defirisk.co
rubric v1.7.0

Permissionless-pool lending oracle

An oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures**

This factor assesses whether a lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side. The failure mode is at the *oracle-acceptance layer* — the lending protocol may use a respected oracle source (Chainlink-tier or Uniswap v3 TWAP) for blue-chip assets, but if its acceptance logic also consumes spot prices from a permissionless venue without filters, attacker-created fake pools can be borrowed against as collateral.

**Why it matters**

This is structurally distinct from the better-known oracle-manipulation pattern (RD-F-053) where an attacker manipulates an existing pool via flash-loan to corrupt a spot price. With permissionless-pool acceptance, the attacker does not need to manipulate any real pool — they create their own pools, seed them with worthless tokens, and the lending protocol accepts those spot prices because its acceptance logic has no liquidity floor or venue allowlist. The exploit is *outside* the borrowing protocol's blast radius: nothing fails on-chain at the source, the lending protocol simply trusts a venue it should not trust.

**Green / Yellow / Red**

Green: oracle acceptance logic requires liquidity floor ≥$1M AND token age ≥7 days AND a TWAP window (not raw spot).
Yellow: partial filters — one or two of the three controls present, but not all.
Red: protocol accepts spot prices from any permissionlessly-created pool with no liquidity, age, or TWAP filter.
Gray: source contract unverified on the chain explorer.
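The three venue-side controls behind the Green definition, modelled in Python as an added example (this is not code from defirisk.co or from any scored protocol). It applies a liquidity floor, a token-age minimum and a TWAP window to two constructed pools, one long-lived and deep, one attacker-style (hours-old token, thin liquidity, a single recent price sample), and includes a `grade()` helper that maps which controls a protocol enforces to Green / Yellow / Red / Gray. The 30-minute TWAP window, the pool figures and every function name are assumptions; the rubric itself only says "not raw spot".

```python
"""Constructed model of a lending protocol's oracle-acceptance layer.

Added example, not code from defirisk.co or from any scored protocol.
The TWAP window length and all pool figures are assumptions.
"""
from dataclasses import dataclass, field

LIQUIDITY_FLOOR_USD = 1_000_000   # rubric Green threshold (>= $1M)
MIN_TOKEN_AGE_S = 7 * 24 * 3600   # rubric Green threshold (>= 7 days)
TWAP_WINDOW_S = 30 * 60           # assumed 30-minute window


@dataclass
class Pool:
    token: str
    token_created_at: int          # unix time the collateral token was deployed
    liquidity_usd: float           # value of the quote asset locked in the pool
    spot_price: float              # instantaneous price the pool reports now
    observations: list = field(default_factory=list)  # (timestamp, price) samples


def twap(pool: Pool, now: int, window: int = TWAP_WINDOW_S):
    """Time-weighted average price over [now - window, now].

    Returns None when the pool's history does not reach back to the start of
    the window, which is exactly the situation for a freshly created pool.
    """
    start = now - window
    pts = sorted(pool.observations)
    if not pts or pts[0][0] > start:
        return None
    # Price in force at `start` is the latest sample at or before it.
    prev_t = start
    prev_p = max((o for o in pts if o[0] <= start), key=lambda o: o[0])[1]
    total = 0.0
    for t, p in pts:
        if t <= start:
            continue
        if t > now:
            break
        total += prev_p * (t - prev_t)
        prev_t, prev_p = t, p
    total += prev_p * (now - prev_t)
    return total / window


def evaluate_collateral_price(pool: Pool, now: int):
    """Apply all three controls. Returns (accepted_price_or_None, reasons)."""
    reasons = []
    if pool.liquidity_usd < LIQUIDITY_FLOOR_USD:
        reasons.append("liquidity below floor")
    if now - pool.token_created_at < MIN_TOKEN_AGE_S:
        reasons.append("token younger than minimum age")
    price = twap(pool, now)
    if price is None:
        reasons.append("insufficient history for TWAP window")
    return (price if not reasons else None), reasons


def grade(liquidity_floor: bool, token_age: bool, twap_window: bool,
          source_verified: bool = True) -> str:
    """Map which controls the acceptance logic enforces to the rubric colour."""
    if not source_verified:
        return "gray"
    present = sum([liquidity_floor, token_age, twap_window])
    return {3: "green", 0: "red"}.get(present, "yellow")


# --- constructed sample data (not real on-chain figures) ---------------------
NOW = 1_800_000_000
DAY = 24 * 3600

# Long-lived, deep pool with price samples spanning more than the window.
BLUE_CHIP = Pool("WETH", NOW - 365 * DAY, 50_000_000, 1_990.0,
                 [(NOW - 3600, 2_000.0), (NOW - 1800, 2_010.0), (NOW - 600, 1_990.0)])

# Attacker-created pool: hours-old token, thin liquidity, one recent sample.
FAKE_POOL = Pool("XYZ", NOW - 2 * 3600, 40_000, 5.0, [(NOW - 300, 5.0)])


if __name__ == "__main__":
    for pool in (BLUE_CHIP, FAKE_POOL):
        price, why = evaluate_collateral_price(pool, NOW)
        print(pool.token, "accepted" if price else "rejected", price, why)
    print("all three controls:", grade(True, True, True))
    print("filters but raw spot:", grade(True, True, False))
    print("no filters:", grade(False, False, False))
```

The point of returning the full reason list rather than failing on the first check is that each missing control maps to a separate rubric finding: a protocol that enforces the liquidity floor and token age but still reads raw spot lands in Yellow, not Green, and the TWAP check alone already rejects the fake pool because its history cannot cover the window.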

**Common gray cases**

Acceptance filters live in off-chain configuration that the contract reads at oracle-set time, requiring multi-step verification beyond static source inspection.

**Notable historical examples**

No hack-database incidents are currently linked to this factor. The reference incident is **Rhea Finance** on NEAR (Apr 2026, $18.4M loss): 8 fake pools were seeded via a 423-wallet fan-out, the lending protocol's oracle accepted the spot prices from those pools without venue filters, and the attacker borrowed against the synthetic collateral until liquidity drained.

Measurement: what to look for

Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.

Data & output

Data source: source inspection of oracle acceptance logic + venue-listing configuration on Etherscan-verified source; check whether the protocol uses a Uniswap v2/v3 factory without pool filters.
Output format: Green / Yellow / Red
Evidence artifact: oracle acceptance logic source excerpt + venue factory address + liquidity/age filter presence
Confidence signal: green = oracle acceptance requires liquidity floor ≥$1M AND token age ≥7 days AND TWAP; yellow = partial filters (one or two of the three); red = accepts any permissionlessly-created pool spot price with no filters; gray = source unverified

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-181 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_assessed |
| Ethena | ethereum | green |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | gray |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_applicable |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | green |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | not_applicable |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_applicable |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
Rubric version: v1.7.0 · Factor: RD-F-181 · Category: 3 · Carried by: 80 protocols · Critical: no