defirisk.co
rubric v1.7.0

Fork depth (generations from original audit)

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the number of fork hops between the assessed protocol and an originally-audited base protocol. A direct fork of Compound Finance has a fork depth of 1. A fork of a Compound fork has a fork depth of 2. Each additional hop potentially dilutes the audit coverage assurance and introduces new parameter divergences at each layer. The data source is a curator-maintained lineage map cross-referenced with bytecode similarity analysis.

**Why it matters** Fork-of-fork deployments compound the audit coverage risk at each layer. A third-generation fork (depth 3) may carry bugs introduced at the second-generation level that were never audited, combined with parameter changes introduced at the third level that diverge from both the first and second generation audits. The BSC DeFi ecosystem during 2021-2022 was dominated by second- and third-generation forks where an already-dangerous pattern (unaudited BSC fork of an audited Ethereum protocol) was further forked without any additional review. AutoShark was a fork of PancakeBunny which was itself a yield aggregator inspired by Yearn -- two hops from the original audited design, with vulnerabilities introduced at each layer.

**Green / Yellow / Red** Green: fork depth of 0 (original code) or 1 (direct fork with independent audit of the fork itself). Yellow: fork depth of 2, where the protocol can demonstrate that the intermediate fork's changes were reviewed. Red: fork depth of 3 or more, or fork depth of 2 without any audit of the intermediate changes.

**Common gray cases** Fork depth is gray when the lineage cannot be reliably traced due to undisclosed or multiple overlapping upstream sources.
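The Green / Yellow / Red and gray rules above, applied to a lineage map, as an added example that is not defirisk.co's own code. The protocol names, the `Node` fields and the sample map are constructed; depth is counted as in "What this measures" (direct fork = 1) and the root of each chain is assumed to be the originally audited base. The page does not rate a depth-1 fork that lacks its own audit, so returning yellow for it is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    upstreams: list = field(default_factory=list)  # forked from; [] = original code
    audited: bool = False            # this layer's own changes were audited/reviewed
    commit: str = "<commit-sha>"     # placeholder for the evidence artifact

def fork_chain(lineage, protocol):
    """Walk upstream to the base; None if the lineage cannot be traced."""
    chain, name = [], protocol
    while True:
        node = lineage.get(name)
        # undisclosed upstream, cycle, or multiple overlapping upstreams -> gray
        if node is None or name in chain or len(node.upstreams) > 1:
            return None
        chain.append(name)
        if not node.upstreams:
            return chain             # reached original code
        name = node.upstreams[0]

def score(lineage, protocol):
    """Return (depth, rating) following the rubric text."""
    chain = fork_chain(lineage, protocol)
    if chain is None:
        return None, "gray"
    depth = len(chain) - 1           # number of fork hops
    if depth == 0:
        return depth, "green"
    if depth == 1:                   # green needs an audit of the fork itself
        return depth, "green" if lineage[protocol].audited else "yellow"  # yellow: assumption
    if depth == 2:                   # chain[1] is the intermediate fork
        return depth, "yellow" if lineage[chain[1]].audited else "red"
    return depth, "red"

# Constructed sample lineage map (not real protocols).
LINEAGE = {
    "BaseLend": Node(audited=True),
    "ForkA":    Node(["BaseLend"], audited=True),
    "ForkX":    Node(["BaseLend"], audited=False),
    "ForkB":    Node(["ForkA"]),
    "ForkB2":   Node(["ForkX"]),
    "ForkC":    Node(["ForkB"]),
    "Merged":   Node(["ForkA", "ForkX"]),
    "Mystery":  Node(["Undisclosed"]),
}
```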

**Notable historical examples** The factor is a structural modifier on the overall Cat 8 lineage assessment.

Measurement: what to look for

Count the number of fork hops from an originally audited protocol (0 = direct fork of an audited protocol, N = N-th generation).

Data & output

Data source: Curator lineage map built from F126 results + GitHub repo histories
Output format: Green / Yellow / Red
Evidence artifact: Fork chain list (protocol names + commit SHAs) + depth integer
Confidence signal: green = depth 0–1 (direct fork of audited protocol); yellow = depth 2; red = depth ≥3 (audit coverage very diluted); gray = fork lineage not determinable

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-130 |
| --- | --- | --- |
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | green |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | not_applicable |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | not_applicable |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-130 | category: 8 | carried: 80 | critical: no