Fix-merged-but-not-deployed gap

Balancer (v2 + v3)'s assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Following the November 2025 exploit, emergency fixes (disabling CSPv6 factory, killing gauges, enabling recovery mode) were deployed November 3-5 per post-mortem timeline. Vulnerable v2 CSP contracts are immutable and cannot be patched — fix was pool-disabling. No evidence of a merged security PR awaiting deployment in any repository.

Sources #

Tx
Balancer Nov 3 Exploit Post-MortemBalancer post-mortem tweet confirming Nov 3 exploit responseretrieved 2026-05-05
URL
BlockSec: In-Depth Analysis Balancer V2 ExploitBlockSec Nov 2025 exploit analysis — emergency response timelineretrieved 2026-05-05

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-140 score green collected_at 2026-05-05 12:41:36