Upstream patch not merged
BENQI's assessment for RD-F-127 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Compound V2 upstream (compound-finance/compound-protocol) has no formal published GitHub security advisories as of 2026-05-16. However, the donation/empty-market vulnerability class is a well-documented attack affecting Compound V2 forks: Hundred Finance (April 2023), Sonne Finance (May 2024) and Onyx Protocol were all exploited via a direct token transfer to a cToken, inflating the exchange rate with zero totalSupply. The community-recommended mitigation is to seed markets (mint-and-burn initial cTokens) before enabling borrows. BENQI has operated 57 months without being exploited via this vector, suggesting either (a) markets were adequately seeded, or (b) attack surface economics were unfavorable on Avalanche. No explicit documentation of BENQI's seeding practice or of a virtual accounting fix was found in public sources. Yellow: the upstream vulnerability class exists and is unmitigated by a formal upstream patch; BENQI's mitigation status is unconfirmed from public sources.
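The seeding question left open above can be checked from market state. The following is an added example, not BENQI's or Compound's code: it recomputes the Compound V2 stored exchange rate from a snapshot and flags markets whose cToken supply is empty or thin. The snapshot values, `INITIAL_RATE` and the `MIN_SEED_CTOKENS` threshold are constructed assumptions.

```python
from dataclasses import dataclass, replace

MANTISSA = 10**18
INITIAL_RATE = 2 * 10**26      # assumed initialExchangeRateMantissa (constructed)
MIN_SEED_CTOKENS = 10**8       # assumed policy: at least 1 whole cToken (8 decimals)

@dataclass(frozen=True)
class Market:
    name: str
    total_supply: int   # cToken base units
    cash: int           # underlying balance held by the cToken contract
    borrows: int
    reserves: int

def exchange_rate(m: Market) -> int:
    """Compound V2 stored rate: (cash + borrows - reserves) * 1e18 / totalSupply."""
    if m.total_supply == 0:
        return INITIAL_RATE
    return (m.cash + m.borrows - m.reserves) * MANTISSA // m.total_supply

def seeding_status(m: Market) -> str:
    if m.total_supply == 0:
        return "empty"
    return "thin" if m.total_supply < MIN_SEED_CTOKENS else "seeded"

def rate_shift_bps(m: Market, unsolicited: int) -> int:
    """Rate after `unsolicited` underlying arrives outside mint(), in bps of the
    current rate (10000 = unchanged). Shows why a seeded supply damps the effect."""
    after = replace(m, cash=m.cash + unsolicited)
    return exchange_rate(after) * 10_000 // exchange_rate(m)

# Constructed snapshots with hypothetical market names, not on-chain BENQI data.
SNAPSHOTS = [
    Market("EMPTY", 0, 0, 0, 0),
    Market("THIN", 2, 1, 0, 0),
    Market("SEEDED", 5 * 10**13, 10**22, 0, 0),
]

def review(markets, unsolicited=10**18):
    """Return (name, seeding status, rate shift in bps) for each market."""
    return [(m.name, seeding_status(m), rate_shift_bps(m, unsolicited)) for m in markets]

if __name__ == "__main__":
    for name, status, bps in review(SNAPSHOTS):
        print(f"{name:8} {status:7} rate after 1e18 unsolicited underlying: {bps} bps")
```

Markets reported as `empty` or `thin` are the ones whose seeding practice would need to be confirmed before this factor could move off yellow.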
Sources
- URL: Rekt.news — no BENQI entry. BENQI 57-month clean incident record (no donation attack observed). Retrieved 2026-05-16.
- VeriChains — Compound V2 Fork Vulnerability. Compound V2 fork donation attack writeup — Hundred Finance / Sonne Finance / Onyx exploit class. Retrieved 2026-05-16.
- Compound Protocol GitHub Security Advisories. Compound V2 GitHub security advisories — none published as of 2026-05-16. Retrieved 2026-05-16.
Methodology
Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.