defirisk.co
rubric v1.7.0

External keeper/relayer not redundant

An oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the protocol depends on a single external keeper or relayer (e.g., Gelato, Chainlink Automation, a bespoke keeper bot) for a critical protocol function — such as liquidations, oracle updates, or reward distribution — without redundancy or a documented failover path. Source inspection and protocol documentation are the primary data sources.

**Why it matters** A single keeper with no redundancy is a centralisation risk and a potential availability failure: if the keeper goes offline, goes rogue, or is compromised, protocol functions that depend on it halt. The Badger DAO hack ($120M, 2021) involved a Cloudflare front-end dependency that was compromised via an off-chain infrastructure attack. SwissBorg ($41.5M, 2025) lost funds when a Kiln staking partner API compromise allowed malicious authorisations to be embedded in routine keeper transactions. MonoX's novel AMM design reduced effective audit coverage due to infrastructure complexity. Keeper redundancy is a maturity indicator for protocols: single-keeper designs are common in early-stage deployments but represent an operational risk that scales with TVL.

**Green / Yellow / Red** Green is scored when critical protocol functions use multiple independent keepers or a permissionless execution path (any address can trigger liquidations). Yellow is scored when a single keeper is in use but the function is also triggerable by a backup path or by governance in an emergency. Red is scored when a single keeper is the sole triggering mechanism for a critical function and no failover path is documented.
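The three score levels correspond to different access-control shapes on the function that performs the critical action. The sketch below is an added example, not code from defirisk.co or from any scored protocol; the contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not from a scored protocol.
abstract contract CriticalFunctionTriggers {
    address public immutable keeper;      // the single external keeper/relayer
    address public immutable governance;  // emergency actor (e.g. a timelock or multisig)

    constructor(address keeper_, address governance_) {
        keeper = keeper_;
        governance = governance_;
    }

    // On-chain precondition, e.g. "position is under-collateralised".
    function _isDue(bytes32 id) internal view virtual returns (bool);
    // The critical action itself (liquidation, oracle update, reward distribution).
    function _execute(bytes32 id) internal virtual;

    function _run(bytes32 id) private {
        require(_isDue(id), "not due");
        _execute(id);
    }

    // Red shape: the keeper is the sole caller. If it goes offline, the
    // function cannot be triggered by anyone else.
    function triggerKeeperOnly(bytes32 id) external {
        require(msg.sender == keeper, "only keeper");
        _run(id);
    }

    // Yellow shape: still one keeper, but governance can step in as a backup path.
    function triggerWithBackup(bytes32 id) external {
        require(msg.sender == keeper || msg.sender == governance, "not authorised");
        _run(id);
    }

    // Green shape: permissionless. Any address may call; safety rests on the
    // _isDue() check, not on who the caller is.
    function triggerPermissionless(bytes32 id) external {
        _run(id);
    }
}
```

During source inspection, the caller check on the function that performs the critical action is the evidence to record alongside the keeper address.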

**Common gray cases** Gray is applied when keeper infrastructure is partially off-chain and the redundancy configuration cannot be verified from public sources.

**Notable historical examples**
- **SwissBorg** ($41.5M, 2025): Kiln staking partner API compromise; malicious authorisations embedded in keeper transactions over 8 days.
- **Badger DAO** ($120M, 2021): Off-chain Cloudflare infrastructure dependency compromised; front-end served malicious approval scripts.

Measurement: what to look for

Determine whether the protocol depends on a single keeper or relayer (Gelato, Chainlink Automation, custom) with no redundancy or failover.

Data & output

- Data source: Source inspection for keeper/relayer interface calls + protocol docs on keeper redundancy
- Output format: Green / Yellow / Red
- Evidence artifact: Keeper contract address or interface + redundancy evidence (or absence)
- Confidence signal: green = multiple independent keeper providers or permissionless keeper; yellow = single keeper provider but protocol can function (degraded) without it; red = single keeper with no fallback and protocol halts on keeper failure; gray = protocol does not use keepers (N/A)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-062 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: 4 historical incidents

- causal: SwissBorg (via Kiln staking partner) · 2025-09-08 · $42M · Partner API compromise — withdrawal authority transfer via hidden staking instructions · External keeper/relayer dependency not redundant [via cross-hack: Factor 32: Third-Party API / Infrastructure Dependency] || External keeper/relayer dependency not redundant [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
- related: Badger DAO (Bitcoin-yield vaults on Ethereum) · 2021-12-02 · $120M · Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain · External keeper/relayer dependency not redundant [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
- related: MonoX · 2021-11-30 · $31M · Native token self-swap price inflation — tokenIn/tokenOut identity bypass · External keeper/relayer dependency not redundant [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
- related: AnySwap (Multichain) V3 · 2021-07-10 · $8M · ECDSA repeated k-value (same R signature) → MPC private key back-calculation · External keeper/relayer dependency not redundant [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]

rubric_version: v1.7.0 · factor: RD-F-062 · category: 3 · carried: 80 · critical: no