First-depositor / share-inflation guard

Balancer (v2 + v3)'s assessment for RD-F-075 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v3 Vault implements three first-depositor guard mechanisms: (1) minimal share burn to zero address during ERC-4626 buffer initialization; (2) _MINIMUM_TRADE_AMOUNT threshold preventing sub-minimum operations; (3) _MINIMUM_WRAP_AMOUNT threshold for ERC-4626 wrap/unwrap operations; (4) consistent rounding in favor of the protocol rather than the user. These together constitute a composite guard against share-inflation attacks on v3. For v2 pool types, first-depositor protections are not confirmed across all pool types — particularly the now-deprecated LinearPool and the ComposableStablePool (which was the exploit target in Nov 2025). Since v2 represents the dominant share of current $115.8M TVL, the higher-risk version (v2, less protected) governs the score. Scored yellow: explicit guard confirmed in v3, not confirmed across all v2 pool types still holding TVL.

Sources #

GitHub
Balancer v3 Monorepobalancer-v3-monorepo vault implementation with anti-inflation mechanismsretrieved 2026-05-05
URL
Check Point Research: Balancer v2 Exploit AnalysisCheck Point Research: v2 ComposableStablePool rounding vulnerability (no first-depositor guard context)retrieved 2026-05-05
URL
Modern DEXes: Balancer V3 First-Depositor ProtectionsMixBytes v3 analysis: _MINIMUM_TRADE_AMOUNT, _MINIMUM_WRAP_AMOUNT, zero-address share burnretrieved 2026-05-05

Methodology #

Determine whether the vault has a first-depositor guard (seed deposit on deploy, virtual-share offset, or floor-check).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-075 score yellow collected_at 2026-05-05 12:41:36