Centrifuge · DeFi Risk

DeploymentsEthereum · $1.6B

Risk profile at a glance

1 red · 2 yellow · 10 green

Categories & evidence

184 factors · 13 categories

Code & audits Green 12 25 of 25

RD-F-003 yellow Resolved-without-proof findings Cantina July 2024 audit: 1 critical + 1 high + 2 medium findings, all marked fixed. Code4rena Sept 2023: 8 medium findings, all resolved. January 2026 yAudit fix review conducted specifically to verify remediations. No documented case of a finding marked resolved that was not patched. Individual fix commits not verified against on-chain bytecode in this assessment. RD-F-007 yellow Bug bounty presence & max payout Active Cantina bug bounty program as of July 17 2025. Maximum payout: $250,000 for critical severity. Tiers: Critical $250K, High $50K, Medium $5K. HackenProof also lists Centrifuge. $250K max is below the ≥$500K green threshold. Payout cap for multi-pool issues is $125K. RD-F-009 yellow Formal verification coverage Recon Pro conducted invariant testing of ERC-7540 implementation (Foundry-based fuzz + Medusa). foundry.toml includes SMT model checker profile with CHC engine. No Certora/Kani/Halmos formal verification specification files found. Invariant testing present but no full formal verification proof coverage. RD-F-010 yellow Static-analyzer high-severity count Static analysis tools not run locally. Protocol uses Slither in CI. foundry.toml includes Echidna/Medusa profiles for active fuzzing. Multiple professional audits performed deep static analysis; Spearbit/Cantina July 2024 found 1 critical + 1 high — all resolved. No unfixed high/critical static findings post-V3.1. Marked yellow because local tool run not performed. RD-F-014 yellow Reentrancy guard on external-calling functions Centrifuge V3.1 implements custom reentrancy protection via ReentrancyProtection.sol using transient storage. The protected() modifier tracks caller; nested calls from same sender permitted, reentrant calls from different senders rejected. Gateway.sol prevents reentrant batch creation. V3.1 changelog notes reentrancy fixes. Deployed V3.1 uses 0.8.26 (unaffected by 0.8.28 transient-storage bug). RD-F-016 yellow Divide-before-multiply pattern Slither not run locally. Centrifuge uses proprietary MathLib for decimal arithmetic. Multiple audits reviewed arithmetic paths. Tinlake v0.3.0 Least Authority audit noted rounding concerns in epoch calculations (deprecated). No public report of divide-before-multiply finding in V3/V3.1 across 22+ audits. Marked yellow for absence of local Slither run. RD-F-017 yellow Mixed-decimals math without explicit scaling V3/V3.1 ERC-7540 vaults handle tokenized RWA assets in stable currencies (USDC 6 decimals, DAI 18 decimals). Multiple audit engagements reviewed multi-token arithmetic. Code4rena 2023 noted rounding issues in maxDeposit/maxMint (medium severity, resolved). Centrifuge's hub-and-spoke design propagates pricing from hub with explicit decimal normalization expected in NAVManager. Static analysis not run locally. RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Cantina bug bounty ($250K max critical) active since July 17 2025 for Centrifuge V3.1. The Cantina scope page does not identify specific highest-TVL contracts as explicitly out of scope beyond 'spamming through vaults' exclusion. V3.1 protocol broadly in scope. Full contract-level in/out-of-scope details not enumerable from available page content. RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned N/A — Centrifuge V3/V3.1 does not use UUPS or any proxy upgrade pattern. All contracts use constructor-based initialization. The protocol's immutable core design explicitly avoids proxy upgrades. No _authorizeUpgrade function needed or present. Contract changes are deployed as new instances. RD-F-023 n/a Constructor calls _disableInitializers() N/A — _disableInitializers() is an OpenZeppelin pattern for upgradeable proxy implementations. Centrifuge does not use proxy contracts or OZ Initializable. All contracts use standard constructors. The _disableInitializers() pattern is not applicable to this immutable-core architecture.

RD-F-001 green Audit scope mismatch All five primary Ethereum mainnet contracts verified on Etherscan with Exact Match status. Sherlock February 2026 deployment-verification audit (2026-02-Sherlock-deployment.pdf) explicitly covers V3.1 mainnet bytecode. No material scope mismatch found between audit scope and deployed bytecode.

RD-F-002 green Audit recency Most recent audit over deployed V3.1 bytecode: Sherlock deployment verification February 2026 (≤3 months ago). yAudit V3.1 fix review January 2026. Sherlock+Blackthorn competition concluded November-December 2025. Last audit over currently-live bytecode is ≤3 months old.

RD-F-004 green Audit count Distinct audit firms covering V3/V3.1: Spearbit/Cantina, Code4rena, SRLabs, yAudit (multiple), Sherlock+Blackthorn, burraSec (5 engagements), xmxanuel, Recon/Recon Pro. Total distinct firms ≥8. Centrifuge docs state 24 audit engagements; protocol repo README states 19 completed security reviews. Well above ≥2-firm threshold.

RD-F-005 green Audit firm tier Tier-1 firms covering deployed code: Spearbit/Cantina (July 2024, 1 critical + 1 high); Sherlock ($320K USDC V3.1 contest Oct-Dec 2025); Code4rena (85 wardens); yAudit (multiple V3/V3.1 engagements); SRLabs. At least Spearbit and Code4rena qualify as Tier-1/established for EVM code.

RD-F-006 green Audit-to-deploy gap V3.1 (January 2026): multiple audits concluded Nov-Dec 2025 before Jan 20 2026 deploy. Gap between last pre-deploy audit (Dec 2025) and deploy (Jan 20 2026) is approximately 20-50 days — within the ≤60-day green threshold. Sherlock deployment verification conducted Feb 2026 post-deploy.

RD-F-008 green Ignored bounty disclosure No prior incidents found in Rekt database, DeFiLlama hacks list, or public post-mortems. Zero exploits reported. No evidence of a disclosed vulnerability being ignored before an exploit.

RD-F-011 green SELFDESTRUCT reachable from non-admin path Centrifuge V3/V3.1 uses immutable core pattern — no proxy upgrades, no selfdestruct. Source inspection of Root.sol confirms no selfdestruct operations. Multiple audits with no reported SELFDESTRUCT vulnerability. EVM Cancun (EIP-6780) further restricts selfdestruct semantics.

RD-F-012 green delegatecall with user-controlled target No delegatecall with user-controlled target found across any inspected Centrifuge V3/V3.1 contract. Gateway.sol uses typed external interface calls. WormholeAdapter.sol calls immutable relayer address. Auth.sol and Root.sol use only standard external calls. No delegatecall pattern identified in any of 22+ audit engagements.

RD-F-013 green Arbitrary call with user-controlled target No arbitrary call with user-controlled target and data found in Centrifuge V3/V3.1. Gateway.sol withBatch() calls msg.sender.call{value}(data) but target is always msg.sender (self-callback, not arbitrary), protected by lockCallback() verification. VaultRouter.sol calls typed vault interfaces. No unfiltered arbitrary-call external target found.

RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Centrifuge V3/V3.1 uses ERC-20 tokens (USDC, stablecoins) and SafeTransferLib for all token interactions. No ERC-777 tokensReceived, ERC-1155 onReceived, or ERC-721 onReceived hooks integrated. RestrictionManager implements ERC-1404 (transfer restrictions without external callbacks). AsyncVault.sol uses SafeTransferLib.

RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.26 (deployed) and 0.8.28 (repo) both provide built-in overflow/underflow revert protection eliminating classic signed/unsigned arithmetic confusion. Auth.sol contains no arithmetic. Gateway.sol uses uint128 for gas limits with bounded addition guarded by maxBatchGasLimit() check. No signed/unsigned confusion finding raised in any of 22+ audit engagements.

RD-F-019 green ecrecover zero-address return unchecked SignatureLib.isValidSignature() guards against address(0) via require(signer != address(0), InvalidSigner()) before ecrecover is called. ERC20.sol permit function delegates to SignatureLib. No other ecrecover usage found. Code4rena 2023 flagged domain-separator caching (separate issue, resolved); no ecrecover zero-return finding in any audit.

RD-F-020 green EIP-712 domain separator missing chainId EIP712Lib.sol confirmed to include block.chainid in domain separator calculation. ERC20.sol DOMAIN_SEPARATOR() recalculates if block.chainid changes post-deploy (fork protection). Code4rena Sept 2023 identified DOMAIN_SEPARATOR caching issue as medium finding — subsequently fixed and verified in Oct 2023 Spearbit/Cantina post-fix audit.

RD-F-022 green Public initialize() without initializer modifier Centrifuge V3/V3.1 uses no upgradeable proxy pattern. All contracts use standard constructors (e.g., constructor(uint256 _delay, address deployer) Auth(deployer)). No initialize() function found in Root.sol, Gateway.sol, InvestmentManager, PoolManager, or WormholeAdapter. The MakerDAO-inspired ward pattern is constructor-initialized.

RD-F-024 green Code complexity vs audit coverage V3.1 codebase spans approximately 22 Solidity source directories. 22+ distinct audit engagements 2023-2026. Sherlock+Blackthorn $320K USDC contest (Oct-Dec 2025) with 85+ wardens provides high-breadth coverage. yAudit conducted a dedicated fix review in January 2026. Audit breadth and firm diversity appear well-matched to code complexity.

Governance & admin Green 13 24 of 24

RD-F-028 yellow Low-threshold multisig vs TVL Guardian Safe is 4-of-8. At ~$1.89B TVL, peer norm for top-tier RWA/lending protocols is 5-of-8 or higher. 4-of-8 is defensible but not at the top of the peer cohort. Signer identities: 8 owner addresses fetched from Safe API; none publicly attested. Docs state third-party signers from Cantina but specific signers unknown publicly. RD-F-030 yellow Hot-wallet signer flag Of 8 Guardian Safe signers, on-chain behavioral inspection of 4 sampled addresses shows mixed patterns. 0x4d47a7a8 (301 txs, 277 days, moderate velocity) and 0xc4576CE4 (352 txs, cluster of activity in Jan 2026, multi-exec pattern) show higher frequency consistent with managed wallets. 0x790c2c86 and 0x080001dB show low-frequency patterns. No confirmed hot wallet but 0xc4576CE4 shows concentrated January 2026 bursts suggesting potential software signing. RD-F-031 yellow Signer rotation recency One signer-set change confirmed: nonce-38 executed a swapOwner call, replacing 0xc599bb54E3BFb6393c7feAf0EC97a947753aC0c8 with 0x080001dBE12fA46A1d7C03fa0Cbf1839E367F155. Threshold (4-of-8) was NOT changed. Routine signer rotation (swap, not add/remove + threshold reduction) = yellow. RD-F-033 yellow Timelock on sensitive actions scheduleRely/executeScheduledRely covers all ward/role grants. Pause is callable by Guardian (no additional timelock on pause — appropriate for emergency use). recoverTokens() is in Root; existing wards can call it. No evidence of a separate untimelocked rescue path outside Root's ward-system flow. Cannot fully confirm recoverTokens call path without BSL-licensed source static analysis. RD-F-036 yellow Flash-loanable voting weight No on-chain EVM governor has been deployed. Governance is via OpenSquare (off-chain). CFG token has delegation support (ERC20Votes-style). Because governance is entirely off-chain, there is no flash-loan attack vector against an on-chain governance contract. Risk is centralization in the multisig. RD-F-041 yellow Rescue/emergencyWithdraw without timelock Root contract has recoverTokens() function. Root's 48h timelock covers scheduleRely (granting new permissions). However, existing wards can call recoverTokens() directly without a separate timelock pass. UserEscrow contract constrains token recovery (tokens can only be transferred to the declared destination, not arbitrary addresses). Partial evidence — BSL-licensed source limits static analysis. RD-F-042 yellow Admin has mint() with unlimited max CFG ERC-20 (0xcccCCCcCCC33D538DBC2EE4fEab0a7A1FF4e8A94) has mint(address to, uint256 value) callable by ward-authorized addresses. No hard supply cap in the contract; mint is bounded only by the ward access control system. Annual inflation is governed off-chain (3% protocol parameter, not a contract-enforced cap). RD-F-045 yellow Constructor args match governance proposal Root contract constructor args (escrow=0x0000000005F458Fd6ba9EEb5f365D83b7dA913dD, delay=172800) confirmed on-chain. CP141 governance proposal approved V3 development but does not specify constructor-level deployment parameters. Sherlock Feb 2026 deployment verification audit covers bytecode reproducibility but specific constructor arg verification not publicly extractable. Yellow: parameters consistent but no canonical governance-proposal-to-constructor-arg match document found. RD-F-029 gray Multisig signers co-hosted 8 Guardian Safe signer addresses confirmed via Safe API (nonce=44, threshold=4/8). Signer identities are NOT publicly attested — docs state third-party signers from Cantina but no individual names or on-chain attestations exist. Co-hosting/ASN analysis is impossible without public identity. Cannot infer from available public OSINT. RD-F-047 gray Governance token concentration (Gini) CFG total supply ~691M. No Gini calculation found in public sources. Top holder concentration data not available from available tooling. Protocol has noted whale influence risk in community documentation. Governance forum discussions mention whale influence; no Gini data. RD-F-167 gray Deprecated contract paused but pause reversible by live admin Tinlake is deprecated (pools frozen, no new originations). Tinlake pool contracts remain deployed on Ethereum. Current admin structure (Guardian Safe / Root) likely retains some administrative capability over Tinlake contracts through original deployment ward structure but the specific state of Tinlake admin pause is not confirmed.

RD-F-025 green Admin key custody type Root contract (48h timelock) controls all privileged operations. Guardian role is held by Gnosis Safe (4-of-8). Governance is off-chain (OpenSquare); no EVM governor deployed. Classification: multisig + timelock.

RD-F-026 green Upgrade multisig signer configuration (M/N) Distinct admin roles: ProtocolGuardian 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6, OpsGuardian 0x055589229506Ee89645EF08ebE9B9a863486d0dE, Guardian Safe 0xD9D30ab47c0f096b0AA67e9B8B1624504a63e7FD (Eth), separate Guardian contracts per chain, Root contract itself. Roles distributed across multiple contracts with separation of emergency vs ops.

RD-F-027 green Single admin EOA Root contract enforces 48h timelock for all privileged escalation. The Guardian is a Gnosis Safe (4-of-8). No EOA holds admin unilaterally. Deployer EOA last active July 2025 but is not the admin role-holder post-deployment.

RD-F-032 green Timelock duration on upgrades Root contract delay: 172,800 seconds = 48 hours (confirmed from contract constructor args). Guardian Zodiac Delay module adds a further 24 hours on emergency actions, giving a combined 72-hour aggregate delay for most changes.

RD-F-034 green Guardian/pause-keeper distinct from upgrader Separation exists: OpsGuardian has NO pause authority; ProtocolGuardian handles pause + upgrades. Both are distinct from each other and from the CFG governance token holder community. Role separation is explicitly designed and documented.

RD-F-035 green Role separation: upgrade ≠ fee ≠ oracle Upgrade path: Root → ProtocolGuardian. Fee/oracle configuration: OpsGuardian or pool-level wards. Ward-based access control allows distinct role assignment per contract. Pool-level oracles (NAV managers) are separate permissioned roles. Explicit separation documented for ProtocolGuardian vs OpsGuardian.

RD-F-037 green Quorum achievable via single-entity flash loan N/A: no on-chain governor; quorum is 4M CFG on OpenSquare off-chain. Flash-loan attack is structurally impossible against the current governance setup.

RD-F-038 green Proposal execution delay < 24h OpenSquare votes have a minimum 7-day discussion period plus snapshot vote period. On-chain execution of any resulting Root change requires 48h timelock (72h aggregate). No sub-24h execution path exists.

RD-F-039 green delegatecall/call in proposal execution without allowlist No on-chain governor; no governance proposal execution contract. All protocol changes are executed via Root's scheduleRely/executeScheduledRely — a specific structured call, not an arbitrary delegatecall with proposal-supplied target. This pattern eliminates the classic governance-executor attack vector.

RD-F-040 green Emergency-veto multisig present ProtocolGuardian (4-of-8) can pause the protocol instantly without timelock in emergency. This IS the emergency-response multisig. Zodiac Delay 24h applies to non-emergency actions through Guardian, but pause itself is immediate.

RD-F-043 green Admin = deployer EOA after 7 days Deployer 0x7270b20603fbb3df0921381670fbd62b9991ada4 last active July 25, 2025 for a minor deployment. Root admin is held by ProtocolGuardian multisig contract, not the deployer EOA. Ownership was transferred to the multisig+timelock structure at protocol launch (August 2024).

RD-F-044 green Admin wallet interacts with flagged addresses Deployer 0x7270b20603fbb3df0921381670fbd62b9991ada4 Etherscan tx history shows exclusively legitimate Centrifuge protocol deployments (Root, CentrifugeRouter, Spell, RelinkV2Eth, etc.) and admin operations (Rely/Deny). No Tornado Cash interactions, no mixer deposits, no OFAC-listed counterparties identified in public search.

RD-F-046 green Contract unverified on Etherscan/Sourcify All core V3 contracts verified on Etherscan with full Solidity source. Root, Guardian, InvestmentManager, PoolManager, Gateway, Escrow, CentrifugeRouter all verified. CFG ERC-20 token verified. BSL-1.1 applies to GitHub source, but deployed bytecode ABI is public.

Oracle & external dependencies Red 51 17 of 17

RD-F-053 green Oracle source = spot DEX pool (no TWAP) GREEN — not applicable. Centrifuge does not use spot DEX pool prices as an oracle source. The NAV oracle is permissioned/admin-fed (pool managers submit valuations). No AMM price reading occurs in the V3 investment pricing path. RD-F-053 critical risk pattern is absent.

RD-F-061 green LP token balanceOf used for pricing Not applicable. Centrifuge does not use LP token balanceOf for pricing. The permissioned NAV oracle model is not susceptible to donation-manipulation via direct transfer to an LP pool.

RD-F-181 green Permissionless-pool lending oracle N/A — not applicable. Centrifuge is not a lending protocol with permissionless pool listing. Pools are permissioned and created by authorized pool managers. Asset classes are not added permissionlessly. No Uniswap-style permissionless pool oracle acceptance exists.

Economic risk Green 13 13 of 13

RD-F-064 yellow TVL concentration (top-10 wallet share) JTRSY + JAAA combined represent an estimated 60-70% of total TVL, both managed under Janus Henderson / Anemoy umbrella. Grove (single institutional allocator) provided $1B commitment to JAAA and $250M to Avalanche deployment — one counterparty may hold 20-35% of total protocol TVL. Exact top-10 wallet share not enumerable from public sources (permissioned whitelisted investor lists). RD-F-065 yellow Liquidity depth per major asset Protocol holds tokenized RWAs, not spot DeFi assets. No DEX liquidity depth metric is applicable. Redemption is epoch-based; for liquid pools (JTRSY T-bills) daily redemption is feasible; for illiquid pools (JAAA CLOs, private credit) redemption may take days-to-weeks. JTRSY/JAAA beginning to appear as DeFi collateral but secondary market on-chain depth is minimal. CFG token itself has ~$1.53M on-chain DEX liquidity vs $169M market cap — extremely thin. RD-F-067 yellow Historical bad-debt events Tinlake legacy: Harbor Trade Credit Series 2 pool — all 3 remaining assets in default since April 2023; investors who redeemed in August 2023 could not receive DAI and stopped earning interest. Recovery ongoing via legal proceedings. No evidence of senior (DROP) tranche losses — junior (TIN) tranche absorbed defaults. No bad debt events on V3/V2 LP pools. No protocol-wide socialized loss event. RD-F-068 gray Collateralization under stress Not applicable in traditional collateralization sense. Centrifuge pools hold tokenized claims on off-chain assets. No liquidation cascade risk from price drops. Stress scenario: underlying borrowers default, NAV falls, tranche token price declines. For JTRSY (T-bills): effectively backed by U.S. government (zero credit risk). For JAAA (AAA CLO): protected by CLO waterfall. No stress test simulatable from on-chain data. RD-F-070 gray Empty cToken-style market (zero supply/borrow) NOT a Compound V2 fork. Centrifuge does not use cToken-style markets. ERC-7540 async vaults use epoch-based price oracle (not balanceOf-derived share price), so the classic cToken donation exploit path is structurally different. Share-inflation via donation is attenuated by permissioned pool creation, permissioned depositor lists (KYC-gated), and price set by hub oracle not by share/totalSupply ratio. Gray — not a Compound fork; share-inflation path attenuated by permissioned architecture. RD-F-073 gray Oracle-manipulation-proof borrow cap Not directly applicable. Centrifuge does not have per-asset on-chain borrow caps with DEX TWAP oracle-manipulation resistance. The NAV oracle is a permissioned hub-push, not a DEX TWAP. Oracle manipulation risk is a Cat 3 concern, not an on-chain borrow-cap oracle-manipulation attack. No DEX TWAP borrow caps exist. RD-F-074 gray ERC-4626 virtual-share offset (OZ ≥4.9) Centrifuge uses ERC-7540 (extension of ERC-4626) for tranche vaults. V2 LiquidityPool.sol (C4 2023 codebase) shows no virtual-share offset pattern. Price is set by hub NAV oracle (not share/totalAssets formula). Classic OZ ≥4.9 virtual-share offset is designed for synchronous vault deposits where share price is balanceOf-derived; Centrifuge's asynchronous epoch model sets price externally, making the OZ offset pattern less relevant. RD-F-075 gray First-depositor / share-inflation guard No explicit first-depositor guard (seed deposit or virtual-share offset) identifiable in V2 codebase. However, the epoch model and permissioned NAV pricing provide architectural mitigation: (1) all investors are KYC-gated/whitelisted, (2) share price is set by permissioned hub oracle not by deposit size, (3) new pools require governance approval with professional issuers seeding pools operationally. Practical share-inflation risk is very low despite absent on-chain guard.

RD-F-063 green TVL (current + 30d trend) TVL ~$1.89B as of 2026-04-27. Grew from $50M (early 2025) to $1.9B (2026) — extraordinary growth. 30d trend: roughly flat-to-growing; JAAA had a 42% monthly drawdown in March 2026 but TVL recovered. Far above $100M threshold.

RD-F-066 green Utilization rate (lending protocols) Centrifuge is not a traditional lending protocol. The $78.5M outstanding borrow against ~$1.89B TVL = 4.15% utilization — extremely low, confirming most TVL is in liquid institutional fund products (JTRSY T-bills), not deployed into illiquid private credit loans. No market exceeds 95% utilization threshold.

RD-F-069 green Algorithmic / under-collateralized stablecoin Centrifuge does not issue stablecoins. It issues tranche tokens (JTRSY, JAAA, ACRDX) that are claims on real-world assets. These are not algorithmic or under-collateralized by design. CFG is the governance/utility token, not a stablecoin.

RD-F-071 green Seed-deposit requirement for new market listing Not applicable. Pool creation is permissioned — only authorized issuers can create pools. There is no permissionless market listing. The concept of a seed deposit before borrow-enable does not map to the RWA vault architecture. New pools require governance approval and off-chain legal structuring.

RD-F-072 green Market-listing governance threshold Pool onboarding requires formal Pool Onboarding Proposals (POPs) on the governance forum with CFG token holder vote. Centrifuge governance uses OpenSquare offchain voting (4M CFG quorum, 7-day discussion minimum). Classification: high-threshold (DAO vote required for new pool onboarding).

Operational history Yellow 27 15 of 15

RD-F-089 red Insurance coverage active No active smart contract insurance coverage confirmed for V3/V3.1 deployed contracts. Centrifuge partnered with Nexus Mutual in October 2021 for Tinlake DAI investors — Tinlake-era only, now deprecated. No evidence of active Nexus Mutual, Unslashed, or Sherlock coverage for V3 contracts found. Sherlock V3.1 audit contest is not the same as insurance coverage. TVL ~$1.89B with no confirmed smart contract insurance. RD-F-166 red Deprecated contracts still holding value True — Tinlake deprecated contracts still holding material value. DeFiLlama Tinlake tracking shows ~$74M TVL in 2024 (declining from peak). Harbor Trade Credit Series 2 pool has defaulted assets since April 2023 with capital locked due to off-chain recovery processes. Investor redemption blocked (zero pool reserve). DROP/TIN ERC-20 tokens representing claims are still on-chain with capital locked in deprecated pool contracts. RD-F-084 yellow TVL stability (CoV over 90d) CoV estimated high based on rapid TVL growth trajectory. TVL grew from ~$50M in early 2025 to ~$1.89B by April 2026. The trailing 90-day window likely captures moderate growth from ~$1.5B to ~$1.89B. Institutional concentration (Janus Henderson JTRSY/JAAA, Sky/Spark) means large single-entity movements could spike CoV. Quantitative confirmation requires DeFiLlama API pull. RD-F-086 yellow Pause activations (trailing 12 months) 0 confirmed pause activations in trailing 12 months found via public search, but cannot be confirmed with certainty without on-chain Paused event log enumeration. Protocol deployed Guardian contract with Zodiac Delay module and Root contract with 48h timelock, both implying an emergency pathway exists. V3 launch July 2025 was a planned migration, not an emergency pause. No governance forum posts referencing an emergency pause activation were found. RD-F-088 yellow Re-deployed to new addresses in last year True — Centrifuge V3 launched July 24 2025 representing a full redeployment to new EVM contract addresses (Root 0x0C1fDfd6a1331a875EA013F3897fc8a76ada5DfC created Aug 1 2024). V2 Liquidity Pools contracts retired/superseded. CFG token migration from WCFG to new EVM CFG completed Nov 30 2025. Falls within 12-month lookback from profile date. Yellow (not red) because migration had comprehensive documentation, long migration window, full user communication. RD-F-081 gray Post-exploit response score Gray (N/A — no prior exploits). Cannot assess post-exploit response quality. No incidents to review. This is a favorable gray (absence of incidents), not a penalizing gray. RD-F-082 gray Post-mortem published within 30 days Gray (N/A — no prior exploits). No post-mortem to assess. Favorable absence. RD-F-083 gray Auditor re-engaged after last exploit Gray (N/A — no prior exploits). Note: Centrifuge has an extensive ongoing audit program (24 engagements per docs) but this factor measures post-incident re-engagement specifically. Favorable absence. RD-F-085 gray Incident response time (minutes) Gray (N/A — no prior exploits). Cannot assess incident response time. No incidents to review. Favorable absence.

RD-F-076 green Protocol age (days) Protocol age: ~2,280 days since Tinlake v0.2.x first deployment audited April 2020. Even by narrowest definition (V3 Root deployed Aug 1 2024), age is >365 days at profile date. Well above 365-day threshold on all definitions.

RD-F-077 green Prior exploit count 0 confirmed on-chain exploits. Rekt.news, DeFiLlama hacks database, De.Fi rekt database, and in-house hacksdatabase all searched — zero on-chain security exploits found. Cantina 2024 audit found a critical vulnerability but it was fixed pre-deployment and never exploited. Credit defaults in Tinlake pools are off-chain credit events, not protocol exploits.

RD-F-078 green Chronic-exploit flag (≥3 incidents) Chronic flag: false. 0 exploits, well below threshold of 3. Derived from RD-F-077 count = 0.

RD-F-079 green Same-root-cause repeat exploit No repeat exploits (no exploits at all). False — no same-root-cause repeat exploit. Derived from RD-F-077.

RD-F-080 green Days since last exploit N/A (no prior exploits). Displays as No prior incidents. Derived from RD-F-077.

RD-F-087 green Pause > 7 consecutive days False — no evidence of any pause event, let alone one lasting >7 consecutive days. Derived from RD-F-086 finding. No pause activation events found in public record.

Real-time signals Green 5 22 of 22

RD-F-099 yellow Oracle price deviation >X% from secondary Structurally limited for RWA. Primary oracle is permissioned NAV oracle (pool managers submit periodic NAV updates) — no real-time secondary source exists for private credit NAV comparison. Chainlink feeds present per data-cache but specific consuming contracts unidentified. Signal cannot be fully configured for this architecture. RD-F-182 yellow Security-Council threshold reduction (RT) Directly applicable. Guardian Safe 0xD9D30ab47c0f096b0AA67e9B8B1624504a63e7FD (Ethereum) and 0x427A1ce127b1775e4Cbd4F58ad468B9F832eA7e9 (Base) are the Security Council equivalent. Yellow because baseline signer count/threshold unverified (safe_api_gap) — signal cannot be calibrated without getOwners()/getThreshold(). No threshold reduction event found in 39-transaction history. RD-F-093 gray Abnormal gas-price willingness from attacker wallet Signal requires live mempool monitoring for priority-fee anomalies (≥5× EMA baseline) from wallets interacting with Centrifuge contracts. Centrifuge's ERC-7540 asynchronous vault architecture substantially reduces MEV/frontrun surface — redemptions settle over multi-day epochs, not single-block atomic transactions. No live mempool feed available for static assessment. RD-F-094 gray New contract with similar bytecode to exploit template Signal requires a live on-chain sweep of newly deployed contracts with bytecode similarity scoring against a known exploit template for Centrifuge. No such exploit template exists in public databases (zero prior Centrifuge exploits). Cannot confirm threshold is not crossed without a live sweep; cannot confirm it is crossed because no template exists to match against. RD-F-095 gray Known-exploit function-selector replay Signal requires matching live mempool call-patterns against a known-exploit replay template for Centrifuge. No such template exists because Centrifuge has zero prior exploits. Cannot evaluate threshold without both a live mempool feed and a reference exploit call-pattern. RD-F-096 gray New ERC-20 approval to unverified contract from whale Signal requires live mempool and on-chain monitoring for new ERC-20 approvals granted by high-TVL Centrifuge users to unverified contracts. Centrifuge pools are KYC-gated (permissioned access). No public data source surfaces user-level approval events in real time for static assessment. T-09 classification: v2 deferred. RD-F-101 gray Large governance proposal queued Signal requires on-chain ProposalCreated/ProposalQueued events on a tracked governor contract. Centrifuge has no deployed on-chain EVM Governor as of assessment date — governance is via OpenSquare (off-chain). Signal cannot be configured. Off-chain governance forum shows routine monthly activity; no anomalous proposals found. RD-F-106 gray Cross-chain bridge unverified mint pattern Signal requires live cross-chain event monitoring for unverified mints on Centrifuge spoke chains (Arbitrum, Base, Avalanche, Plume, BSC, Optimism, HyperEVM, Monad). T-09 v2-deferred (high-lift engineering). No live cross-chain indexer available for static assessment. No unverified mint events found in public data. RD-F-107 gray Admin EOA signing from new geography/device Signal requires off-chain signing telemetry with team opt-in — geography/device fingerprint of admin EOA signers compared against prior history. No public data source surfaces this. Centrifuge AG (Switzerland) is a doxxed institutional team but per-signer telemetry is not publicly accessible. T-09 v2-deferred. RD-F-109 gray Social-media impersonation scam spike Signal requires a social-media monitoring vendor to detect coordinated impersonation spikes (≥5 coordinated accounts). No automated social monitor available for static assessment. Public search found no active coordinated impersonation campaign against @centrifuge or CFG token as of assessment date. T-09 v2-deferred. RD-F-110 gray Unusual pending/executed proposal ratio Signal requires an on-chain governor contract to track ProposalCreated/ProposalQueued event ratios. Centrifuge has no deployed on-chain EVM Governor — governance is fully off-chain via OpenSquare. Signal structurally inapplicable until on-chain governor is deployed. No anomalous proposal volume on governance forum.

RD-F-090 green Mixer withdrawal → protocol interaction No mixer-funded wallet interactions detected in public data. Centrifuge investment pools require KYC — a mixer-funded EOA cannot directly participate without passing identity verification. No flagged addresses found in public Etherscan transaction history for core contracts.

RD-F-091 green Partial-drain test transactions Signal architecture not applicable to RWA asynchronous vault pattern. Centrifuge has no instant withdrawal mechanism — ERC-7540 asynchronous vaults require requestRedeem → epoch → claimRedeem cycle. No single-transaction drain pattern is possible against this architecture.

RD-F-092 green Unusual mempool pattern from deployer wallet Deployer 0x7270b20603fbb3df0921381670fbd62b9991ada4 last transaction was 275 days ago (~July 2025, consistent with V3 launch). 162 total transactions, primarily contract deployments. No unusual mempool activity pattern in trailing period.

RD-F-097 green Sybil surge of identical-pattern transactions No Sybil surge detected. Centrifuge pools require KYC for participation, structurally preventing traditional Sybil attacks. A Sybil attacker would need distinct verified identities per wallet. RestrictionManager 0x4737C3f62Cc265e786b280153fC666cEA2fBc0c0 enforces KYC allowlist. No reports of coordinated Sybil-pattern transactions.

RD-F-098 green TVL anomaly — % drop in <1h TVL stable/growing at ~$1.89B. April 2026: Centrifuge saw inflows following Kelp DAO $292M hack as institutional capital rotated to RWA vaults. No anomalous drops detected. RWA TVL is fundamentally slow-moving — 30% drop in 1h is near-impossible given multi-day ERC-7540 redemption settlement.

RD-F-100 green Flash loan >$10M targeting protocol tokens No for primary attack vector. Centrifuge governance uses off-chain OpenSquare voting — flash loans cannot achieve voting quorum (token snapshotted off-chain). No on-chain Governor contract susceptible to flash-loan quorum manipulation. ERC-7540 async vault is not flash-loanable by design. No flash-loan interactions detected.

RD-F-102 green Admin/upgrade transaction in mempool No admin/upgrade transactions in mempool detected. Root contract 0x0C1fDfd6a1331a875EA013F3897fc8a76ada5DfC and Guardian contracts are monitorable. 72-hour aggregate timelock (48h Root + 24h Guardian Zodiac Delay) provides substantial detection window. Last deployer activity was 275 days ago.

RD-F-103 green Bridge signer-set change proposed/executed Critical signal for Centrifuge given exclusive Wormhole dependency. Wormhole guardian set: 19 validators, 13-of-19 quorum. No unscheduled guardian-set reduction detected in public sources for 2025-2026. Wormhole ZK-proof integration is planned architecture upgrade, not an unscheduled signer removal.

RD-F-104 green Stablecoin depeg >2% on shared-LP venue No USDC or USDT depeg events active. USDC/USDT are investment entry/exit currencies, not core collateral — underlying RWA pools hold off-chain private credit/CLOs denominated in USD. The 5% protocol TVL exposure threshold for this signal is not met for USDC as a collateral asset.

RD-F-105 green DNS/CDN/frontend hash drift No DNS change, CDN compromise, or frontend hash drift detected. No phishing reports, no typosquat domains found. No social reports of fake frontend or credential harvesting. centrifuge.io SSL maintained. Domain appears stable in search results.

RD-F-108 green GitHub force-push to sensitive branch No force-push or anomalous sensitive-branch push detected on centrifuge/protocol or centrifuge/liquidity-pools. Latest release v3.1.0 tagged January 20, 2026 — consistent with documented V3.1 launch. Multiple audits (Sherlock V3.1 contest, yAudit V3.1 upgrade, yAudit fix review) confirm controlled release process.

Dev identity & insider risk Green 2 16 of 16

RD-F-123 yellow Sudden admin-rescue/ACL change without discussion No evidence of sudden admin-rescue or ACL change without preceding governance discussion. Root contract enforces 48-hour scheduleRely/executeScheduledRely delay. Guardian has 24-hour Zodiac Delay module. Monthly governance updates on forum (Aug 2024–March 2025). YELLOW because Guardian Safe signer set is opaque (safe_api_gap) — cannot fully confirm insider-implant absence. RD-F-117 gray ENS/NameStone identity bound to deployer No ENS name found bound to deployer 0x7270b20603fbb3df0921381670fbd62b9991ada4. Etherscan labels address as 'Centrifuge: Deployer' (internal label, not ENS). No ENS reverse-record confirmed. Minor informational gap — most institutional protocol deployers do not bind ENS names to hot deployment wallets.

RD-F-111 green Team doxx status Real-name, fully doxxed leadership team. 8 named executives with verifiable LinkedIn profiles, conference appearances, and prior employer trails. All co-founders have years-long public digital footprints predating Centrifuge. CEO Bhaji Illuminati has LinkedIn, X, and conference speaker profiles. No anonymous or pseudonymous team members found.

RD-F-112 green Team public accountability surface Extensive multi-channel public presence. Vogelsang: Blockworks speaker, Medium blog, DeinDeal acquisition (2011). Quensel: GOTO Berlin 2018 speaker, AIMA member, SAP background since 1997. Sood: Goldman Sachs/Morgan Stanley/Cantor Fitzgerald pedigree. Blumberg: GS ETF Accelerator COO EMEA, CoinDesk appointment article. Cohen: 25-year legal career.

RD-F-113 green Team other-protocol involvement history Positive track record for all key team members. Taulia (supply chain finance, acquired by SAP 2022) is shared prior employer for Vogelsang, Quensel, Sood. No prior rug or exit-scam affiliations found. Quensel co-founded Anemoy (active onchain asset manager). No team member linked to failed/rugged protocol in public OSINT.

RD-F-114 green Deployer address prior on-chain history Deployer 0x7270b20603fbb3df0921381670fbd62b9991ada4 shows consistent protocol-operations history: RelinkV2Eth (July 2025), Spell contracts (May 2025), SpellEthereum (Feb 2025), CentrifugeRouter (Feb 2025). 162 total token transactions. Legacy deployer 0xbc16b2b144550ecdceb825517846ff3581932b97 active since March 2020. All activities are normal institutional-dev pattern.

RD-F-115 green Prior rug/exit-scam affiliation No team member linked to prior rug or exit-scam protocol. rekt.news, REKT database, and public DeFi hack databases returned zero Centrifuge results. All co-founders' prior companies (DeinDeal, Taulia, ReadSoft, NBRHD Capital) are legitimate acquired/operational fintech businesses. No adverse findings in public OSINT.

RD-F-116 green Contributor tenure at admin-permissioned PR Active committers to centrifuge/protocol (April 2026): gpmayorga, wischli, lemunozm, onnovisser, hieronx (Jeroen Offerijns). hieronx has contributed to Centrifuge repos since 2020+ (Arctic Code Vault contributor). Lucas Vogelsang (lucasvo) has 82 repos with contributions since 2017. No evidence of fresh/new contributors executing admin-permissioned code changes.

RD-F-118 green Handle reuse across failed/rugged projects No evidence of any team member's social handle previously associated with a rugged or failed project under a different alias. All handles trace cleanly to the same Centrifuge identity. @lucasvo, @mr_optimax, @offerijns, @itsbhaji — all consistent with long-standing professional identities. No handle reuse pattern detected.

RD-F-119 green Commit timezone consistent with stated geography Centrifuge offices in San Francisco and Berlin. Recent committers (gpmayorga, wischli, lemunozm, onnovisser, hieronx) include names consistent with European/North American geography. No anomalous timezone pattern detected. Commit timestamps showed no cluster of off-hours commits inconsistent with stated locations.

RD-F-120 green Video-off/voice-consistency flag Multiple public video interviews and conference appearances confirmed. Vogelsang: YouTube interview (ep. 466); Blockworks conferences. Quensel: GOTO Berlin 2018 in-person speaker. Bhaji Illuminati: CFC St. Moritz conference speaker. Blumberg: Global WealthTech Summit 2025 speaker. No video-off-only pattern found.

RD-F-121 green Contributor OSINT depth score OSINT depth 5/5 for core leadership. Vogelsang: LinkedIn, GitHub (82 repos), Medium blog, YouTube, Blockworks. Quensel: LinkedIn, GOTO Berlin in-person, AIMA membership. Sood: LinkedIn, Goldman Sachs confirmation, Anemoy portfolio. Blumberg: CoinDesk Aug 2025, LinkedIn, GS career. Offerijns: LinkedIn, GitHub (hieronx, Pull Shark x4), Bloomberg Markets profile.

RD-F-122 green Contributor paid to DPRK-cluster wallet No payment routing to DPRK cluster found in public data. Deployer wallet cluster shows internal Centrifuge funding only. Team members have institutional employer backgrounds (Goldman Sachs, CME Group, Morgan Stanley). Public Chainalysis/TRM blog posts show no Centrifuge attribution in DPRK-linked activity reports. OFAC SDN search returned no Centrifuge team wallet hits.

RD-F-124 green Deployer wallet mixer-funded within 30 days NOT triggered. Deployer 0x7270b20603fbb3df0921381670fbd62b9991ada4 funded ~November 2023 from internal Centrifuge wallet cluster. No Tornado Cash, Railgun, or other mixer interaction found in 162 token transactions. Intermediate funder 0x790c2c860ddc993f3da92b19cb440cf8338c59a6 traces to legacy 'Centrifuge.io: Deployer' labeled address. Legacy deployer first funded March 14, 2020 with no mixer label at origin.

RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus NOT triggered. Full 3-hop chain (0x7270→0x790c→0xbc16b2b1→0x53123Be7) shows no OFAC SDN wallet, no Chainalysis public Lazarus label, no TRM-flagged address. Centrifuge is VC-backed (Galaxy Digital, ParaFi, IOSG, Coinbase Ventures, Greenfield) and Swiss/US incorporated. Public Chainalysis/TRM blog posts contain no Centrifuge DPRK attribution. Confidence: medium (full 3-hop depth requires Chainalysis/Nansen API).

RD-F-184 green Real-capital social-engineering persona No evidence of any team member or contributor persona deploying ≥$1M of real capital to build credibility ahead of social engineering. Janus Henderson JTRSY (~$761M) and JAAA CLO (~$700M) integrations are legitimate institutional asset-management relationships. No UNC4736-class (Drift Protocol) pattern identified. This is an M-curation factor requiring ongoing monitoring.

Fork / dependency lineage Green 11 10 of 10

RD-F-133 yellow Dependency manifest uses unpinned versions centrifuge/protocol repo uses Foundry with soldeer for dependency management. foundry.toml shows auto_detect_remappings = false and specific lib paths. soldeer.lock file not found at root (404) suggesting it may be elsewhere or dependencies pinned via git submodule SHAs. No npm-style unpinned dependencies found in smart contract repos. Marking yellow for incomplete evidence. RD-F-126 n/a Is-a-fork-of Centrifuge is an original implementation, not a fork of any DeFi protocol. Tinlake (2019) was purpose-built for RWA securitization. V3/V3.1 (2024-2026) is a novel hub-and-spoke multichain architecture. ERC-7540 async vault standard was co-developed by Centrifuge itself. Not a fork of Compound, Aave, Uniswap, or any major DeFi protocol. RD-F-127 n/a Upstream patch not merged N/A — protocol is not a fork; no upstream exists. No DeFi protocol vulnerability patches are applicable as unmerged. The Wormhole bridge dependency had a $326M hack in February 2022 but Wormhole security updates are managed by Wormhole's team; Centrifuge integrates via the Wormhole Relayer API. RD-F-128 n/a Upstream vulnerability disclosure (last 90d) N/A — not a fork; no upstream. Not applicable. Wormhole as a dependency is assessed under Cat 10 (cross-chain). RD-F-129 n/a Code divergence from upstream (%) N/A — not a fork; no upstream to compute divergence against. RD-F-130 n/a Fork depth (generations from original audit) N/A — original implementation; fork depth = 0 in the sense of no fork hops. RD-F-131 n/a Fork retains upstream audit coverage N/A — not a fork; Centrifuge has its own comprehensive audit coverage (22+ engagements). RD-F-132 n/a Fork has different economic parameters than upstream N/A — not a fork. Centrifuge's economic parameters (NAV pricing, epoch-based redemption queues, tranche token issuance) are proprietary and fully audited.

RD-F-134 green Dependency had malicious-release incident (last 90d) No npm/cargo/crates.io dependency incident flagged in the trailing 90 days affecting Centrifuge protocol smart contract dependencies. Protocol uses Foundry-native toolchain (Solidity, forge) with minimal npm surface. No security advisory found targeting any Centrifuge dependency.

RD-F-135 green Shared-library version with known-vuln status centrifuge/protocol uses foundry-based dependency management. Auth pattern is MakerDAO-derived, not OZ-based. V3.1 codebase uses custom ReentrancyProtection.sol, custom Auth.sol, custom MathLib.sol — minimal external library dependency. No OpenZeppelin or Solady version with known CVE identified in accessible dependency files.

Post-deploy hygiene & change mgmt Green 8 13 of 13

RD-F-146 yellow New contract deploys in last 30 days Centrifuge V3 Migration completed 2026-04-15 — 20 days before 2026-05-05 assessment date, falling inside the 30-day fresh-deploy window this factor measures. New V3 contracts (Hub/Spoke/Gateway/WormholeAdapter across 9 chains) constitute a material recent deploy. Last Root interaction August 2025 still indicates legacy core is dormant, but fresh attack surface from V3 contracts is meaningful. Yellow per rubric: recent deploy without 30+ days of mainnet exposure post-launch. RD-F-168 yellow Stale-approval exposure on deprecated router Tinlake is deprecated (pools frozen, no new originations). Tinlake contracts (CentrifugeRouter v2, Tinlake pool contracts) remain deployed on Ethereum mainnet. Users who approved Tinlake contracts still have open ERC-20 approvals to deprecated contracts. No evidence of an off-ramp notice or revoke advisory published by Centrifuge. Legacy WCFG also deprecated. RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant Centrifuge V3 uses Wormhole as exclusive cross-chain messaging. Wormhole Guardian network can pause cross-chain message delivery. ProtocolGuardian can pause the Centrifuge protocol side (investment/redemption flows) instantly. No Centrifuge-specific per-window outflow rate-limiter found in public documentation. Chain-pause capability exists via ProtocolGuardian pause() function. Rate-limiter unconfirmed. RD-F-143 gray Reinitializable implementation (no _disableInitializers) Centrifuge V3 does NOT use the proxy/implementation pattern for core contracts. There are no upgradeable proxies in the core architecture. _disableInitializers() is irrelevant to this architecture. N/A — gray, not a risk. Immutable core architecture makes this factor inapplicable.

RD-F-136 green Deployed bytecode matches signed release tag V3.1.0 is the latest release tag in centrifuge/protocol. Sherlock's Feb 2026 deployment verification review explicitly covers deployed bytecode matching the audited source. This is the strongest available evidence of commit-to-bytecode match.

RD-F-137 green Upgrade frequency (per 90 days) Root contract shows 15 total transactions since August 2024 creation, most recent August 25 2025. Root itself is not upgradeable (immutable core). Protocol upgrades accomplished by deploying new contract versions and re-wiring wards — deliberate architectural choice. Few upgrade events in recent 90d.

RD-F-138 green Hot-patch deploys without timelock (last 30 days) No hot-patch deploys found in the last 30 days. Last Root interaction was August 2025. V3.1.0 deployed January 2026. No untimelocked changes found in recent period.

RD-F-139 green Post-audit code changes without re-audit V3.1 (January 2026) was audited by: yAudit Oct 2025, Sherlock $320K contest Oct 2025, yAudit fix review Jan 2026, Sherlock deployment verification Feb 2026. The audit trail closely tracks each deployment milestone. No evidence of unaudited material changes deployed to production.

RD-F-140 green Fix-merged-but-not-deployed gap Sherlock Feb 2026 deployment verification audit explicitly covers whether fixes from Oct 2025 Sherlock V3.1 contest were included in deployed bytecode. yAudit Jan 2026 fix review covers post-Sherlock remediation. No public evidence of a merged vulnerability fix not included in deployed V3.1.0. Fix-verification chain: contest (Oct 2025) → fix review (Jan 2026) → deployment verification (Feb 2026).

RD-F-141 green Test-mode parameters in deploy Root constructor args show 172800s delay (production value, not 0). Escrow address is the canonical production deployment. No test-mode flags found in public sources. Deployer EOA has not retained admin role post-deployment.

RD-F-142 green Storage-layout collision risk across upgrades Centrifuge V3 uses immutable-core architecture with no proxy for core contracts (Root, Gateway, PoolManager, InvestmentManager are all deployed as non-upgradeable monolith contracts). Storage layout collision risk is definitionally N/A. The ward-based upgrade pattern (deploy new contract, re-wire ward permissions) avoids storage layout collision by design.

RD-F-144 green CREATE2 factory permits same-address redeploy Core contracts deployed at identical deterministic addresses across all chains (CREATE2 for cross-chain address parity). Standard CREATE2 does not permit redeployment to the same address with different bytecode — once deployed, the address is occupied. No factory pattern that permits same-address redeploy with different bytecode identified.

RD-F-145 green Deployed bytecode reproducibility Sherlock's Feb 2026 deployment verification audit specifically tested reproducibility of deployed bytecode from the protocol repo and build toolchain. Foundry is used (foundry.toml in repo). Reproducible builds via Foundry are standard.

Cross-chain & bridge Yellow 30 12 of 12

RD-F-153 red Bridge tracks nonce-consumed mapping The WormholeAdapter.sol does NOT implement a deliveries mapping or nonce-consumed check. The deliveryHash parameter in receiveWormholeMessages() is commented out and unused: bytes32 /* deliveryHash */. Wormhole's documentation states replay protection must be enforced by the receiving contract. Redeliveries can be requested by anyone. If a message is replayed, WormholeAdapter would process it twice unless the underlying message handler has its own deduplication. Gateway.sol failedMessages mapping is retry logic, not deduplication. RD-F-148 yellow Bridge validator count (M) Wormhole Guardian set: 19 guardians. Quorum: 13-of-19 (two-thirds supermajority). PoA network of established validator companies. 19 guardians is the full set for mainnet. F179 (LayerZero DVN) is N/A — Centrifuge V3 does not use LayerZero. RD-F-149 yellow Bridge validator threshold (k-of-M) 13-of-19 (68%) supermajority required for VAA validity. Above 2/3 threshold. For governance actions, Wormhole requires two-thirds supermajority. The 13-of-19 threshold means 7 guardians would need to be compromised to forge a message. Threshold is reasonable but PoA not trustless. RD-F-150 yellow Bridge validator co-hosting 19 Wormhole guardians are named independent institutional staking operators (01node, ChainLayer, Chorus One, Everstake, Figment, P2P Validator, Staked, Staking Facilities, Staking Fund, xLabs, MCF, Forbole, HashKey Cloud, Inotel, MoonletWallet, syncnode, Triton, ChainodeTech, Google Cloud). No evidence of systematic ASN or datacenter co-hosting concentration above 30% threshold found. Full per-guardian OSINT-level ASN enumeration not determinable from available public documentation. RD-F-151 yellow Bridge ecrecover checks result ≠ address(0) Centrifuge's WormholeAdapter.sol validates msg.sender == address(relayer) and source address against a whitelisted mapping; it does NOT perform ecrecover itself. VAA signature validation (13-of-19 guardians via ecrecover) occurs inside Wormhole's core contracts. Centrifuge's adapter trusts the Wormhole relayer contract as an oracle of truth. Assessment: yellow because critical validation is abstracted to an external dependency. RD-F-155 yellow Bridge validator-set rotation recency Wormhole guardian set has been stable for extended periods. The 19 guardians are institutional and rotation is infrequent. No recent guardian set change publicly reported as of profile date. Centrifuge has no control over the Wormhole guardian set — Wormhole protocol governance decision. Rotation events not tracked in available data. RD-F-156 yellow Bridge uses same key custody for >30% validators 19 guardians are named independent institutional staking operators across distinct organizations. No evidence that any single key custodian holds keys for >30% (>5.7 of 19) of guardians. However, independent per-guardian key custody verification via OSINT was not completed. Yellow reflects absence of confirmed concentration, not confirmed absence. RD-F-157 yellow Bridge TVL per validator ratio Centrifuge TVL ~$1.9B (DeFiLlama, Apr 2026). Wormhole guardian count: 19. TVL per guardian: $1,900M / 19 = ~$100M. Taxonomy threshold: green < $50M/validator; yellow $50M-$200M/validator; red > $200M/validator. $100M falls firmly in yellow band. Wormhole transmits messages only — assets remain in Escrow on each chain; risk is message forgery causing accounting corruption rather than direct asset exfiltration. RD-F-179 gray LayerZero OFT DVN config (count, threshold, diversity) N/A. Centrifuge V3 does not use LayerZero. Profile explicitly states layerzero_bridge: false. The V3 migration moved from V2's multi-adapter model (which included LayerZero) to Wormhole-exclusive. F179 does not apply.

RD-F-147 green Protocol has bridge surface Yes. Centrifuge V3 uses Wormhole's Automatic Relayer as the exclusive cross-chain messaging layer across a 9-chain hub-and-spoke deployment. The Gateway contract routes all investment requests, share price updates, and redemption confirmations through the WormholeAdapter.

RD-F-152 green Bridge binds message to srcChainId Wormhole VAAs include emitterChainId in the message structure. WormholeAdapter.sol validates sourceWormholeId in receiveWormholeMessages() against the configured source.wormholeId for each Centrifuge chain. Per-chain separation is enforced through the sources mapping.

RD-F-154 green Default bytes32(0) acceptable as valid root GREEN — not applicable. Centrifuge uses Wormhole Automatic Relayer model, not a Merkle-root-based inbox. WormholeAdapter.sol has no root-acceptance check. Nomad-class bytes32(0) bug pattern does not exist in this architecture.

Threat intelligence & recon Green 0 8 of 8

RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Gray — requires mempool + CTI cluster feed integration not publicly available. Permissioned pool access (KYC) makes traditional mempool probing less useful for an attacker — they cannot call investment functions without KYC approval. No probe activity evidence in public data. RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols In-house hack DB (311 entries) contains no RWA tokenization protocol entries with attacker reconnaissance time data. The hack DB covers lending/DEX/bridge/perps/yield protocols. Centrifuge's peer class (institutional RWA vault tokenization) has no meaningful sample (n=0). Insufficient DB sample to produce statistically meaningful reconnaissance-time estimate for this protocol class. RD-F-164 gray Leaked credential on paste/sentry site Gray — requires paste-site / credential-dump monitoring feed not publicly accessible. No public reporting of Centrifuge credential leaks found. Centrifuge infrastructure (RPC endpoints, admin keys, frontend CDN credentials) could theoretically appear in paste sites but cannot be assessed from public data. RD-F-165 gray Protocol social channel has scam-coordinator flag No scam-coordinator flag found in public sources. Centrifuge has Telegram at t.me/centrifuge_chat and governance forum at gov.centrifuge.io; Discord not confirmed as active per profile. No curator scam-coordinator watchlist available for cross-reference. Absence of evidence without watchlist cannot support green.

RD-F-158 green Known-threat-actor cluster has touched protocol No known threat-actor wallet interactions with Centrifuge contracts found in public data. The Kelp DAO exploit (April 2026, Lazarus/$292M) targeted LayerZero OFT 1/1 DVN — Centrifuge uses Wormhole 13-of-19, no overlap in attack surface. No Chainalysis/TRM public reports flag Centrifuge contracts.

RD-F-160 green GitHub malicious-dependency incident touching protocol deps No malicious dependency release advisories in trailing 90 days affecting Centrifuge's dependency tree found in public search results. No npm security advisory flagging centrifuge/protocol dependencies. No GitHub security advisory for centrifuge/protocol package dependencies.

RD-F-161 green Protocol-impersonator domain registered (typosquat) No typosquat domains specifically targeting centrifuge.io found in search results. General search for 'centrifuge phishing domain' returned only generic methodology articles, not Centrifuge-specific incidents. No active impersonation domain registered. centrifuge.io SSL is maintained.

RD-F-162 green Known-exploit-template selector deployed by any address Centrifuge has zero known prior exploits, meaning no exploit-specific template exists for this protocol. The broader RWA vault architecture has no established exploit template in public databases. No exploit-template contracts targeting Centrifuge's selector patterns deployed.

Tooling / compiler / AI Green 8 5 of 5

RD-F-170 yellow Solc version used (known-bug versions flagged) Deployed V3.1 contracts compiled with Solidity 0.8.26 (Etherscan Exact Match confirmed) — no known critical bugs at this config. Development repo (foundry.toml) targets Solidity 0.8.28 which has a known HIGH-severity bug: Transient Storage Clearing Helper Collision Bug (fixed in 0.8.34). The bug only affects the viaIR pipeline; foundry.toml does NOT enable via_ir so current deploys are safe. Future deploys from current repo risk this bug if viaIR is enabled. RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Centrifuge is an original implementation. No bytecode similarity to an upstream protocol exists. The custom Auth/ward pattern differs from OZ/Aave architectures both structurally and in state-mutation ordering. No AI-generated copy pattern identified.

RD-F-172 green Repo shows AI-tool co-authorship in critical files Recent commit history (April 2026) shows no explicit AI-tool co-authorship markers (no Co-authored-by: GitHub Copilot or Generated by ChatGPT in commit messages). One Feb 10 2026 commit adds CLAUDE.md system prompt for CI/documentation assistance — not code generation. No commits in critical contract files mention AI-tool co-authorship.

RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure found in Centrifuge blog posts, team X posts, docs, or governance forum indicating AI-generated Solidity in security-critical paths. The CLAUDE.md commit is for CI/documentation tooling, not Solidity generation. Audit trail and code style are consistent with professional human-authored Solidity.

RD-F-174 green Dependency tree uses EOL Solidity version Deployed contracts use Solidity 0.8.26 (released November 2023) — not EOL. Development repo targets 0.8.28 (released October 2024) — not EOL (current latest 0.8.34 as of February 2026). Solidity 0.8.x is actively maintained. No deployment artifact using a version prior to 0.8.24 identified.

Response & disclosure hygiene Green 8 4 of 4

RD-F-176 yellow Disclosure SLA public 72-hour acknowledgement SLA is publicly stated per centrifuge.io/security. However: (a) Cantina bounty program does not state a specific Centrifuge SLA — it says researchers should report within 24 hours which is a researcher SLA, not a team-response SLA; (b) no evidence found of SLA being honored or tested in a documented public case; (c) legacy bounty SLA ($50K DAI max) is not aligned with current Cantina $250K program.

RD-F-175 green Disclosure channel exists Multiple disclosure channels exist: security@centrifuge.io (primary), Cantina managed bug bounty platform, legacy HackenProof listing, GitHub security repo with public issues. All appear actively monitored.

RD-F-177 green Prior known-ignored disclosure False — no evidence found of any disclosure that was known to the team and not actioned before an exploit. No prior exploits occurred (RD-F-077 = 0). Cantina 2024 critical router finding was discovered during an audit, was not exploited, and was fixed before deployment. GitHub security repo shows 3 open issues (2019 DMARC/SPF findings) — none appear to be pre-exploit ignored vulnerability disclosures.

RD-F-178 green CVE/GHSA advisory issued against protocol False — no CVE or GHSA advisory found for Centrifuge protocol. Web search returned no Centrifuge-specific GHSA entries. NVD CVE search returned no Centrifuge DeFi protocol CVEs. The 2024 critical router finding was disclosed via the Cantina audit report system, not issued as a GHSA advisory.

rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol centrifuge