defirisk.co
rubric v1.7.0

Avg attacker reconnaissance time for peer-class protocols

Balancer (v2 + v3)'s assessment for RD-F-163 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Attacker wallet reconnaissance time before strike (days, peer class) | Applicable: Yes — DEX/AMM class | For the November 2025 Balancer exploit: exploiter wallet funded from Tornado Cash approximately 2 days before attack (Nov 1 → Nov 3, 2025). Extremely compressed reconnaissance window — consistent with a well-prepared attacker who understood the vulnerability in advance and required minimal on-chain reconnaissance before executing. August 2023 exploit also showed minimal on-chain recon. USPD-class attacks average 78 days. Balancer's attack class (arithmetic rounding bug exploitation) does not require extensive on-chain reconnaissance — the vulnerability is static and algorithmic. DEX/AMM class hack DB average: 14-30 days. Balancer's actual exploitation windows: 2 days (2025) and effectively 0 days (2023 DNS/frontend). This compressed recon window is a systemic signal posture gap: the reconnaissance-to-strike interval is too compressed for recon-based signals (RD-F-158, RD-F-159, RD-F

Sources #

  • URL
    https://www.halborn.com/blog/post/explained-the-balancer-hack-november-2025retrieved 2026-05-05
  • URL
    https://phemex.com/news/article/balancer-attacker-linked-to-tornado-cash-withdrawal-32658retrieved 2026-05-05

Methodology #

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-163 score yellow collected_at 2026-05-05 12:41:36