Mixed-decimals math without explicit scaling
Balancer (v2 + v3)'s assessment for RD-F-017 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Balancer v2/v3 do use explicit token scaling (upscaleArray/downscaleArray, rate providers) to normalize tokens with different decimal precision to 18-decimal WAD format. However the Nov 2025 exploit occurred *within* this scaling framework — a rounding direction error in the scaling function itself. The scaling architecture is well-designed but the implementation had a precision-direction error. This factor asks about the presence of explicit scaling (which exists), but the exploit shows the scaling implementation had a defect. Scored yellow: scaling exists but proved insufficient.
Sources
- Certora: Breaking Down the Balancer Hack, https://www.certora.com/blog/breaking-down-the-balancer-hack (retrieved 2026-05-05)
- Check Point Research: _upscaleArray mulDown exploitation mechanism, https://research.checkpoint.com/2025/how-an-attacker-drained-128m-from-balancer-through-rounding-error-exploitation/ (retrieved 2026-05-05)
Methodology
Determine whether shared numerator/denominator arithmetic operates over tokens with different decimals without WAD/RAY normalization or explicit decimal-adjustment.