defirisk.co
rubric v1.7.0

Audit scope mismatch

Balancer (v2 + v3)'s assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

v2 (higher-risk): The Trail of Bits Sept 2022 ComposableStablePool audit explicitly excluded the Stable Math library from scope. The Certora 2022 formal verification (FV) verified solvency invariants but did not verify rounding behavior or swap reversibility. The Nov 2025 $128M exploit targeted the _upscaleArray rounding direction in the excluded Stable Math library. v2 Boosted Pools / Linear Pools were never in any audit scope across 11 engagements.

v3: Pre-launch audits (Certora 2024-09, Spearbit 2024-10, ToB 2024-10) covered the deployed Vault/Weighted/Stable bytecode before the Dec 2024 launch. The Certora 2026-01-26 comprehensive assessment found no critical findings.

Scored yellow (not red) because the v2 core Vault deploy commit is covered; the gap is the depth of pool math library coverage.

Sources

Methodology

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
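One way to run this comparison offline, as an added example (not code from defirisk.co, Balancer or any auditor). It assumes the deployed bytes were fetched with `eth_getCode` at the implementation address and the compiled bytes are the runtime bytecode built from the audited commit with the same compiler settings; the function names and all sample bytes are constructed for illustration.

```python
import hashlib

def strip_metadata(code: bytes) -> bytes:
    """Drop solc's CBOR metadata trailer; its length is the last 2 bytes, big-endian."""
    n = int.from_bytes(code[-2:], "big") if len(code) >= 2 else 0
    # Strip only if the length fits and the trailer starts with a CBOR map byte.
    if 0 < n <= len(code) - 2 and 0xA0 <= code[-2 - n] <= 0xBF:
        return code[: -2 - n]
    return code

def mask_immutables(code: bytes, refs) -> bytes:
    """Zero each (start, length) immutable slot, which is only filled in at deploy time."""
    out = bytearray(code)
    for start, length in refs:
        if start + length > len(out):
            raise ValueError("immutable reference outside bytecode")
        out[start:start + length] = bytes(length)
    return bytes(out)

def compare_build(deployed: bytes, compiled: bytes, immutable_refs=()) -> dict:
    """Compare deployed runtime code against the build of the audited commit."""
    d = mask_immutables(strip_metadata(deployed), immutable_refs)
    c = mask_immutables(strip_metadata(compiled), immutable_refs)
    return {
        "exact": deployed == compiled,      # byte-identical, metadata included
        "code_match": d == c,               # executable code identical
        "metadata_match": deployed[len(d):] == compiled[len(c):],
        "deployed_sha256": hashlib.sha256(d).hexdigest(),
    }

# --- constructed sample data (not real Balancer bytecode) ---
def _trailer(digest32: bytes) -> bytes:
    cbor = b"\xa2\x64ipfs\x58\x22\x12\x20" + digest32 + b"\x64solc\x43\x00\x08\x1a"
    return cbor + len(cbor).to_bytes(2, "big")

_BODY = bytes.fromhex("6080604052") + b"\x7f"          # PUSH32 <immutable> at offset 6
COMPILED = _BODY + bytes(32) + b"\x00" + _trailer(b"\x01" * 32)
DEPLOYED = _BODY + b"\xaa" * 32 + b"\x00" + _trailer(b"\x02" * 32)
IMMUTABLE_REFS = [(6, 32)]   # from solc's evm.deployedBytecode.immutableReferences

if __name__ == "__main__":
    print(compare_build(DEPLOYED, COMPILED, IMMUTABLE_REFS))
```

A `code_match` with a differing metadata trailer means the executable code is the same, but the source files or compiler settings hashed into the metadata differ from the audited build, which is still worth investigating.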


rubric_version: v1.7.0
protocol: balancer
factor: RD-F-001
score: yellow
collected_at: 2026-05-05 12:41:36