SELFDESTRUCT reachable from non-admin path
Balancer (v2 + v3)'s assessment for RD-F-011 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
v2 Vault (Solidity 0.7.1) and v3 Vault (0.8.26): both use constructor-based deployment, so no proxy pattern introduces delegatecall-to-selfdestruct risk. The v3 VaultExtension is called via delegatecall from the Vault, but the target is a hardcoded address set in the Vault constructor, not a user-supplied one. No published audit finding identifies a reachable selfdestruct from a non-admin path in the v2 or v3 core contracts. Assessment is [?] confidence due to no tool run.
Sources
- Etherscan, v2 Vault: constructor-based, no proxy. https://etherscan.io/address/0xBA12222222228d8Ba445958a75a0704d566BF2C8#code (retrieved 2026-05-05)
- v2 Vault.sol: constructor pattern, no initialize. https://github.com/balancer/balancer-v2-monorepo/blob/master/pkg/vault/contracts/Vault.sol (retrieved 2026-05-05)
Methodology
Determine whether any deployed contract contains the SELFDESTRUCT opcode in a code path reachable from a non-admin caller.
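The first step of that check, opcode presence, can be run over deployed runtime bytecode as in the following added example (not the curator's tooling and not Balancer code). The function names are hypothetical and the sample bytecode strings are constructed; it also reports DELEGATECALL because the evidence above turns on it, and it does not decide reachability, which needs control-flow analysis of each hit.

```python
SELFDESTRUCT, DELEGATECALL = 0xFF, 0xF4
PUSH1, PUSH32 = 0x60, 0x7F

def strip_metadata(code: bytes) -> bytes:
    """Drop a Solidity CBOR metadata trailer when the 2-byte length suffix is plausible."""
    if len(code) >= 2:
        n = int.from_bytes(code[-2:], "big")
        # The trailer is a small CBOR map, so its first byte is 0xa1..0xa4.
        if 0 < n <= len(code) - 2 and code[-2 - n] in (0xA1, 0xA2, 0xA3, 0xA4):
            return code[: -2 - n]
    return code

def find_opcodes(runtime_hex: str, targets=(SELFDESTRUCT, DELEGATECALL)) -> dict:
    """Linear sweep that returns {opcode: [program counters]} for the target opcodes.

    PUSH1..PUSH32 immediates are skipped so a data byte 0xff is not counted.
    A hit shows presence only; whether a non-admin caller can reach it is a
    separate control-flow question.
    """
    code = strip_metadata(bytes.fromhex(runtime_hex.removeprefix("0x")))
    hits = {t: [] for t in targets}
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op in hits:
            hits[op].append(pc)
        # PUSHn carries n immediate bytes that are data, not instructions.
        pc += 1 + (op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0)
    return hits

# Constructed samples (not real contract bytecode).
SAMPLES = {
    "push_data_only": "0x60ff60005200",        # PUSH1 0xff; PUSH1 0; MSTORE; STOP
    "real_selfdestruct": "0x33ff",             # CALLER; SELFDESTRUCT
    "delegatecall": "0x5af400",                # GAS; DELEGATECALL; STOP
    "ff_in_metadata": "0x600000a1617818ff0005",  # code + CBOR {"x": 255} + length
}

if __name__ == "__main__":
    for name, hexcode in SAMPLES.items():
        found = find_opcodes(hexcode)
        print(f"{name}: SELFDESTRUCT@{found[SELFDESTRUCT]} DELEGATECALL@{found[DELEGATECALL]}")
```

An empty SELFDESTRUCT list on every deployed contract settles the factor outright; any hit still has to be traced back to its callers and their access checks.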