defirisk.co
rubric v1.7.0

Upstream patch not merged

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the upstream protocol that this fork descends from has published a known-vulnerability patch since the fork was taken, and whether that patch has been merged into the fork's deployed code. The check compares the fork's deployed bytecode against the upstream's patched bytecode at the level of the individual functions the patch touched, and cross-references any public security advisories or GitHub patch commits from the upstream. The data source is GitHub patch history combined with bytecode diffing. Two caveats apply to the comparison: bytecode only lines up when the fork's deployed address has verified source (or known compiler settings), otherwise the diff has to be done on source and recorded as unverified; and a fork that mitigated the issue differently (for example with a reentrancy guard instead of reordering state writes) matches neither the patched nor the unpatched upstream body, so an unequal result means "review the diff", not "vulnerable".

**Why it matters** When an upstream protocol patches a vulnerability, every downstream fork that has not merged the patch is known-vulnerable by definition, and the public patch commit tells attackers exactly where to look. The playbook is well established: exploit the upstream (or read its fix), then scan GitHub for forks of the same code. AutoShark, a PancakeBunny fork, was exploited within days of PancakeBunny's original exploit using the identical vector, and Merlin Labs, another PancakeBunny fork, was hit about a week after the original. The check-effects-interactions reentrancy in Compound-derived lending code was exploited across four separate protocols in under a year, each time because the same unpatched pattern was still present. Upstream patch status is therefore one of the highest-signal leading indicators of imminent exploit risk.

**Green / Yellow / Red** Green: no outstanding upstream vulnerability patches exist, or all known upstream patches have been merged into the fork's deployed bytecode and verified by bytecode comparison. Yellow: an upstream patch exists for a medium-severity vulnerability that has not been merged; the fork team has acknowledged the gap and provided a remediation timeline. Red: an upstream patch exists for a high or critical vulnerability that has not been merged into the fork's deployed code, or a sibling fork was exploited via the same pattern within the last 30 days.

**Common gray cases** This factor is gray for original protocols with no fork origin (not applicable) and for protocols where the upstream does not maintain a public security advisory or patch trail.
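The comparison described under Methodology, reduced to a runnable function-level check. This is an added example written for this page, not defirisk.co's own tooling, and it works on verified Solidity source rather than on deployed bytecode (the assumption being that the fork's deployed address has verified source). The contract snippets inside it are constructed to resemble a Compound-style `borrowFresh` before and after a check-effects-interactions reordering, and both forks are invented; none of it is real Compound or fork code. It classifies every function the upstream patch touched as patched, unpatched, diverged or missing, then rolls that up into the factor's colour using the severity threshold from the Green / Yellow / Red rules above.

```python
"""Function-level check: has an upstream security patch landed in a fork?
Added example for this page, not defirisk.co tooling. Compares verified Solidity source
(assumed available for the fork's deployed address), not raw bytecode. The contracts below
are constructed to mimic a Compound-style borrow path around a CEI fix; not real code."""
from __future__ import annotations
import re

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")

def normalize(text: str) -> str:
    """Collapse whitespace so formatting-only edits in the fork do not read as divergence."""
    return re.sub(r"\s*([^\w\s])\s*", r"\1", " ".join(text.split()))

def functions(src: str) -> dict[str, str]:
    """Map each function name to its normalized signature (incl. modifiers) plus body."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)  # strip comments first
    out: dict[str, str] = {}
    for m in FUNC_RE.finditer(src):
        brace, semi = src.find("{", m.end()), src.find(";", m.end())
        if brace == -1 or (semi != -1 and semi < brace):
            continue  # bodiless declaration (interface / abstract)
        depth = 0
        for j in range(brace, len(src)):
            depth += (src[j] == "{") - (src[j] == "}")
            if depth == 0:
                out[m.group(1)] = normalize(src[m.start():j + 1])
                break
    return out

def classify(upstream_before: str, upstream_after: str, fork: str) -> dict[str, str]:
    """Status in the fork of every function the upstream patch touched: patched / unpatched
    (known-vulnerable) / diverged (fork altered it; read the diff) / missing (read the diff)."""
    before, after, f = functions(upstream_before), functions(upstream_after), functions(fork)
    report = {}
    for name in (n for n in after if after[n] != before.get(n)):
        if name not in f:
            report[name] = "missing"
        elif f[name] == after[name]:
            report[name] = "patched"
        elif f[name] == before.get(name):
            report[name] = "unpatched"
        else:
            report[name] = "diverged"
    return report

def factor_color(report: dict[str, str], severity: str) -> str:
    """Roll the report up into this factor's colour. Yellow here reflects severity only;
    the rubric additionally wants the fork team's acknowledgement and a timeline."""
    if all(s == "patched" for s in report.values()):
        return "green"  # also green when the patch touched nothing
    if "unpatched" in report.values():
        return "red" if severity in ("high", "critical") else "yellow"
    return "review"  # diverged / missing: a human reads the diff before colouring

# Constructed sample sources (not real code).
UPSTREAM_BEFORE = """
contract CToken {
    function accrueInterest() public returns (uint) { return 0; }
    function borrowFresh(address payable borrower, uint borrowAmount) internal returns (uint) {
        uint accountBorrowsNew = principal[borrower] + borrowAmount;
        uint totalBorrowsNew = totalBorrows + borrowAmount;
        doTransferOut(borrower, borrowAmount); // interaction before effects
        principal[borrower] = accountBorrowsNew;
        totalBorrows = totalBorrowsNew;
        return 0;
    }
    function doTransferOut(address payable to, uint amount) internal {}
}
"""
# Upstream fix: write state before the external call.
UPSTREAM_AFTER = UPSTREAM_BEFORE.replace(
    "        doTransferOut(borrower, borrowAmount); // interaction before effects\n"
    "        principal[borrower] = accountBorrowsNew;\n"
    "        totalBorrows = totalBorrowsNew;\n",
    "        principal[borrower] = accountBorrowsNew;\n"
    "        totalBorrows = totalBorrowsNew;\n"
    "        doTransferOut(borrower, borrowAmount); // effects before interaction\n",
)
assert UPSTREAM_AFTER != UPSTREAM_BEFORE
# Fork A: reformatted, with an unrelated local change, but the vulnerable ordering kept.
FORK_UNPATCHED = """
contract CToken {
    function accrueInterest() public returns (uint) { return 1; } /* fork-local change */
    function borrowFresh(address payable borrower, uint borrowAmount)
        internal returns (uint)
    {
        /* original ordering retained */
        uint accountBorrowsNew = principal[borrower]+borrowAmount;
        uint totalBorrowsNew   = totalBorrows+borrowAmount;
        doTransferOut(borrower, borrowAmount);
        principal[borrower]=accountBorrowsNew;
        totalBorrows=totalBorrowsNew;
        return 0;
    }
    function doTransferOut(address payable to, uint amount) internal {}
}
"""
# Fork B: mitigated with a guard instead of reordering; neither upstream text matches.
FORK_DIVERGED = UPSTREAM_BEFORE.replace("internal returns (uint) {", "internal nonReentrant returns (uint) {")

if __name__ == "__main__":
    for label, fork in (("fork A", FORK_UNPATCHED), ("fork B", FORK_DIVERGED)):
        report = classify(UPSTREAM_BEFORE, UPSTREAM_AFTER, fork)
        print(label, report, "->", factor_color(report, "critical"))
```

Run as a script, fork A (reformatted but still vulnerable) comes out red and fork B (guarded differently) comes out as review rather than red. That is the point of the diverged bucket: an unequal diff is not evidence of exploitability on its own, and a scorer that turned every mismatch red would flag forks that fixed the bug their own way.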

**Notable historical examples**
- **Compound Finance** ($147M, 2021): Original; multiple downstream forks failed to merge subsequent CEI patches.
- **Fei/Rari Fuse** ($80M, 2022): Compound fork; patch to exitMarket() reentrancy was incomplete, leaving an entry point exposed.
- **Cream Finance** ($18.8M, 2021): Compound fork; CEI reentrancy in borrow() not patched from upstream.
- **Sonne Finance** ($20M, 2024): Compound V2 fork; donation attack pattern not patched despite upstream disclosure.
- **Qubit Finance** ($80M, 2022): BSC lending protocol with Compound-adjacent architecture; upstream patching gaps present.

Measurement: what to look for

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

Data & output

Data source: GitHub diff between upstream main (or security-patch tag) and this fork's deployed commit + upstream security advisory feed
Output format: Green / Yellow / Red
Evidence artifact: Upstream patch commit SHA + this fork's deployed commit SHA + diff URL
Confidence signal: green = all upstream security patches merged; yellow = upstream patch exists but is non-critical for this fork's config; red = critical upstream security patch not merged; gray = upstream not identified (see F126)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-127 |
|---|---|---|
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | red |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | not_applicable |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | not_applicable |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: 28 historical incidents

Every entry below carries the same linkage note ("Upstream Compound has patches that may not be merged here"), derived from the dashboard_risk_factors "Forked?" field quoted at the end of each line. Entries are tagged illustrative or related.

- [illustrative] Venus Protocol — Donation Attack → Supply Cap Bypass → Collateral Inflation → Recursive Borrow Loop · 2026-03-15 · $4M · Forked?: Y — forked from Compound
- [related] Moonwell — Oracle Misconfiguration (Missing ETH/USD Multiplier) · 2026-02-15 · $2M · Forked?: Yes — Compound V2 fork
- [related] Onyx Protocol (2nd incident) — Compound V2 empty-market donation attack — VUSD governance-added market · 2024-09-25 · $4M · Forked?: Y — Compound V2 fork
- [related] Rho Market — Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain · 2024-07-19 · Forked?: Y — Compound Finance fork
- [related] Sonne Finance — Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · 2024-05-14 · $20M · Forked?: Y — Compound V2 fork
- [related] Ionic Money (formerly Midas) — Fake Collateral Listing (Social Engineering → On-chain Exploit) · 2024-02-04 · $7M · Forked?: Yes — Midas was a lending protocol; architecture similar to Compound forks
- [related] Onyx Protocol — Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation · 2023-10-31 · $2M · Forked?: Yes — Compound Finance fork
- [related] Midas Capital — Compound V2 empty-market donation attack — exchange rate inflation + rounding error in redeemUnderlying · 2023-06-17 · $600K · Forked?: Yes — Compound V2 / Fuse fork
- [related] Atlantis Loans — Governance attack on abandoned protocol — attacker passed malicious proposal granting token contract control, then upgraded to drain addresses with active approvals · 2023-06-10 · $3M · Forked?: Likely a Compound/Aave fork (BSC lending)
- [related] Hundred Finance — ERC-4626-style cToken exchange rate manipulation + rounding error · 2023-04-15 · $7M · Forked?: Yes — Compound V2 fork
- [related] Kokomo Finance — Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · 2023-03-26 · $4M · Forked?: Yes — Compound V2 fork
- [related] dForce Network — Read-Only Reentrancy (Curve wstETH/ETH LP Oracle Manipulation) · 2023-02-13 · $4M · Forked?: Compound fork (dForce lending is Compound-inspired)
- [related] Midas Capital — Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · 2023-01-15 · $660K · Forked?: Yes — Compound V2 / Fuse fork architecture
- [related] Lodestar Finance — Oracle Price Manipulation (LP Token Donation) · 2022-12-10 · $7M · Forked?: Yes — Compound fork
- [related] Sovryn — External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn · 2022-10-04 · $1M · Forked?: Y — lending pool design influenced by Compound/Aave patterns adapted for RSK
- [related] Inverse Finance — Oracle Price Manipulation (Flash Loan) · 2022-06-16 · $6M · Forked?: Original protocol with Compound-style mechanics
- [illustrative] Venus Protocol + Blizz Finance (two protocols, one event) — Oracle Min-Price Floor Exploit (Stale Price Feed During Depeg) · 2022-05-12 · $14M · Forked?: Y — Venus forked from Compound; Blizz forked from Aave
- [related] Fortress Protocol (lending arm of JetFuel Finance) — Oracle Manipulation + Malicious Governance Proposal · 2022-05-09 · $3M · Forked?: Y — JetFuel Finance / Compound-style lending fork on BSC
- [related] Fei Protocol / Rari Capital (Fuse) — Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · 2022-04-30 · $80M · Forked?: Y — Compound Finance fork (Fuse uses modified Compound codebase)
- [related] Voltage Finance / Ola Finance — ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update · 2022-03-31 · $4M · Forked?: Yes — Compound fork (via Ola Finance "Compound-like instance" architecture)
- [related] Agave DAO + Hundred Finance (dual attack) — ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain · 2022-03-15 · $12M · Forked?: Yes — both are forks (Aave V2 and Compound respectively)
- [related] Qubit Finance — Zero-Address safeTransferFrom Logic Bug (Cross-Chain Bridge Deposit) · 2022-01-28 · $80M · Forked?: Y — BSC lending protocol; Compound-adjacent architecture
- [illustrative] Compound Finance — Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir · 2021-09-29 · $147M · Forked: N — Compound is the original; many others forked from it
- [related] Vee Finance — Pangolin spot price oracle manipulation via custom trading pairs + decimal handling bug · 2021-09-21 · $34M · Forked?: Partially — leveraged trading platform with Compound-style lending influences
- [related] Cream Finance — ERC-777 Reentrancy (Token Integration Vulnerability) · 2021-08-30 · $19M · Forked?: Y — Cream Finance is a fork of Compound Finance
- [related] Cream Finance — ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update · 2021-08-30 · $19M · Forked: Compound V2 fork
- [related] Punk Protocol — Unprotected initialize() — delegateCall Forge Address Override · 2021-08-10 · $9M · Forked?: Yes — built on Compound infrastructure
- [related] EasyFi (Easy Network) — Admin key theft via compromised machine (malicious MetaMask binary) · 2021-04-19 · $59M · Forked?: Y — Compound Finance fork
rubric_version: v1.7.0 · factor: RD-F-127 · category: 8 · carried: 80 · critical: no