bytes32(0) root) is a bridge-only critical factor and does not apply.
RD-F-155 n/a Bridge validator-set rotation recency N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-156 n/a Bridge uses same key custody for >30% validators N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-157 n/a Bridge TVL per validator ratio N/A — Balancer has no bridge surface per profile §7. has_bridge_surface: false, is_a_bridge: false.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) N/A — Balancer does not use LayerZero OFT for TVL bridging. The LayerZero omni-chain voting escrow deployment (20230524-mainnet-lz-omni-voting-escrow) is a governance vote-delegation mechanism only, with no TVL. Data cache layerzero.present: false for primary OApp probe. Profile §7 explicitly states bridge surface is absent.
Threat intelligence & recon Green 13 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain registered (typosquat) | Applicable: Yes — high-impersonation-risk post-exploit | Official domains: balancer.fi, app.balancer.fi, docs.balancer.fi. Confirmed scam domains: balancer-fi.website (ScamAdviser flagged as likely scam). Post-November 2025 exploit phishing campaigns active immediately with fake white-hat bounty offers. September 2023 DNS attack exploited the .fi TLD registrar directly (EuroDNS social engineering — app.balancer.fi redirected to Angel Drainer contract). Common typosquat variants in scope: balancer-fi.io, balancer-finance.xyz, balancerprotocol.com, bal-finance.io, app-balancer.fi. The 90-day registration window encompasses the post-exploit period (Nov 2025) and the post-Labs-wind-down period (March 2026) — both historically the highest brand-impersonation risk periods. No dedicated domain monitoring baseline established for this assessment. Registration delta assessment: balancer-fi.website is a confirmed active scam domain — cannot c
RD-F-162 yellow Known-exploit-template selector deployed by any address Known-exploit-template selector deployed by any address | Applicable: Yes — November 2025 exploit technique is publicly documented | The November 2025 attack pattern (batchSwap sequences exploiting _upscaleArray rounding in v2 ComposableStablePool) is fully documented by Check Point Research, Certora, and Trail of Bits. An exploit template targeting this pattern could be deployed against residual v2 CSP pool TVL. Most v2 CSP pools were drained or paused post-exploit, but residual TVL at $115.8M means remaining pool exposure exists. V3 confirmed unaffected by v2 rounding mechanism (Trail of Bits). Beethoven X (Balancer v2 fork) was also affected in November 2025, confirming the exploit template works against forks. No confirmed new exploit-template contract deployment detected in 30-day assessment window via public sources. Yellow: public template exists and residual v2 TVL is potentially exploitable by a re-deployment; requires bytecode-similarity monitoring to confirm or deny active d
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Attacker wallet reconnaissance time before strike (days, peer class) | Applicable: Yes — DEX/AMM class | For the November 2025 Balancer exploit: exploiter wallet funded from Tornado Cash approximately 2 days before attack (Nov 1 → Nov 3, 2025). Extremely compressed reconnaissance window — consistent with a well-prepared attacker who understood the vulnerability in advance and required minimal on-chain reconnaissance before executing. August 2023 exploit also showed minimal on-chain recon. USPD-class attacks average 78 days. Balancer's attack class (arithmetic rounding bug exploitation) does not require extensive on-chain reconnaissance — the vulnerability is static and algorithmic. DEX/AMM class hack DB average: 14-30 days. Balancer's actual exploitation windows: 2 days (2025) and effectively 0 days (2023 DNS/frontend). This compressed recon window is a systemic signal posture gap: the reconnaissance-to-strike interval is too compressed for recon-based signals (RD-F-158, RD-F-159, RD-F
RD-F-158 green Known-threat-actor cluster has touched protocol Known-threat-actor wallet cluster has touched protocol [T-09 v1] | Applicable: Yes | November 2025 exploiter cluster: primary wallet 0x86fedad11c4765700934639f1efe1fc01355c982, intermediary 0x766a892f8ba102556c8537d02fca0ff4cacfc492, exploit deployer on Arbitrum 0x506d1f9efe24f0d47853adca907eb8d89ae03207, proceeds consolidator 0x872757006b6f2fd65244c0a2a5fdd1f70a7780f4. These are the highest-salience Balancer-specific threat-actor wallets. As of the 30-day assessment window (approx. April 5 – May 5, 2026), no confirmed interaction of these wallets with remaining Balancer contracts. Last confirmed exploiter activity: Nov 15, 2025 (2,000 ETH moved to Tornado Cash). No DPRK/Lazarus attribution confirmed in available public CTI (Halborn, Trail of Bits, Certora, Check Point post-mortems). General ecosystem context: Lazarus executed Drift ($285M, Apr 1 2026) and Kelp DAO ($292M, Apr 18 2026) exploits within 90-day window prior to assessment — elevated nation-state DeFi threat environment. |
RD-F-159 green Attacker wallet pre-strike probe (low-gas failing txs) Attacker wallet pre-strike probe (low-gas failing txs) | Applicable: Yes | No low-gas failing transactions from CTI-flagged wallets on Balancer v2 Vault (0xBA12222...) or v3 Vault (0xbA13333...) identified in public-source review in the 30-day assessment window. No anomalous failed transaction spike from unknown wallets visible on Etherscan for Vault contracts. Requires live mempool CTI feed for definitive coverage. | Threshold: Wallet in CTI cluster sends failing/low-gas txs to Balancer contracts | Would fire: No
RD-F-160 green GitHub malicious-dependency incident touching protocol deps GitHub malicious-dependency incident touching protocol deps | Applicable: Yes | No GHSA advisory flagging a malicious release in a dependency consumed by Balancer v2 or v3 in the trailing 90 days identified. v2 uses Solidity 0.7.1 (data cache confirmed; Etherscan verification). v3 uses newer Solidity. No npm/PyPI/crates.io advisory found for Balancer dependencies in assessment window. v2 monorepo last commit 2025-12-14 — reduced commit activity in wind-down reduces supply-chain attack surface. v3 monorepo actively maintained. | Threshold: GHSA advisory for a malicious release in a dependency consumed by Balancer | Would fire: No
RD-F-164 green Leaked credential on paste/sentry site Leaked credential on paste/sentry site | Applicable: Yes | No paste-site or GitHub secret scanner reports referencing Balancer infrastructure endpoints, API keys, or admin credentials identified in public-source OSINT. Balancer GitHub org (github.com/balancer) is public; no credentials visible in public repos. Labs wind-down may create credential hygiene risks if former Balancer Labs engineer off-boarding was incomplete. Immunefi bounty program ownership uncertain post-Labs-wind-down (BIP-687 transition to DAO — resolution unclear), which is an adjacent credential/responsibility risk but not a credential leak. No Sentry.io exposure reports found. | Threshold: Public paste site, Sentry, or credential dump referencing Balancer infra endpoints or keys | Would fire: No
RD-F-165 green Protocol social channel has scam-coordinator flag Telegram/Discord channel has scam-coordinator flag | Applicable: Yes | Official Discord: discord.balancer.fi. No flagged scam-coordinator identified as admin of official Balancer Discord or Telegram channels in public-source review. Post-November 2025 exploit, fake Balancer support accounts were active on X (Twitter) and Telegram offering fake recovery services — these are external impersonation accounts, not infiltration of official channels. Official Discord not known to have been compromised. Labs wind-down reduces active moderation capacity (secondary risk factor for channel integrity), but no identified scam-coordinator in official channels. | Threshold: Protocol-adjacent social channel admin flagged on curator scam-coordinator watchlist | Would fire: No
Tooling / compiler / AI Green 17 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) v2 (higher-risk): Solidity 0.7.1 confirmed (Etherscan v2 Vault: v0.7.1+commit.f4a555be, optimizer 1500 runs). Known bug in 0.7.x: storage byte-array copy corruption (introduced before 0.7.4, medium severity, fixed in 0.7.4). v2 is permanently on EOL 0.7.1 as contracts are immutable. v3: Solidity 0.8.26 confirmed (Etherscan v3 Vault: v0.8.26+commit.8a97fa7a, optimizer 500 runs, Cancun EVM). The transient-storage-clearing-helper-collision bug affects 0.8.28-0.8.33 (IR pipeline only) — v3 at 0.8.26 is below this range and unaffected. 0.8.26 has no known high-severity compiler bug at assessment date. Overall yellow due to v2 on EOL 0.7.1.
RD-F-174 yellow Dependency tree uses EOL Solidity version v2 (higher-risk): Deployed at Solidity 0.7.1 which is End-of-Life (Solidity 0.8.x is the current supported series; 0.7.x reached EOL when 0.8.0 launched Sept 2020, with 0.8.x receiving all subsequent security patches). v2 contracts are immutable — permanently on EOL 0.7.1 with no upgrade path. v3: Solidity 0.8.26 is within the active 0.8.x support window (not EOL). Scoring against v2 = yellow.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Balancer is an original protocol; there is no upstream audited codebase to compare against for bytecode similarity deviation. This factor is designed for AI-generated forks that mimic an audited protocol while deviating in behavior. N/A for an original protocol.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No evidence of GitHub Copilot 'Co-authored-by:' tags or equivalent AI-tool disclosures in Balancer v2 or v3 monorepo commit messages found in any public analysis, news, or code review sources. Data cache: v2 last commit 2025-12-14 (post-exploit maintenance). v3 monorepo active (Certora audit 2026-01-26). Balancer Labs maintained professional security posture with $635K in 2024 audit spend — inconsistent with undisclosed AI code generation in critical paths. Confidence [?] without full commit-history scan.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public blog post, tweet, or documentation from Balancer Labs or contributors disclosing AI-generated Solidity in security-critical code paths. Balancer Labs published extensive technical documentation and security-focused content. $635K in 2024 audit spend implies professional security development practices. No self-disclosure found.
Response & disclosure hygiene Green 17 4 of 4
RD-F-176 yellow Disclosure SLA public No explicit acknowledgment-time SLA published on the Immunefi program page or in Balancer docs/SECURITY.md (data cache: security_md_present: false). Immunefi platform implies standard 48h triage window but Balancer has not published a specific SLA. 2023 disclosure-to-action gap (11 days from report to public announcement) is consistent with norms but no SLA was formally committed. Score: yellow (SLA not published; implied by platform norms only).
RD-F-178 yellow CVE/GHSA advisory issued against protocol No CVE/NVD entry found for Balancer protocol in searches. GHSA advisory status in the balancer-v2-monorepo or balancer-v3-monorepo GitHub Security tab not directly verified (no GHSA API access in this session). The November 2025 exploit generated extensive third-party analyses (Trail of Bits, Certora, Check Point Research, BlockSec, Halborn) but these are blog posts, not formal CVE/GHSA advisories. No specific CVE ID surfaced. Score: yellow (existence of GHSA advisory cannot be confirmed or excluded without direct GHSA search; code-security-analyst should verify).
RD-F-175 green Disclosure channel exists Immunefi bug bounty program active at https://immunefi.com/bug-bounty/balancer/; last updated 2026-04-27; live since 2022-05-12; $1M max payout for critical. Active monitoring confirmed by 2023 incident: GothicShanon89238 received $1M bounty for responsible disclosure of Linear Pool bug. Program continues under DAO/OpCo management per Labs wind-down. Score: green (active program with recent-12-month evidence of monitoring).
RD-F-177 green Prior known-ignored disclosure No post-mortem confirms a received-but-not-actioned disclosure for any Balancer incident. 2023 incident: disclosure made 2023-08-11, $1M bounty paid, public emergency procedures launched 2023-08-22 (11 days). Exploiters acted on the publicly disclosed information, not on an ignored disclosure. Balancer acted on the disclosure. 2025 incident: no evidence of prior disclosure that was ignored. Score: green (no confirmed ignored disclosure).
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol balancer