Test-mode parameters in deploy
A post-deploy hygiene & change mgmt factor in the v1.7.0 rubric. Measured per protocol on a s cadence.
Methodology: how we score
**What this measures**
This factor identifies whether a deployed contract retains test-mode configuration parameters — such as a test oracle address, infinite token allowances for deployer addresses, an admin role still set to the deployer EOA, or debug-level access control conditions. These are parameters that are appropriate in a testing environment but represent active security vulnerabilities in production. Detection combines source inspection with a comparison of the deployed on-chain configuration against the declared production parameter set.
**Why it matters**
Test-mode configurations left active in production have caused several significant exploits. Eminence Finance lost $15M because speculative depositors found and funded what was effectively a development contract that had not been made production-safe. The pattern of "deployed to mainnet before final hardening" appears across multiple incidents in the evidence base — particularly in newly deployed contracts and contracts deployed as part of a rapid upgrade cycle. The risk is not the test-mode configuration alone but the combination of that configuration with live user funds: a debug admin address or infinite allowance in production is an immediately exploitable state.
**Green / Yellow / Red**
Green is assigned when source inspection and on-chain configuration confirm no test-mode parameters are active in the production deployment. Yellow covers cases where minor non-security-critical test parameters remain (e.g., verbose event emissions) but no privilege-escalating test configs are present. Red is assigned when any privilege-escalating test-mode configuration is found in the production deployment — including deployer-admin, infinite allowances for test addresses, or a mock oracle address.
**Common gray cases**
This factor is grayed when source code is unavailable and bytecode-level configuration analysis is inconclusive.
**Notable historical examples**
- **Eminence Finance** ($15M, 2020): Protocol deployed to mainnet in development state; speculative deposits funded what was essentially a test contract.
- **Compound Finance** ($147M at risk, 2021): Proposal 62 introduced a governance upgrade with test-level parameter assumptions.
- **Penpie** ($27M, 2024): Permissionless market registration accepted external contracts without the whitelist that the production spec required.
Measurement: what to look for
Determine whether the deployed configuration retains test-mode parameters (test oracle address, infinite allowance, admin = deployer EOA).
Data & output
**Data source:** Source inspection of deploy config + constructor args decode on Etherscan + comparison to production-expected values
**Output format:** Green / Yellow / Red
**Evidence artifact:** Constructor args JSON + decoded config values + expected production values
**Confidence signal:** green = no test-mode parameters detected; red = test-mode parameter confirmed in production deploy; gray = constructor args not decodable
Scored protocols: 80 carry this factor
Linked hacks: 14 historical incidents
- [related] Makina Finance — Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain (2026-01-20 · $4M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [illustrative] GMX V1 — Cross-Contract Reentrancy via Order-Keeper Callback (2025-07-09) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] MobiusDAO — Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation (2025-05-11 · $2M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Polter Finance — Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow (2024-11-16 · $9M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Bedrock (uniBTC vault) — Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint) (2024-09-25 · $2M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Penpie — Reentrancy via fake Pendle market → staking balance inflation → excess reward drain (2024-09-03 · $27M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Jimbo's Protocol — Flash loan + missing slippage control in rebalancing function → liquidity drain (2023-05-28 · $8M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Deus DAO / DEI stablecoin — Mis-ordered Parameters in burnFrom — Public Approval Override (2023-05-06 · $7M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Kokomo Finance — Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits (2023-03-26 · $4M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [illustrative] Compound Finance — Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir (2021-09-29 · $147M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Cream Finance — ERC-777 Reentrancy (Token Integration Vulnerability) (2021-08-30 · $19M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] PancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting (2021-05-19 · $45M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Alpha Finance / Alpha Homora V2 (leveraged yield farming) — Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required (2021-02-13 · $38M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- [related] Eminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle) (2020-09-28 · $15M) · Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
Rubric version: v1.7.0 · Factor: RD-F-141 · Category: 9 · Carried by: 80 protocols · Critical: no