Ignored bounty disclosure

Balancer (v2 + v3)'s assessment for RD-F-008 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The Aug 2023 exploit: whitehatter GothicShanon89238 submitted the rounding vulnerability to Immunefi on Aug 11 2023; Balancer issued warnings and began pool migration, but the exploit occurred Aug 27 before completion. Balancer paid $1M bounty. This is not a case of ignoring the disclosure — they responded and paid. However, the 2025 November $128M exploit used the same root-cause class (rounding direction) in a different pool type (ComposableStablePool), suggesting the 2023 remediation did not fully address the underlying vulnerability class. This repeat-class pattern is a yellow here (not fully ignored, but remediation incomplete).

Sources #

URL
Balancer hack analysis and guidance for the DeFi ecosystemhttps://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/retrieved 2026-05-05
URL
Immunefi: Balancer Rounding Error Bugfix Review (Aug 2023, $1M bounty paid)https://immunefi.com/blog/bug-fix-reviews/balancer-rounding-error/retrieved 2026-05-05

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-008 score yellow collected_at 2026-05-05 12:41:36