defirisk.co
rubric v1.7.0

Constructor args match governance proposal

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the constructor arguments of the deployed contract match the arguments stated in any governance proposal or documentation that authorized the deployment. The assessment compares the on-chain constructor calldata from the deploy transaction against the proposal text, audit report, or governance vote that described the intended deployment parameters.

**Why it matters** Silent deviations between what governance approved and what was actually deployed are a category of insider or deployment-process attack. A proposer who controls both the deployment and the proposal wording can submit a governance vote describing deployment parameters that differ from the bytecode actually deployed. Auditors typically review the described parameters against the source code; they do not independently verify that the deployed bytecode's constructor arguments match the governance proposal wording. This gap creates a window for concealed parameter changes that alter protocol behavior without triggering alarm.

**Green / Yellow / Red** Green is assigned when constructor arguments in the deploy transaction are verified to match the governance proposal or documentation describing the deployment, with on-chain proof available. Yellow covers cases where a partial match is established but one or more parameters cannot be confirmed against proposal text. Red is assigned when a material discrepancy exists between deployed constructor arguments and the governance proposal, or when no proposal exists for a material parameter configuration.

**Common gray cases** This factor is grayed when the protocol deployed before any governance proposal mechanism existed, or when constructor args are not human-readable without ABI decoding and the source ABI is unavailable.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Determine whether the deployed contract's constructor arguments match what the governance proposal or deploy announcement stated.

Data & output

**Data source** Etherscan constructor arguments tab + protocol governance proposal text (Snapshot/on-chain proposal calldata)

**Output format** Green / Yellow / Red

**Evidence artifact** Constructor args (hex decoded) + proposal calldata + comparison result

**Confidence signal** green = args match proposal exactly; yellow = minor parameter deviation with post-hoc explanation; red = material deviation with no explanation; gray = no governance proposal for this deploy, or args not decodable
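
The comparison described above, as an added example (not defirisk.co's own tooling). It assumes static constructor types only, a proposal already transcribed by hand into a name-to-value mapping, and treats any stated-value mismatch as material; all sample values are constructed.

```python
# Added example; every value here is constructed, not real chain data.
def _b(h):
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)

def decode_constructor_args(tx_input, creation_code, types):
    """Return the static args appended after the creation bytecode, or None."""
    data, code = _b(tx_input), _b(creation_code)
    tail = data[len(code):]
    if not data.startswith(code) or len(tail) != 32 * len(types):
        return None  # args cannot be located or decoded -> gray
    out = []
    for i, t in enumerate(types):
        word = tail[32 * i:32 * i + 32]
        n = int.from_bytes(word, "big")
        if t == "address" and n < 1 << 160:
            out.append("0x" + word[12:].hex())
        elif t == "bool" and n < 2:
            out.append(bool(n))
        elif t == "uint256":
            out.append(n)
        else:
            return None  # dynamic type or malformed word: out of scope here
    return out

def _same(a, b):
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()  # checksummed vs lowercase address
    return type(a) is type(b) and a == b

def score(decoded, names, proposal):
    """proposal maps parameter name -> stated value, or None if the text omits it."""
    if decoded is None or proposal is None:
        return "gray", []
    pairs = list(zip(names, decoded))
    diffs = [(n, proposal[n], v) for n, v in pairs
             if proposal.get(n) is not None and not _same(proposal[n], v)]
    if diffs:
        return "red", diffs
    unconfirmed = [(n, None, v) for n, v in pairs if proposal.get(n) is None]
    return ("yellow", unconfirmed) if unconfirmed else ("green", [])

# Constructed sample: stub creation code followed by (owner, feeBps, paused).
CREATION_CODE = "0x6080604052600080fd"
OWNER = "0x" + "00" * 19 + "aa"
TX_INPUT = (CREATION_CODE + OWNER[2:].rjust(64, "0")
            + format(30, "064x") + format(0, "064x"))
NAMES, TYPES = ["owner", "feeBps", "paused"], ["address", "uint256", "bool"]
DECODED = decode_constructor_args(TX_INPUT, CREATION_CODE, TYPES)
```

The list returned alongside the color is the evidence artifact: each entry is (parameter, proposal value, deployed value).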

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-045 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | gray |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | green |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | gray |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | gray |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | not_assessed |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | gray |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | gray |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0 | factor: RD-F-045 | category: 2 | carried: 80 | critical: no