defirisk.co
rubric v1.7.0

CVE/GHSA advisory issued against protocol

A response & disclosure hygiene factor in the v1.7.0 rubric. Measured per protocol on a recurring cadence.

Methodology: how we score

**What this measures** This factor records whether a CVE (Common Vulnerabilities and Exposures), GHSA (GitHub Security Advisory), or equivalent standardized public advisory has been issued against the monitored protocol or its core smart contracts. Detection is programmatic via the CVE database, GitHub Advisory Database, and OSV vulnerability feed, cross-referenced against the protocol's repository identifiers and known contract addresses. Category 13 context: a CVE or GHSA represents the highest-formality level of public vulnerability disclosure — it indicates that a vulnerability has been assessed as sufficiently significant to warrant standardized public notification, creating a documented public record and a timestamp against which the team's response can be measured.

**Why it matters** A CVE issued against a DeFi protocol creates a public, indexed record that any researcher, auditor, or monitor can retrieve and cross-reference. KyberSwap Elastic ($48M, 2023) had its tick-crossing precision failure ultimately documented in public advisories after the exploit. Compound's governance vulnerability family has multiple associated GHSAs. The existence of a CVE or GHSA against a protocol is not inherently a red flag — it may indicate responsible disclosure and patching — but the combination of an open (unresolved) advisory and a live protocol represents a specific elevated risk state. A resolved advisory provides the opposite signal: evidence that the protocol has engaged with formal vulnerability disclosure processes and maintained a public fix record.

**Green / Yellow / Red** Green is scored when no open CVE, GHSA, or equivalent public advisory exists for the protocol's core contracts, or when all historical advisories are marked as patched with on-chain proof of fix. Yellow applies when a historical advisory exists and is marked resolved, but the curator cannot verify on-chain that the fix was actually deployed. Red is scored when an open (unresolved) CVE or GHSA advisory that has not been marked as patched exists against the protocol's core smart contracts, indicating a known public vulnerability with no confirmed fix.

**Common gray cases** Gray applies when the protocol's contracts are not registered in any vulnerability tracking system and the absence of a CVE/GHSA reflects non-registration rather than absence of known vulnerabilities — the typical state for most DeFi protocols that have not engaged with formal CVE coordination.

**Notable historical examples** No cross-linked hack incidents are currently recorded in the database for this factor.

Measurement: what to look for

Determine whether a CVE, GHSA, or equivalent public advisory has been issued against this protocol or its code.

Data & output

| Field | Value |
|---|---|
| Data source | GHSA API search for protocol repo + NVD CVE database search for protocol name |
| Output format | Green / Yellow / Red |
| Evidence artifact | GHSA/CVE ID + advisory URL + severity + patched status |
| Confidence signal | green = no advisory or all advisories patched; yellow = advisory exists and patched; red = advisory exists and unpatched in current deploy; gray = protocol not indexed in GHSA/NVD |
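The scoring logic from the Green / Yellow / Red rules and the confidence-signal row, as an added Python example (not defirisk.co's own code): it filters a constructed advisory feed down to one protocol by repository URL or contract address, the cross-reference the Methodology section describes, then applies the rubric's precedence (gray, then red, then yellow, then green). The `Advisory` record shape, the repository URL, the contract address and the advisory ids are assumptions and placeholders.

```python
import re
from dataclasses import dataclass

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # EVM contract address in advisory text

@dataclass(frozen=True)
class Advisory:  # constructed record shape (assumed, not the rubric's own schema)
    advisory_id: str            # placeholder GHSA/CVE id, not a real identifier
    url: str
    severity: str
    patched: bool               # publisher marks the advisory resolved
    fix_verified_onchain: bool  # curator confirmed the deployed code carries the fix
    references: tuple = ()      # repository URLs the advisory cites
    summary: str = ""           # free text that may name contract addresses

def matches_protocol(adv, repo_ids, contract_addrs):
    """Methodology cross-reference: the advisory cites a protocol repo or names a known contract."""
    repos = {r.lower().rstrip("/") for r in repo_ids}
    addrs = {a.lower() for a in contract_addrs}
    if any(ref.lower().rstrip("/") in repos for ref in adv.references):
        return True
    return any(m.lower() in addrs for m in ADDR_RE.findall(adv.summary))

def score_advisory_factor(indexed, advisories):
    """Gray / Red / Yellow / Green as the rubric defines them; one open advisory outranks any patched ones."""
    if not indexed:
        return "gray"    # non-registration, not evidence that no bug is known
    if any(not a.patched for a in advisories):
        return "red"     # open advisory against live core contracts
    if any(not a.fix_verified_onchain for a in advisories):
        return "yellow"  # resolved upstream, deployment of the fix unverified
    return "green"       # no advisory, or every fix proven on-chain

def score_feed(indexed, feed, repo_ids, contract_addrs):
    """Filter a raw GHSA/NVD/OSV feed to this protocol, score it, and build the evidence artifacts."""
    mine = [a for a in feed if matches_protocol(a, repo_ids, contract_addrs)]
    evidence = [f"{a.advisory_id} {a.url} severity={a.severity} patched={a.patched}" for a in mine]
    return score_advisory_factor(indexed, mine), evidence

# Constructed sample: placeholder ids, URLs and addresses, not any real protocol's data.
REPO_IDS = ("https://github.com/example-org/example-protocol/",)
CONTRACTS = ("0x" + "ab" * 20,)
FEED = (
    Advisory("GHSA-xxxx-xxxx-0001", "https://example.invalid/GHSA-xxxx-xxxx-0001", "high",
             patched=True, fix_verified_onchain=True, references=REPO_IDS),
    Advisory("CVE-YYYY-00002", "https://example.invalid/CVE-YYYY-00002", "critical", patched=True,
             fix_verified_onchain=False, summary="Precision bug in pool contract 0x" + "AB" * 20),
    Advisory("GHSA-xxxx-xxxx-0003", "https://example.invalid/GHSA-xxxx-xxxx-0003", "low", patched=False,
             fix_verified_onchain=False, references=("https://github.com/other-org/unrelated",)),  # feed noise
)
```

Scoring the unfiltered feed returns red because of the unrelated open advisory; after the cross-reference step only the two matching records remain and the factor lands on yellow, since one fix is not verified on-chain.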

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-178 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks (no historical incidents linked)

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-178 | category: 13 | carried: 80 | critical: no