defirisk.co
rubric v1.7.0

Ignored bounty disclosure

A code & audits factor in the v1.7.0 rubric. Measured per protocol on an episodic cadence: it is re-scored when new evidence (a post-mortem, an audit report, a public disclosure thread) emerges, not on a fixed schedule.

Methodology: how we score

**What this measures** This factor captures post-mortem evidence that a disclosed vulnerability was reported to the protocol team -- whether through the bug bounty channel, a security researcher DM, an audit finding, or a public forum post -- and was not actioned before an exploit occurred. The data source is post-mortem text, audit reports, and OSINT. This factor is episodic: it fires when evidence emerges rather than on a continuous schedule.

**Why it matters** A disclosed but unactioned vulnerability is strictly worse than an undiscovered one: the team has been informed, the risk window is open, and the protocol continues to accept user funds without mitigating a known risk. Elephant Money ($22.2M, 2022) is the sharpest example in the dataset: Solidity Finance's audit identified the flash-loan price manipulation vulnerability, but its severity was not adequately communicated to the team; the attack vector stayed open and was exploited. The same disclosed-but-unactioned pattern is documented in Atomic Wallet (Least Authority findings from 2021 went unaddressed until the 2023 exploit). MonoX (two independent auditors missed the self-swap bug) is the adjacent case this factor also tracks: the bug was never disclosed, so there was nothing for the team to action, but the review pipeline failed all the same. Audit quality and bounty programs are both undermined when the disclosure-to-action pipeline breaks down.

**Green / Yellow / Red** Green: no evidence of unactioned disclosures in the protocol's public history; every known prior disclosure has a documented on-chain or commit-level resolution delivered within the 30-day window. Yellow: a disclosure exists in the record and was actioned before any exploit, but only after the 30-day window, and the fix is documented in a post-mortem or commit. Red: the post-mortem or public record shows a disclosed vulnerability that was still unaddressed when an exploit occurred, that remains unaddressed more than 30 days after it was reported, or that was dismissed without a documented rationale. The worst disclosure on record sets the colour; a later clean disclosure does not offset an earlier ignored one.

**Common gray cases** This factor is gray by default for most protocols: ignored disclosures surface only through post-mortems, so a protocol with no incident history gives curators nothing to assess, and curators cannot score what has not been publicly documented. Gray therefore means "no evidence either way", not "clean".

**Notable historical examples**
- **Elephant Money** ($22.2M, 2022): Audit firm identified the flash-loan manipulation vector; the finding was not adequately communicated to or acted upon by the team.
- **Euler Finance** ($197M, 2023): Bug survived a Sherlock review; Sherlock paid a $4.5M insurance claim acknowledging the miss. The closest analog in the dataset to an ignored-disclosure outcome.
- **Atomic Wallet** ($100M est., 2023): Least Authority findings from 2021 were not addressed in the two years before the exploit.
- **MonoX** ($31.4M, 2021): Self-swap token pricing bug survived two independent audits by Halborn and PeckShield.
- **KyberSwap Elastic** ($48M, 2023): Precision failure survived two independent reviews by ChainSecurity and Sherlock.

Measurement: what to look for

Determine whether any prior post-mortem, audit report, or public thread documents a vulnerability that was disclosed to the team and not actioned before the exploit. Record the specific disclosure reference (bounty report, audit finding ID, DM, or forum post), the date the team was informed, and the date of the fix or exploit; those three dates are what separate green, yellow, and red.

Data & output

Data source: Protocol incident post-mortems (protocol docs / Mirror / Notion) + OSINT (rekt.news, GitHub security advisories)
Output format: Green / Yellow / Red
Evidence artifact: Post-mortem URL + curator note citing the specific disclosure reference + date
Confidence signal: green = no evidence of ignored disclosure; yellow = report of delayed response (>30d) but ultimately actioned before any exploit; red = post-mortem or public record confirms the disclosure was ignored pre-exploit or dismissed without documented rationale; gray = no prior incidents, cannot assess
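The colour rules and the confidence-signal mapping above, written out as a small scoring helper so the edge cases are explicit (fix landed after the exploit, fix landed late but before any exploit, disclosure still open, nothing on record). This is an added example, not defirisk.co's curation tooling: the `Disclosure` record shape, the sample records (hypothetical protocols and URLs), and the choice to surface a dismissal that does carry a documented rationale as yellow are assumptions; the 30-day window, the exploit-before-fix test, worst-record-wins, and gray-when-nothing-on-record come from the rubric text.

```python
"""RD-F-008 scoring helper: classify disclosure records as green / yellow / red / gray.

Added example for the rubric page; the record fields, sample data and the
handling of documented dismissals are assumptions, not defirisk.co's own code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=30)                 # the rubric's "reasonable window"
RANK = {"green": 0, "yellow": 1, "red": 2}  # worst single record sets the protocol colour


@dataclass(frozen=True)
class Disclosure:
    protocol: str
    reported: date                     # date the team was informed (bounty, DM, audit, forum)
    actioned: Optional[date] = None    # on-chain / commit-level fix date; None = never fixed
    exploited: Optional[date] = None   # date the same bug was exploited; None = no exploit
    rationale: Optional[str] = None    # documented reason for a dismissal, if dismissed
    source: str = ""                   # post-mortem / advisory URL (the evidence artifact)


def score_one(d: Disclosure, as_of: date) -> str:
    """Colour for a single disclosure record, evaluated as of `as_of`."""
    # Red: the bug was exploited before a fix landed (or no fix ever landed).
    if d.exploited is not None and (d.actioned is None or d.actioned > d.exploited):
        return "red"
    if d.actioned is None:
        # Assumption: the rubric makes an *undocumented* dismissal red; a dismissal
        # with a written rationale is surfaced as yellow so a curator reviews it.
        if d.rationale:
            return "yellow"
        # Still open and unexploited: it is neglect only once the window has passed.
        return "red" if as_of - d.reported > WINDOW else "green"
    # Fixed before any exploit: inside the window is green, later is yellow.
    return "green" if d.actioned - d.reported <= WINDOW else "yellow"


def score_protocol(protocol: str, records: list, as_of: date) -> dict:
    """Aggregate the protocol's records: worst record wins; gray if nothing is on record."""
    own = [d for d in records if d.protocol == protocol]
    if not own:
        return {"protocol": protocol, "colour": "gray", "evidence": []}
    scored = [(score_one(d, as_of), d) for d in own]
    worst = max(scored, key=lambda s: RANK[s[0]])[0]
    # Evidence = curator-note material for the records that drove the colour.
    evidence = [
        f"{d.source} reported={d.reported} actioned={d.actioned} exploited={d.exploited}"
        for colour, d in scored
        if colour == worst
    ]
    return {"protocol": protocol, "colour": worst, "evidence": evidence}


# Constructed sample records: hypothetical protocols and URLs, not real incidents.
SAMPLE = [
    # fixed in 14 days -> green
    Disclosure("ExampleLend", date(2023, 5, 1), actioned=date(2023, 5, 15),
               source="https://example.invalid/lend/pm-1"),
    # fixed in 61 days, no exploit -> yellow (drags the protocol to yellow)
    Disclosure("ExampleLend", date(2023, 9, 1), actioned=date(2023, 11, 1),
               source="https://example.invalid/lend/pm-2"),
    # reported, never fixed, exploited -> red
    Disclosure("ExampleSwap", date(2022, 1, 10), exploited=date(2022, 4, 12),
               source="https://example.invalid/swap/post-mortem"),
    # dismissed with a written rationale -> yellow (assumption, see score_one)
    Disclosure("ExampleBridge", date(2024, 3, 1),
               rationale="not reachable: the affected router was never deployed",
               source="https://example.invalid/bridge/issue-42"),
    # open for 121 days as of 2024-06-01, no exploit yet -> red
    Disclosure("ExampleVault", date(2024, 2, 1),
               source="https://example.invalid/vault/bounty-7"),
]

if __name__ == "__main__":
    for name in ("ExampleLend", "ExampleSwap", "ExampleBridge", "ExampleVault", "ExampleNoHistory"):
        print(score_protocol(name, SAMPLE, as_of=date(2024, 6, 1)))
```

Running the file prints one result per sample protocol. The `evidence` list is exactly what the rubric asks the curator to attach (source URL plus the disclosure, fix, and exploit dates), and because the worst record wins, one ignored disclosure is never averaged away by later clean ones.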

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-008 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | red |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | gray |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | green |

Linked hacks: 34 historical incidents

Each entry: linkage tag (causal / related / illustrative) · protocol · date · loss · attack vector · mapping to this factor.

- illustrative · **Rhea Finance** (merged entity of Ref Finance DEX + Burrow Finance lending; launched February 2025) · 2026-04-16 · $18M · Permissionless fake-token pool creation → spot-price oracle acceptance → margin-trading `min_amount_out` double-counting across sequential swaps · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code (per BlockSec + ToB October 2025); the specific double-counting case was not caught]
- illustrative · **Hyperbridge** (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1) · 2026-04-13 · $3M · Smart-contract proof-verification bypass — MMR bounds-check failure + missing proof-to-request binding + zero challenge period + single-step admin transfer · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code (SR Labs 2024); the specific MMR off-by-one and missing proof-to-request binding were not caught]
- illustrative · **Venus Protocol** · 2026-03-15 · $4M · Donation Attack → Supply Cap Bypass → Collateral Inflation → Recursive Borrow Loop · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — explicitly flagged by Code4rena, dismissed by team]
- illustrative · **ArcadiaFi** · 2025-07-14 · $4M · Arbitrary swapData call via trusted rebalancer contract — attacker exploited cooldown period from decoy pause to prevent emergency shutdown during drain · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited but rebalancer external call validation missed]
- illustrative · **1inch** (Fusion v1 resolver contracts) · 2025-03-05 · $5M · Integer underflow in deprecated assembly — calldata pointer corruption → resolver address forgery · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived 9 reviews; required assembly/Web2 heap exploitation expertise]
- illustrative · **GemPad** · 2024-12-17 · $2M · Reentrancy — Missing Guards on collectFees / Withdrawal Function · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited (partially) — the vulnerability class (missing reentrancy guard) is a fundamental security check; its presence suggests the lock con...]
- causal · **Sonne Finance** · 2024-05-14 · $20M · Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · Ignored disclosure — closest [via cross-hack: Factor 19: Audit Finding Not Communicated to Team] || Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- illustrative · **WooFi** (WooPPV2) · 2024-03-05 · $9M · Flash loan → WOO oracle price manipulation → pool swap drain · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code — the sPMM oracle was audited by CertiK; the specific interaction between sPMM out-of-range + missing WOO Chainlink fallback wa...]
- illustrative · **Seneca Protocol** · 2024-02-28 · $6M · Approval Exploit — Arbitrary transferFrom via Constructed Calldata · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: In audited code (Halborn) — related issues flagged but specific flaw missed]
- illustrative · **Abracadabra Money** (1st incident — abra-rekt) · 2024-01-30 · $7M · ERC-4626 rounding error — borrow share price inflation via repeated borrow/repay → phantom debt drain · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — rounding flaw survived review]
- illustrative · **Radiant Capital** (1st incident) · 2024-01-02 · $5M · Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0 · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code (Aave V2 fork) — but design risk not caught as critical]
- illustrative · **KyberSwap Elastic** · 2023-11-22 · $48M · Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived two independent reviews (ChainSecurity + Sherlock)]
- illustrative · **Raft** · 2023-11-10 · $3M · Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived Trail of Bits review]
- illustrative · **Balancer V2** (+ Beethoven X fork) · 2023-08-27 · $2M · Linear pool rounding-down logic → cached rate manipulation → boosted pool drain · Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- causal · **Kannagi Finance** · 2023-07-29 · $1M · Insider rug — privileged admin withdrawal on behalf of users (MainChef address) · Ignored disclosure — closest [via cross-hack: Factor 19: Audit Finding Not Communicated to Team]
- related · **Sturdy Finance** · 2023-06-12 · $800K · Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain · Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- related · **Atomic Wallet** (non-custodial multi-chain wallet) · 2023-06-02 · $100M · Unknown officially; suspected: BGP hijacking combined with client-side vulnerability (possibly private key logging); Least Authority had flagged vulnerabilities in 2021 that were never addressed · Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- illustrative · **Merlin DEX** · 2023-04-25 · $2M · Insider rug — max approval drain via privileged Feeto address · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — but centralization risk dismissed by auditor]
- illustrative · **Euler Finance** · 2023-03-13 · $197M · Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade) · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited (by Sherlock) — but the health-check omission was missed. Sherlock accepted responsibility and paid out $4.5M.]
- illustrative · **Team Finance** · 2022-10-27 · $16M · Flawed migrate() function — Uniswap V2→V3 migration with skewed price manipulation · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — migrate() was in Zokyo's audit scope but the authorization bypass and price manipulation vulnerability were missed]
- related · **Mango Markets** · 2022-10-11 · $115M · Self-funded MNGO spot price pump using two accounts → inflated unrealized collateral → lending pool drain · Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- illustrative · **Audius** · 2022-07-23 · $6M · Storage collision in upgradeable proxy — governance contract reinitializable via AudiusAdminUpgradabilityProxy slot 0 collision with OpenZeppelin Initializable; attacker reinitializes, inflates own voting power, passes malicious treasury transfer proposal · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — storage collision survived review]
- illustrative · **Fortress Protocol** (lending arm of JetFuel Finance) · 2022-05-09 · $3M · Oracle Manipulation + Malicious Governance Proposal · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — both auditors missed the public oracle submit() function; collateral factor manipulation via governance was not flagged]
- causal · **Elephant Money** · 2022-04-12 · $22M · Flash loan + spot price manipulation during stablecoin minting · Ignored disclosure — closest [via cross-hack: Factor 19: Audit Finding Not Communicated to Team]
- illustrative · **Revest Finance** · 2022-03-27 · $2M · ERC1155 reentrancy via onERC1155Received — fnftId update timing flaw inflates FNFT redemption value · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived single review]
- illustrative · **Qubit Finance** · 2022-01-28 · $80M · Zero-Address safeTransferFrom Logic Bug (Cross-Chain Bridge Deposit) · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: In audited code — but the audit missed the dead-code / zero-address safeTransferFrom interaction]
- illustrative · **MonoX** · 2021-11-30 · $31M · Native token self-swap price inflation — tokenIn/tokenOut identity bypass · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived two independent audits (Halborn + Peckshield)]
- illustrative · **xToken Market** · 2021-08-30 · $5M · Public callFunction() in xSNXAdmin — same SNX price manipulation, different access control bug · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — incorrect require() survived PeckShield review twice]
- illustrative · **Merlin Labs** · 2021-05-26 · $680K · External token balance spoofing → excess native token minting · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived Hacken review conducted 11 days prior]
- illustrative · **xToken Market** · 2021-05-12 · $24M · Flash loan + SNX/BNT price manipulation → xSNX/xBNT share price inflation → drain · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived PeckShield review]
- illustrative · **Spartan Protocol** · 2021-05-01 · $31M · Flash loan + inflated pool balance → LP burn liquidity share manipulation · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — core protocol code was in CertiK's audit scope; the bug in calcLiquidityShare() was missed]
- illustrative · **DODO** (V2 Crowdpooling) · 2021-03-09 · $4M · Reinitializable init() in Crowdpool contract — attacker calls init() twice with counterfeit then real token, resets reserve to 0 via sync(), drains pool via flash loan · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — re-initialization vulnerability survived audit]
- illustrative · **Akropolis** (Delphi savings pool) · 2020-11-12 · $2M · Flash loan + fake token reentrancy — malicious ERC20 deposit triggers re-entrant deposit() before balance update · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — reentrancy bug survived three audits]
- illustrative · **Harvest Finance** · 2020-10-26 · $34M · Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain · Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code — design flaw survived all three reviews]
rubric_version: v1.7.0 · factor: RD-F-008 · category: 1 · carried: 80 · critical: no