★ Post-audit code changes without re-audit
Balancer (v2 + v3)'s assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
v3: 7 Certora post-launch audits (Jan 2025–Jan 2026) covering hooks, oracles, LBP, and a Jan 2026 comprehensive assessment. Spearbit finding 5.2.6 was resolved via PR #1113 between audit and deploy, a known minor post-audit change.

v2: The Nov 2025 $128M exploit was rooted in a Stable Math rounding error present since the ComposableStablePool launch in 2022; the 2022 Trail of Bits audit explicitly excluded Stable Math from scope. No subsequent audit covered this path in 2022–2025. However, the affected pools are now disabled. Remaining v2 TVL is in non-CSP pools with audit coverage from the 2021-2022 audits.

Scored yellow (not red) because v3 has a strong continuous audit cadence and the critical unaudited v2 code has been disabled post-exploit.
Sources
- Audit: Balancer v2 Audit Reports. ABDK 2022-05 TimelockAuthorizer audit — scope reference for what was and wasn't covered (retrieved 2026-05-05)
- Balancer v3 Monorepo Audit Reports. v3 audit reports directory — 7 Certora reports 2025-2026 (retrieved 2026-05-05)
- Trail of Bits: Balancer Hack Analysis. Trail of Bits Nov 2025 analysis — confirms Stable Math was audit-scoped-out, v3 unaffected (retrieved 2026-05-05)
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.