defirisk.co
rubric v1.7.0

Same-root-cause repeat exploit

An operational history factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Methodology: how we score

**What this measures** This factor flags whether a protocol has been exploited two or more times via the same root-cause cluster. Root-cause clusters are defined in the hacks database synthesis (e.g., oracle manipulation, flash-loan governance, CEI reentrancy, off-chain key compromise). A positive flag indicates the first exploit did not produce a fix that prevented recurrence -- either the fix was incomplete, the pattern existed in an unpatched sister contract, or the team failed to apply the lesson across all affected surfaces.

**Why it matters** Same-root-cause repeat exploits are the clearest signal of incomplete remediation. The second Deus DAO incident is the most precise example: the attacker specifically bypassed the oracle fix deployed after the first incident by exploiting a zero-day in Solidly's flash-swap mechanism that the new oracle did not filter, and that bypass happened just forty days after the fix. Compound reentrancy was exploited four times across different fork instances of the same codebase. Same-root-cause recurrence indicates that the team either does not understand the original vulnerability well enough to remediate it fully, or lacks the audit discipline to verify that the fix holds across all affected surfaces.

**Green / Yellow / Red** Green: no same-root-cause repeat exploit in the hacks database. Yellow: one prior exploit with a root cause documented and patched, but patch applied to only some affected contracts, with others still unverified. Red: confirmed same-root-cause second exploit, regardless of time elapsed between incidents.

**Common gray cases** When two incidents share a root-cause cluster but the second uses a novel sub-technique (e.g., bypassing a specific fix via a different entry point), it is still classified as same-root-cause because the underlying architectural weakness is identical. Curator judgment is required to distinguish genuine different-vector from disguised same-vector recurrence.

**Notable historical examples**

- **Compound Finance** ($147M, 2021): Reentrancy cluster exploited across multiple forks; each instance is same-root-cause propagation.
- **Deus DAO** ($6.5M, 2023): Second attacker bypassed the specific oracle fix from the first incident in forty days.
- **Onyx Protocol** ($2.1M, 2023): Same empty-market vector exploited twice on the same protocol.
- **Platypus Finance** ($8.5M, 2023): Three incidents in eight months with overlapping collateral accounting root cause.
- **AlexLab** ($16.18M, 2025): First was key compromise, second was vault permission -- confirmed different root-cause clusters, not same-root-cause.

Measurement: what to look for

Determine whether the protocol has been exploited ≥2 times via the same root-cause cluster.

Data & output

**Data source** In-house hack DB root-cause cluster tags (from T-01 cluster taxonomy)

**Output format** Green / Yellow / Red

**Evidence artifact** Incident list with root-cause cluster IDs; repeat-cluster flag

**Confidence signal** green = no repeat root cause; red = ≥2 incidents with same root-cause cluster; gray = root-cause not classifiable
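The Green / Yellow / Red rule above and the evidence artifact described under Data & output are easy to misapply by hand (for instance, letting the time between incidents soften a Red, which the rubric explicitly forbids). The following is an added example, not code from defirisk.co or its hack DB, that encodes the factor's rules as a small scorer over an incident list: Red if any root-cause cluster appears on two or more incidents, Gray if any incident's root cause is not classifiable, Yellow if a documented cause was patched but not verified across all affected contracts, Green otherwise. The `Incident` type, the cluster tag strings, the `patch_verified_everywhere` field and the sample database are all constructed for this illustration and are not the rubric's T-01 taxonomy or real incident data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical record shape; the real hack DB's schema is not shown on the page.
@dataclass(frozen=True)
class Incident:
    protocol: str
    date: str                      # ISO date of the exploit
    loss_usd: int
    cluster: Optional[str]         # root-cause cluster tag; None = not classifiable
    patch_verified_everywhere: Optional[bool] = None  # fix confirmed on all affected surfaces?


def score_repeat_root_cause(incidents):
    """Score one protocol's incident history against the same-root-cause factor.

    Returns (flag, evidence): flag is 'green' / 'yellow' / 'red' / 'gray', and
    evidence is the artifact the rubric asks for (incident list with cluster IDs
    plus the repeat-cluster flag). Elapsed time between incidents is deliberately
    not consulted: a confirmed repeat is Red regardless of how far apart it was.
    """
    incidents = sorted(incidents, key=lambda i: i.date)
    counts = Counter(i.cluster for i in incidents if i.cluster is not None)
    repeats = sorted(c for c, n in counts.items() if n >= 2)
    evidence = {
        "incidents": [(i.date, i.cluster, i.loss_usd) for i in incidents],
        "repeat_clusters": repeats,
    }
    if repeats:
        return "red", evidence        # >=2 incidents share a cluster: confirmed recurrence
    if any(i.cluster is None for i in incidents):
        return "gray", evidence       # unclassified root cause: recurrence cannot be ruled out
    if any(i.patch_verified_everywhere is False for i in incidents):
        return "yellow", evidence     # patched, but not verified across all affected contracts
    return "green", evidence          # no incident, or only distinct and fully patched clusters


def score_all(hack_db, protocols):
    """Per-protocol flags for every scored protocol, Green when it has no incidents."""
    by_protocol = defaultdict(list)
    for inc in hack_db:
        by_protocol[inc.protocol].append(inc)
    return {p: score_repeat_root_cause(by_protocol.get(p, []))[0] for p in protocols}


# Constructed sample data: protocol names, dates, amounts and tags are made up.
SAMPLE_HACK_DB = [
    Incident("LendCo", "2023-01-10", 4_000_000, "oracle-manipulation", True),
    Incident("LendCo", "2023-02-19", 6_500_000, "oracle-manipulation", True),      # fix bypassed: red
    Incident("BridgeCo", "2024-05-02", 1_000_000, "off-chain-key-compromise", True),
    Incident("BridgeCo", "2025-03-11", 2_000_000, "vault-permission", True),       # different cluster
    Incident("SwapCo", "2022-08-08", 500_000, "cei-reentrancy", False),            # patched one pool only
    Incident("VaultCo", "2024-11-30", 250_000, None),                               # never classified
]

SAMPLE_PROTOCOLS = ["LendCo", "BridgeCo", "SwapCo", "VaultCo", "CleanCo"]

if __name__ == "__main__":
    for protocol, flag in score_all(SAMPLE_HACK_DB, SAMPLE_PROTOCOLS).items():
        print(f"{protocol:10s} {flag}")
```

Running the block prints one flag per sample protocol (LendCo red, BridgeCo green, SwapCo yellow, VaultCo gray, CleanCo green). The ordering of the checks matters: a repeat cluster wins over an unclassified incident, because the rubric treats a confirmed second exploit as Red even when other history is murky, while Gray only applies when no repeat can be confirmed.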

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-079 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | not_assessed |
| Ethena | ethereum | not_assessed |
| ether.fi | ethereum | not_assessed |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | not_assessed |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | not_assessed |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | not_assessed |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | red |

Linked hacks (13 historical incidents)

- **AlexLab (Bitcoin DeFi / Stacks)**, 2025-06-06, $16M (causal): Vault permission hijack via malicious token self-listing; `as-contract` context abuse. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Venus Protocol (zkSync Era deployment)**, 2025-03-29, $902K (related): Empty-market donation attack on a freshly-deployed market with no virtual liquidity / no `_decimalsOffset()` first-depositor protection. Auto-linked by C.4 triage 2026-05-07.
- **Abracadabra Money**, 2025-03-25, $13M (causal): Logic bug — phantom collateral / post-liquidation state inconsistency. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Radiant Capital**, 2024-10-16, $53M (causal): Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Onyx Protocol**, 2023-10-31, $2M (causal): Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Deus DAO / DEI stablecoin**, 2023-05-06, $7M (causal): Mis-ordered Parameters in burnFrom — Public Approval Override. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Level Finance**, 2023-05-01, $1M (causal): Logic bug — referral reward claimMultiple() epoch not checked for reuse. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Hundred Finance**, 2023-04-15, $7M (causal): ERC-4626-style cToken exchange rate manipulation + rounding error. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Platypus Finance**, 2023-02-16, $9M (causal): Flash loan + emergencyWithdraw() solvency check bypass — collateral withdrawal without repaying borrowed USP. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Midas Capital**, 2023-01-15, $660K (causal): Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **DAO Maker**, 2021-09-04, $4M (causal): Reinitializable init() function + emergencyExit() drain on token vesting contracts. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Merlin Labs (REKT 2)**, 2021-05-27, $550K (causal): Oracle Mispricing. Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
- **Uranium Finance**, 2021-04-28, $57M (causal): Math bug — constant product formula check broken by inconsistent parameter change (1000→10000). Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol].
Rubric version: v1.7.0 · Factor: RD-F-079 · Category: 5 · Carried by: 80 protocols · Critical: no