defirisk.co
rubric v1.7.0

Prior known-ignored disclosure

A response & disclosure hygiene factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Methodology: how we score

**What this measures** This factor records evidence in prior-incident post-mortems or public records that a disclosed vulnerability was known to the protocol team before the exploit but was not acted upon within a reasonable timeframe. Evidence sources include: post-mortem disclosures by audit firms, security researchers, or the team itself; governance forum posts naming specific vulnerabilities; Discord or Telegram records; and curator-maintained records of ignored disclosure events. Measurement is manual curator review of all available post-mortems and public records for the protocol. Category 13 context: prior ignored disclosure is the strongest available signal for systematic response-hygiene failure — it demonstrates that the team's disclosure process failed under real conditions.

**Why it matters** Prior ignored disclosure is documented across five in-sample hacks with total losses exceeding $233M. Mango Markets ($115M, 2022) had a Discord warning in March 2022 specifically referencing Venus Protocol and the oracle manipulation vector — the attack occurred six months later. Atomic Wallet ($100M, 2023) ignored a Least Authority security report describing the vulnerability class. Sonne Finance ($20M, 2024) had yAudit flag the Compound V2 donation risk in their own audit report — the governance execution gap was not addressed. Balancer ($2.1M, 2023) had a five-day public warning before the exploit. Sturdy Finance ($800K, 2023) had a Balancer forum post specifically naming Sturdy's pools as vulnerable four months before the exploit.

**Green / Yellow / Red** Green is scored when no evidence exists in any accessible post-mortem or public record of a prior security disclosure being ignored or unacted upon within the response window. Yellow applies when a prior disclosure was acted upon but with a delay exceeding the protocol's stated SLA, or when the response was partial (the disclosed finding was addressed but a related attack surface was not). Red is scored when post-mortem evidence confirms that a prior disclosed vulnerability was known to the team and no action was taken within 30 days, and the vulnerability was subsequently exploited.

**Common gray cases** Gray applies when the protocol is new enough that no post-mortem record exists, or when prior disclosures were made through private channels that the curator cannot access.
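To make the Green / Yellow / Red / Gray rules above concrete, here is a small scoring helper added as an illustration (it is not defirisk.co's tooling). It encodes the 30-day red window, the SLA and partial-response yellow conditions, and the gray cases; two points the rubric leaves unstated are marked as assumptions in the code: a fix that landed only after the exploit is not counted as a response, and a disclosure that was ignored but never exploited is scored yellow. Timelines are constructed; day-of-month values for the page's examples are assumed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RED_WINDOW_DAYS = 30  # rubric: known, no action within 30 days, then exploited -> red
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

@dataclass
class Disclosure:
    """One prior disclosure reconstructed from post-mortems or public records."""
    disclosed: date
    actioned: Optional[date]          # None: no fix or mitigation ever recorded
    partial: bool = False             # finding fixed, but a related attack surface was not
    exploited: Optional[date] = None  # date the vulnerability was later exploited, if at all
    private_channel: bool = False     # reported via a channel the curator cannot access

def score_disclosure(d: Disclosure, sla_days: int) -> str:
    """Score one disclosure with the rubric's Green / Yellow / Red / Gray rules."""
    if d.private_channel:
        return "gray"  # unverifiable: rubric's gray case
    # Assumption: a fix that landed only after the exploit is not a response to the disclosure.
    acted = d.actioned is not None and (d.exploited is None or d.actioned < d.exploited)
    days_to_action = (d.actioned - d.disclosed).days if acted else None
    if d.exploited is not None and (not acted or days_to_action > RED_WINDOW_DAYS):
        return "red"
    if not acted:
        # Ignored but never exploited: the rubric gives no score; assumed yellow (open SLA breach).
        return "yellow"
    if d.partial or days_to_action > sla_days:
        return "yellow"
    return "green"

def score_protocol(disclosures: List[Disclosure], sla_days: int) -> str:
    """Protocol-level result: worst verifiable disclosure; gray when nothing verifiable exists."""
    verifiable = [s for s in (score_disclosure(d, sla_days) for d in disclosures) if s != "gray"]
    if not verifiable:
        return "gray"  # new protocol with no record, or only private-channel reports
    return max(verifiable, key=SEVERITY.__getitem__)

# Constructed timelines modelled on the page's examples (exact days are assumed).
MANGO_LIKE = Disclosure(disclosed=date(2022, 3, 15), actioned=None, exploited=date(2022, 10, 11))
FIVE_DAY_WARNING = Disclosure(disclosed=date(2023, 8, 22), actioned=date(2023, 8, 24),
                              partial=True, exploited=date(2023, 8, 27))
HANDLED_IN_SLA = Disclosure(disclosed=date(2024, 1, 10), actioned=date(2024, 1, 20))

if __name__ == "__main__":
    for name, d in [("mango-like", MANGO_LIKE), ("five-day warning", FIVE_DAY_WARNING),
                    ("handled in SLA", HANDLED_IN_SLA)]:
        print(f"{name}: {score_disclosure(d, sla_days=14)}")
```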

**Notable historical examples**

- **Mango Markets** ($115M, 2022): Discord warning in March 2022 referencing the exact oracle manipulation vector; ignored for six months before exploit.
- **Atomic Wallet** ($100M, 2023): Least Authority security report (2022) describing vulnerability class; not acted upon.
- **Sonne Finance** ($20M, 2024): yAudit flagged Compound V2 donation risk; governance execution gap not addressed.
- **Balancer V2** ($2.1M, 2023): Five-day public warning before exploit; at-risk TVL partially evacuated.
- **Sturdy Finance** ($800K, 2023): Balancer forum named Sturdy's specific pools as vulnerable four months before exploit; no action taken.

Measurement: what to look for

Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.

Data & output

| Field | Value |
|---|---|
| Data source | Protocol post-mortems + OSINT (rekt.news, governance forum incident discussions) + security researcher public disclosures |
| Output format | Green / Yellow / Red |
| Evidence artifact | Post-mortem URL + disclosure report URL + curator note connecting disclosure to exploit |
| Confidence signal | green = no evidence of ignored disclosure; red = confirmed prior ignored disclosure (post-mortem acknowledges received-but-not-actioned report); gray = no prior incidents |

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-177 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | red |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | yellow |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks (5 historical incidents)

- **causal** · Sonne Finance — Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · 2024-05-14 · $20M · Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- **related** · Balancer V2 (+ Beethoven X fork) — Linear pool rounding-down logic → cached rate manipulation → boosted pool drain · 2023-08-27 · $2M · Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- **causal** · Sturdy Finance — Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain · 2023-06-12 · $800K · Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- **causal** · Atomic Wallet (non-custodial multi-chain wallet) — Unknown officially; suspected: BGP hijacking combined with client-side vulnerability (possibly private key logging); Least Authority had flagged vulnerabilities in 2021 that were never addressed · 2023-06-02 · $100M · Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- **causal** · Mango Markets — Self-funded MNGO spot price pump using two accounts → inflated unrealized collateral → lending pool drain · 2022-10-11 · $115M · Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
rubric_version: v1.7.0 · factor: RD-F-177 · category: 13 · carried: 80 · critical: no