defirisk.co
rubric v1.7.0

Admin EOA signing from new geography/device

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when the admin or upgrader EOA signs a transaction from a geography (as inferred from IP metadata, if observable) or device fingerprint inconsistent with the prior signing history for that address. This signal is off-chain in nature — it requires access to signing telemetry from the wallet provider or a relay — and is therefore M (manual) curation and P2 priority. Category 6 context: geography and device anomalies are the off-chain behavioral indicators of key compromise, particularly relevant for the class of exploits where the attacker physically compromised a signing device or intercepted signing credentials.

**Why it matters** Radiant Capital II ($53M, 2024) involved what Radiant described as a sophisticated device-level compromise across three signers' hardware wallets — an attack that left no on-chain precursor signal but would theoretically have been detectable via signing-session fingerprint anomalies if those signers' device environments were monitored. EasyFi ($59M, 2021) involved a MetaMask compromise that exposed private keys. The Harmony Bridge compromise involved hot-wallet signers whose key exposure would have been preceded by an anomalous signing session. The signal is P2 because signing-session telemetry is not broadly accessible from protocol-external monitoring — it requires cooperation from wallet providers or relay operators.

**Green / Yellow / Red** Green is the baseline when all admin signing sessions show device fingerprints and network characteristics consistent with the established signing history for each admin address. Yellow fires when a signing session shows an unfamiliar device fingerprint but from a consistent geography, which could indicate a hardware upgrade. Red fires when an admin signing session originates from an entirely new geography and device fingerprint combination never previously associated with that address.

**Common gray cases** Gray applies in virtually all v1 monitoring cases where signing telemetry is not accessible from the dashboard's external vantage point — this is the norm and Gray is the expected baseline state for most protocols.
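The Green / Yellow / Red / Gray bands above, applied to a stream of signing sessions, as an added example that is not defirisk.co's own code. The telemetry field names, the sample sessions, the first-session baseline, the yellow band for a known device in a new geography, and the worst-status roll-up are assumptions; `confirmed` models the manual (M) review step.

```python
from collections import defaultdict

SEVERITY = {"gray": 0, "green": 1, "yellow": 2, "red": 3}
# Constructed sample telemetry, oldest first. Field names and values are
# assumptions for illustration, not a real wallet-provider or relay schema.
SESSIONS = [
    {"tx": "0xtx01", "address": "0xAdminA", "device": "fp-aaa", "geo": "DE"},
    {"tx": "0xtx02", "address": "0xAdminA", "device": "fp-aaa", "geo": "DE"},
    {"tx": "0xtx03", "address": "0xAdminA", "device": "fp-bbb", "geo": "DE"},
    {"tx": "0xtx04", "address": "0xAdminA", "device": "fp-bbb", "geo": "DE"},
    {"tx": "0xtx05", "address": "0xAdminA", "device": None, "geo": None},
    {"tx": "0xtx06", "address": "0xAdminA", "device": "fp-zzz", "geo": "SG"},
    {"tx": "0xtx07", "address": "0xAdminA", "device": "fp-zzz", "geo": "SG"},
]

def score_sessions(sessions, confirmed=frozenset()):
    """Return (tx, status, reason) per session, scored against prior history.

    Only green sessions, or ones whose tx hash a reviewer put in `confirmed`,
    extend the baseline, so an anomalous session never whitelists itself.
    """
    devices, geos = defaultdict(set), defaultdict(set)
    report = []
    for s in sessions:
        addr, dev, geo = s["address"], s["device"], s["geo"]
        if dev is None or geo is None:
            report.append((s["tx"], "gray", "telemetry not available"))
            continue
        new_dev, new_geo = dev not in devices[addr], geo not in geos[addr]
        if not devices[addr]:  # assumption: first observed session seeds the baseline
            status, reason = "green", "baseline session"
        elif new_dev and new_geo:
            status, reason = "red", "new geography and new device fingerprint"
        elif new_dev:
            status, reason = "yellow", "unfamiliar device, consistent geography"
        elif new_geo:  # assumption: the page does not band this case
            status, reason = "yellow", "known device, new geography"
        else:
            status, reason = "green", "consistent with signing history"
        if status == "green" or s["tx"] in confirmed:
            devices[addr].add(dev)
            geos[addr].add(geo)
        report.append((s["tx"], status, reason))
    return report

def factor_status(report):
    """Worst status across sessions (this roll-up rule is an assumption)."""
    return max((r[1] for r in report), key=SEVERITY.__getitem__, default="gray")
```

Passing `confirmed={"0xtx03"}` marks the device change as a reviewed hardware upgrade, so the following session from that device scores green while the later new-geography sessions stay red.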

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect whether an admin/upgrader EOA signs from a geography or device fingerprint inconsistent with prior signing history.

Data & output

- Data source: Off-chain signing telemetry (requires protocol team opt-in monitoring integration)
- Output format: Green / Yellow / Red
- Evidence artifact: Geography/device fingerprint anomaly report + signing tx hash
- Confidence signal: green = signal not firing; red = anomaly detected; gray = off-chain telemetry not available (requires team opt-in; practically always gray)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-107 |
| --- | --- | --- |
| Aave v3 | ethereum | gray |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | gray |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | not_assessed |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_applicable |
| Jupiter | solana | not_assessed |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | not_assessed |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_assessed |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | gray |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | not_assessed |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | not_assessed |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | not_assessed |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | not_applicable |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | gray |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | not_assessed |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-107 | category: 6 | carried: 80 | critical: no