defirisk.co
rubric v1.7.0

Code divergence from upstream (%)

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the percentage of lines changed between this fork's deployed code and the stated upstream source at the fork point, computed via git diff against the upstream repository at the reference commit. A high divergence percentage indicates that the fork has evolved substantially beyond the audited upstream, potentially introducing novel vulnerabilities that the upstream's audit does not cover. The data source is the protocol's public repository combined with bytecode diffing against the upstream.

**Why it matters** Fork divergence is a proxy for how much new attack surface has been added beyond the audited upstream code. A fork that has diverged 80% from Compound Finance is essentially a new protocol in a Compound wrapper; the upstream's audit provides minimal assurance for the diverged portions. The highest-risk combination is high divergence without corresponding audit coverage of the diverged code: the team gets the credibility signal of forking from a well-known protocol while deploying substantial novel code that has not been independently reviewed. Governance parameter changes are one of the most common forms of divergence; the Curio exploit ($16M, 2024) hit a MakerDAO fork whose voting-power privilege logic had been modified without independent parameter review.

**Green / Yellow / Red** Green: code divergence from upstream is below 20% and the diverged portion has been independently audited or is limited to configuration parameters. Yellow: divergence is 20% to 60%; a delta-audit covers the changed portions. Red: divergence exceeds 60% with no audit of the diverged code, or divergence is in security-critical functions (access control, oracle integration, liquidation logic) without independent review.

**Common gray cases** This factor is gray when the protocol does not publish source code, when the upstream commit reference is not stated, or when the fork is of a non-public upstream that cannot be compared.

**Notable historical examples** The factor is a structural input that feeds the RD-F-131 audit coverage assessment.

Measurement: what to look for

Measure the percentage of lines changed between this fork's deployed code and the stated upstream codebase at fork point.

Data & output

Data source
`git diff` between fork commit and upstream fork-point commit; LOC changed / total LOC
Output format
Green / Yellow / Red
Evidence artifact
Fork-point upstream commit SHA + this fork's commit SHA + LOC diff count + total LOC + %
Confidence signal
green = <20% divergence (mostly config/param changes); yellow = 20–50% divergence; red = >50% divergence (materially different codebase, upstream audit no longer applies); gray = upstream not identified
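The measurement and the banding described in the Methodology and Data & output sections, as an added worked example that is not part of the defirisk.co rubric or its tooling. It counts added plus removed lines per file the way `git diff --numstat` reports them, divides by the fork's total LOC (the denominator is an assumption; the page only says "LOC changed / total LOC"), and maps the result to green / yellow / red / gray. The two source trees, the numstat sample, the filename heuristic for security-critical files, and the rule that unmatched combinations score yellow are all constructed assumptions for this example; the 20% / 60% thresholds follow the Methodology text, while the Data & output row uses 50% for the red line, so whichever is used should be recorded in the evidence artifact.

```python
"""Fork divergence from upstream: measure LOC changed and map it to a rubric band."""
import difflib
from dataclasses import dataclass, field

# Constructed upstream tree at the fork-point commit (path -> source lines). Toy code, not a real protocol.
UPSTREAM_TREE = {
    "core/Pool.sol": [
        "contract Pool {",
        "    uint256 public reserveFactor = 1000;",
        "    function supply(uint256 amt) external { _supply(msg.sender, amt); }",
        "    function borrow(uint256 amt) external { _borrow(msg.sender, amt); }",
        "}",
    ],
    "core/Liquidation.sol": [
        "contract Liquidation {",
        "    uint256 public closeFactor = 5000;",
        "    function liquidate(address user) external { _seize(user, closeFactor); }",
        "}",
    ],
    "core/Oracle.sol": [
        "contract Oracle {",
        "    function price(address asset) external view returns (uint256) { return feeds[asset]; }",
        "}",
    ],
}

# Constructed fork tree: one parameter tweak, a rewritten liquidation path (security-critical),
# and a brand-new rewards module that the upstream audit never covered.
FORK_TREE = {
    "core/Pool.sol": [
        "contract Pool {",
        "    uint256 public reserveFactor = 1500;",
        "    function supply(uint256 amt) external { _supply(msg.sender, amt); }",
        "    function borrow(uint256 amt) external { _borrow(msg.sender, amt); }",
        "}",
    ],
    "core/Liquidation.sol": [
        "contract Liquidation {",
        "    uint256 public closeFactor = 5000;",
        "    mapping(address => bool) public keeper;",
        "    function liquidate(address user) external { require(keeper[msg.sender]); _seize(user, closeFactor); }",
        "}",
    ],
    "core/Oracle.sol": UPSTREAM_TREE["core/Oracle.sol"],
    "core/Rewards.sol": [
        "contract Rewards {",
        "    mapping(address => uint256) public accrued;",
        "    function claim() external { _pay(msg.sender, accrued[msg.sender]); }",
        "}",
    ],
}

# Assumed filename heuristic for the page's "security-critical functions"
# (access control, oracle integration, liquidation logic).
CRITICAL_PATH_HINTS = ("access", "auth", "owner", "oracle", "liquidat", "governance")


@dataclass
class DivergenceReport:
    changed_loc: int                       # added + removed lines, as `git diff --numstat` counts them
    total_loc: int                         # LOC of the fork's deployed tree (assumed denominator)
    files_changed: list = field(default_factory=list)

    @property
    def percent(self) -> float:
        return 100.0 * self.changed_loc / self.total_loc if self.total_loc else 0.0


def file_changed_lines(old: list, new: list) -> int:
    """Removed + added lines between two versions of one file (one numstat row)."""
    changed = 0
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag != "equal":
            changed += (i2 - i1) + (j2 - j1)
    return changed


def measure_divergence(upstream: dict, fork: dict) -> DivergenceReport:
    """Diff every path present in either tree; files only on one side count fully."""
    report = DivergenceReport(0, sum(len(lines) for lines in fork.values()))
    for path in sorted(set(upstream) | set(fork)):
        n = file_changed_lines(upstream.get(path, []), fork.get(path, []))
        if n:
            report.changed_loc += n
            report.files_changed.append(path)
    return report


def parse_numstat(text: str, total_loc: int) -> DivergenceReport:
    """Build the same report from real `git diff --numstat UPSTREAM_SHA FORK_SHA` output
    (added<TAB>removed<TAB>path; binary files show '-' and are skipped)."""
    report = DivergenceReport(0, total_loc)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or "-" in parts[:2]:
            continue
        added, removed, path = parts
        report.changed_loc += int(added) + int(removed)
        report.files_changed.append(path)
    return report


def critical_files(paths: list) -> list:
    return [p for p in paths if any(hint in p.lower() for hint in CRITICAL_PATH_HINTS)]


def band(report: DivergenceReport, upstream_known: bool, diverged_reviewed: bool, config_only: bool) -> str:
    """Green / yellow / red / gray per the Methodology text; unmatched combinations score yellow (assumption)."""
    if not upstream_known:                                   # upstream commit not stated -> gray
        return "gray"
    if critical_files(report.files_changed) and not diverged_reviewed:
        return "red"                                         # security-critical change, no independent review
    if report.percent > 60 and not diverged_reviewed:
        return "red"
    if report.percent < 20 and (diverged_reviewed or config_only):
        return "green"
    return "yellow"


# Constructed numstat text matching the tree diff above (the last row is a binary file).
NUMSTAT_SAMPLE = "1\t1\tcore/Pool.sol\n2\t1\tcore/Liquidation.sol\n4\t0\tcore/Rewards.sol\n-\t-\tassets/logo.png\n"

if __name__ == "__main__":
    rep = measure_divergence(UPSTREAM_TREE, FORK_TREE)
    print(f"{rep.changed_loc}/{rep.total_loc} LOC changed = {rep.percent:.1f}%, critical: {critical_files(rep.files_changed)}")
    print("band (no delta audit):", band(rep, True, False, False))
```

The evidence artifact the page asks for (upstream SHA, fork SHA, LOC diff, total LOC, %) falls straight out of `parse_numstat` once the two commits are pinned; `measure_divergence` exists only so the example runs without a git checkout.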

Scored protocols: 80 carry this factor

Protocol | Chain | RD-F-129
Aave v3 | ethereum | not_applicable
Across Protocol | ethereum | not_applicable
Aerodrome Finance | base | yellow
Axelar Network | ethereum | not_applicable
Babylon Protocol | bitcoin | not_applicable
Balancer (v2 + v3) | ethereum | not_applicable
Beefy Finance | ethereum | not_applicable
BENQI | avalanche | yellow
BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable
Cap (cUSD / stcUSD) | ethereum | not_applicable
Centrifuge | ethereum | not_applicable
Chainlink CCIP | ethereum | not_applicable
Circle USYC | binance | not_applicable
Compound V3 (Comet) | ethereum | not_applicable
Concrete | ethereum | not_applicable
Convex Finance | ethereum | not_applicable
crvUSD (Curve Stablecoin) | ethereum | not_applicable
Curve Finance | ethereum | not_applicable
deBridge | ethereum | not_applicable
Dolomite | ethereum | yellow
dYdX v4 (dYdX Chain) | dydx | not_applicable
EigenLayer | ethereum | not_applicable
Ethena | ethereum | not_applicable
ether.fi | ethereum | not_applicable
Euler V2 | ethereum | not_applicable
Falcon Finance | ethereum | not_applicable
Fluid | ethereum | not_applicable
Frax Finance | ethereum | not_applicable
GMX v2 (GMX Synthetics) | arbitrum | not_applicable
Hyperlane | ethereum | not_applicable
Hyperliquid | arbitrum | not_applicable
Jito | solana | yellow
Jupiter | solana | not_applicable
Jupiter Perpetual Exchange | solana | not_applicable
JustLend DAO | tron | yellow
Kamino Lend | solana | not_applicable
Kinetiq | hyperliquid | not_applicable
Lido | ethereum | not_applicable
Liquid Collective (LsETH) | ethereum | not_applicable
Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable
Lista DAO | bsc | red
Lombard Finance | ethereum | not_applicable
M^0 | ethereum | not_applicable
Maple Finance | ethereum | not_applicable
Marinade Finance | solana | not_applicable
Meteora | solana | not_applicable
mETH Protocol | ethereum | not_applicable
Midas | ethereum | not_applicable
Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable
Multipli | ethereum | not_applicable
Ondo Finance | ethereum | yellow
OpenEden | ethereum | not_applicable
Orca | solana | not_applicable
PancakeSwap | bsc | yellow
Pendle Finance | ethereum | not_applicable
Polymarket | polygon | green
QuickSwap | polygon | green
Raydium | solana | not_applicable
Rocket Pool | ethereum | not_applicable
Sanctum | solana | not_applicable
Save (formerly Solend) | solana | red
Sky Lending (formerly MakerDAO) | ethereum | not_applicable
Spark Protocol | ethereum | green
Spiko | stellar | not_applicable
Stake DAO | ethereum | not_applicable
StakeWise v3 | ethereum | not_applicable
Stargate Finance | ethereum | not_applicable
stHYPE (Valantis Labs) | hyperliquid | not_applicable
SUNSwap (sun.io) | tron | yellow
Superstate | ethereum | not_applicable
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow
Symbiotic | ethereum | not_applicable
Synapse Protocol | ethereum | yellow
Uniswap (v2 + v3) | ethereum | not_applicable
USDD (Decentralized USD) | tron | not_applicable
Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable
Veda (BoringVault) | ethereum | not_applicable
Venus Protocol | bsc | yellow
Wormhole | ethereum | not_applicable
Yearn Finance | ethereum | not_applicable

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-129 | category: 8 | carried: 80 | critical: no