defirisk.co
rubric v1.7.0

Contract unverified on Etherscan/Sourcify

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology how we score #

**What this measures** Whether a protocol's deployed contracts have their source code verified on a major block explorer (Etherscan, Sourcify, or equivalent) as of the launch date. Verification means the explorer has recompiled the published source and matched the result against the on-chain bytecode, so the source, compiler settings and ABI are publicly readable. An unverified contract at launch means no third party, whether auditor, security researcher, or user, can independently confirm that the deployed bytecode corresponds to any reviewed codebase; all that remains is raw bytecode and whatever a decompiler recovers from it.

**Why it matters** Source verification is the minimum transparency bar for any protocol claiming an audit or public security review. Without it there is no published ABI, an audit report cannot be checked against the deployed code, and users have no way to confirm that the contracts they are interacting with correspond to any document they have been shown. Transit Swap ($21M, 2022) operated with closed-source contracts that prevented discovery of a critical allowance-drain vulnerability in the claimTokens function. MobiusDAO ($2.15M, 2025) used unverified contracts concealing an arithmetic error on a three-day-old protocol. OpenZeppelin's governance security guidelines note that accountability requires linking protocol actions to "publicly known" identities and auditable code; unverified contracts remove the code side of that equation entirely.

**Green / Yellow / Red** Green is assigned when all contracts holding user funds or controlling admin roles are source-verified on at least one major explorer as of the launch block; for upgradeable contracts this means both the proxy and the implementation it delegates to, since a verified proxy shell says nothing about the logic behind it. Yellow covers cases where core contracts are verified but peripheral contracts (fee routers, helper contracts) are not, or where verification was pending at launch and completed within 48 hours. Red is assigned when any contract that holds user funds, controls a key admin role, or executes the primary protocol logic is unverified at launch with no public ABI available.

**Common gray cases** This factor is grayed when the protocol operates on a chain where block explorer verification infrastructure is unavailable or immature (some newer L2s), provided alternative verification via Sourcify or equivalent is demonstrated.

**Notable historical examples**
- **Transit Swap** ($21M, 2022): Closed-source claimTokens function concealed a critical allowance-drain path; no audit covered the unverified code.
- **MobiusDAO** ($2.15M, 2025): Unverified three-day-old protocol; arithmetic error hidden in unreadable bytecode.
- **Penpie** ($27M, 2024): Permissionless market registration accepted unvalidated external contracts; adjacent pattern where code opacity enabled the exploit.
- **Cork Protocol** ($12M, 2025): Audit scope excluded the CorkHook contract that held the exploited logic.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0 — a single red assessment here overrides all other category scores. An unverified contract at launch means no audit is verifiable, no monitoring is possible at the function level, and no user can assess what they are trusting — it is the foundational transparency floor of the entire scoring system.

Measurement what to look for #

Identify every contract that holds user funds, controls a key admin role, or executes the primary protocol logic at the launch block, and confirm each has source code verified on Etherscan or Sourcify (public ABI available). For upgradeable contracts, check the implementation the proxy delegates to, not only the proxy shell. Record the match type the explorer reports (Sourcify distinguishes a full match, where the metadata hash also matches, from a partial bytecode-only match) so the evidence artifact shows what was compared.
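The following Python module is an added example, not defirisk.co code: it turns the two explorer lookups into the Green / Yellow / Red decision described under Methodology, including the proxy-implementation check. The Etherscan and Sourcify payloads embedded in it are constructed samples in the shape those APIs return, the addresses are hypothetical, and the Etherscan v2 base URL and `chainid` parameter are assumptions about the current API; only the `fetch_*` helpers touch the network, and the demo never calls them.

```python
"""Added example (not defirisk.co code): score the unverified-contract factor from
explorer payloads. The Etherscan and Sourcify responses below are CONSTRUCTED
samples with hypothetical addresses; only the fetch_* helpers touch the network."""
import json
import urllib.request
from urllib.parse import urlencode

# Etherscan returns this string in the ABI field (and an empty SourceCode) when unverified.
ETHERSCAN_UNVERIFIED = "Contract source code not verified"


def fetch_etherscan_sourcecode(address, api_key, chain_id=1,
                               base_url="https://api.etherscan.io/v2/api"):  # assumed v2 endpoint
    """Live lookup: module=contract&action=getsourcecode; returns the result entry."""
    qs = urlencode({"chainid": chain_id, "module": "contract", "action": "getsourcecode",
                    "address": address, "apikey": api_key})
    with urllib.request.urlopen(f"{base_url}?{qs}", timeout=20) as resp:
        return json.load(resp)["result"][0]


def fetch_sourcify_status(address, chain_id=1, base_url="https://sourcify.dev/server"):
    """Live lookup: Sourcify check-by-addresses; returns the entry for `address`."""
    qs = urlencode({"addresses": address, "chainIds": chain_id})
    with urllib.request.urlopen(f"{base_url}/check-by-addresses?{qs}", timeout=20) as resp:
        return json.load(resp)[0]


def etherscan_verified(entry):
    """True when Etherscan matched published source against the deployed bytecode."""
    return bool(entry.get("SourceCode")) and entry.get("ABI") != ETHERSCAN_UNVERIFIED


def sourcify_verified(entry):
    """Sourcify status is 'perfect' (full match incl. metadata hash), 'partial', or 'false'."""
    return entry.get("status") in ("perfect", "partial")


def contract_verified(address, evidence, _seen=None):
    """Either explorer must have matched the contract; if Etherscan flags it as a proxy,
    the implementation must be verified too, otherwise a verified proxy shell would hide
    unverified logic behind a green tick. `evidence` is keyed by lowercase address."""
    if _seen is None:
        _seen = set()
    if address.lower() in _seen:           # guard against proxy -> proxy cycles
        return False
    _seen.add(address.lower())
    ev = evidence.get(address.lower())
    if ev is None:
        return False                        # no record on either explorer: unverified
    es = ev.get("etherscan", {})
    ok = etherscan_verified(es) or sourcify_verified(ev.get("sourcify", {}))
    if ok and es.get("Proxy") == "1" and es.get("Implementation"):
        ok = contract_verified(es["Implementation"], evidence, _seen)
    return ok


def score_factor(contracts, evidence, explorer_available=True):
    """Rubric mapping. contracts: [{"address", "role": "core"|"periphery"}].
    Returns (colour, unverified addresses): any unverified core contract is red,
    unverified periphery only is yellow, all verified is green, and a chain with
    no Etherscan/Sourcify equivalent is gray."""
    if not explorer_available:
        return "gray", []
    unverified = [c["address"] for c in contracts
                  if not contract_verified(c["address"], evidence)]
    if any(c["role"] == "core" and c["address"] in unverified for c in contracts):
        return "red", unverified
    if unverified:
        return "yellow", unverified
    return "green", []


# ---- constructed sample: hypothetical addresses, real payload field names ----
VAULT = "0x1000000000000000000000000000000000000001"   # core, verified on both explorers
PROXY = "0x1000000000000000000000000000000000000002"   # core, verified proxy shell
IMPL = "0x1000000000000000000000000000000000000003"    # its implementation
ROUTER = "0x1000000000000000000000000000000000000004"  # periphery fee router


def _es(source, name, proxy="0", impl=""):
    """Build an Etherscan getsourcecode result entry for the sample set."""
    return {"SourceCode": source, "ABI": "[...]" if source else ETHERSCAN_UNVERIFIED,
            "ContractName": name, "Proxy": proxy, "Implementation": impl}


SAMPLE_EVIDENCE = {
    VAULT: {"etherscan": _es("contract Vault {...}", "Vault"),
            "sourcify": {"address": VAULT, "status": "perfect", "chainIds": ["1"]}},
    PROXY: {"etherscan": _es("contract TransparentUpgradeableProxy {...}",
                             "TransparentUpgradeableProxy", proxy="1", impl=IMPL),
            "sourcify": {"address": PROXY, "status": "false"}},
    IMPL: {"etherscan": _es("", ""),   # not on Etherscan, but a partial match on Sourcify
           "sourcify": {"address": IMPL, "status": "partial", "chainIds": ["1"]}},
    ROUTER: {"etherscan": _es("", ""),
             "sourcify": {"address": ROUTER, "status": "false"}},
}
SAMPLE_CONTRACTS = [{"address": VAULT, "role": "core"},
                    {"address": PROXY, "role": "core"},
                    {"address": ROUTER, "role": "periphery"}]

if __name__ == "__main__":
    print(score_factor(SAMPLE_CONTRACTS, SAMPLE_EVIDENCE))  # yellow: only the router is unverified
```

Swap the constructed `SAMPLE_EVIDENCE` for the output of the two `fetch_*` helpers (one call per contract, plus one per `Implementation` address Etherscan reports) to score a live protocol; the scoring functions do not care where the payloads came from.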

Data & output #

Data source: Etherscan API `?module=contract&action=getsourcecode` + Sourcify API `check-by-addresses` endpoint
Output format: Green / Yellow / Red · critical gate active
Evidence artifact: Contract address + verification status JSON from Etherscan API
Confidence signal: green = all core contracts verified; yellow = non-core periphery contracts unverified; red = any core contract (with user funds) unverified at launch; gray = deployed on a chain with no Etherscan/Sourcify equivalent

Scored protocols 80 carry this factor #

| Protocol | Chain | RD-F-046 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | red |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | green |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks 9 historical incidents #

- related · AlexLab (Bitcoin DeFi / Stacks) · 2025-06-06 · $16M · Vault permission hijack via malicious token self-listing; `as-contract` context abuse · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- related · Cork Protocol · 2025-05-28 · $12M · Fake token injection → exchange rate manipulation via unvalidated CorkHook input · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- causal · MobiusDAO · 2025-05-11 · $2M · Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation · ★ Contract unverified on Etherscan/Sourcify at launch [via cross-hack: Factor 30: Closed-Source / Unverified Contracts]
- related · Penpie · 2024-09-03 · $27M · Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- related · Sonne Finance · 2024-05-14 · $20M · Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- related · Radiant Capital (1st incident) · 2024-01-02 · $5M · Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0 · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- related · Onyx Protocol · 2023-10-31 · $2M · Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- causal · Transit Swap · 2022-10-01 · $21M · Controllable transferFrom() in unverified (closed-source) swap contract — approval drain · ★ Contract unverified on Etherscan/Sourcify at launch [via cross-hack: Factor 30: Closed-Source / Unverified Contracts]
- related · Pickle Finance · 2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
rubric_version: v1.7.0 · factor: RD-F-046 · category: 2 · carried: 80 · critical: yes