defirisk.co
rubric v1.7.0

Static-analyzer high-severity count

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the count of high-severity findings flagged by static analysis tools -- specifically Slither, Mythril, and Semgrep -- run against the protocol's deployed bytecode and verified source code, after deduplication across tools. The count excludes findings that have documented on-chain fixes or that the protocol has formally acknowledged and risk-accepted with curator review. The measurement is programmatic and runs on each assessment cadence using the verified source from Etherscan.

**Why it matters** Static analyzers detect a broad range of well-documented vulnerability patterns automatically: reentrancy, unchecked return values, integer overflow, arbitrary call targets, and storage collision risks. A high count of unresolved high-severity findings indicates that the protocol has deployed code with known warning patterns that have not been investigated or resolved. While false positives exist, each unresolved high finding represents a potential real vulnerability that deserves manual review. Protocols with large numbers of unaddressed static findings have consistently lower code quality baselines in the historical exploit dataset.

**Green / Yellow / Red** Green: zero unresolved high-severity static analysis findings across all deployed contracts covering user funds, or all findings are documented as accepted-risk with curator rationale on file. Yellow: one to three unresolved high-severity findings in non-critical contract paths, with documentation that the team is aware. Red: four or more unresolved high-severity findings, or any unresolved finding in a function that directly controls user fund movements.

**Common gray cases** Curators cannot grade this factor when the protocol's source is not verified on any explorer and static analysis cannot be run, or when the verified source is Yul or assembly-heavy code that the standard Slither/Mythril detectors cannot parse reliably.

**Notable historical examples** Static analyzer findings are a preventive input that correlates with code quality rather than directly with exploits.

Measurement: what to look for

Count the number of unique high-severity detector findings from Slither + Mythril + Semgrep run against the deployed verified source (after deduplication across tools).
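As an added illustration (not defirisk.co's own tooling), the dedup-and-band step described above in Python. It assumes each tool's JSON has already been flattened to the record shape used in the sample, and the finding-class mapping, the sample findings, the curator resolution log and the set of fund-moving functions are all constructed for this example.

```python
# Added illustration, not defirisk.co's own tooling. Assumed: each tool's JSON has
# already been flattened to the record shape in SAMPLE_FINDINGS; FINDING_CLASS,
# the sample findings, the resolution log and the fund-moving set are constructed.
# Maps per-tool detector ids to one shared finding class so the same bug reported
# by two tools counts once (ids illustrative; the Semgrep rule id is hypothetical).
FINDING_CLASS = {
    ("slither", "reentrancy-eth"): "reentrancy",
    ("mythril", "SWC-107"): "reentrancy",
    ("slither", "unchecked-lowlevel"): "unchecked-call",
    ("semgrep", "example-unchecked-call"): "unchecked-call",
    ("slither", "arbitrary-send-eth"): "arbitrary-send",
}

def dedup_high(findings):
    """Unique (class, contract, function) keys for high-severity findings -> reporting tools."""
    unique = {}
    for f in findings:
        if f["severity"].lower() != "high":
            continue
        cls = FINDING_CLASS.get((f["tool"], f["detector"]), f"{f['tool']}:{f['detector']}")
        unique.setdefault((cls, f["contract"], f["function"]), set()).add(f["tool"])
    return unique

def unresolved_high(findings, resolutions):
    """Drop keys with a documented on-chain fix or a curator-reviewed risk acceptance."""
    return [k for k in dedup_high(findings)
            if resolutions.get(k) not in ("fixed", "accepted-risk")]

def grade(findings, resolutions, fund_moving):
    """Rubric bands: any open high finding in a fund-moving function is red regardless
    of count; otherwise 0 -> green, 1-3 -> yellow, 4+ -> red."""
    open_keys = unresolved_high(findings, resolutions)
    if any((c, fn) in fund_moving for _, c, fn in open_keys):
        return "red"
    n = len(open_keys)
    return "green" if n == 0 else "yellow" if n <= 3 else "red"

# Constructed sample: two tools agree on the Vault reentrancy, two on the Oracle
# unchecked call; the Medium finding is below the threshold and is ignored.
SAMPLE_FINDINGS = [
    {"tool": "slither", "detector": "reentrancy-eth", "severity": "High", "contract": "Vault", "function": "withdraw"},
    {"tool": "mythril", "detector": "SWC-107", "severity": "High", "contract": "Vault", "function": "withdraw"},
    {"tool": "slither", "detector": "unchecked-lowlevel", "severity": "High", "contract": "Oracle", "function": "refresh"},
    {"tool": "semgrep", "detector": "example-unchecked-call", "severity": "High", "contract": "Oracle", "function": "refresh"},
    {"tool": "slither", "detector": "arbitrary-send-eth", "severity": "High", "contract": "Router", "function": "sweep"},
    {"tool": "mythril", "detector": "SWC-101", "severity": "Medium", "contract": "Math", "function": "mul"},
]
SAMPLE_RESOLUTIONS = {("reentrancy", "Vault", "withdraw"): "fixed"}  # curator log, constructed
SAMPLE_FUND_MOVING = {("Vault", "withdraw"), ("Router", "sweep")}      # constructed
```

With the sample, five raw high findings collapse to three unique keys, one is excluded as fixed, and the open arbitrary-send in a fund-moving function forces red even though only two findings remain.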

Data & output

Data source: Slither + Mythril + Semgrep run on Etherscan-verified source tree; deduplicated by finding class
Output format: Green / Yellow / Red
Evidence artifact: Tool run timestamp + source hash + JSON findings output + dedup count
Confidence signal: green = 0 high-severity findings; yellow = 1–3 high-severity with documented curator dismissals; red = ≥4 undismissed high-severity or any unfixed critical; gray = source not verified on Etherscan/Sourcify (cannot run)

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-010 |
|---|---|---|
| Aave v3 | ethereum | gray |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | gray |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | gray |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | gray |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | gray |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | gray |
| Meteora | solana | gray |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | gray |
| QuickSwap | polygon | yellow |
| Raydium | solana | gray |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | gray |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | gray |
| Sushi (SushiSwap): v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | gray |

Linked hacks

No historical incidents are linked to this factor.
rubric_version: v1.7.0; factor: RD-F-010; category: 1; carried: 80; critical: no