Arbitrary call with user-controlled target

Balancer (v2 + v3)'s assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2 Batch Relayer (ToB 2022-05 audit): by design allows chained operations, but restricted to predefined relayer operations; no arbitrary call with user-supplied target and data. v3 hooks: addresses are immutable per pool post-registration, not user-controllable at call time. No critical finding of arbitrary call(target, data) without allowlist in v2 or v3 published audits. Confidence [?] without tool run.

Sources #

Audit
Trail of Bits 2022-05-27: Batch Relayer audithttps://github.com/balancer/balancer-v2-monorepo/blob/master/audits/trail-of-bits/2022-05-27.pdfretrieved 2026-05-05
Docs
v3 Hooks: hook address immutable post pool registrationhttps://docs.balancer.fi/concepts/core-concepts/hooks.htmlretrieved 2026-05-05

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-013 score green collected_at 2026-05-05 12:41:36