defirisk.co
rubric v1.7.0

Market-listing governance threshold

An economic risk factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score #

**What this measures** This factor is a categorical assessment of the protocol's market-listing governance threshold: permissionless (any address can create markets), low-threshold (governance vote required but with low quorum or short timelock), high-threshold (governance vote with meaningful quorum and timelock), or no new listings (protocol does not add new markets). The classification is derived from source code inspection and governance configuration. This factor applies to lending protocols and permissionless vaults.

**Why it matters** The ability of any address to list new markets or vaults without human review is a direct enabler of injection attacks. AlexLab II ($16.18M, 2025) was exploited when an attacker self-listed a malicious token through the protocol's permissionless vault mechanism. Cork Protocol ($12M, 2025) lost funds because its CorkHook contract accepted unvalidated external contracts as legitimate inputs. Penpie ($27M, 2024) and Pickle Finance ($19.7M, 2020) share the same root cause: permissionless registration paths that allowed fake markets or jars to be created without whitelist review. The severity of this factor is amplified when the protocol is also a Compound V2 fork (where permissionless market creation enables the empty-market inflation attack).

**Green / Yellow / Red** Green: no new market listings permitted (fixed market set), or new listings require a high-threshold governance vote with at least forty-eight hours of timelock and multisig countersignature. Yellow: new listings require a governance vote but with a low quorum threshold or less than forty-eight hours of timelock, creating an exploitable activation window. Red: any address can create markets, vaults, or pools without governance approval or whitelist review.

**Common gray cases** Protocols that allow permissionless creation of isolated markets with limited collateral sharing may present lower risk than fully-shared-liquidity permissionless designs; the curator must assess the isolation boundary when scoring.

**Notable historical examples**

- **Penpie** ($27M, 2024): Permissionless market registration allowed an attacker to create a fake market and exploit the protocol.
- **Sonne Finance** ($20M, 2024): Permissionless governance execution enabled front-running of market activation.
- **Pickle Finance** ($19.7M, 2020): Permissionless jar creation without whitelist review.
- **AlexLab** ($16.18M, 2025): Permissionless vault token self-listing used to inject a malicious asset.
- **Cork Protocol** ($12M, 2025): Permissionless contract registration without validation of submitted contract code.
- **Radiant Capital 1st** ($4.5M, 2024): Governance-activated market with a 6-second exploitation window.
- **Onyx Protocol** ($2.1M, 2023): Governance-added PEPE market with no seed deposit.

Measurement: what to look for #

Classify the governance threshold required to list a new market as: permissionless / low-threshold (team multisig) / high-threshold (DAO vote) / no new listings.

Data & output #

**Data source** Governance contract source + protocol docs on market listing process

**Output format** Green / Yellow / Red

**Evidence artifact** Classification string + evidence URL

**Confidence signal** green = high-threshold (full DAO vote required); yellow = low-threshold (team multisig); red = permissionless (anyone can list); gray = protocol does not support new market listings
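The classification and colour rules above (the four categories from the methodology and measurement sections, the forty-eight hour timelock plus multisig countersignature requirement for Green, the isolated-market gray case, and the confidence-signal mapping) are easier to apply consistently when written down as code. The following is an added worked example, not defirisk's own scoring tool; the `ListingGovernance` field names are constructed to hold what a curator would record after reading the listing path in the governance contract and docs, and the sample configurations at the bottom are invented, not real protocols' settings. Where the methodology text scores a fixed market set as Green and the confidence-signal line records it as gray, the example emits both values separately, as the page does.

```python
"""Worked classifier for the market-listing governance threshold factor.

Added example. The ListingGovernance fields are constructed for illustration
and are not defirisk's evidence schema.
"""
from dataclasses import dataclass

TIMELOCK_FLOOR_SECONDS = 48 * 3600  # the rubric's forty-eight hour minimum for Green

PERMISSIONLESS = "permissionless"
LOW_THRESHOLD = "low-threshold"
HIGH_THRESHOLD = "high-threshold"
NO_NEW_LISTINGS = "no new listings"


@dataclass(frozen=True)
class ListingGovernance:
    """Facts a curator records about the path that lists a new market."""
    supports_new_listings: bool     # False: fixed market set, no listing path at all
    vote_required: bool             # False: any address can call the create/list function
    dao_vote: bool                  # True: full DAO vote; False: team multisig or similar
    meaningful_quorum: bool         # curator judgement on the quorum threshold
    timelock_seconds: int           # delay between approval and market activation
    multisig_countersign: bool      # activation also needs a multisig signature
    isolated_markets: bool = False  # permissionless but collateral is not shared (gray case)


@dataclass(frozen=True)
class FactorScore:
    category: str           # one of the four classification strings above
    color: str              # Green / Yellow / Red output format
    confidence_signal: str  # green / yellow / red / gray, as in Data & output
    notes: tuple            # curator-facing reasons, e.g. the exploitable activation window


def classify(g: ListingGovernance) -> str:
    """Categorical assessment: how hard is it to get a new market listed?"""
    if not g.supports_new_listings:
        return NO_NEW_LISTINGS
    if not g.vote_required:
        return PERMISSIONLESS
    if g.dao_vote and g.meaningful_quorum:
        return HIGH_THRESHOLD
    return LOW_THRESHOLD  # team multisig, or a DAO vote with a low quorum


def score(g: ListingGovernance) -> FactorScore:
    """Map the category plus timelock/multisig facts to the rubric's colours."""
    category = classify(g)
    notes = []
    if category == NO_NEW_LISTINGS:
        # Methodology: a fixed market set is Green; the confidence-signal
        # mapping records the same situation as gray.
        return FactorScore(category, "Green", "gray", ())
    if category == PERMISSIONLESS:
        if g.isolated_markets:
            notes.append("isolated markets: curator must assess the isolation boundary")
        return FactorScore(category, "Red", "red", tuple(notes))
    if category == LOW_THRESHOLD:
        return FactorScore(category, "Yellow", "yellow", ("low quorum or non-DAO approval",))
    # High-threshold is Green only with >= 48h timelock AND multisig countersignature;
    # anything less leaves an activation window between approval and first use.
    if g.timelock_seconds < TIMELOCK_FLOOR_SECONDS:
        notes.append(f"activation window of {g.timelock_seconds / 3600:g}h is below 48h")
    if not g.multisig_countersign:
        notes.append("no multisig countersignature on activation")
    color = "Green" if not notes else "Yellow"
    return FactorScore(category, color, color.lower(), tuple(notes))


if __name__ == "__main__":
    # Constructed sample configurations (not real protocols).
    samples = {
        "dao-72h-multisig": ListingGovernance(True, True, True, True, 72 * 3600, True),
        "dao-24h-multisig": ListingGovernance(True, True, True, True, 24 * 3600, True),
        "team-multisig-only": ListingGovernance(True, True, False, False, 0, True),
        "open-isolated-vaults": ListingGovernance(True, False, False, False, 0, False, True),
        "fixed-market-set": ListingGovernance(False, False, False, False, 0, False),
    }
    for name, cfg in samples.items():
        s = score(cfg)
        print(f"{name:22} {s.category:16} {s.color:7} {s.confidence_signal:7} {'; '.join(s.notes)}")
```

The notes tuple is what goes into the evidence artifact next to the classification string: the curator can cite the measured timelock or the missing countersignature rather than just the colour.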

Scored protocols: 80 carry this factor #

| Protocol | Chain | RD-F-072 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | red |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | gray |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | red |
| Jito | solana | not_applicable |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | green |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | red |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | yellow |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | green |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_applicable |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: 7 historical incidents #

- **AlexLab (Bitcoin DeFi / Stacks)** (causal) · 2025-06-06 · $16M · Vault permission hijack via malicious token self-listing; `as-contract` context abuse · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- **Cork Protocol** (causal) · 2025-05-28 · $12M · Fake token injection → exchange rate manipulation via unvalidated CorkHook input · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- **Penpie** (causal) · 2024-09-03 · $27M · Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- **Sonne Finance** (causal) · 2024-05-14 · $20M · Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- **Radiant Capital (1st incident)** (causal) · 2024-01-02 · $5M · Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0 · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- **Onyx Protocol** (causal) · 2023-10-31 · $2M · Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
- **Pickle Finance** (causal) · 2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
rubric_version: v1.7.0 · factor: RD-F-072 · category: 4 · carried: 80 · critical: no