Historical bad-debt events

Balancer (v2 + v3)'s assessment for RD-F-067 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two documented loss events: (1) August 2023 — v2 Boosted Pool rounding exploit, ~$2.1M loss; (2) November 2025 — v2 ComposableStablePool rounding/invariant manipulation across 9 chains, $128M drained. For the Nov 2025 event: ~$28M salvaged via whitehat actions; Balancer distributed ~$8M to affected LPs; ~$19.7M in osETH/osGNO handled separately by StakeWise. Net unrecovered by protocol: ~$100M+. The reimbursement was non-socialized (each pool's recovered funds go only to that pool's LPs) — affected pools had losses of ~87% of drained assets unrecovered. This constitutes uncompensated bad debt at pool level across multiple pools. Two separate events with $130M+ combined loss, majority uncompensated, triggers red under the factor threshold (>=2 events or any uncompensated loss).

Sources #

URL
How an Attacker Drained $128M from Balancer Through Rounding Error ExploitationCheck Point Research: technical analysis of $128M exploit via rounding error in _upscaleArrayretrieved 2026-05-05
URL
Balancer Outlines Reimbursement Plan Following $128M ExploitDecrypt: Balancer outlines reimbursement plan — $8M distributed, non-socialized approach, 180-day claim periodretrieved 2026-05-05
URL
Balancer Rekt (August 2023)rekt.news Balancer August 2023 exploit ($2.1M, Boosted Pool rounding + rate manipulation)retrieved 2026-05-05
URL
Explained: The Balancer Hack (November 2025)Halborn: Balancer Hack November 2025 — improper access controls + rounding error in manageUserBalanceretrieved 2026-05-05

Methodology #

Count and sum (USD) the number of documented bad-debt events where the protocol socialized losses across depositors.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-067 score red collected_at 2026-05-05 12:41:36