defirisk.co
rubric v1.7.0

Same-root-cause repeat exploit

Balancer (v2 + v3)'s assessment for RD-F-079 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The incidents fall into three distinct root-cause clusters: (1) 2020: AMM accounting for deflationary (transfer-fee) ERC-20 tokens; (2) 2023: Linear Pool _downscaleDown() rounding to zero on tiny BPT redemptions, leading to cached rate manipulation; (3) 2025: Stable Math _upscale()/_swapGivenOut EXACT_OUT rounding-direction error in ComposableStablePools. These involve different functions, different pool architectures, and different exploit vectors, so there is no same-root-cause repeat. Per the in-scope critical-interpretation rule, the compiler-level vs protocol-level distinction is addressed: the 2023 and 2025 incidents are both Balancer protocol-level rounding bugs, but in distinct functions and surfaces.

Sources

  • Docs
    hacksdatabase/hacks/balancer-rekt.md (retrieved 2026-05-05)
  • URL
    https://research.checkpoint.com/2025/how-an-attacker-drained-128m-from-balancer-through-rounding-error-exploitation/ (retrieved 2026-05-05)
  • Audit
    https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/ (retrieved 2026-05-05)

Methodology

Determine whether the protocol has been exploited ≥2 times via the same root-cause cluster.


rubric_version: v1.7.0
protocol: balancer
factor: RD-F-079
score: green
collected_at: 2026-05-05 12:41:36