defirisk.co
rubric v1.7.0

Partial-drain test transactions

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal monitors for one or more small-value drain transactions from the protocol that fit a known pre-strike test pattern: unusually small withdrawals from a fresh wallet, failed transactions probing contract state, or micro-transfers that match the structure of a larger drain but scaled down. The signal is generated by pattern-matching against a library of known pre-exploit test transaction templates derived from post-mortem analysis. Category 6 context: test transactions represent the reconnaissance phase of an exploit — the attacker is verifying that the vulnerable state exists before committing full capital.

**Why it matters** Radiant Capital II ($53M, 2024) provides the clearest dataset example: a failed exploit attempt occurred six days before the successful attack, and the team did not act on this warning signal. Deus DAO 2 ($13.4M, 2022) showed a pre-poisoning transaction four minutes before the main attack — a test of the oracle manipulation vector. Test transactions are present in the Medium detectability hacks across the dataset, representing a pattern where earlier monitoring would have provided an actionable warning window. The signal requires pattern-matching rather than simple threshold alerting, making it programmatically harder (PH curation) than basic TVL or oracle deviation monitors.

**Green / Yellow / Red** Green is the baseline state when no test-pattern transactions have been observed from addresses not in the protocol's known user set. Yellow fires when small anomalous transactions are detected from a new address but the pattern does not yet match a known pre-exploit template. Red fires when a transaction sequence from a fresh or mixer-funded wallet matches a documented pre-exploit test template for this protocol class, particularly if followed by contract state queries consistent with vulnerability verification.

**Common gray cases** Gray applies when the protocol's normal usage patterns include high-frequency small transactions (e.g., MEV bots, arbitrageurs) that make test-transaction detection unreliable, or when the pattern library does not yet include templates for this protocol's architecture.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect one or more small-value outflows prior to a larger drain that match a known pre-strike pattern (low-value same-function calls from new wallet).

Data & output

**Data source** On-chain tx pattern matcher on protocol contracts + historical pre-exploit pattern library

**Output format** Green / Yellow / Red

**Evidence artifact** Flagged tx hash list + pattern template matched + wallet address

**Confidence signal** green = signal not firing; yellow = partial match (1 of 2 pattern criteria met); red = full pattern match; gray = pattern matcher not deployed for this protocol
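
As an added illustration (not defirisk.co's matcher), the sketch below maps the two pattern criteria onto the four output states and builds the evidence artifact. It assumes criterion 1 is a small or failed transaction from an address outside the known user set and criterion 2 is a match against a template library; `SMALL_USD`, the template, the `vault` protocol class, the hashes and the addresses are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    hash: str
    sender: str
    function: str     # protocol function called
    value_usd: float  # value leaving the protocol (0 for reads or failed calls)
    success: bool

SMALL_USD = 100.0  # assumed cutoff for "small-value"; tune per protocol
# Constructed template library keyed by protocol class: ordered call sequences.
TEMPLATES = {"vault": {"probe-then-micro-withdraw": ("previewWithdraw", "withdraw")}}

def in_order(calls, template):
    """True if template occurs as an ordered subsequence of calls."""
    it = iter(calls)
    return all(step in it for step in template)

def score(txs, known_users, protocol_class):
    """Return (colour, evidence) for the Green/Yellow/Red/Gray states."""
    templates = TEMPLATES.get(protocol_class)
    if not templates:  # matcher not deployed or no template for this architecture
        return "gray", []
    by_sender = {}
    for tx in txs:
        # Criterion 1 (assumed): small or failed tx from outside the known user set.
        if tx.sender not in known_users and (tx.value_usd <= SMALL_USD or not tx.success):
            by_sender.setdefault(tx.sender, []).append(tx)
    colour, evidence = "green", []
    for sender, seq in by_sender.items():
        calls = [t.function for t in seq]
        # Criterion 2 (assumed): the sender's call sequence matches a library template.
        name = next((n for n, tpl in templates.items() if in_order(calls, tpl)), None)
        if name:
            colour = "red"
        elif colour == "green":
            colour = "yellow"
        evidence.append({"wallet": sender, "template": name, "tx_hashes": [t.hash for t in seq]})
    return colour, evidence

# Constructed sample transactions (hashes and addresses are placeholders).
KNOWN = {"0xuser1"}
SAMPLE = [
    Tx("0xaaa1", "0xuser1", "withdraw", 50.0, True),        # known user: ignored
    Tx("0xbbb1", "0xnew1", "previewWithdraw", 0.0, False),  # failed probe
    Tx("0xbbb2", "0xnew1", "withdraw", 3.0, True),          # micro-withdrawal
    Tx("0xccc1", "0xnew2", "deposit", 10.0, True),          # small, no template
]
```

A production matcher would also need a definition of "fresh or mixer-funded" wallets, which this sketch approximates by absence from the known user set.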

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-091 |
| --- | --- | --- |
| Aave v3 | ethereum | gray |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | not_assessed |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | not_assessed |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | not_assessed |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_assessed |
| Jupiter | solana | not_assessed |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | gray |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | not_assessed |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | green |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | not_assessed |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | not_assessed |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0 | factor: RD-F-091 | category: 6 | carried: 80 | critical: no