defirisk.co
rubric v1.7.0

Resolved-without-proof findings

Assessment of Balancer (v2 + v3) for RD-F-003, scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Trail of Bits flagged a similar rounding-direction issue (finding TOB-BALANCER-004 in the Oct 2021 Linear Pools audit) as 'undetermined severity' rather than treating it as exploitable and requiring a code fix. It was not marked 'Resolved' with on-chain proof of remediation. This downgrade pattern led to the finding being effectively ignored: the Aug 2023 exploit ($2.1M) and the Nov 2025 exploit ($128M) both confirmed that the same root-cause class (rounding direction in pool math) was live and exploitable. A finding that was flagged, downgraded, and then repeatedly exploited constitutes a clear failure in the resolved-without-proof category.

v3: Certora 2026-01 reportedly found no findings of severity >= medium.

Methodology

Count the number of findings the audit report marks "Resolved" or "Fixed" where no matching on-chain bytecode change or verifiable commit can be found.

rubric_version: v1.7.0
protocol: balancer
factor: RD-F-003
score: red
collected_at: 2026-05-05 12:41:36