defirisk.co
rubric v1.7.0

Fork has different economic parameters than upstream

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor identifies whether the fork's economic parameters -- collateral factors, liquidation thresholds, LTV ratios, fee tiers, reserve factors -- differ from the upstream protocol's audited defaults, without a corresponding re-audit or independent parameter review covering those changes. The assessment requires comparing the deployed parameter values against the upstream's documented defaults and checking whether any audit report specifically reviewed the fork's parameterization.

**Why it matters** Economic parameters in lending and governance protocols are not purely configuration: they affect the mathematical properties that auditors review for safety. A Compound fork that changes the collateral factor for a governance token from 60% to 85% without re-audit has introduced a parameter that the original security review never validated. In the Curio incident ($16M, 2024), the exploited protocol was a MakerDAO fork where the IDSChief voting power privilege logic had been parameterized differently from MakerDAO's canonical settings; the modified parameters created an exploitable governance privilege escalation. The governance fork category in the synthesis covers three hack instances of this specific pattern.

**Green / Yellow / Red** Green: all economic parameters match the upstream's audited defaults, or an independent parameter review or audit specifically validates the fork's parameter choices for safety. Yellow: parameters differ from upstream defaults in low-risk ways (e.g., lower fees, not higher collateral factors) that a curator has confirmed do not introduce additional mathematical risk. Red: collateral factors, LTV ratios, or governance voting power thresholds differ materially from upstream audited values with no independent parameter review.

**Common gray cases** This factor is gray for original protocols (no upstream comparison possible) or when the upstream's audited parameter values are not publicly documented.

**Notable historical examples**
- **Curio** ($16M, 2024): MakerDAO governance fork with modified IDSChief voting power parameterization; no independent parameter audit; governance privilege exploited.

Measurement: what to look for

Determine whether the fork's economic parameters (collateral factor, LTV, fee structure) differ from upstream audited defaults without a subsequent re-audit.

Data & output

- **Data source:** Source inspection of config params vs upstream repo + audit PDF scope check
- **Output format:** Green / Yellow / Red
- **Evidence artifact:** Fork config values + upstream config values + diff + audit coverage of changed params
- **Confidence signal:** green = parameters match upstream audited defaults or parameter changes are covered by delta-audit; yellow = minor parameter deviations without specific audit coverage; red = major parameter deviations (e.g. LTV >10pp higher than upstream) without re-audit; gray = upstream not identified
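The comparison and colour assignment described above can be sketched as follows. This is an added example, not defirisk.co's scoring code: the parameter names, the basis-point units, the constructed sample values, and applying the ">10pp higher" threshold to every risk-increasing parameter (and to markets with no upstream default) are assumptions.

```python
# Added example. Values are basis points (6000 = 60%); all names are assumptions.
RISK_UP = {"collateral_factor", "liquidation_threshold", "ltv"}  # higher = riskier
MAJOR_BP = 1000  # the rubric's ">10pp higher than upstream" example, applied to all RISK_UP

def diff_params(upstream, fork, audited):
    """Diff {market: {param: bp}} maps. `audited` is the set of (market, param)
    pairs that an audit or parameter review of the fork explicitly covers."""
    findings = []
    for market, params in sorted(fork.items()):
        for param, value in sorted(params.items()):
            base = upstream.get(market, {}).get(param)  # None: no upstream default
            if base == value:
                continue
            covered = (market, param) in audited
            if covered:
                severity = "covered"
            elif param in RISK_UP and (base is None or value - base > MAJOR_BP):
                severity = "major"  # loosened risk limit nobody reviewed
            else:
                severity = "minor"  # still needs curator confirmation
            findings.append({"market": market, "param": param, "upstream": base,
                             "fork": value, "audit_covered": covered,
                             "severity": severity})
    return findings

def score(upstream, fork, audited):
    """Return (colour, findings); findings double as the evidence artifact."""
    if upstream is None:  # upstream not identified
        return "gray", []
    findings = diff_params(upstream, fork, audited)
    severities = {f["severity"] for f in findings}
    if "major" in severities:
        return "red", findings
    if "minor" in severities:
        return "yellow", findings
    return "green", findings

# Constructed sample: the 60% -> 85% collateral factor change from the text,
# plus a lowered reserve factor on a second market.
UPSTREAM = {"GOV": {"collateral_factor": 6000, "reserve_factor": 2000},
            "USDC": {"collateral_factor": 8000, "reserve_factor": 1000}}
FORK = {"GOV": {"collateral_factor": 8500, "reserve_factor": 2000},
        "USDC": {"collateral_factor": 8000, "reserve_factor": 800}}

if __name__ == "__main__":
    for audited in (set(), {("GOV", "collateral_factor")}):
        colour, findings = score(UPSTREAM, FORK, audited)
        print(colour, [(f["market"], f["param"], f["severity"]) for f in findings])
```

The `audited` set has to be filled in by reading the audit report's scope section; a changed parameter that the report never names stays uncovered.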

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-132 |
| --- | --- | --- |
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | not_applicable |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | not_applicable |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: 1 historical incident

causal · Curio (CurioDAO) — Voting power privilege escalation via MakerDAO fork governance bug → mass CGT token minting
2024-03-23 · $16M · Fork has different economic parameters than upstream (audit gap) [via cross-hack: Factor 17: Governance Fork Without Independent Parameter Audit]
rubric_version: v1.7.0 · factor: RD-F-132 · category: 8 · carried: 80 · critical: no