UUPS _authorizeUpgrade correctly permissioned

Balancer (v2 + v3)'s assessment for RD-F-021 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Balancer v2 pool contracts are immutable deployments from factories — no UUPS proxy pattern. v3 Vault uses delegatecall to hardcoded VaultExtension/VaultAdmin addresses (set in constructor), not UUPS upgradeable proxy. No UUPS _authorizeUpgrade pattern in either version. N/A is appropriate — this factor measures a specific proxy pattern that Balancer does not use.

Sources #

Etherscan
v3 Vault Etherscan: delegatecall proxy to hardcoded VaultExtension, not UUPShttps://etherscan.io/address/0xbA1333333333a1BA1108E8412f11850A5C319bA9#coderetrieved 2026-05-05
GitHub
v2 Vault.sol: constructor pattern, no initializehttps://github.com/balancer/balancer-v2-monorepo/blob/master/pkg/vault/contracts/Vault.solretrieved 2026-05-05

Methodology #

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-021 score not_applicable collected_at 2026-05-05 12:41:36