defirisk.co
rubric v1.7.0

Post-exploit response score

Balancer (v2 + v3)'s assessment for RD-F-081 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Nov 2025 incident (most recent):

  • Compensation completeness: 2/5 (20% white-hat bounty offered; ~$38.4M of ~$128M recovered; no protocol-level user compensation announced).
  • Transparency: 4/5 (preliminary post-mortem Nov 5, full post-mortem Nov 18, multiple independent analyses).
  • Root-cause depth: 4/5 (EXACT_OUT _upscale() rounding named; audit scope gap acknowledged).
  • Recovery speed: 4/5 (pools frozen within 20 min; factory disabled within 48h).

Overall curator score: 3.5/5, which rounds to yellow (2–3 range) given incomplete compensation and no v2 re-audit. The Labs wind-down as an institutional response is not a positive remediation signal.

Sources

  • URL
    https://x.com/Balancer/status/1990856260988670132 (retrieved 2026-05-05)
  • URL
    https://x.com/Balancer/status/1986104426667401241 (retrieved 2026-05-05)
  • URL
    https://rekt.news/balancer-rekt2 (retrieved 2026-05-05)
  • Audit
    https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/ (retrieved 2026-05-05)

Methodology

The curator scores the most recent incident response (1–5) on four criteria: compensation completeness, transparency of disclosure, root-cause analysis depth, and operational recovery speed.


rubric_version: v1.7.0
protocol: balancer
factor: RD-F-081
score: yellow
collected_at: 2026-05-05 12:41:36