defirisk.co
rubric v1.7.0

Audit count

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the count of distinct, independent audit firms whose reports cover any portion of the currently deployed bytecode. Each firm is counted once regardless of how many reports they have issued. The data source is publicly available audit PDFs, and the count is restricted to firms that reviewed code currently live on-chain -- audits of deprecated or superseded contracts do not count toward the current total.

**Why it matters** A single audit is a single opinion. Multiple independent auditors reviewing the same code have historically caught bugs that one firm missed: MonoX ($31.4M, 2021) was reviewed by both Halborn and PeckShield, yet both missed the self-swap token pricing bug. While multiple audits do not guarantee safety, a protocol with zero audits removes even the baseline gatekeeping. Unaudited protocols account for a disproportionate share of exploits in the dataset -- including Cetus ($223M, 2025), where the exploited integer-mate library was explicitly excluded from every audit's scope. Audit count serves as a floor signal for the minimum diligence applied to a protocol's code.

**Green / Yellow / Red** Green: two or more independent audit firms have reviewed the currently deployed code, covering the primary contracts holding user funds. Yellow: exactly one audit exists covering the deployed code, with no independent second opinion. Red: no audit by any firm covers the currently deployed code, including the primary contracts holding user funds.

**Common gray cases** Curators cannot grade this factor when audit PDFs are not publicly available and the protocol cannot confirm audit provenance, or when the protocol claims private audits but refuses to disclose them.

**Notable historical examples**
- **Compound Finance** ($147M, 2021): Exploited code in the Proposal 62 upgrade was unaudited regardless of the protocol's overall audit history.
- **Cetus Protocol** ($223M, 2025): The integer-mate library was explicitly out of scope for all audits; audit count = 0 for the exploited surface.
- **Nomad Bridge** ($190M, 2022): The specific initialisation parameter vulnerability was in an unaudited upgrade.
- **BNB Bridge** ($586M, 2022): The exploited flaw was in code without specific audit coverage.
- **Fei/Rari Fuse** ($80M, 2022): Vulnerability was in code modified after the last audit.

Measurement: what to look for

Count the number of distinct audit firms whose reports cover any portion of the currently-deployed bytecode.

Data & output

**Data source** Auditor firm report index pages + protocol docs security section + GitHub repo (audits/ directory)

**Output format** Green / Yellow / Red

**Evidence artifact** List of audit firm slugs + report PDF URLs + SHA-256 per PDF

**Confidence signal** green = ≥2 distinct firms; yellow = 1 firm; red = 0 audits; gray = no verifiable audit record found
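The scoring rule from the Methodology section and the evidence artifact above, carried through as an added example (this is not defirisk.co's curator tooling). Contract identifiers, firm slugs, URLs and report bytes are constructed; the scope model (a report lists which contracts it reviewed) and the treatment of undisclosed private audits as gray are assumptions, not rubric text.

```python
"""Scoring helper for the Audit count factor (RD-F-004).

Added example: contract identifiers, firm slugs and report bytes below are
constructed; the scope model (a report lists which contracts it reviewed) and
the handling of unverifiable audit claims are assumptions, not rubric text.
"""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AuditReport:
    firm: str                   # audit firm slug; one slug per firm, however many reports it issued
    pdf_url: str                # public URL of the report PDF; "" when the protocol only claims a private audit
    pdf_bytes: Optional[bytes]  # retrieved PDF content; None when the report is not publicly available
    scope: FrozenSet[str]       # contracts / modules the report actually reviewed

    @property
    def verifiable(self) -> bool:
        """A report counts only if a curator can fetch and hash the PDF."""
        return bool(self.pdf_url) and self.pdf_bytes is not None


def covering_reports(reports: Iterable[AuditReport], deployed: Set[str]) -> List[AuditReport]:
    """Verifiable reports whose scope touches currently deployed code.

    Reports that only cover deprecated or superseded contracts are dropped,
    matching the rubric: they do not count toward the current total.
    """
    return [r for r in reports if r.verifiable and r.scope & deployed]


def audit_count(reports: Iterable[AuditReport], deployed: Set[str]) -> int:
    """Distinct firms with at least one covering report (each firm counted once)."""
    return len({r.firm for r in covering_reports(reports, deployed)})


def audit_count_for(reports: Iterable[AuditReport], deployed: Set[str], surface: str) -> int:
    """Per-surface audit count: distinct firms whose scope includes one deployed contract.

    This is the view behind the Cetus note: a library every auditor excluded
    from scope has an audit count of 0 even when the protocol as a whole is
    well audited.
    """
    if surface not in deployed:
        raise ValueError(f"{surface!r} is not currently deployed")
    return len({r.firm for r in covering_reports(reports, deployed) if surface in r.scope})


def grade(reports: Iterable[AuditReport], deployed: Set[str], primary: Set[str]) -> str:
    """Green / yellow / red / gray per the v1.7.0 thresholds.

    gray: audits are claimed but no PDF can be obtained, so provenance cannot
    be confirmed (assumption: that is the only gray trigger modelled here).
    """
    reports = list(reports)
    covering = covering_reports(reports, deployed)
    firms = {r.firm for r in covering}
    if not firms:
        claimed_but_unverifiable = any(not r.verifiable for r in reports)
        return "gray" if claimed_but_unverifiable else "red"
    covered = set().union(*(r.scope for r in covering))
    primary_gap = set(primary) - covered
    if len(firms) >= 2 and not primary_gap:
        return "green"
    # Exactly one firm, or two-plus firms none of which reviewed a primary
    # fund-holding contract (assumption: treated as yellow, no second opinion
    # on the contracts that matter).
    return "yellow"


def evidence_artifact(reports: Iterable[AuditReport], deployed: Set[str]) -> List[dict]:
    """The evidence the rubric asks curators to record: firm slug, PDF URL, SHA-256 per PDF."""
    return [
        {"firm": r.firm, "pdf_url": r.pdf_url, "sha256": hashlib.sha256(r.pdf_bytes).hexdigest()}
        for r in covering_reports(reports, deployed)
    ]


# Constructed sample: a protocol with a core pool, a fund-holding vault and a
# math library, plus one deprecated vault that is no longer deployed.
DEPLOYED = {"Pool", "Vault", "integer-mate"}
PRIMARY = {"Vault"}
SAMPLE_REPORTS = [
    AuditReport("firm-a", "https://example.invalid/a-2024.pdf", b"constructed report A", frozenset({"Pool", "Vault"})),
    AuditReport("firm-a", "https://example.invalid/a-2025.pdf", b"constructed report A2", frozenset({"Pool"})),
    AuditReport("firm-b", "https://example.invalid/b.pdf", b"constructed report B", frozenset({"Pool"})),
    AuditReport("firm-c", "https://example.invalid/c.pdf", b"constructed report C", frozenset({"OldVault"})),
]
# A claimed private audit with no public PDF: cannot be verified, so never counted.
PRIVATE_ONLY = AuditReport("firm-d", "", None, frozenset({"Vault"}))


if __name__ == "__main__":
    print("audit count:", audit_count(SAMPLE_REPORTS, DEPLOYED))                       # 2: firm-a once, firm-b; firm-c covers nothing deployed
    print("integer-mate:", audit_count_for(SAMPLE_REPORTS, DEPLOYED, "integer-mate"))  # 0: outside every scope
    print("grade:", grade(SAMPLE_REPORTS, DEPLOYED, PRIMARY))                          # green
    print("private only:", grade([PRIVATE_ONLY], DEPLOYED, PRIMARY))                   # gray
    for row in evidence_artifact(SAMPLE_REPORTS, DEPLOYED):
        print(row)
```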

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-004 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | red |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | green |

Linked hacks: 112 historical incidents

Each entry: link type (causal or related) · protocol · date · loss · root cause · audit-coverage note.

- causal: Kelp DAO (rsETH liquid restaking) · 2026-04-18 · $292M · Forged cross-chain message via LayerZero EndpointV2 lzReceive — exploitation of 1/1 DVN (single-validator) configuration · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited or out-of-scope code (bridge contracts excluded from bug bounty; audit coverage of lzReceive configuration unconfirmed)]
- causal: Dango (custom-L1 perpetual DEX; Grug engine on Tendermint) · 2026-04-13 · $2M · Missing sign/positivity check on `donate()` input in the insurance-fund contract — negative value reversed accounting direction · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Presumed unaudited (no public audit on record)]
- causal: Solv Protocol (BRO vault) · 2026-03-05 · $3M · ERC-3525 Callback Reentrancy — Double Mint (onERC721Received fires before state update) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (BRO vault never in any audit scope)]
- causal: Moonwell · 2026-02-15 · $2M · Oracle Misconfiguration (Missing ETH/USD Multiplier) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited configuration (governance parameter)]
- causal: Truebit · 2026-01-08 · $26M · Integer Overflow in Unverified Bytecode / Bonding Curve Exploit · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: TMXTribe · 2026-01-05 · $1M · Logic Bug — Mint/Stake/Swap Loop · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: GANA Payment · 2025-11-20 · $3M · Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — no audit; off-chain key compromise as root cause]
- causal: Abracadabra Money (3rd incident — abracadabra-rekt3) · 2025-10-04 · $2M · Deprecated cauldron security flag bypass — cook() action ordering resets solvency check flag → uncollateralized MIM borrow · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited state — deprecated contracts with no audit since Nov 2023]
- causal: New Gold Protocol (NGP) · 2025-09-17 · $2M · Flash loan + spot price oracle manipulation + broken transfer logic (dead address bypass of buy limits) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — two independent elementary vulnerabilities]
- related: GMX V1 · 2025-07-09 · Cross-Contract Reentrancy via Order-Keeper Callback · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited post-audit code; bug introduced by a security patch in 2022]
- causal: AlexLab (Bitcoin DeFi / Stacks) · 2025-06-06 · $16M · Vault permission hijack via malicious token self-listing; `as-contract` context abuse · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code — exploited contract was not in audit scope]
- causal: Cork Protocol · 2025-05-28 · $12M · Fake token injection → exchange rate manipulation via unvalidated CorkHook input · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (CorkHook was out of scope for all known auditors)]
- causal: Cetus Protocol · 2025-05-22 · $223M · Integer Overflow / Division-by-Near-Zero in Concentrated Liquidity Math · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — Zellic explicitly stated the `integer-mate` library was out of scope for their April 2025 audit. MoveIT and Otter audited 2 ye...]
- causal: MobiusDAO · 2025-05-11 · $2M · Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — elementary double-multiplication bug]
- causal: LNDFi (LND.fi) · 2025-05-09 · $1M · Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; backdoor injected at development stage]
- causal: KiloEx · 2025-04-14 · $7M · Missing signature verification in MinimalForwarder → unvalidated oracle price update → multi-chain drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (out of scope for all 5 audits)]
- causal: The Idols NFT · 2025-01-14 · $324K · Self-Transfer Reward Loop (Logic Bug in Token Transfer Hook) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited (if Tikkala Security did audit) or unaudited (if they were only the detector) — unclear]
- causal: Orange Finance · 2025-01-07 · $844K · Admin private key compromise → proxy upgrade → privileged drain of LP vault positions · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: Clober DEX · 2024-12-10 · $500K · Reentrancy (Post-Audit Code Change) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit addition)]
- causal: Polter Finance · 2024-11-16 · $9M · Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: Bedrock (uniBTC vault) · 2024-09-25 · $2M · Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited post-upgrade code]
- causal: Griffin AI ($GAIN token) · 2024-09-24 · $3M · Fake LayerZero Peer Initialization (Cross-Chain Minting Exploit) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; LayerZero OFT peer configuration misconfiguration]
- causal: Banana Gun · 2024-09-19 · $3M · Telegram Message Oracle Vulnerability · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (off-chain component)]
- causal: Penpie · 2024-09-03 · $27M · Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit feature addition)]
- causal: Astroport (on Terra Phoenix chain) · 2024-07-30 · $6M · IBC hooks reentrancy — reintroduced known vulnerability in June upgrade after April patch; timeout callback re-enters token minting · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Chain infrastructure (unaudited per-upgrade)]
- causal: LiFi Protocol (Jumper Exchange) · 2024-07-16 · $10M · Call Injection via Unvalidated Swap Function · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited new code]
- causal: Pike Finance · 2024-04-26 · $2M · Storage Layout Collision → Unauthorized Proxy Upgrade / Ownership Takeover · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (emergency patch)]
- causal: Hedgey Finance · 2024-04-19 · $45M · Unverified User Input — Flash Loan Enabled Approval Manipulation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit code addition)]
- causal: Grand Base · 2024-04-15 · $2M · Deployer wallet private key leak → unauthorized token minting → dump · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code; root cause is key management failure not a code bug]
- causal: PrismaFi · 2024-03-28 · $12M · Flash Loan + Missing Input Validation (Migration Helper) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (newly deployed migration helper)]
- causal: Munchables · 2024-03-26 · $63M · Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (unverified implementation)]
- causal: Unizen · 2024-03-08 · $2M · Unvalidated external call in upgraded DEX Aggregation contract — approval drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (the upgrade)]
- causal: Socket (Bungee Bridge) · 2024-01-16 · $3M · Unvalidated user input in new route — transferFrom injection via approval drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — post-audit route addition]
- causal: Yearn Finance (legacy iearn TUSD V1 vault — deployed 2020) · 2023-12-16 · $293K · Flash loan → misconfigured vault (TUSD vault tracking iSUSD/sUSD strategy) → share accounting inflation → Curve yPool drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited at time of exploit; legacy configuration error never caught]
- causal: Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool) · 2023-11-30 · $9M · Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited-at-time-of-exploit (audits were historical; no ongoing review of this abandoned pool)]
- causal: Anonymous MEV Sandwich Bot (on-chain MEV contract) · 2023-11-07 · $2M · Unprotected public swap function → sandwich attack via Curve WETH/WBTC pool — $50M flash loan · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — proprietary bot contract]
- causal: Unibot · 2023-10-31 · $640K · Unvalidated arbitrary call in new router — transferFrom injection via approval drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
- causal: Platypus Finance (3rd exploit) · 2023-10-12 · $2M · Flash loan + LP-AVAX pool cash/liability manipulation → slippage-inflated swap output · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit deployment)]
- causal: Stars Arena · 2023-10-07 · $3M · Reentrancy · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- related: Balancer V2 (+ Beethoven X fork) · 2023-08-27 · $2M · Linear pool rounding-down logic → cached rate manipulation → boosted pool drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (Boosted Pools explicitly out of scope)]
- causal: Exactly Protocol · 2023-08-18 · $7M · Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited periphery code]
- causal: RocketSwap · 2023-08-14 · $869K · Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — root cause is key management and proxy permission architecture]
- causal: Zunami Protocol · 2023-08-13 · $2M · Flash loan + SDT token swap → totalHoldings price calculation manipulation → zETH/UZD LP price manipulation → drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit strategy addition)]
- related: Curve Finance (multiple pools) + JPEG'd, Alchemix, Metronome · 2023-07-30 · $69M · Compiler-Level Reentrancy Guard Failure (Vyper 0.2.15–0.3.0 Bug) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — compiler-level; no audit reviews compiler correctness]
- causal: DeFiLabs · 2023-07-27 · $2M · Backdoor Function in Staking Contract (Insider Rug Pull) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — vPoolv6 not in audit scope]
- causal: EraLend (formerly Nexon Finance) · 2023-07-25 · $3M · Read-Only Reentrancy (SyncSwap LP Callback — Stale Reserves Oracle) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Effectively unaudited — oracle mechanism explicitly excluded from audit scope]
- causal: Conic Finance · 2023-07-21 · $4M · Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (new contract out of scope); audit had flagged the same class of bug in a different contract]
- causal: Jimbo's Protocol · 2023-05-28 · $8M · Flash loan + missing slippage control in rebalancing function → liquidity drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — no audit existed]
- causal: Swaprum · 2023-05-18 · $3M · Rug Pull via Malicious Contract Upgrade · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (malicious upgrade); structural risk in audited (upgradeable contract owned by team)]
- causal: Deus DAO / DEI stablecoin · 2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unknown — likely unaudited for the specific upgrade]
- causal: Yearn Finance (iearn yUSDT) · 2023-04-13 · $10M · Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (yUSDT specifically) — copy/paste error at deployment]
- causal: Safemoon · 2023-03-28 · $9M · Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the upgrade was not reviewed]
- causal: Kokomo Finance · 2023-03-26 · $4M · Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited lending contracts]
- causal: Dexible · 2023-02-17 · $2M · Unvalidated router — selfSwap() transferFrom injection via approval drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
- causal: Platypus Finance · 2023-02-16 · $9M · Flash loan + emergencyWithdraw() solvency check bypass — collateral withdrawal without repaying borrowed USP · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: Orion Protocol · 2023-02-02 · $3M · Fake token reentrancy — depositAsset() double-credit via ATK token transfer hook · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: BonqDAO · 2023-02-01 · $120M · Oracle Manipulation (Tellor Price Feed — Instant Value) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit oracle contracts)]
- causal: Midas Capital · 2023-01-15 · $660K · Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited new collateral integration; the read-only reentrancy risk was known from market.xyz (Oct 2022)]
- related: Raydium · 2022-12-16 · $4M · Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (no public audit) — root cause is key management failure, not code bug]
- causal: Lodestar Finance · 2022-12-10 · $7M · Oracle Price Manipulation (LP Token Donation) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited custom oracle code]
- causal: Skyward Finance · 2022-11-03 · $3M · Missing Parameter Validation — Redemption Loop (redeem_skyward) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unknown (likely unaudited)]
- causal: TempleDAO / STAX Finance · 2022-10-11 · $2M · Missing access control in migrateStake() — unvalidated oldStaking parameter · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (STAX staking contract)]
- causal: BNB Bridge / BSC Token Hub · 2022-10-06 · $586M · Forged Cryptographic Proof / IAVL Verification Bypass · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited for this specific flaw]
- causal: Sovryn · 2022-10-04 · $1M · External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: Transit Swap · 2022-10-01 · $21M · Controllable transferFrom() in unverified (closed-source) swap contract — approval drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — contracts were not even verified on-chain]
- causal: 0xbad MEV Bot (on-chain MEV arbitrage contract) · 2022-09-27 · $2M · Unprotected flashloan callback — arbitrary execution via callFunction → WETH approval exploit · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — proprietary bot contract]
- causal: Nomad Bridge · 2022-08-02 · $190M · Initialisation Error — Zero-Address Trusted Root (Merkle Proof Bypass) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited upgrade (initialisation parameter)]
- causal: Nirvana Finance · 2022-07-28 · $4M · Flash Loan + AMM Price Manipulation (Treasury Drain) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unknown — likely unaudited given "automatic audit" claim]
- causal: Inverse Finance · 2022-06-16 · $6M · Oracle Price Manipulation (Flash Loan) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited oracle addition]
- causal: Gym Network (GymNet) · 2022-06-10 · $2M · Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (post-audit addition)]
- causal: Fei Protocol / Rari Capital (Fuse) · 2022-04-30 · $80M · Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited version of patched code; vulnerability re-introduced in a developer commit to forked Compound code]
- causal: Elephant Money · 2022-04-12 · $22M · Flash loan + spot price manipulation during stablecoin minting · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Mixed: vulnerability identified in audit but unaddressed; drained treasury was unaudited]
- causal: Inverse Finance · 2022-04-02 · $16M · SushiSwap TWAP Oracle Manipulation — Thin Liquidity Governance Token · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: Voltage Finance / Ola Finance · 2022-03-31 · $4M · ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited for ERC677 compatibility; inherited Compound fork risk]
- causal: Cashio · 2022-03-23 · $48M · Infinite mint via incomplete collateral validation — fake account chain bypasses all verification · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
- causal: Deus DAO (1st incident) · 2022-03-15 · $3M · Flash loan → spot price manipulation of Solidex USDC/DEI AMM pool (used as oracle) → user positions liquidated · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- causal: Deus DAO (DEI lending contract) · 2022-03-15 · $3M · Flash loan oracle manipulation via Solidly AMM pool → user position liquidation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited newly deployed contract]
- causal: Meter (Passport Bridge) · 2022-02-05 · $8M · Deposit method calldata bypass — unwrapped native token assumption not enforced in secondary deposit path · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (the Meter-specific ERC20 Handler modification)]
causalVisor Finance — Vulnerable require() in vVISR deposit() — self-referential ownership bypass → unlimited share minting2021-12-22 · $8M · Vulnerable require() in vVISR deposit() — self-referential ownership bypass → unlimited share minting · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
causalGrim Finance — Reentrancy2021-12-18 · $30M · Reentrancy · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalBrincFi — Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade2021-12-14 · $1M · Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; insider-introduced backdoor]
causal8ight Finance — Admin key compromise — private key shared via Facebook chat and Google Drive → treasury drain2021-12-07 · $2M · Admin key compromise — private key shared via Facebook chat and Google Drive → treasury drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalSnowdog (SnowdogDAO) — Insider front-running — privileged challengeKey knowledge + custom AMM sniping2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — custom Snowswap AMM with challengeKey]
causalIndexed Finance — Flash Loan — Rebalancing Delay Pool Oracle Manipulation2021-10-14 · $16M · Flash Loan — Rebalancing Delay Pool Oracle Manipulation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
relatedCompound Finance — Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir2021-09-29 · $147M · Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited upgrade (new governance proposal code)]
causalDAO Maker — Reinitializable init() function + emergencyExit() drain on token vesting contracts2021-09-04 · $4M · Reinitializable init() function + emergencyExit() drain on token vesting contracts · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Disputed; likely unaudited or audit scope did not cover the specific vesting contracts]
causalCream Finance — ERC-777 Reentrancy (Token Integration Vulnerability)2021-08-30 · $19M · ERC-777 Reentrancy (Token Integration Vulnerability) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the AMP token integration (ERC-777 callback) was added post-audit]
causalPunk Protocol — Unprotected initialize() — delegateCall Forge Address Override2021-08-10 · $9M · Unprotected initialize() — delegateCall Forge Address Override · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unknown (likely unaudited — no audit mentioned)]
causalPopsicle Finance (Sorbetto Fragola) — Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint2021-08-04 · $20M · Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unknown — likely unaudited or audit missed known bug class]
causalTHORChain — Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse2021-07-26 · $8M · Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
causalTHORChain — ETH Bifrost override loop — msg.value spoofing via wrapped router2021-07-16 · $5M · ETH Bifrost override loop — msg.value spoofing via wrapped router · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (ETH MCCN Bifrost)]
causalChainSwap — Auth bypass in Factory minting contract — sloppy signature check bypassed with fresh addresses2021-07-11 · $4M · Auth bypass in Factory minting contract — sloppy signature check bypassed with fresh addresses · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited / inadequate review]
causalAnySwap (Multichain) V3 — ECDSA repeated k-value (same R signature) → MPC private key back-calculation2021-07-10 · $8M · ECDSA repeated k-value (same R signature) → MPC private key back-calculation · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (V3); off-chain MPCNode software]
causalMerlin Labs (REKT 3) — Reward Minting Manipulation (Balance Inflation)2021-06-29 · $330K · Reward Minting Manipulation (Balance Inflation) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (new test vault)]
causalSafeDollar — Infinite Mint via Fee-on-Transfer Reward Accounting Bug2021-06-28 · $248K · Infinite Mint via Fee-on-Transfer Reward Accounting Bug · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalStableMagnet — Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain2021-06-24 · $27M · Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (deployed library differed from audited source)]
causalAlchemix — Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan2021-06-16 · $5 · Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: New feature code — likely unaudited or insufficiently reviewed]
causalEleven Finance (11) — emergencyBurn() missing balance accounting — ghost withdrawal double-spend2021-06-14 · $5M · emergencyBurn() missing balance accounting — ghost withdrawal double-spend · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalLevyathan Finance — Exposed Private Key + Minting + emergencyWithdraw Bug2021-06-01 · $2M · Exposed Private Key + Minting + emergencyWithdraw Bug · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalAutoShark Finance — Flash loan + SharkMinter balance spoofing → excess native token minting2021-06-01 · $745K · Flash loan + SharkMinter balance spoofing → excess native token minting · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalBurgerSwap — Reentrancy via non-standard BEP-20 + missing x*y=k invariant check2021-05-28 · $7M · Reentrancy via non-standard BEP-20 + missing x*y=k invariant check · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalMerlin Labs (REKT 2) — Oracle Mispricing2021-05-27 · $550K · Oracle Mispricing · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-hack patch)]
causalPancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting2021-05-19 · $45M · Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the exploited vault code was a post-audit upgrade]
causalbEarnFi (BvaultsBank) — Logic bug — token denomination mismatch between vault and strategy layers2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
causalUranium Finance — Math bug — constant product formula check broken by inconsistent parameter change (1000→10000)2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — no audit performed]
causalCover Protocol (formerly SAFE / SAFE2) — Infinite Mint — Blacksmith Farming Contract Withdrawal Bug2020-12-28 · $9M · Infinite Mint — Blacksmith Farming Contract Withdrawal Bug · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Appears unaudited or newly deployed code path]
causalWarp Finance — Flash loan + Uniswap V2 LP token spot oracle manipulation → inflated collateral → over-borrow drain2020-12-17 · $8M · Flash loan + Uniswap V2 LP token spot oracle manipulation → inflated collateral → over-borrow drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalCompounder Finance — Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)2020-12-02 · $12M · Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the malicious strategies were added after audit completion]
causalPickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — `controller-v4.sol` was not in scope of either audit]
causalValue DeFi — Flash loan + Curve spot price oracle manipulation → inflated collateral → over-borrow drain2020-11-14 · $7M · Flash loan + Curve spot price oracle manipulation → inflated collateral → over-borrow drain · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
causalCheese Bank — Flash loan + Uniswap LP spot oracle manipulation → inflated collateral value → drain via borrow()2020-11-06 · $3M · Flash loan + Uniswap LP spot oracle manipulation → inflated collateral value → drain via borrow() · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (likely)]
causalEminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle)2020-09-28 · $15M · Flash loan + bonding curve arbitrage (buy/burn/sell cycle) · Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; vulnerability is inherent to the bonding curve design (circular token mechanics exploitable via flash loans)]
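The evidence column keeps reporting an audit count of 0 for the exploited surface even where a protocol had audit reports, because the exploited file was out of scope, was changed after the audit, or never matched the audited source. The check below is an added example for this page, not defirisk.co's scoring code: it counts distinct firms whose report covers code that is actually live (file in scope, same revision as the verified bytecode, report not superseded) and reports that count per file beside the headline count. The `AuditReport` and `DeployedContract` records, the revision labels and the reading of the Green/Yellow/Red thresholds (every fund-holding contract must be covered by at least one counted firm for Green) are assumptions made for the example.

```python
"""Audit-count floor check for a DeFi deployment.

Added example for this rubric page, not defirisk.co's own scoring code.
AuditReport, DeployedContract, the Green/Yellow/Red mapping and the sample
records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AuditReport:
    firm: str
    commit: str                   # source revision the firm reviewed
    in_scope: frozenset           # source files the report names as in scope
    superseded: bool = False      # report only covers contracts no longer live


@dataclass(frozen=True)
class DeployedContract:
    source_file: str
    source_commit: Optional[str]  # revision the verified on-chain bytecode was built from; None if unverified
    holds_user_funds: bool = False


def firms_covering(contract: DeployedContract, reports: Iterable[AuditReport]) -> set:
    """Firms whose report actually covers this live contract.

    A report counts only if it names the file in scope, reviewed the same
    revision the live bytecode was built from (a post-audit change or an
    unverified deployment breaks the match), and has not been superseded.
    """
    return {
        r.firm
        for r in reports
        if not r.superseded
        and contract.source_file in r.in_scope
        and contract.source_commit is not None
        and r.commit == contract.source_commit
    }


def surface_counts(deployment, reports) -> dict:
    """Per-file audit count: the figure the table above reports for the exploited surface."""
    return {c.source_file: len(firms_covering(c, reports)) for c in deployment}


def audit_count(deployment, reports) -> int:
    """Rubric count: distinct firms covering any portion of live code, each counted once."""
    firms = set()
    for c in deployment:
        firms |= firms_covering(c, reports)
    return len(firms)


def grade(deployment, reports) -> str:
    """Green/Yellow/Red from the rubric thresholds.

    Assumed reading of "covering the primary contracts holding user funds":
    every fund-holding contract must be covered by at least one counted firm.
    """
    total = audit_count(deployment, reports)
    funds_covered = all(firms_covering(c, reports) for c in deployment if c.holds_user_funds)
    if total >= 2 and funds_covered:
        return "Green"
    if total >= 1:
        return "Yellow"
    return "Red"


# Constructed sample, not a real protocol: two current reports, one stale one,
# and a deployment where the headline count hides uncovered contracts.
REPORTS = (
    AuditReport("FirmA", "rev1", frozenset({"Vault.sol", "Strategy.sol"})),
    AuditReport("FirmB", "rev1", frozenset({"Vault.sol"})),
    AuditReport("FirmC", "rev0", frozenset({"VaultV1.sol"}), superseded=True),
)
DEPLOYMENT = (
    DeployedContract("Vault.sol", "rev1", holds_user_funds=True),
    DeployedContract("Strategy.sol", "rev2"),     # changed after both audits
    DeployedContract("Controller.sol", "rev1"),   # never in any report's scope
    DeployedContract("SwapLib.sol", None),        # live bytecode not verified against any source
)

if __name__ == "__main__":
    print("headline audit count:", audit_count(DEPLOYMENT, REPORTS))   # 2
    print("grade:", grade(DEPLOYMENT, REPORTS))                         # Green
    for f, n in surface_counts(DEPLOYMENT, REPORTS).items():
        print(f"  {f:16} covered by {n} firm(s)")
```

The sample grades Green on the headline count (two firms cover the vault) while three of the four live files have a surface count of 0, which is the pattern the rows above record: a curator who only counts PDFs would miss it, so the per-file count is the one to check against whatever code an incident actually touched.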
rubric_version: v1.7.0 · factor: RD-F-004 · category: 1 · carried: 80 · critical: no