LP token balanceOf used for pricing

Balancer (v2 + v3)'s assessment for RD-F-061 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No balanceOf-based LP token pricing in Balancer v2 or v3. v2 Vault manages all token balances in internal accounting structures (not derived from ERC-20 balanceOf()). Swap math uses these internal vault balances. v3 Vault similarly manages token balances via the poolData struct, not ERC-20 balanceOf(). The August 2023 exploit involved rounding in rate math, not balanceOf-based pricing. The November 2025 exploit involved rounding direction error in _upscaleArray, also not balanceOf-based.

Detail #

Template: green = balanceOf not used in price path. Balancer's internal Vault accounting is the key architectural feature that prevents balanceOf donation attacks on swap pricing.

Sources #

GitHub
Balancer v2 Vault.solv2 Vault.sol — internal token accounting, not balanceOfretrieved 2026-05-05
URL
Balancer hack analysis | Trail of BitsTrail of Bits Nov 2025 analysis — root cause is rounding, not balanceOfretrieved 2026-05-05

Methodology #

Determine whether protocol pricing is derived from the `balanceOf` of LP tokens in a contract (manipulable by direct token transfer / donation).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-061 score green collected_at 2026-05-05 12:41:36