defirisk.co
rubric v1.7.0

Unusual mempool pattern from deployer wallet

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when the protocol's deployer wallet (or admin wallet) submits a mempool transaction sequence that deviates from its established behavioral baseline — for instance, new contract deployments, unusual approval grants, or high-frequency transaction bursts from an address that has been dormant. The signal is generated by maintaining a behavioral baseline for the deployer wallet and flagging deviations beyond a configurable standard-deviation threshold. Category 6 context: deployer wallet re-activation is a documented precursor pattern in insider-drain exploits, where the attacker waits for a dormancy window before re-activating privileged access.

**Why it matters** The Infini exploit ($49.5M, 2025) demonstrated a 114-day dormancy period before the rogue developer re-activated the retained admin key and executed the drain. Merlin DEX ($1.82M) showed the Feeto privileged EOA activating unexpectedly. When a deployer wallet that has been dormant for weeks or months suddenly submits transactions — particularly contract deployments or admin function calls — it is structurally similar to the pre-exploit pattern. The signal is P2 in priority because the mempool monitoring infrastructure required is substantial and the false positive rate from legitimate protocol upgrades is high.

**Green / Yellow / Red** Green is the baseline state when the deployer wallet shows transaction patterns consistent with its 30-day behavioral baseline. Yellow fires when the deployer submits an unusual transaction type (e.g., new approval or deployment) that deviates from baseline but is within explainable operational activity. Red fires when the deployer wallet re-activates after 30 or more days of dormancy and immediately submits admin-category transactions, particularly if the wallet is not a multisig and the transactions are not preceded by governance discussion.

**Common gray cases** Gray applies when the deployer wallet is a multisig and individual signer actions are not separately monitorable, or when the protocol has a documented active upgrade schedule that normalizes frequent deployer activity.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect whether the deployer wallet submits an unusual sequence (new contract deploys, mass approvals) vs its historical baseline.
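
The Green / Yellow / Red rules above, written as a scoring function over a wallet's confirmed history and a batch of pending mempool transactions. This is an added example, not defirisk.co's scoring code; the transaction-type labels, parameter names, the sigma floor, the gray result for an empty history and the sample data are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

ADMIN_TYPES = {"deploy", "upgrade", "admin_call"}  # assumed admin-category labels
DAY = timedelta(days=1)

def score_deployer(history, pending, *, registered=True, multisig=False,
                   signers_monitorable=True, upgrade_schedule=False,
                   governance_discussed=False, dormancy_days=30,
                   baseline_days=30, z_threshold=3.0):
    """history / pending: lists of (datetime, tx_type). Returns (colour, reasons)."""
    if not registered or not history:  # no baseline to compare against (assumption)
        return "gray", ["wallet not registered or no baseline history"]
    if (multisig and not signers_monitorable) or upgrade_schedule:
        return "gray", ["signers not monitorable or documented upgrade schedule"]
    if not pending:
        return "green", []
    first = min(ts for ts, _ in pending)
    idle = first - max(ts for ts, _ in history)
    admin = sorted({t for _, t in pending if t in ADMIN_TYPES})
    if idle >= dormancy_days * DAY and admin:
        reasons = [f"{admin} after {idle.days}d dormancy"]
        if not multisig:
            reasons.append("wallet is not a multisig")
        if not governance_discussed:
            reasons.append("no preceding governance discussion")
        return "red", reasons
    # Baseline: per-day tx counts and tx types seen in the trailing window.
    window = [(ts, t) for ts, t in history if first - ts <= baseline_days * DAY]
    counts = [sum((first - ts) // DAY == d for ts, _ in window)
              for d in range(baseline_days)]
    mu, sigma = mean(counts), pstdev(counts)
    reasons = []
    new_types = sorted({t for _, t in pending} - {t for _, t in window})
    if new_types:
        reasons.append(f"tx types absent from baseline: {new_types}")
    # Floor sigma at 1 so a flat baseline does not flag a single transaction.
    if len(pending) > mu + z_threshold * max(sigma, 1.0):
        reasons.append(f"burst of {len(pending)} txs vs daily mean {mu:.2f}")
    return ("yellow" if reasons else "green"), reasons

# Constructed sample data: an active wallet and a long-dormant one.
NOW = datetime(2025, 6, 1, 12, 0)
ACTIVE = [(NOW - timedelta(days=d), "transfer") for d in range(1, 30, 2)]
DORMANT = [(NOW - timedelta(days=114), "deploy")]

if __name__ == "__main__":
    print(score_deployer(ACTIVE, [(NOW, "approve")]))
    print(score_deployer(DORMANT, [(NOW, "admin_call")]))
```

The returned reasons list maps onto the evidence artifact: pair it with the flagged transaction hashes when recording the deviation.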

Data & output

Data source: Mempool stream + deployer address baseline behavioral model
Output format: Green / Yellow / Red
Evidence artifact: Flagged mempool tx hashes + deviation from baseline description
Confidence signal: green = signal not firing; red = anomaly detected; gray = deployer wallet not registered in monitoring config

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-092 |
| --- | --- | --- |
| Aave v3 | ethereum | not_assessed |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_assessed |
| Jupiter | solana | not_assessed |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | gray |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | gray |
| mETH Protocol | ethereum | green |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | not_assessed |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | gray |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | not_assessed |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | not_applicable |
| Uniswap (v2 + v3) | ethereum | gray |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | not_assessed |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-092 | category: 6 | carried: 80 | critical: no