defirisk.co
rubric v1.7.0

Audit scope mismatch

A factor in the code & audits category of the v1.7.0 rubric. Measured per protocol on a recurring cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** Whether the runtime bytecode deployed on-chain for every contract that holds user funds corresponds exactly to the code covered by the protocol's most recent audit report. A mismatch is recorded when the audit cites a specific commit hash or contract address and the live deployed bytecode differs from what that reference compiles to. Assessment is performed by diffing the deployed bytecode against the Etherscan-verified source (compiled with the verified compiler settings) and against the commit and address metadata in the audit PDF; for proxied contracts, the implementation behind the proxy is what gets compared.

**Why it matters** Audit scope mismatch is the single most frequent factor in the cross-hack database, appearing as a contributor in more than 25 documented exploits. When deployed code diverges from audited code, the audit's assurance is void for that surface, yet the protocol can still truthfully claim to have been audited, which creates false confidence for depositors. Proxy upgrade patterns let the code behind a fixed address change without any visible redeploy, so post-audit divergence routinely goes undetected by standard tooling. Seven of thirteen audited protocols in the dataset were exploited via code explicitly outside audit scope.

**Green / Yellow / Red** Green: all contracts holding user funds have runtime bytecode matching the commit hash cited in the most recent audit, with no unaudited modifications post-deployment. Yellow: minor peripheral contracts (fee collectors, reward distributors) are unaudited, but core lending or bridge logic is fully covered. Red: the primary contracts holding user funds contain code that was not reviewed in any audit, or the deployed bytecode hash differs materially from the audited commit with no delta-audit covering the change.

**Common gray cases** Curators legitimately cannot grade this factor when the protocol does not publish its audit report with a commit hash reference, or when Etherscan source verification is absent and bytecode diffing is therefore impossible.
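The Green / Yellow / Red rule above turns on two questions per contract: is the implementation that is live today one an audit report covered, and does the contract hold user funds (core) or not (peripheral)? The grader below is an added example for this page, not defirisk.co's own tooling. It assumes the caller has already pulled the EIP-1967 `Upgraded(address)` logs for each proxy (`eth_getLogs` on the proxy address with the topic0 shown) and knows, per audit report, which implementation addresses that report covered; the `Audit`/`Contract` records, addresses and log entries are constructed sample data.

```python
"""Upgrade-timeline grader for the Green / Yellow / Red rule.

Added example, not defirisk.co tooling. Assumes pre-fetched eth_getLogs
entries per proxy and, per audit report, the set of implementation
addresses it covered. All names, addresses and logs are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# keccak256("Upgraded(address)"): topic0 of the EIP-1967 / OpenZeppelin upgrade event
UPGRADED_TOPIC0 = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

RANK = {"green": 0, "yellow": 1, "red": 2}


@dataclass
class Audit:
    commit: str
    completed_block: int
    implementations: frozenset   # lowercase addresses the report covered


@dataclass
class Contract:
    name: str
    address: str
    role: str                    # "core" (holds user funds) or "peripheral"
    logs: List[dict]             # raw eth_getLogs entries for this proxy


def decode_upgraded(log: dict) -> Optional[Tuple[int, str]]:
    """Return (blockNumber, implementation) for an Upgraded log, else None.
    The implementation is the indexed argument: low 20 bytes of topics[1]."""
    topics = log.get("topics", [])
    if len(topics) != 2 or topics[0].lower() != UPGRADED_TOPIC0:
        return None
    return int(log["blockNumber"], 16), "0x" + topics[1][-40:].lower()


def current_implementation(c: Contract) -> Tuple[int, str]:
    """Latest implementation by block. A contract with no Upgraded log is
    taken to be non-proxied and to run its own address's code (block 0)."""
    events = sorted(e for e in map(decode_upgraded, c.logs) if e)
    return events[-1] if events else (0, c.address.lower())


def grade_contract(c: Contract, audits: List[Audit]) -> Tuple[str, str]:
    block, impl = current_implementation(c)
    covered = [a for a in audits if impl in a.implementations]
    if covered:
        return "green", f"{c.name}: {impl} covered by audit {covered[-1].commit}"
    last_audit = max((a.completed_block for a in audits), default=0)
    when = "after" if block > last_audit else "before"
    color = "red" if c.role == "core" else "yellow"   # core = primary attack surface
    return color, (f"{c.name}: live implementation {impl} (set at block {block}, "
                   f"{when} the latest audit) is not covered by any audit report")


def grade_protocol(contracts: List[Contract], audits: List[Audit]) -> Tuple[str, List[str]]:
    """Worst contract wins: one uncovered core contract makes the factor Red."""
    results = [grade_contract(c, audits) for c in contracts]
    worst = max((color for color, _ in results), key=RANK.get, default="green")
    return worst, [reason for _, reason in results]


def upgraded_log(block: int, impl: str) -> dict:
    """Constructed eth_getLogs entry for Upgraded(impl) (sample data only)."""
    return {"blockNumber": hex(block),
            "topics": [UPGRADED_TOPIC0, "0x" + impl[2:].lower().rjust(64, "0")]}


# Constructed sample: one audit at block 19,000,000 covered implementation ...0a1;
# the core vault proxy was then upgraded to ...0b2 with no delta audit.
AUDIT = Audit("3f9c2d1", 19_000_000, frozenset({"0x" + "0a1".rjust(40, "0")}))
VAULT = Contract("Vault", "0x" + "1111".rjust(40, "0"), "core",
                 [upgraded_log(18_500_000, "0x" + "0a1".rjust(40, "0")),
                  upgraded_log(19_250_000, "0x" + "0b2".rjust(40, "0"))])
FEES = Contract("FeeCollector", "0x" + "2222".rjust(40, "0"), "peripheral", [])

if __name__ == "__main__":
    color, reasons = grade_protocol([VAULT, FEES], [AUDIT])
    print(color)
    print("\n".join(reasons))
```

In the sample the vault is Red (core, upgraded after the audit, no delta audit) and the fee collector alone would be Yellow; adding a second `Audit` whose `implementations` contains `...0b2` turns the vault Green, which is exactly the "delta-audit covering the change" carve-out in the Red definition. Beacon proxies and diamonds emit different events, so their facets or beacon implementation must be collected separately before feeding them in.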

**Notable historical examples**
- **Compound Finance** ($147M, 2021): Proposal 62 introduced a new Comptroller upgrade not covered by prior audit; the drip() vulnerability lived in the unaudited code.
- **Fei/Rari Fuse** ($80M, 2022): Partial patch to CToken and Comptroller left exitMarket() uncovered; the introduced gap was in post-audit code.
- **PancakeBunny** ($45M, 2021): Team upgraded to VaultFlipToFlip contracts after the Haechi audit closed; the flash-loan vector was in the unaudited upgrade.
- **Hedgey Finance** ($44.7M, 2024): Vulnerable createLockedCampaign() function was deployed after audit completion.
- **KyberSwap Elastic** ($48M, 2023): Sub-microscopic precision failure survived multiple audit rounds; deployed bytecode had diverged from reviewed code.

**Critical factor** This factor is critical under rubric v1.7.0: a single Red assessment here is sufficient to trigger a D or F grade regardless of all other category scores, because an unaudited primary attack surface nullifies the protocol's core security assurance.

Measurement: what to look for

Check whether the commit SHA cited in the audit report, compiled with the Etherscan-verified settings, matches the bytecode deployed at the production proxy/implementation address. For a proxy, read the implementation address from its EIP-1967 storage slot rather than comparing the proxy's own bytecode, and treat the proxy and its admin as in-scope contracts in their own right.

Data & output

**Data source** Auditor firm's published PDF (commit SHA field) + Etherscan contract-verified source tab + `eth_getCode` RPC call at deploy block

**Output format** Green / Yellow / Red · critical gate active

**Evidence artifact** Audit PDF URL + SHA-256 of PDF + report commit SHA + deployed bytecode hash + diff output (empty = match)

**Confidence signal**
- green = bytecode matches report commit exactly
- yellow = minor non-logic diff (whitespace/comment ≤5 LOC, no state-mutating change)
- red = material divergence or no verifiable commit SHA in report
- gray = audit report not publicly accessible or contract source unverified
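The measurement step and the confidence signal above can be run as one check: resolve the proxy to its implementation, fetch the runtime code, and compare it with the bytecode the audited commit compiles to. The snippet below is an added example for this page, not defirisk.co tooling. It assumes the caller supplies two RPC-style callables (`eth_getCode` and `eth_getStorageAt` wrappers, mocked here with an in-memory dict) and a reference runtime bytecode built from the audited commit with the Etherscan-verified compiler settings; every address and byte string in it is constructed sample data, and the SHA-256 fingerprint is the hash used for the evidence artifact, not a keccak of the code.

```python
"""Bytecode-vs-audit-commit check with EIP-1967 proxy resolution and
solc metadata stripping. Added example, not defirisk.co tooling; the
RPC callables are mocked and all chain data is constructed."""
import hashlib
from typing import Callable, Dict, Optional

# keccak256("eip1967.proxy.implementation") - 1: slot where EIP-1967 proxies store the implementation
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

GetCode = Callable[[str], bytes]          # wraps eth_getCode(address, "latest")
GetStorage = Callable[[str, str], bytes]  # wraps eth_getStorageAt(address, slot, "latest")


def strip_cbor_metadata(code: bytes) -> bytes:
    """Remove the solc metadata trailer: a CBOR map (ipfs/bzzr source hash,
    solc version) followed by its 2-byte big-endian length. It is never
    executed, but it changes whenever source text or compiler settings
    change, so a raw byte compare would flag comment-only edits as divergence."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    if n == 0 or n + 2 > len(code):
        return code
    payload = code[-(n + 2):-2]
    if payload[0] not in (0xA1, 0xA2, 0xA3):   # CBOR map with 1..3 entries
        return code
    return code[:-(n + 2)]


def resolve_implementation(address: str, get_storage: GetStorage) -> str:
    """Follow the EIP-1967 implementation slot; a zero slot means the address
    is not such a proxy, so its own code is what gets compared."""
    word = get_storage(address, EIP1967_IMPL_SLOT)
    if int.from_bytes(word, "big") == 0:
        return address
    return "0x" + word[-20:].hex()


def grade(deployed: bytes, audited: Optional[bytes]) -> str:
    """green = exact match; yellow = only the metadata trailer differs
    (source text or settings changed, executable code did not; confirm with
    a source diff); red = executable code differs; gray = no reference
    because the report cites no verifiable commit or source is unverified."""
    if audited is None:
        return "gray"
    if deployed == audited:
        return "green"
    if strip_cbor_metadata(deployed) == strip_cbor_metadata(audited):
        return "yellow"
    return "red"


def check(proxy: str, audited: Optional[bytes],
          get_code: GetCode, get_storage: GetStorage) -> Dict[str, str]:
    impl = resolve_implementation(proxy, get_storage)
    deployed = get_code(impl)
    if not deployed:                       # no code at the resolved address
        return {"implementation": impl, "deployed_sha256": "", "grade": "gray"}
    return {"implementation": impl,
            "deployed_sha256": hashlib.sha256(deployed).hexdigest(),  # evidence artifact
            "grade": grade(deployed, audited)}


def solc_trailer(ipfs_multihash: bytes, solc_version: bytes = b"\x00\x08\x13") -> bytes:
    """Constructed solc-style trailer: CBOR {"ipfs": <34 bytes>, "solc": <3 bytes>} + length."""
    body = b"\xa2\x64ipfs\x58\x22" + ipfs_multihash + b"\x64solc\x43" + solc_version
    return body + len(body).to_bytes(2, "big")


# Constructed sample chain state (not real contracts, hashes or addresses)
LOGIC = bytes.fromhex("6080604052348015600f57600080fd5b5060043610")
AUDITED = LOGIC + solc_trailer(b"\x12\x20" + bytes(32))
COMMENT_ONLY_EDIT = LOGIC + solc_trailer(b"\x12\x20" + bytes([0xAB] * 32))
LOGIC_CHANGED = LOGIC.replace(b"\x60\x04", b"\x60\x08") + solc_trailer(b"\x12\x20" + bytes([0xCD] * 32))

PROXY, IMPL = "0x" + "aa".rjust(40, "0"), "0x" + "bb".rjust(40, "0")
CHAIN_CODE = {PROXY: bytes.fromhex("363d3d373d3d3d363d73"), IMPL: COMMENT_ONLY_EDIT}
CHAIN_STORAGE = {(PROXY, EIP1967_IMPL_SLOT): bytes.fromhex(IMPL[2:]).rjust(32, b"\x00")}


def get_code(addr: str) -> bytes:           # mock eth_getCode
    return CHAIN_CODE.get(addr, b"")


def get_storage(addr: str, slot: str) -> bytes:   # mock eth_getStorageAt
    return CHAIN_STORAGE.get((addr, slot), bytes(32))


if __name__ == "__main__":
    print(check(PROXY, AUDITED, get_code, get_storage))
```

Two caveats when running this against a real deployment. Contracts that use `immutable` variables have their values written into the runtime bytecode at construction, so the reference build must be produced with the same constructor arguments, or the offsets listed under `immutableReferences` in the solc output must be masked before comparing, otherwise every such contract reads as Red. And a metadata-only difference still means the source the auditors hashed is not the source that was compiled, so the Yellow result is a prompt for a source-level diff, not a pass.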

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-001 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | red |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | yellow |

Linked hacks (65 historical incidents)

Each entry: link type (causal / related) · protocol · date · loss · root cause · "In audit scope?" field from the incident record. "Direct" marks incidents tagged in the cross-hack database as Factor 1: Audit Scope Mismatch (report commit ≠ deployed bytecode).

- causal · Solv Protocol (BRO vault) · 2026-03-05 · $3M · ERC-3525 Callback Reentrancy — Double Mint (onERC721Received fires before state update) · In audit scope? No — BRO vault explicitly excluded from all published audits
- causal · YieldBlox / Script3 (Blend V2 community-managed pool) · 2026-02-22 · $11M · Illiquid collateral oracle manipulation — single USTRY/USDC trade pumped price 100x → inflated collateral → undercollateralized borrow drain · In audit scope? N — the smart contracts had no vulnerability; the exploit was in the oracle configuration (Reflector) and pool listing decision (USTRY as co...
- causal · Makina Finance · 2026-01-20 · $4M · Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain · In audit scope? No — the Dialectic Curve pool integration was deployed in late October 2025, after all audits completed; oracle manipulation explicitly list... · Direct
- causal · Aevo (formerly Ribbon Finance) · 2025-12-12 · $3M · Proxy upgrade removed oracle access control — oracle price settable to arbitrary value → vault fully drained in atomic loop · In audit scope? No — the specific oracle upgrade that removed access control was not audited
- causal · USPD · 2025-12-04 · $1M · CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain · In audit scope? No — the CPIMP attack targeted the deployment procedure, not the audited contract logic; audited implementation was the decoy
- related · Balancer V2 (Composable Stable Pools) · 2025-11-03 · $128M · `_upscale()` rounding-down compounded across 65+ micro-swaps · Composable Stable Pools were within audit scope but verified properties did not constrain batch-rounding behavior
- causal · Abracadabra Money (3rd incident — abracadabra-rekt3) · 2025-10-04 · $2M · Deprecated cauldron security flag bypass — cook() action ordering resets solvency check flag → uncollateralized MIM borrow · In audit scope? No — deprecated contracts explicitly excluded from any recent audit scope
- related · GMX V1 · 2025-07-09 · Cross-Contract Reentrancy via Order-Keeper Callback · In audit scope? No — keeper callbacks, globalShortAveragePrices logic, and AUM circular dependency were all post-audit additions or changes · Direct
- causal · AlexLab (Bitcoin DeFi / Stacks) · 2025-06-06 · $16M · Vault permission hijack via malicious token self-listing; `as-contract` context abuse · In audit scope? N — the live `amm-vault-v2-01` that was drained was explicitly outside the May 2025 audit scope · Direct
- causal · Cork Protocol · 2025-05-28 · $12M · Fake token injection → exchange rate manipulation via unvalidated CorkHook input · In audit scope? No — CorkHook contract was explicitly out of scope for at least Sherlock, Runtime Verification, and Quantstamp. Sherlock confirmed: "The e... · Direct
- causal · Zunami Protocol · 2025-05-14 · $500K · Admin key compromise → withdrawStuckToken() drain of LP collateral · In audit scope? No — withdrawStuckToken() admin privilege and centralized key management were operational/governance risk, not a code vulnerability in audit...
- causal · KiloEx · 2025-04-14 · $7M · Missing signature verification in MinimalForwarder → unvalidated oracle price update → multi-chain drain · In audit scope? No — ScaleBit confirmed root cause was outside their scope · Direct
- causal · Clober DEX · 2024-12-10 · $500K · Reentrancy (Post-Audit Code Change) · In audit scope? No — the reentrancy was introduced in a post-audit code addition not covered by Trust Security's audit; Kupia flagged concerns about malicio...
- causal · Polter Finance · 2024-11-16 · $9M · Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow · In audit scope? N/A — no audit performed
- causal · Bedrock (uniBTC vault) · 2024-09-25 · $2M · Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint) · In audit scope? No — unaudited upgrade
- causal · Penpie · 2024-09-03 · $27M · Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · Direct
- causal · Unnamed Crypto Whale (Maker DSProxy vault) · 2024-08-20 · $55M · Phishing → EOA compromise → DSProxy ownership transfer → DAI vault drain · In audit scope? N/A — the exploit is off-chain phishing; no code bug
- causal · Ronin Network (Bridge) · 2024-08-06 · $12M · Uninitialized Variable in Contract Upgrade (initializeV3 Skipped) · In audit scope? No — the specific initializeV3-skip appears to have been a deployment error, not a code-level flaw; the new implementation (MainchainGateway...
- causal · LiFi Protocol (Jumper Exchange) · 2024-07-16 · $10M · Call Injection via Unvalidated Swap Function · In audit scope? No — new facet was not audited
- causal · Sonne Finance · 2024-05-14 · $20M · Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · Direct
- causal · Pike Finance · 2024-04-26 · $2M · Storage Layout Collision → Unauthorized Proxy Upgrade / Ownership Takeover · In audit scope? No — emergency patch introduced the bug; original audit did not cover post-patch code
- causal · Hedgey Finance · 2024-04-19 · $45M · Unverified User Input — Flash Loan Enabled Approval Manipulation · In audit scope? No — vulnerable `createLockedCampaign()` function deployed after the audit · Direct
- causal · PrismaFi · 2024-03-28 · $12M · Flash Loan + Missing Input Validation (Migration Helper) · In audit scope? No — MigrateTroveZap was a recently deployed helper contract; unclear if it was in any audit scope; likely deployed after last audit
- causal · Unizen · 2024-03-08 · $2M · Unvalidated external call in upgraded DEX Aggregation contract — approval drain · In audit scope? No — the upgrade that introduced the vulnerability was not audited
- causal · Ionic Money (formerly Midas) · 2024-02-04 · $7M · Fake Collateral Listing (Social Engineering → On-chain Exploit) · In audit scope? No — the exploit was via social engineering to whitelist fake collateral; the smart contract code itself was not bugged
- causal · Socket (Bungee Bridge) · 2024-01-16 · $3M · Unvalidated user input in new route — transferFrom injection via approval drain · Direct
- causal · KyberSwap Elastic · 2023-11-22 · $48M · Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · Direct
- causal · Stars Arena · 2023-10-07 · $3M · Reentrancy · In audit scope? N/A — no audit existed
- related · Balancer V2 (+ Beethoven X fork) · 2023-08-27 · $2M · Linear pool rounding-down logic → cached rate manipulation → boosted pool drain · In audit scope? No — Boosted Pools and Linear Pools explicitly out of scope for all linked audit reports · Direct
- causal · Exactly Protocol · 2023-08-18 · $7M · Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy · Direct
- causal · Zunami Protocol · 2023-08-13 · $2M · Flash loan + SDT token swap → totalHoldings price calculation manipulation → zETH/UZD LP price manipulation → drain · In audit scope? No — MimCurveStakeDAO strategy added after audit; totalHoldings() price manipulation not in reviewed scope
- causal · DeFiLabs · 2023-07-27 · $2M · Backdoor Function in Staking Contract (Insider Rug Pull) · In audit scope? N — vPoolv6 was not in scope for either Certik or Cyberscope, despite being the active user-facing contract
- causal · Conic Finance · 2023-07-21 · $4M · Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool · In audit scope? No — CurveLPOracleV2 was not part of the audit scope · Direct
- causal · Sturdy Finance · 2023-06-12 · $800K · Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain · In audit scope? N — the vulnerable LendingPool contract version was outside all three audit scopes · Direct
- causal · Level Finance · 2023-05-01 · $1M · Logic bug — referral reward claimMultiple() epoch not checked for reuse · In audit scope? No — the vulnerable implementation was introduced in a post-audit proxy upgrade not committed to the public repo
- causal · Merlin DEX · 2023-04-25 · $2M · Insider rug — max approval drain via privileged Feeto address · Direct
- causal · Yearn Finance (iearn yUSDT) · 2023-04-13 · $10M · Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted · In audit scope? No — yUSDT was not audited
- causal · Kokomo Finance · 2023-03-26 · $4M · Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · In audit scope? No — the lending/vault contracts were not audited
- causal · BonqDAO · 2023-02-01 · $120M · Oracle Manipulation (Tellor Price Feed — Instant Value) · In audit scope? No — the attacked oracle contracts (TellorPriceFeed etc.) were added post-audit and were explicitly out of scope
- causal · Ankr (aBNBc) + Helio Money (HAY stablecoin) · 2022-12-02 · $5M · Deployer private key compromise → malicious aBNBc contract upgrade → permissionless infinite mint → PancakeSwap pool drain + Helio collateral collapse · In audit scope? No — deployer key compromise is an operational security failure, not a code vulnerability
- causal · Moola Markets · 2022-10-19 · $8M · Price Manipulation (Native Token Collateral) · In audit scope? N/A — no smart contract bug; protocol-design risk
- causal · Mango Markets · 2022-10-11 · $115M · Self-funded MNGO spot price pump using two accounts → inflated unrealized collateral → lending pool drain · In audit scope? No — marked "Out of Scope" in rekt.news metadata; the spot price manipulation risk was not caught or addressed
- causal · TempleDAO / STAX Finance · 2022-10-11 · $2M · Missing access control in migrateStake() — unvalidated oldStaking parameter · In audit scope? No — STAX staking contract was separate from audited Temple core vaults
- related · Curve Finance (curve.fi frontend) · 2022-08-09 · $575K · DNS nameserver compromise → malicious frontend injection → approval harvesting · In audit scope? N/A — no smart contract exploited
- causal · Fei Protocol / Rari Capital (Fuse) · 2022-04-30 · $80M · Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · In audit scope? No — the specific `exitMarket()` gap was introduced after prior audits; the vulnerability had been partially patched but incompletely
- causal · Elephant Money · 2022-04-12 · $22M · Flash loan + spot price manipulation during stablecoin minting · Direct
- causal · Agave DAO + Hundred Finance (dual attack) · 2022-03-15 · $12M · ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain · In audit scope? No — the xDai token callback compatibility risk was not in audit scope
- causal · bZx (bzx.network) · 2021-11-05 · $55M · Phishing → Private Key Compromise → Smart Contract Drain · In audit scope? No — the vulnerability was operational (single EOA admin key), not a code bug
- related · Compound Finance · 2021-09-29 · $147M · Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir · Direct
- causal · JayPegs Automart (via SushiSwap MISO platform) · 2021-09-17 · $3M · Supply Chain Attack (Malicious Contractor Code Injection) · In audit scope? No — contract behaved as written; the malicious wallet address was injected, not a code bug
- causal · Cream Finance · 2021-08-30 · $19M · ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update · In audit scope? NO (partial) — Trail of Bits audited Cream's base code in January 2021. The AMP token integration was added via governance in February 202...
- causal · THORChain · 2021-07-26 · $8M · Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse · In audit scope? No
- causal · THORChain · 2021-07-16 · $5M · ETH Bifrost override loop — msg.value spoofing via wrapped router · In audit scope? No — ETH MCCN Bifrost was explicitly out of scope at time of hack
- causal · Merlin Labs (REKT 3) · 2021-06-29 · $330K · Reward Minting Manipulation (Balance Inflation) · In audit scope? No — new test vault deployed to mainnet without audit
causalStableMagnet — Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain2021-06-24 · $27M · Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain · ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — the malicious SwapUtils library was not the code submitted for audit] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — the malicious SwapUtils library was not the code submitted for audit]
causalAlchemix — Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan2021-06-16 · $5 · Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan · ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — alETH was a new feature extension; the debt accounting bug was in new, possibly unaudited code]
causalMerlin Labs (REKT 2) — Oracle Mispricing2021-05-27 · $550K · Oracle Mispricing · ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — new priceCalculator was not audited; it was an emergency patch]
causalPancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting2021-05-19 · $45M · Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N — Haechi audited the original contracts; the team upgraded to new contracts (VaultFlipToFlip) without a new audit. Haechi's post-incident ...] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N — Haechi audited the original contracts; the team upgraded to new contracts (VaultFlipToFlip) without a new audit. Haechi's post-incident ...] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
causalbEarnFi (BvaultsBank) — Logic bug — token denomination mismatch between vault and strategy layers2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
causalRari Capital — Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain2021-05-08 · $10M · Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain · ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
causalEasyFi (Easy Network) — Admin key theft via compromised machine (malicious MetaMask binary)2021-04-19 · $59M · Admin key theft via compromised machine (malicious MetaMask binary) · ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — exploit was off-chain key compromise, not a code flaw. However, the `transfer()` admin function with no timelock was in-scope risk not ...] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — exploit was off-chain key compromise, not a code flaw. However, the `transfer()` admin function with no timelock was in-scope risk not ...]
causalFurucombo — Evil Contract — Delegatecall Storage Collision2021-02-27 · $14M · Evil Contract — Delegatecall Storage Collision · ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
causalAlpha Finance / Alpha Homora V2 (leveraged yield farming) — Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
causalPickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
causalEminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle)2020-09-28 · $15M · Flash loan + bonding curve arbitrage (buy/burn/sell cycle) · ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit existed] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit existed]
rubric_version: v1.7.0 · factor: RD-F-001 · category: 1 · carried: 80 · critical: yes