defirisk.co
rubric v1.7.0

Shared-library version with known-vuln status

Assessment of Balancer (v2 + v3) for RD-F-135, scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for that score.

Evidence summary

v2: uses vendored, OpenZeppelin 3.x-compatible code (Solidity >=0.7.0 <0.9.0 per v2-solidity-utils). OZ 3.x is end-of-life. Vendoring avoids npm dependency-management risk, but a vendored copy does not automatically receive upstream OZ security patches. Balancer v2 has had 11 external audits, which would likely have surfaced any known OZ 3.x CVE that is exploitable in Balancer's context; audits are point-in-time, however, and do not cover advisories published after the audit date.

v3: uses @openzeppelin/contracts ~5.4.0. OZ 5.x is actively maintained and had no known CVE at the assessment date.

The higher risk comes from v2's vendored, end-of-life OZ 3.x code. Scored yellow.

Sources

Methodology

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
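The methodology above as runnable code, added here as an example; it is not defirisk.co's tooling. It assumes npm-style version specs (exact, ~ and ^), and for vendored code it relies on the "(last updated vX.Y.Z)" banner that newer OpenZeppelin files carry, treating a copy without one as "identify by hand". The advisory table, the three inputs, the EOL set (OZ 3.x, taken from the assessment text) and the red/yellow/green mapping are all this example's own constructed assumptions, not real GHSA records or the rubric's definitions.

```python
"""Shared-library version check: added example, not defirisk.co tooling.
Resolves which OpenZeppelin version a code base compiles against and matches
it against an advisory list. All inputs are constructed; advisory entries
are placeholders, not real GHSA/CVE records."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    ident: str
    package: str
    introduced: Version  # first affected version, inclusive
    fixed: Version       # first fixed version, exclusive
    summary: str


# Constructed placeholder advisory for demonstration only (not a real GHSA).
ADVISORIES: List[Advisory] = [
    Advisory("GHSA-PLACEHOLDER-0001", "@openzeppelin/contracts",
             (4, 0, 0), (4, 9, 3), "placeholder entry affecting 4.0.0 <= v < 4.9.3"),
]
# Assumption taken from the assessment text: OZ 3.x is end-of-life.
EOL_MAJORS = {3}
# Newer OpenZeppelin files carry this banner; older or forked copies often do not.
BANNER = re.compile(r"OpenZeppelin Contracts \(last updated v(\d+\.\d+\.\d+)\)")


def parse_version(text: str) -> Version:
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def npm_range(spec: str) -> Tuple[Version, Version]:
    """Lower (inclusive) and upper (exclusive) bound of an exact, ~ or ^ npm spec."""
    spec = spec.strip()
    major, minor, patch = parse_version(spec.lstrip("~^"))
    if spec.startswith("^") and major > 0:
        return (major, minor, patch), (major + 1, 0, 0)
    if spec.startswith(("~", "^")):          # ~x.y.z, and ^0.y.z behaves like ~
        return (major, minor, patch), (major, minor + 1, 0)
    return (major, minor, patch), (major, minor, patch + 1)


def vendored_version(solidity_source: str) -> Optional[Version]:
    """Version from the OZ banner comment; None means it must be identified by hand."""
    m = BANNER.search(solidity_source)
    return parse_version(m.group(1)) if m else None


def matching_advisories(package: str, lo: Version, hi: Version) -> List[Advisory]:
    """Advisories whose affected range overlaps [lo, hi)."""
    return [a for a in ADVISORIES
            if a.package == package and a.introduced < hi and a.fixed > lo]


def assess(package: str, spec: Optional[str], source: str = "") -> Dict[str, object]:
    """red: the floor of the range is under an advisory; yellow: EOL major, range
    may resolve into an affected version, or version unknown; green: otherwise.
    This colour mapping is the example's own assumption, not the rubric's."""
    if spec is not None:
        lo, hi = npm_range(spec)
    else:
        found = vendored_version(source)
        if found is None:
            return {"package": package, "version": None, "score": "yellow",
                    "reason": "vendored copy without version banner; identify manually"}
        lo, hi = found, (found[0], found[1], found[2] + 1)
    hits = matching_advisories(package, lo, hi)
    if hits:
        floor_affected = any(a.introduced <= lo < a.fixed for a in hits)
        fixes = ", ".join(f"{a.ident} fixed in {'.'.join(map(str, a.fixed))}" for a in hits)
        return {"package": package, "version": lo,
                "score": "red" if floor_affected else "yellow",
                "reason": ("pinned floor is affected: " if floor_affected
                           else "unpinned range can resolve to an affected version: ") + fixes}
    if lo[0] in EOL_MAJORS:
        return {"package": package, "version": lo, "score": "yellow",
                "reason": f"major {lo[0]} is end-of-life; upstream fixes no longer land"}
    return {"package": package, "version": lo, "score": "green",
            "reason": "no active advisory; maintained major"}


# Constructed inputs: the v3 manifest and a v2-style vendored header modelled on
# the assessment above, plus a hypothetical vendored file that does carry a banner.
V3_MANIFEST = {"@openzeppelin/contracts": "~5.4.0"}
V2_VENDORED_SNIPPET = "// SPDX-License-Identifier: MIT\npragma solidity >=0.7.0 <0.9.0;\n"
BANNERED_SNIPPET = "// OpenZeppelin Contracts (last updated v4.7.0) (utils/Multicall.sol)\n"


def run() -> List[Dict[str, object]]:
    pkg = "@openzeppelin/contracts"
    return [assess(pkg, V3_MANIFEST[pkg]),
            assess(pkg, None, V2_VENDORED_SNIPPET),
            assess(pkg, None, BANNERED_SNIPPET)]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The range check is deliberately conservative: a caret or tilde spec without a lockfile can resolve to any version in its window, so the floor is what the check scores, and a lockfile-pinned version should be fed in as an exact spec instead. A vendored copy with no banner is the v2 situation the assessment describes, and the script can only flag it for manual identification, which is why that case lands on yellow rather than green.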

See the full factor methodology and distribution across all protocols →

rubric_version: v1.7.0
protocol: balancer
factor: RD-F-135
score: yellow
collected_at: 2026-05-05 12:41:36