defirisk.co
rubric v1.7.0

Signed/unsigned arithmetic confusion

Balancer (v2 + v3)'s assessment for RD-F-018 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Balancer v2 is compiled with Solidity 0.7.1, which has no checked arithmetic by default (that arrived in 0.8.0): `+`, `-` and `*` on `uint256` wrap silently unless the code routes them through a library. v2 uses a custom FixedPoint library for its pool math, and a vendored OpenZeppelin SafeMath is available in v2-solidity-utils, but how consistently every arithmetic site across the pool contracts goes through one of those libraries rather than raw operators requires tool inspection. None of the 11 published v2 audit engagements reports a high- or critical-severity signed/unsigned confusion finding. The absence of checked arithmetic by default on a 0.7.x codebase is nonetheless a structural risk. v3 is compiled with 0.8.26, where arithmetic is checked by default, so this sub-factor is green for v3; note that 0.8.x checks operators but not explicit conversions, so `uint256(x)` on a negative `int256` still wraps silently and remains a reviewable pattern even there. The factor is scored against v2 as the higher-risk codebase: yellow.
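As an added illustration (not Balancer code; the contract and function names are hypothetical), the following Solidity 0.8.x contract separates the two failure modes this factor covers: an unsigned subtraction that wraps under pre-0.8 semantics (reproduced here with `unchecked`) but reverts under 0.8.x checked arithmetic, and a signed-to-unsigned conversion that wraps silently under both compiler lines. `applyDeltaSafe` shows the explicit sign and range checks a reviewer looks for at such sites.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical demo contract (not Balancer code). Balances are constructed
/// inline so the three behaviours can be compared in a local node or Remix.
contract SignedUnsignedDemo {
    mapping(address => uint256) public balance;

    constructor() {
        balance[msg.sender] = 1_000 ether; // constructed sample state
    }

    /// Pre-0.8 semantics, reproduced with `unchecked`. If amount exceeds the
    /// balance the subtraction wraps to a value just below 2**256, which is
    /// exactly what raw `-` on a 0.7.x codebase without SafeMath does.
    function withdrawWrapping(uint256 amount) external {
        unchecked {
            balance[msg.sender] -= amount; // wraps silently
        }
    }

    /// 0.8.x default: the same subtraction reverts with Panic(0x11) on underflow.
    function withdrawChecked(uint256 amount) external {
        balance[msg.sender] -= amount;
    }

    /// Signed/unsigned confusion proper. Checked arithmetic covers the int256
    /// addition, but the explicit uint256(...) conversion is NOT checked in
    /// 0.8.x: a negative intermediate wraps to a huge balance without reverting.
    /// Example: balance = 1000 ether, delta = -1001 ether gives
    /// int256 sum = -1 ether, and uint256(-1 ether) == 2**256 - 1e18.
    function applyDeltaUnsafe(int256 delta) external {
        balance[msg.sender] = uint256(int256(balance[msg.sender]) + delta);
    }

    /// Hardened form: branch on sign, convert only non-negative magnitudes,
    /// and bound the decrease by the current balance. Each require documents
    /// an invariant that the unsafe version left to the compiler (which does
    /// not enforce it).
    function applyDeltaSafe(int256 delta) external {
        if (delta >= 0) {
            balance[msg.sender] += toUint256(delta);
        } else {
            // -type(int256).min does not fit in int256; in 0.8.x the negation
            // reverts, on 0.7.x it would wrap back to int256.min, so reject it
            // explicitly rather than rely on compiler behaviour.
            require(delta != type(int256).min, "delta out of range");
            uint256 dec = toUint256(-delta);
            require(dec <= balance[msg.sender], "insufficient balance");
            balance[msg.sender] -= dec;
        }
    }

    /// Checked signed-to-unsigned conversion, the primitive that raw casts omit.
    function toUint256(int256 x) internal pure returns (uint256) {
        require(x >= 0, "negative to unsigned");
        return uint256(x);
    }
}
```

Calling `withdrawWrapping(2000 ether)` from the deployer leaves a balance of `2**256 - 1000 ether`, `withdrawChecked(2000 ether)` reverts, and `applyDeltaUnsafe(-1001 ether)` succeeds with an enormous balance despite the 0.8.x compiler; only `applyDeltaSafe(-1001 ether)` rejects the input with a reason string. The point for review is that the compiler version answers the overflow question but not the conversion question, so the cast sites still need to be enumerated on either codebase.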

Sources #

Methodology #

Determine whether signed-integer conversions or comparisons where unsigned was intended exist in the deployed bytecode/source.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-018 score yellow collected_at 2026-05-05 12:41:36