defirisk.co
rubric v1.7.0

Compound V3 (Comet)

Single-base-asset money market protocol on Ethereum and 8 L2/alt chains; each market (Comet instance) has one borrowable base asset and accepts multiple collateral tokens.

Sector lending
TVL $1.4B
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 25.2
Deployments Ethereum · $1.2B
01

Risk profile at a glance

0 red · 3 yellow · 10 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 10 25 of 25
RD-F-001 yellow Audit scope mismatch OZ 2022 audit commit 0f1221967 no longer matches deployed impl (upgraded April 26, 2026 via tx 0x747628b8). OZ continuous partnership (12 audits in 2024, 40+ in July 2024-June 2025 term) covers V3 updates but per-deployment commit-level match is not publicly verifiable from individual audit PDFs.
RD-F-003 yellow Resolved-without-proof findings OZ audit: 1 high finding (locked assets, partially addressed), 3 medium (2 resolved via PR, 1 acknowledged with docs only). ChainSecurity: ERC-777 reentrancy in buyCollateral acknowledged without code fix. No post-audit finding has been exploited in 44+ months.
RD-F-006 yellow Audit-to-deploy gap OZ audit ended June 14, 2022; mainnet launch August 26, 2022 = 73-day gap. ChainSecurity dated May 30, 2022 = ~88-day gap. Both fall in the 61-180 day yellow range per methodology.
RD-F-009 yellow Formal verification coverage Certora (Feb-March 2022) wrote 50 correctness rules covering core lending, collateral flag integrity, balance tracking. Found one concrete bug (isInAsset returning false for assetOffset >= 8). Percentage of rules successfully proven not publicly quantified.
RD-F-010 yellow Static-analyzer high-severity count No public Slither/Mythril/Semgrep output on deployed bytecode. Audit proxy: OZ 0 critical, 1 high (partially addressed), 3 medium; ChainSecurity reentrancy informational. OZ 2024 disclosed no high-severity V3 code findings.
RD-F-014 yellow Reentrancy guard on external-calling functions Comet does not use nonReentrant guards. ChainSecurity identified Bulker invoke and doTransferIn as reentrancy-possible (informational) — no exploitable path found. Team declined guards for code clarity. No exploit in 44+ months with current ERC-20-only collateral set.
RD-F-015 yellow ERC-777/1155/721 hook without reentrancy guard ChainSecurity identified that ERC-777 tokens could enable reentrant buyCollateral calls, allowing excess collateral purchase. Team acknowledged without code fix. The current collateral set (WETH, WBTC, USDC, LINK, UNI, COMP, wstETH, USDT, USDS) consists entirely of standard ERC-20s — practical risk is mitigated; architectural risk exists for future ERC-777 listings.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Compound V3 uses the OpenZeppelin EIP-1967 Transparent Proxy pattern, not UUPS. Upgrades go through CometProxyAdmin (Timelock-owned) calling upgradeTo() on the proxy — no _authorizeUpgrade in any Comet implementation contract.
RD-F-002 green Audit recency OZ conducted 12 comprehensive V2/V3 audits and 7 governance proposal audits in 2024; 40+ security audits in the July 2024-June 2025 annual term. Continuous coverage well within any recency threshold.
RD-F-004 green Audit count At least 3 independent firms: OZ (2022 comprehensive + ongoing since Dec 2021), ChainSecurity (May 2022), Certora formal verification (Feb-March 2022). Additional OZ audits for Scroll Alpha Comet, GovernorBravo, ERC-4626 wrapper.
RD-F-005 green Audit firm tier OpenZeppelin: Tier-1 (taxonomy-listed). ChainSecurity: established European security firm, Tier-2 equivalent. Certora: leading formal verification firm for DeFi, Tier-1 FV.
RD-F-007 green Bug bounty presence & max payout Active Immunefi program since December 11, 2024; max payout $1,000,000 for critical smart contract bugs (10% of funds at risk, $50,000 floor); 254 total assets in scope; Primacy of Impact applies; KYC required.
RD-F-008 green Ignored bounty disclosure No evidence of ignored disclosure. 2023 Comet vulnerability patched before public disclosure with no user funds at risk. Tally Proposal 203 rewarded responsible discloser. Rekt DB shows zero V3 incidents.
RD-F-011 green SELFDESTRUCT reachable from non-admin path GitHub code search on compound-finance/comet returns 0 files matching 'selfdestruct' — opcode is absent from the codebase. Post-Dencun EIP-6780 further restricts SELFDESTRUCT semantics.
RD-F-012 green delegatecall with user-controlled target CometExt invoked via delegatecall from Comet.sol with hardcoded immutable target set at deploy time. No user-supplied target possible. OZ audit found no user-controlled delegatecall target. RareSkills architecture confirms fixed-target design.
RD-F-013 green Arbitrary call with user-controlled target No arbitrary .call(target, data) with user-controlled target identified in OZ or ChainSecurity audits or secondary analysis. Bulker performs standard ERC-20 transfers to user-specified beneficiary addresses, not arbitrary contract calls.
RD-F-016 green Divide-before-multiply pattern No divide-before-multiply finding in OZ or ChainSecurity audits. Compound V3 uses explicit fixed-point scaling with BASE_INDEX_SCALE and CometMath.sol is explicit about operation ordering.
RD-F-017 green Mixed-decimals math without explicit scaling No decimal mismatch finding in OZ or ChainSecurity audits. Compound V3 normalizes all tokens through Chainlink oracle price scaling and base-unit accounting in CometCore.sol.
RD-F-018 green Signed/unsigned arithmetic confusion No signed/unsigned confusion finding in OZ or ChainSecurity audits. Solidity 0.8.x provides built-in overflow/underflow protection. Certora's 50 FV rules cover arithmetic invariants.
RD-F-019 green ecrecover zero-address return unchecked CometExt.sol function allowBySig uses ecrecover and immediately checks: if (signatory == address(0)) revert BadSignatory() — zero-address guard properly implemented.
RD-F-020 green EIP-712 domain separator missing chainId CometExt.sol constructs domain separator using block.chainid: keccak256(abi.encode(DOMAIN_TYPEHASH, keccak256(bytes(name())), keccak256(bytes(version)), block.chainid, address(this))) — chainId included, preventing cross-chain signature replay.
RD-F-022 green Public initialize() without initializer modifier Comet.sol initializeStorage() uses state-based guard: if (lastAccrualTime != 0) revert AlreadyInitialized(). OZ audit noted front-run risk and recommended constructor-based approach; team mitigated via governance atomicity (deploy+initialize called atomically). No exploit in 44+ months.
RD-F-023 green Constructor calls _disableInitializers() OZ 2022 audit L04 'Logic contracts initialization allowed' was scoped to Configurator.sol (the upgradeable proxy implementation), not Comet.sol. Fixed in compound-finance/comet PR #425 / commit 79f59e5 (merged 2022-06-23): Configurator constructor sets version = type(uint256).max, so the existing 'if (version != 0) revert AlreadyInitialized()' guard blocks any direct initialize() call on the implementation. Comet.sol itself uses immutables in its constructor and a 'lastAccrualTime != 0' guard in initializeStorage(); not Initializable-proxied so _disableInitializers() does not apply. OZ marked the finding Fixed.
RD-F-024 green Code complexity vs audit coverage OZ audit ran 32 days covering 18 contracts; ChainSecurity ran independently; Certora FV covered core math. OZ 2024 partnership conducted 40+ audits in annual term specifically for Compound — audit cadence clearly calibrated to codebase complexity and upgrade frequency.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Immunefi program (Dec 2024) covers 254 assets; Primacy of Impact applies for critical findings meaning researchers can report any impactful vulnerability. No evidence of Kelp-DAO-style exclusion of major Comet contracts. cUSDCv3 (~$1.21B TVL) is in scope.
Governance & admin Yellow 21 24 of 24
RD-F-039 red delegatecall/call in proposal execution without allowlist GovernorBravoDelegate.execute() calls timelock.executeTransaction(targets[i], values[i], signatures[i], calldatas[i], eta). Timelock.executeTransaction() performs target.call{value}(callData) with NO enforced allowlist on target or calldata. Any address can be targeted. Comet exposes approveThis(asset, manager, amount) and withdrawReserves(address to, uint amount) callable by governor/Timelock — full drain vectors. Demonstrated by Proposal 289 (July 2024): 682,191 vs 633,636 votes, $24M COMP nearly transferred; cancelled only by social negotiation with attackers.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) At least 5 distinct privileged addresses on Ethereum mainnet: Timelock (upgrade+execute), Community MultiSig (pause+proposal cancel), GovernorBravo 0x309a862 (active, queues proposals), GovernorBravo 0xc0Da02 (legacy, status unclear), Timelock.admin EOA 0x8B8592 (direct queue/execute rights per Timelock.sol). Plus L2 local timelocks per chain.
RD-F-027 yellow Single admin EOA Primary upgrade path routes through Timelock -> GovernorBravo -> COMP DAO. Not a single EOA for the standard path. Exception: Timelock.admin() = 0x8B8592E9570E96166336603a1b4bd1E8Db20fa20, confirmed EOA (no contract code, 152 transactions over 7+ years, personal wallet). Per Compound Timelock.sol, the admin can call queueTransaction() and executeTransaction() directly, bypassing GovernorBravo. Whether this is an active bypass or a legacy residual is unresolved.
RD-F-028 yellow Low-threshold multisig vs TVL Community MultiSig confirmed 4-of-6 by OpenZeppelin compound-security-policies README (6 named signers: Paul L./Gauntlet, 0age/OpenSea, arr00, blck, Jared F., TennisBowling; threshold: 4/6). DeFiScan reports 4-of-8 and states the multisig does not meet security council standards (requires >=7 signers, >=51% threshold). Either reading is below the >=5-of-8 peer norm for $1.35B TVL. Powers limited to pause + proposal cancel.
RD-F-032 yellow Timelock duration on upgrades Timelock MINIMUM_DELAY = 172,800s = 48h. Active GovernorBravo (0x309a862): votingPeriod = 50,400 blocks (~7 days), votingDelay = 19,710 blocks (~2.7 days). Total governance cycle ~12 days. DeFiScan flags Stage 0, noting the timelock alone is 2 days, below the 7-day exit window standard. Scoring yellow because the minimum timelock delay alone is 48h (a hostile proposal could set eta at the minimum); the practical total cycle is ~12 days with the new governor.
RD-F-033 yellow Timelock on sensitive actions Upgrade: timelocked (CometProxyAdmin.owner = Timelock). Oracle config (Configurator): timelocked. Market params: timelocked. Fund drain (approveThis, withdrawReserves): timelocked (governor = Timelock). Pause: NOT timelocked (Community MultiSig direct pause, by design as emergency mechanism). 4 of 5 sensitive action classes timelocked; pause intentionally exempt.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle All three governance roles (upgrade, fee/reserve config, oracle config) route through the single Timelock as final executor. Role separation exists at the calldata level (different target contracts, different functions) but all execution concentrates through the same Timelock address. Design choice, not misconfiguration.
RD-F-040 yellow Emergency-veto multisig present Community MultiSig holds the Proposal Guardian role — it can cancel queued proposals before execution. A meaningful veto mechanism exists. However, Proposal 289 was NOT cancelled by guardian action; attackers withdrew voluntarily after social negotiation. Guardian unilateral veto effectiveness under pressure is unproven.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock Comet.sol exposes approveThis(address manager, address asset, uint amount) and withdrawReserves(address to, uint amount), both callable only by governor (= Timelock in production). approveThis grants approval over any ERC-20 held in Comet; withdrawReserves moves base token reserves. Both require the full governance process (GovernorBravo vote + 48h timelock). No single EOA or multisig direct bypass path. Drain capability is real but timelocked through governance (risk captured under RD-F-039).
RD-F-047 yellow Governance token concentration (Gini) Governance is demonstrably concentrated. Proposal 289 passed with 57 participating wallets; 5 wallets contributed >228,000 COMP delegated from Bybit alone. Total quorum = 400,000 COMP = 4% of 10M supply. A single coordinated entity (Humpy/Golden Boys) nearly passed a hostile $24M proposal. Precise Gini not computed but strong qualitative evidence of high concentration.
RD-F-167 yellow Deprecated contract paused but pause reversible by live admin Compound V2 (predecessor protocol) shares the same Timelock (0x6d903f) and GovernorBravo governance infrastructure. V2 is active (not deprecated), so no deprecated surface in the strict sense. However, the shared Timelock constitutes admin scope extension — governance affecting the Timelock affects both V2 and V3 simultaneously. Community MultiSig holds pause guardian rights over both V2 and V3. Data cache: has_legacy_v1 = true.
RD-F-029 gray Multisig signers co-hosted Signers from three distinct organizations: Gauntlet (professional risk management firm), OpenSea (0age), community members (arr00, blck, Jared F., TennisBowling). Organizational diversity makes co-hosting unlikely. Full ASN/datacenter OSINT not conducted.
RD-F-030 gray Hot-wallet signer flag Not assessed. No on-chain behavioral analysis of individual signer nonce/gas-price patterns conducted. Signer identities known from OZ security policies repo but signing pattern (hardware vs. hot wallet) not analyzed.
RD-F-045 gray Constructor args match governance proposal Not assessed. Each governance proposal encodes deployAndUpgradeTo calldata with a new implementation address. Per-proposal calldata decode and comparison to deployed constructor args for April 2026 upgrades would require individual proposal-level inspection. Tally governance proposals are searchable but individual calldata decode was not completed.
RD-F-025 green Admin key custody type Effective admin/upgrader = full DAO+timelock. CometProxyAdmin.owner() = Timelock 0x6d903f. COMP DAO proposal + full governance cycle required for any upgrade or config change. Categorical: full DAO+timelock.
RD-F-031 green Signer rotation recency Community MultiSig exec transaction on April 25, 2026 (block 24958754). Current signer set managed through annual governance renewal process. No threshold-reduction event identified. No DPRK-precursor signer-rotation pattern observed.
RD-F-034 green Guardian/pause-keeper distinct from upgrader Community MultiSig (0xbbf3f1) = pause guardian + proposal guardian. Timelock (0x6d903f) = upgrader. Distinct addresses with architecturally distinct powers. Roles are structurally separated.
RD-F-036 green Flash-loanable voting weight COMP uses EIP-20 checkpoint delegation. GovernorBravo reads getPriorVotes(account, block.number - 1). Voting weight snapshotted at prior block. Flash loans cannot retroactively inflate prior-block checkpoint balances. Beanstalk-class attack prevented. Proposal 289 used pre-accumulated COMP from Bybit, not flash loans.
RD-F-037 green Quorum achievable via single-entity flash loan Quorum = 400,000 COMP (4% of supply). Checkpoint voting prevents flash-loan quorum manipulation. Proposal 289 used 682,191 votes from pre-held COMP across 57 wallets (228k+ from Bybit delegates). Flash-loan quorum attack not feasible given checkpoint design.
RD-F-038 green Proposal execution delay < 24h Active GovernorBravo (0x309a862): votingDelay = 19,710 blocks (~2.7 days) + votingPeriod = 50,400 blocks (~7 days) + timelock 48h = ~12 days total. Well above 24-hour threshold. Users have a meaningful window to exit before any governance change can execute.
RD-F-042 green Admin has mint() with unlimited max Not applicable. COMP total supply = 10,000,000 tokens, all minted at genesis (June 2020). No admin-callable mint function with unlimited max exists. COMP is a fixed-supply governance token. CometRewards distributes pre-minted COMP via treasury transfer, not via mint.
RD-F-043 green Admin = deployer EOA after 7 days CometProxyAdmin deployed by Compound: Deployer 5 (0x343715fa797b8e9fe48b9efab4b54f01ca860e78). Ownership transferred to Timelock (0x6d903f) at/shortly after August 2022 deploy. Protocol live ~44 months. No deployer EOA retains any current admin role on live contracts.
RD-F-044 green Admin wallet interacts with flagged addresses No flagged interactions identified for Timelock (0x6d903f), Community MultiSig (0xbbf3f1), or CometProxyAdmin (0x1EC63B). Data cache: rekt.incidents = [], deployer.funded_by = null. No mixer-funded deployer or DPRK-linked address signals. Immunefi bug bounty active with no incident history noted.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core Ethereum mainnet contracts verified on Etherscan: cUSDCv3 proxy (TransparentUpgradeableProxy, Exact Match verified), GovernorBravoDelegator 0x309a862 (Exact Match verified), GovernorBravoDelegator 0xc0Da02 (verified), Timelock (verified Compound Timelock.sol), CometProxyAdmin (verified), ConfiguratorProxy (verified), COMP token (verified). Newest implementation 0xFe36A006 (April 26, 2026) verification status flagged for code-security-analyst confirmation.
Oracle & external dependencies Yellow 33 17 of 17
RD-F-051 red Fallback behavior on oracle failure No fallback oracle. Zero price triggers BadPrice() revert; stale positive price silently accepted. Governance replacement: 5–7 days minimum due to immutable oracle addresses requiring new implementation deploy.
RD-F-180 red Immutable oracle address [★ CRITICAL — RED] baseTokenPriceFeed declared immutable in Comet.sol. All collateral price feeds packed as immutable variables. No admin setter. Oracle replacement requires full governance cycle + new implementation deployment (5-7 days minimum). No emergency path.
RD-F-049 yellow Oracle role per asset Each asset has exactly one oracle (Primary role only). No Secondary or Fallback oracle assigned. DeFiScan confirms: 'no fallback oracle mechanism.'
RD-F-052 yellow Breakage analysis per dependency Stale positive price silently accepted (highest-impact failure). Zero price causes market halt (recoverable). Breakage analysis documented per dependency.
RD-F-056 yellow Single-pool oracle (no medianization) Chainlink feeds aggregate 16-31 operators internally. However, no cross-provider medianization at protocol level — single Chainlink feed per asset with no secondary source cross-validation.
RD-F-057 yellow Circuit breaker on price deviation No circuit breaker on price deviation. Only check is price <= 0 (BadPrice revert). No maximum-deviation threshold, no cross-source comparison, no pausing on extreme price movement.
RD-F-059 yellow Oracle staleness check present No staleness check. Comet discards updatedAt from latestRoundData(). USDC/USD heartbeat is 82,800s (23h); stale prices silently accepted for up to 23–24h.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig Chainlink internal minAnswer/maxAnswer bounds apply but cannot be fully confirmed without direct RPC reads. Lower-liquidity assets (COMP, UNI, AVAX) may have bounds insufficient to protect against extreme moves. Comet provides no additional min/max layer.
RD-F-054 n/a TWAP window duration Protocol does not use DEX-TWAP oracles. All feeds are push-model aggregators (Chainlink, RedStone, API3). TWAP window concept does not apply.
RD-F-055 n/a Oracle pool depth (USD) Protocol does not use DEX pool oracles. All oracles are off-chain aggregator models. Pool liquidity depth is not relevant.
RD-F-058 n/a Max-deviation threshold (bps) No circuit breaker exists (see RD-F-057). Max-deviation threshold concept does not apply.
RD-F-061 n/a LP token balanceOf used for pricing No LP token collateral accepted. All collateral assets are individual ERC-20 tokens priced via off-chain aggregators. No balanceOf in any oracle path.
RD-F-181 n/a Permissionless-pool lending oracle Compound V3 does not accept oracle prices from permissionlessly-created DEX pools. New oracle feeds added only via governance using established providers (Chainlink/RedStone/API3). Asset listing requires governance approval.
RD-F-048 green Oracle providers used Ethereum: 19 verified Chainlink feeds. Unichain: RedStone push-model via ScalingPriceFeed. Mantle: API3 OEV Network. Per-chain single-provider; established oracle providers with documented SLAs.
RD-F-050 green Dependency graph (protocols depended upon) Full dependency graph documented: Chainlink (Eth), RedStone (Unichain), API3 (Mantle), native L2 bridges (governance relay), ERC-20 collateral tokens, CometRewards. No undocumented protocol-level deps.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — DOES NOT FIRE] All oracles are Chainlink AggregatorV3Interface (latestRoundData), RedStone push-model, or API3 OEV — none read raw DEX spot prices. No slot0(), getReserves(), or observe() calls.
RD-F-062 green External keeper/relayer not redundant Liquidations are fully permissionless (any address can call absorb()). No single-keeper dependency. Governance relay uses canonical bridges, not a protocol-specific keeper. COMP rewards distribution is also permissionless.
Economic risk Green 19 13 of 13
RD-F-065 yellow Liquidity depth per major asset 2%/5% slippage depth not measured numerically. WETH/WBTC have deep DEX liquidity; COMP/UNI/LINK mid-tier. April 2026 rsETH incident demonstrated exotic bridged-LRT collateral had insufficient liquidity when worthless. storeFrontPriceFactor=0.5 creates ~2.5% net liquidation discount on WETH/WBTC — thin for volatile assets.
RD-F-067 yellow Historical bad-debt events April 2026 KelpDAO rsETH exploit: attackers deposited stolen rsETH on cWETHv3, borrowed ~$39.4M WETH. rsETH became worthless. Target reserves cWETHv3 ≈ 5,000 WETH (~$13M). Estimated reserve shortfall ~$26M — governance resolution pending as of assessment date. No prior V3 bad-debt events. Rekt DB shows 0 incidents.
RD-F-068 yellow Collateralization under stress No formal stress simulation performed. Qualitative: ETH-correlated collateral dominates. High LLTV for staked ETH (90% borrow CF, 93% liquidate CF). ~2.5% net liquidation incentive is thin for fast-moving cascades. Market isolation limits cross-market contagion. April 2026 rsETH event is a real-world stress case.
RD-F-071 yellow Seed-deposit requirement for new market listing No coded seed deposit requirement in Comet initialization. New markets require full governance proposals (DAO vote + 2-day Timelock). Governance gate is the functional barrier. V2-style empty-market attack not applicable to Comet architecture.
RD-F-073 yellow Oracle-manipulation-proof borrow cap Chainlink feeds (not DEX TWAPs) mitigate the classic oracle-manipulation borrow-cap attack. Supply caps = 0 (uncapped) in cUSDCv3 configuration — governance must set caps explicitly. AVAX/USD feed has the widest deviation (2%) and longest heartbeat (86400s). April 2026 rsETH event shows uncapped collateral risk materializing via bridge exploit.
RD-F-064 gray TVL concentration (top-10 wallet share) Per-wallet depositor concentration not obtained — requires on-chain subgraph scan not performed. Chain-level: Ethereum = 89.6% of TVL (structurally concentrated).
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Compound V3 is an over-collateralized lending protocol. Base assets (USDC, USDT, WETH, USDS, wstETH) are established external assets. No algorithmic or under-collateralized stablecoin design.
RD-F-070 gray Empty cToken-style market (zero supply/borrow) Not applicable — Compound V3 is not a Compound V2-style fork. No cToken share accounting exists. Index-based model (baseSupplyIndex/baseBorrowIndex) cannot be manipulated by donation. Taxonomy marks this factor 'Compound-fork-only: N/A for non-fork protocols.' No critical flag fires.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Native Comet contracts do not implement ERC-4626. CometWrapper implements ERC-4626 with custom internal-accounting inflation protection (functionally equivalent to OZ >=4.9 virtual shares). Core protocol is not an ERC-4626 vault.
RD-F-063 green TVL (current + 30d trend) Current TVL $1.35B (+8.87% over 30 days). Well above $100M green threshold. Growing trend. 89.6% on Ethereum. Data cache DefiLlama 2026-04-27T03:38:24Z.
RD-F-066 green Utilization rate (lending protocols) Overall utilization 45.64% ($617M borrowed / $1.35B supplied). Well below 80% yellow threshold and far below 95% red threshold. Kink-based rate model at 80% provides strong disincentive for the withdrawal-freeze zone.
RD-F-072 green Market-listing governance threshold High-threshold DAO vote required for all new markets and collateral additions. GovernorBravo: 100k COMP proposal threshold, 400k COMP quorum, 3-day vote, 2-day Timelock. Classification: high-threshold.
RD-F-075 green First-depositor / share-inflation guard Native Comet: structural immunity via index-based accounting (baseSupplyIndex cannot be inflated by donation — updated by time-weighted accrual only). CometWrapper: explicit protection via internal accounting (direct token transfers not recognized). No seed deposit mechanism coded but architecture is immune.
Operational history Yellow 25 15 of 15
RD-F-089 red Insurance coverage active No active on-chain insurance coverage found on Nexus Mutual, Sherlock, or Unslashed for Compound V3. TVL ~$1.35B; 0% coverage = red. F089-gray-for-permissioned-RWA exception does not apply.
RD-F-077 yellow Prior exploit count 0 direct smart-contract exploits against Compound V3 Comet. 1 V3-era governance attack (2024-07-28, $0 net loss after proposal cancellation). Threshold: green=0 exploits; yellow=1 with full recovery.
RD-F-080 yellow Days since last exploit Most recent V3-era adverse event: 2024-07-28 (governance attack, $0 net loss). Days since: ~274 days. Threshold: green >365 days; yellow 90-365 days. 274 days falls in yellow band.
RD-F-081 yellow Post-exploit response score 2024 governance attack response: negotiated cancellation over 2-3 days, staking truce, transparent community process, $0 loss. Score ~3/5. 2023 vulnerability: excellent — disclosed, patched, bounty rewarded. Threshold: green >=4; yellow 2-3.
RD-F-086 yellow Pause activations (trailing 12 months) April 2026 KelpDAO rsETH incident: Compound V3 paused WETH/USDC/wstETH on Ethereum + WETH on Optimism/Base/Arbitrum/Linea for one documented external reason. Threshold: yellow = 1-2 pauses with documented reason.
RD-F-087 yellow Pause > 7 consecutive days April 2026 KelpDAO-driven pause duration not confirmed from available evidence. On-chain RPC event log required. >7 consecutive days plausible for some markets but not verified. Scoring yellow pending PE verification.
RD-F-166 yellow Deprecated contracts still holding value Compound V2 formally deprecated via governance vote passed 2025-02-01, executed on-chain 2025-02-04 (99.99% approval; borrows/mints paused; reserve factors 100%). ~$143M TVL in early 2025; April 2026 balance declining but not confirmed. Managed wind-down in progress — not abandoned. Wind-down has been in progress for ~15 months as of the assessment window.
RD-F-082 gray Post-mortem published within 30 days No smart-contract exploit requiring a post-mortem. 2024 governance attack: $0 net loss, proposal cancelled — formal post-mortem not applicable. 2023 vulnerability: forum disclosure served as post-mortem equivalent (published same day). Gray = N/A.
RD-F-083 gray Auditor re-engaged after last exploit No smart-contract exploit requiring post-incident re-audit. OZ provides continuous engagement (12 audits in 2024 alone). 2023 vulnerability patch reviewed under existing OZ partnership. Gray = N/A (no prior exploits requiring incident-triggered re-audit).
RD-F-085 gray Incident response time (minutes) No direct on-chain exploit against Compound V3 from which to measure exploit-tx to team-statement timing. 2024 governance attack was a multi-day negotiation. Gray = N/A.
RD-F-076 green Protocol age (days) Earliest mainnet deploy 2022-08-13/14 (CometProxyAdmin creation tx); public launch 2022-08-26. Age ~1,340 days (~44 months). Threshold: green >= 365 days.
RD-F-078 green Chronic-exploit flag (≥3 incidents) V3-era incident count: 1 (governance attack, 2024). Chronic flag threshold (>= 3 incidents) not triggered.
RD-F-079 green Same-root-cause repeat exploit Only 1 V3-era incident (governance attack, 2024). No repeat root-cause cluster. V2 2021 bug has different root cause (smart contract distribution logic) vs. 2024 governance attack (token accumulation).
RD-F-084 green TVL stability (CoV over 90d) TVL 30-day change +8.87% (data cache). 1-day change -0.37%. Stable upward trajectory. Precise CoV not computed (PE pipeline gap); proxy evidence indicates CoV < 0.15.
RD-F-088 green Re-deployed to new addresses in last year No protocol-wide redeployment to new addresses in last 12 months. New market deployments (Ronin, Unichain) are expansion, not replacement. Implementation upgrades via EIP-1967 proxy retain existing addresses.
Real-time signals Green 11 22 of 22
RD-F-090 yellow Mixer withdrawal → protocol interaction Lazarus Group (TC-attributed DPRK cluster) deposited stolen rsETH into Compound V3 cWETHv3 on Apr 18 2026, borrowing ~$39M WETH. State-changing interaction >$100k. Attribution: LayerZero + Coindesk (>=2 sources). Within 30-day window. Tier-C advisory, does not flip grade.
RD-F-098 yellow TVL anomaly — % drop in <1h TVL stable today at $1,351,889,827 (2026-04-27, -0.37% 1d, +8.87% 30d). Tier-A 30% threshold not breached. Tier-B precursor sub-rule fired on Apr 18 2026 during rsETH exploit (~$39M WETH borrowed by attacker to unknown EOA in short window). Bad debt frozen, no ongoing drain.
RD-F-104 yellow Stablecoin depeg >2% on shared-LP venue No current stablecoin depeg (USDC/USDT/USDS stable as of 2026-04-27). rsETH effective backing collapsed ~18% on Apr 18 — exposure ~2.9% TVL is BELOW the 5% grade-eligible threshold. Advisory note: bad debt frozen in unliquidatable rsETH collateral (~$39M).
RD-F-105 yellow DNS/CDN/frontend hash drift Two confirmed DNS/frontend attacks in 21 months: (a) Jul 2024 compound.finance DNS hijacked via Squarespace vulnerability — drainer installed; (b) Mar 2026 compound.finance redirected to compoond.finance typosquat domain. Both resolved. No active drift 2026-04-27. Repeat pattern confirms highest-priority monitoring requirement.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Mempool monitoring not configured. No public reports of >=5x EMA gas-price willingness from wallets interacting with Compound V3 in last 30 days.
RD-F-094 gray New contract with similar bytecode to exploit template Bytecode similarity index not maintained for Compound V3 lending class. No public reports of exploit-template contract deployment targeting V3 in last 90 days.
RD-F-095 gray Known-exploit function-selector replay Function-selector pattern index not maintained for Compound V3 class. rsETH exploit used lzReceive selector on Kelp infrastructure, not Compound V3 selectors.
RD-F-096 gray New ERC-20 approval to unverified contract from whale Whale list and ERC-20 approval monitoring not configured for Compound V3.
RD-F-097 gray Sybil surge of identical-pattern transactions Transaction clustering algorithm not deployed for Compound V3. No public reports of sybil-burst transaction pattern against V3.
RD-F-099 gray Oracle price deviation >X% from secondary Secondary oracle source map not configured (phase 2 prerequisite). Chainlink-only on Ethereum per DeFiScan. Core USDC/ETH feeds appear stable. rsETH-specific feed deviation occurred Apr 18; governance updated to CAPO via Apr 13 proposal.
RD-F-102 gray Admin/upgrade transaction in mempool Mempool monitoring not deployed (phase 2). Most recent upgrade (cUSDCv3 April 4 2026) was governance-executed through Timelock. Pause events during rsETH event were legitimate risk-management activations.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain signing telemetry not available. Requires protocol team opt-in integration. Structurally always gray for all protocols without team integration.
RD-F-108 gray GitHub force-push to sensitive branch GitHub monitoring not configured. compound-finance/comet repo last commit 2025-12-19 (~4 months ago — repo appears inactive). No public reports of unauthorized push.
RD-F-109 gray Social-media impersonation scam spike Social monitoring not configured. Mar 2026 compoond.finance incident involved phishing campaign linked to DNS redirect — resolved. Standard background impersonation noise expected for major DeFi protocol.
RD-F-091 green Partial-drain test transactions No small-value pre-strike test transactions from new wallets identified against Compound V3 contracts in trailing 30 days. TVL trend +8.87% 30d — no partial-drain pattern visible from public DeFiLlama data.
RD-F-092 green Unusual mempool pattern from deployer wallet Compound deployer 0x18c8f1222083997405f2e482338a4650ac02e1d6 is a historical inactive deployer. Active governance executed through Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). No anomalous mempool activity from deployer.
RD-F-100 green Flash loan >$10M targeting protocol tokens GovernorBravo uses getPriorVotes() checkpoint — flash-loan governance attacks structurally mitigated. No flash loan targeting Compound V3 oracle or governor detected in Apr 2026. COMP checkpointing prevents single-block flash-loan-to-governance attack.
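The checkpoint mechanism behind RD-F-100, as an added illustration written for this page (it is not Compound's Comp.sol or GovernorBravo code): voting power is read at a past block via a getPriorVotes-style lookup, so tokens borrowed in the current block add nothing to the snapshot. The model simplifies real Comp by treating each account's own balance as its votes (no delegation), and every account name and balance below is constructed.

```python
"""Checkpointed voting power vs. live balance under a same-block flash loan.

Added example for this rubric page; not Compound's own code. Models the
getPriorVotes() idea with a per-account history of (block, votes) checkpoints.
Simplification: votes == balance (self-delegated), no delegate changes.
"""
from bisect import bisect_right


class CheckpointedToken:
    """Minimal token that records a vote checkpoint whenever a balance changes."""

    def __init__(self):
        self.balances = {}      # account -> current balance
        self.checkpoints = {}   # account -> list of (block_number, votes), ascending

    def _write(self, account, block, votes):
        cps = self.checkpoints.setdefault(account, [])
        if cps and cps[-1][0] == block:
            cps[-1] = (block, votes)    # same block: overwrite the last checkpoint
        else:
            cps.append((block, votes))

    def mint(self, to, amount, block):
        self.balances[to] = self.balances.get(to, 0) + amount
        self._write(to, block, self.balances[to])

    def transfer(self, frm, to, amount, block):
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self._write(frm, block, self.balances[frm])
        self._write(to, block, self.balances[to])

    def get_current_votes(self, account):
        """Live balance: what a naive governor would count."""
        return self.balances.get(account, 0)

    def get_prior_votes(self, account, block):
        """Votes as of `block` (inclusive): the checkpointed value a governor
        should use for a proposal whose snapshot is `block`. Zero if the
        account had no checkpoint that early."""
        cps = self.checkpoints.get(account, [])
        i = bisect_right([b for b, _ in cps], block)
        return cps[i - 1][1] if i else 0


def flash_loan_vote_scenario():
    """Constructed scenario: a proposal snapshots at block 100; in block 101 an
    account borrows 1,000,000 tokens, reads its power, and repays in the same
    block. Returns (live_votes_seen, checkpointed_votes_seen)."""
    token = CheckpointedToken()
    token.mint("lender_pool", 1_000_000, block=1)   # constructed liquidity source
    token.mint("borrower", 10, block=50)            # constructed small holder
    proposal_start_block = 100

    token.transfer("lender_pool", "borrower", 1_000_000, block=101)  # loan in
    live = token.get_current_votes("borrower")
    snapshot = token.get_prior_votes("borrower", proposal_start_block)
    token.transfer("borrower", "lender_pool", 1_000_000, block=101)  # repaid
    return live, snapshot


if __name__ == "__main__":
    live, snapshot = flash_loan_vote_scenario()
    print(f"live balance seen: {live}, checkpointed power at snapshot: {snapshot}")
```

The live balance briefly reads 1,000,010 while the checkpointed power at the proposal's start block stays at 10, which is the property RD-F-100 relies on; a governor that reads live balances has no such protection.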
RD-F-101 green Large governance proposal queued No flagged-pattern proposal queued as of 2026-04-27. Recent proposals (rsETH price feed update Apr 13, Compound Foundation, Growth Program) are legitimate. 2024 Proposal 289 confirms this signal is load-bearing for Compound — must be wired for live monitoring.
RD-F-103 green Bridge signer-set change proposed/executed Compound V3 is not a canonical configurable-signer bridge. Native L2 governance relay bridges (Arbitrum Inbox, OP Messenger) do not expose user-configurable signer sets. Community MultiSig threshold stable at 5-of-9 per data cache (2026-04-27). No threshold change event detected.
RD-F-106 green Cross-chain bridge unverified mint pattern Compound V3 uses native L2 bridges for governance message-passing only; user assets are NOT bridged. No financial bridge mint-without-proof risk applicable. Signal structurally N/A for this protocol's cross-chain architecture.
RD-F-110 green Unusual pending/executed proposal ratio Governance activity appears normal as of 2026-04-27. Tally shows active proposals in expected cadence: rsETH price feed update, Compound Foundation, Growth Program. No anomalous pending/executed ratio.
RD-F-182 green Security-Council threshold reduction (RT) Community MultiSig (0xbbf3f1421D886E9b2c5D716B5192aC998af2012c) threshold stable at 5-of-9 per data cache Safe API (2026-04-27T03:38:24Z). No ChangedThreshold, AddedOwner, or RemovedOwner event detected in last 14 days.
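The check behind RD-F-089 and RD-F-182 (threshold and owner-set changes on the Community MultiSig), as an added example written for this page rather than defirisk.co's own monitor. It assumes an indexer has already decoded the Safe's ChangedThreshold, AddedOwner and RemovedOwner events into plain dicts; the event records, the owner addresses and the timestamps below are constructed, and the 5-of-9 baseline and 14-day window are taken from the rubric text.

```python
"""Flag Safe signer-set changes that weaken a k-of-M multisig.

Added example for this rubric page; not the rubric's own tooling. Input is a
time-ordered list of decoded Safe OwnerManager events (constructed here).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BASELINE_THRESHOLD = 5           # from the rubric: 5-of-9
BASELINE_OWNERS = 9
LOOKBACK = timedelta(days=14)    # rubric's detection window


@dataclass
class Alert:
    when: datetime
    event: str
    detail: str
    severity: str   # "red" for a threshold reduction, "yellow" for other changes


def minority_can_act(threshold, owners):
    """True when k <= M/2, i.e. fewer than half the signers can execute."""
    return threshold * 2 <= owners


def audit_signer_events(events, baseline_threshold, baseline_owners, now, lookback=LOOKBACK):
    """Replay decoded Safe events and report changes inside the lookback window.

    events: iterable of {"ts": datetime, "name": str, "arg": value}, ascending by ts.
    Returns (alerts, final_threshold, final_owner_count).
    """
    threshold, owners = baseline_threshold, baseline_owners
    alerts = []
    for ev in events:
        name, arg, ts = ev["name"], ev["arg"], ev["ts"]
        if name == "ChangedThreshold":
            new = int(arg)
            sev = "red" if new < threshold else "yellow"
            detail = f"threshold {threshold}->{new} of {owners}"
            threshold = new
        elif name == "AddedOwner":
            owners += 1
            sev, detail = "yellow", f"owner added {arg}; now {threshold}-of-{owners}"
        elif name == "RemovedOwner":
            owners -= 1
            # Same threshold over fewer owners concentrates control.
            sev, detail = "yellow", f"owner removed {arg}; now {threshold}-of-{owners}"
        else:
            continue   # ignore unrelated Safe events
        if now - ts <= lookback:
            alerts.append(Alert(ts, name, detail, sev))
    return alerts, threshold, owners


# Constructed sample stream: one change outside the window, two inside it.
NOW = datetime(2026, 4, 27, 3, 38, 24, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(days=20), "name": "RemovedOwner",
     "arg": "0x000000000000000000000000000000000000dEaD"},   # placeholder address
    {"ts": NOW - timedelta(days=3), "name": "ChangedThreshold", "arg": 4},
    {"ts": NOW - timedelta(days=1), "name": "AddedOwner",
     "arg": "0x000000000000000000000000000000000000bEEF"},   # placeholder address
]


def run_sample():
    """Audit the constructed stream against the rubric baseline."""
    return audit_signer_events(SAMPLE_EVENTS, BASELINE_THRESHOLD, BASELINE_OWNERS, NOW)


if __name__ == "__main__":
    alerts, k, m = run_sample()
    for a in alerts:
        print(a.severity.upper(), a.when.date(), a.event, a.detail)
    print(f"current set: {k}-of-{m}, minority can act: {minority_can_act(k, m)}")
```

On the constructed stream the 20-day-old owner removal is outside the window and produces no alert, the threshold drop from 5 to 4 is red, and the later owner addition is yellow; the resulting 4-of-9 set also trips the minority-can-act check, which is the condition a stable 5-of-9 does not meet. On a live Safe the same logic runs over the Transaction Service or log-decoded events, keyed by the three event names above.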
Dev identity & insider risk Green 0 16 of 16
RD-F-117 gray ENS/NameStone identity bound to deployer Compound: Deployer 5 (0x343715FA...) does not have an ENS name bound per Etherscan. Absence is expected and not adverse for an institutional/organizational deployment wallet.
RD-F-119 gray Commit timezone consistent with stated geography compound-finance GitHub org has no public members. Commit-time timezone analysis requires contributor-level metadata not accessible via public WebFetch. P2 factor; not assessed.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Compound Labs is a US-registered company with off-chain USD payroll for employees. On-chain COMP grants to Woof Software tracked through governance proposals. No on-chain payment stream routing to a DPRK-labeled cluster identified.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged ≥$1M real-capital social-engineering persona identified for Compound V3. Proposal 289 (Golden Boys, $24M COMP accumulation) was overt DAO governance — not a covert insider persona. July 2024 DNS attack was infrastructure-level, not a developer implant. No UNC4736-class long-dwell pattern found.
RD-F-111 green Team doxx status Founders Robert Leshner (5/5 doxxed: UPenn econ, CFA, multi-year media profile) and Geoffrey Hayes (4/5 doxxed: LinkedIn, GitHub/Exthereum history) are fully real-name verified. Current Woof Software dev team uses pseudonymous GitHub handles; depth ~2/5 for individual contributors.
RD-F-112 green Team public accountability surface Leshner has 8+ year verifiable public trail (conferences, media, FoundersPledge, regulatory filings). Hayes has 8+ year trail (GitHub, LinkedIn, startup co-founder record to 2011). Woof Software has agency-level accountability; individual contributor depth ~2/5.
RD-F-113 green Team other-protocol involvement history Leshner founded Superstate (RWA tokenized T-bills, 2023) after Compound Labs. Woof Software clients include Benqi, Silo, Ava Labs, Ronin — mainstream DeFi with no rug/exit-scam history. No adverse protocol history found.
RD-F-114 green Deployer address prior on-chain history Compound: Deployer 5 (0x343715FA797B8e9fe48b9eFaB4b54f01CA860e78) first tx ~Aug 2021; activity is exclusively Compound V3 protocol contract deployment. Last tx ~3 years 103 days ago. No rug-linked contracts or exploiter-labeled interactions.
RD-F-115 green Prior rug/exit-scam affiliation No team member linked to prior rug or exit-scam. The 2021 COMP distribution bug was a smart contract error (not an insider rug). The 2024 Golden Boys governance attack was external delegation accumulation, not insider activity. REKT incidents for compound-v3: none (data cache rekt.incidents: []).
RD-F-116 green Contributor tenure at admin-permissioned PR All Compound V3 parameter changes and upgrades route through GovernorBravo → 2-day Timelock → CometProxyAdmin. No individual contributor has unilateral admin-permissioned change capability. Woof Software contributors (DAO-granted May 2024) have ≥12 months tenure. OZ reviews all proposals.
RD-F-118 green Handle reuse across failed/rugged projects No handle reuse across failed/rugged projects for Leshner (@rleshner), Hayes, or known contributor handles. All maintain single consistent identity with no prior rugged project association.
RD-F-120 green Video-off/voice-consistency flag Robert Leshner has appeared in multiple video interviews (Fortune Apr 2024, DeFi conference talks). No video-off or voice-consistency flags identified for any team member.
RD-F-121 green Contributor OSINT depth score Leshner 5/5; Hayes 4/5; named Compound Labs team ~3/5; Woof Software individual contributors ~2/5 (pseudonymous GitHub handles). Weighted average for identified principals ~4/5 — predominantly doxxed by historical standard.
RD-F-123 green Sudden admin-rescue/ACL change without discussion All ACL-relevant changes route through GovernorBravo → 2-day Timelock → CometProxyAdmin — mechanically enforced, not a social norm. OZ reviews 180+ proposals annually. Community MultiSig can only pause markets, not change ACL. No stealth ACL changes found in 180-day lookback.
RD-F-124 green Deployer wallet mixer-funded within 30 days Compound Deployer 5 (0x343715fa797b8e9fe48b9efab4b54f01ca860e78) is publicly tagged on Etherscan as 'Compound: Deployer 5' and 'Funded By: Coinbase 23': the deployer EOA's first funding hop is a Coinbase-tagged hot wallet (US-regulated exchange, AML/BSA/OFAC compliant). The Coinbase funding predates the August 2022 CometProxyAdmin deploy by ~153 days, so no Tornado Cash or Railgun interaction is required to fund the deploy. A full 30-day-pre-deploy mixer trace was not separately audited beyond the address-page review; the green grade rests on the first hop being a US-regulated exchange rather than on a continuous-window mixer scan.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus Hop 1 from deployer: Coinbase 23 (US-regulated, definitively not DPRK-proximate). No secondary DPRK-linked flows found. Web search 'Compound Labs DPRK Lazarus North Korea' returned zero relevant hits. No OFAC SDN match. Compound Labs is US-domiciled with SEC-adjacent litigation history.
Fork / dependency lineage Green 11 10 of 10
RD-F-135 yellow Shared-library version with known-vuln status OZ 4.8.3 has GHSA-g4vp-m682-qqmp (CVE-2023-40014, Moderate/CVSS 5.3) affecting ERC2771Context with custom forwarder. Compound V3 does NOT use ERC2771Context — advisory is non-exploitable in Compound's usage. No high/critical CVE for OZ 4.8.3 in any Compound-relevant pattern.
RD-F-126 n/a Is-a-fork-of Compound V3 (Comet) is an original codebase, NOT a fork. GitHub repo shows no upstream fork reference. Architecture fundamentally different from V2: single-base-asset-per-market, isolated liquidation, direct collateral custody vs cToken model. BUSL-1.1 license confirms proprietary innovation.
RD-F-127 n/a Upstream patch not merged Not a fork; no upstream protocol from which patches could propagate.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not a fork; no upstream protocol to monitor for vulnerability disclosures.
RD-F-129 n/a Code divergence from upstream (%) Not a fork; no upstream fork point exists from which to measure code divergence.
RD-F-130 n/a Fork depth (generations from original audit) Not a fork; fork depth is not a meaningful metric for an original protocol.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork; Compound V3 has independent original audit coverage from OZ, ChainSecurity, and Certora — no upstream audit to retain.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork; original protocol with no upstream economic parameters to compare against.
RD-F-133 green Dependency manifest uses unpinned versions package.json pins @openzeppelin/contracts at exact version '4.8.3' (no caret or tilde). Security-critical library is exact-pinned. Dev tooling (hardhat ^2.22.17, ethers ^5.7.2) uses ^ ranges which is standard practice for non-deployed build tooling.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory for any Comet dependency (OZ 4.8.3, hardhat, ethers, TypeScript) found for January-April 2026. OZ Contracts has a stable release track with no supply-chain incidents in this trailing window.
Post-deploy hygiene & change mgmt Green 13 13 of 13
RD-F-137 yellow Upgrade frequency (per 90 days) Minimum 5 upgrades for cUSDCv3 proxy in trailing 90 days: March 17, April 4, April 25 (x2), April 26, 2026. Three upgrades in 48-hour window on April 25-26 structurally driven by Compound architecture (each parameter change via Configurator triggers new CometFactory deploy). Yellow threshold is 3-5 per 90 days.
RD-F-139 yellow Post-audit code changes without re-audit OpenZeppelin has active ongoing security partnership: 12 comprehensive audits in 2024; 7 governance proposal reviews in 2024; annual renewal via governance vote. New chain deployments follow structured process including OZ security review. Individual per-upgrade audit reports for April 2026 implementations not individually published/publicly accessible — per-upgrade traceability insufficient for green. Not red because OZ partnership materially mitigates risk and 2023 vulnerability was proactively patched before public disclosure.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) _disableInitializers() absent from compound-finance/comet (GitHub search: 0 results). Comet uses custom guard in initializeStorage(): 'if (lastAccrualTime != 0) revert AlreadyInitialized()'. Custom guard protects against re-running initializeStorage() but does not provide OZ-standard guarantee blocking all reinitializer(N) paths. If a future upgrade adds reinitializer(2), lastAccrualTime check would not catch it. Yellow (not red) because: (1) custom guard was in original 2022 OZ+ChainSecurity audited codebase, not flagged critical; (2) adequately covers primary attack vector; (3) OZ reviews each upgrade.
RD-F-146 yellow New contract deploys in last 30 days Four new implementation contracts deployed via CometFactory for cUSDCv3 in last 30 days: April 4, April 25 (x2), April 26, 2026. Yellow threshold is 3-5 new deploys in 30 days. Score yellow. cUSDCv3 only; other markets likely similar cadence.
RD-F-136 gray Deployed bytecode matches signed release tag Compound uses deployAndUpgradeTo pattern — each governance proposal triggers CometFactory to deploy a new implementation. No GPG-signed GitHub release tags found corresponding to April 2026 upgrades. GitHub last commit: 2025-12-19; on-chain upgrades continued through April 2026. One-to-one repo tag to deployed bytecode not practically achievable with this architecture. Gray because absence of signed tags is architectural, not evidence of mismatch.
RD-F-145 gray Deployed bytecode reproducibility Build: Solidity 0.8.15, optimizer_runs=1, via_ir=true (data cache confirmed). The via_ir=true compilation path routes through Yul IR, which can introduce toolchain-specific bytecode variation. Reproducibility theoretically possible with pinned settings but via_ir increases build non-determinism risk. No independent third-party reproducibility confirmation found in public evidence.
RD-F-168 gray Stale-approval exposure on deprecated router No explicitly deprecated V3 router contract identified. Compound V3 users interact directly with Comet proxy addresses — no intermediary router layer exists in the V3 architecture. The specific condition (deprecated router with stale approvals) does not apply to V3's direct-proxy architecture. V2 cToken contracts exist but V2 is not deprecated. Scored gray because factor condition is N/A for V3.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) All April 2026 upgrades appear to have executed via governance proposals through the Timelock (standard path). CometProxyAdmin.owner = Timelock; all upgrades flow through this chain. The 3-upgrade cluster on April 25-26 is consistent with a single governance proposal executing multiple sequential deployAndUpgradeTo calls. No hot-patch bypass identified.
RD-F-140 green Fix-merged-but-not-deployed gap No evidence of merged security fix not yet deployed. GitHub last commit 2025-12-19; on-chain upgrades continued April 2026 (governance latency, not fix-withholding). 2023 Comet vulnerability (flash loan COMP reward manipulation) patched before public disclosure, confirmed by Tally proposal 203 and Messari record showing bug bounty reward was approved. Data cache rekt.incidents = [].
RD-F-141 green Test-mode parameters in deploy No evidence of test-mode parameters in production. Governor = Timelock (not deployer EOA). Price feeds are live Chainlink production feeds (confirmed in data cache oracle_feeds array with production heartbeats and deviation thresholds). Optimizer_runs=1 is intentional for code size per Compound comet repo build config, not a test artifact. Protocol live 44 months.
RD-F-142 green Storage-layout collision risk across upgrades Compound V3 uses CometFactory to deploy entirely new implementation contracts (new addresses each time — not in-place UUPS modification). Storage layout compatibility critical across upgrades; OZ partnership includes upgrade compatibility review. No publicly documented storage layout collision found in 44 months. All observed upgrade implementation addresses are distinct.
RD-F-144 green CREATE2 factory permits same-address redeploy CometFactory deploys new implementations to new addresses each time (standard CREATE, not CREATE2-at-same-address). No selfdestruct + CREATE2 redeploy pattern. Each governance proposal triggers fresh CometFactory.deploy() producing a new contract address. Upgrade history confirms distinct implementation addresses across all upgrades.
RD-F-185 green Bridge rate-limiter / chain-pause as positive mitigant Not applicable. Compound V3 is a lending protocol, not an asset bridge. Cross-chain governance uses native L2 bridges for message-passing only; user assets are not bridged. No asset-bridge rate-limiter applicable to Compound's primary TVL. Community MultiSig can pause Comet markets (supply, transfer, withdraw, absorb, buy) — this is a protocol emergency pause, not a bridge rate-limiter. Absence of bridge rate-limiter does not penalize a non-bridge protocol.
Cross-chain & bridge Green 10 12 of 12
RD-F-148 yellow Bridge validator count (M) Compound does not maintain its own bridge validator set. Governance relay delegates to canonical L2 bridge validators (Arbitrum, Optimism, Polygon PoS). Validator count is outside Compound's control.
RD-F-149 yellow Bridge validator threshold (k-of-M) Threshold is determined by canonical L2 bridge models, not by Compound. Polygon PoS: 2/3+ validators. Arbitrum/Optimism: fraud-proof model (not k-of-M signature). Compound's effective threshold: trust canonical bridge delivery.
RD-F-150 gray Bridge validator co-hosting Compound inherits canonical L2 bridge validator co-hosting posture. Not independently assessable without per-bridge validator infrastructure deep-dive outside Compound's control.
RD-F-155 gray Bridge validator-set rotation recency Compound does not control bridge validator rotation schedules. Canonical L2 bridge governance is external. Not assessable within Compound's scope.
RD-F-156 gray Bridge uses same key custody for >30% validators Key custody for canonical L2 bridge validators is outside Compound's control. Cannot assess without per-bridge validator investigation.
RD-F-157 n/a Bridge TVL per validator ratio User funds do NOT cross chains via these bridges. Governance relay bridges carry governance messages only, not user TVL. TVL-per-validator metric does not apply to governance-relay bridges.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Protocol does not use LayerZero OFT. Data cache confirms layerzero.present: false. All cross-chain messaging uses native L2 bridges. F179 does not apply.
RD-F-147 green Protocol has bridge surface Bridge surface confirmed: 8 L2/alt-chain deployments use native bridge infrastructure for governance relay. Profile §7 flags has_bridge_surface: true.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — GREEN] Compound BridgeReceiver contracts do NOT use ecrecover. Message authentication delegates to canonical L2 bridges. BaseBridgeReceiver only checks rootMessageSender == govTimelock. OZ audit found 0 critical/high issues and no ecrecover in bridge path.
RD-F-152 green Bridge binds message to srcChainId Canonical L2 bridges bind messages to source chain by design. Compound inherits this protection. Local Timelock queuedTransactions mapping provides secondary replay barrier.
RD-F-153 green Bridge tracks nonce-consumed mapping BaseBridgeReceiver implements replay protection via local Timelock queuedTransactions mapping. Duplicate message delivery rejected because transaction hash already queued/executed. OZ audit reviewed and confirmed.
RD-F-154 green Default bytes32(0) acceptable as valid root [★ CRITICAL — GREEN] BridgeReceiver contracts do NOT validate Merkle roots. The Nomad bug pattern (bytes32(0) as valid root) is structurally absent — no root variable exists in the validation path.
Threat intelligence & recon Green 17 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol Lazarus Group / TraderTraitor (DPRK-attributed) deposited stolen rsETH into Compound V3 cWETHv3 on Apr 18 2026, borrowing ~$39M WETH. Attribution: LayerZero + Coindesk (>=2 sources, HIGH confidence). Within 30-day window. Tier-C advisory, does not flip grade. Attacker-as-user pattern, not developer/deployer DPRK linkage.
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) compoond.finance typosquat registered ~Mar 7, 2026 (49 days before 2026-04-27 assessment — within 90-day window). Used to redirect compound.finance traffic. Resolved. Previous incident Jul 2024. Two confirmed impersonation incidents in 21 months.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool and failed-tx monitoring not configured. No public reports of systematic failing-tx reconnaissance pattern against Compound V3 contracts prior to Apr 18. rsETH attack was primarily targeted at Kelp infrastructure.
RD-F-162 gray Known-exploit-template selector deployed by any address Selector-pattern index not maintained for Compound V3 lending class. No public reports of exploit-template contract deployment targeting V3's specific function-selector set in last 90 days.
RD-F-164 gray Leaked credential on paste/sentry site Paste monitoring not configured. No public reports of Compound V3 infrastructure credential leaks. Mar 2026 redirect incident resolved via credential rotation. No GitHub secret scanner alerts visible on public compound-finance/comet repo.
RD-F-165 gray Protocol social channel has scam-coordinator flag Curator scam-coordinator watchlist not configured. No public reports (ScamSniffer, Chainabuse) of Compound Discord/Telegram/comp.xyz admin flagged as scam coordinator. Mar 2026 incident was DNS-level redirect, not social channel compromise.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No active GHSA advisory for malicious release affecting OZ Contracts 4.8.3 or known compound-finance/comet dependencies. OpenZeppelin continuous security partnership provides ongoing advisory coverage.
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols Lending protocol peer class average reconnaissance time >30 days (78-day USPD pattern; 2024 Proposal 289 required multi-week COMP accumulation). Compound V3's clean exploit record (rekt.incidents: []) supports green class posture. Sufficient warning window if monitoring deployed.
Tooling / compiler / AI Green 8 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Deployed on solc 0.8.15 (confirmed via foundry.toml and Etherscan). Contains CalldataTupleReencodingHeadOverflow bug (medium severity, fixed in 0.8.16) which affects BOTH via-IR and legacy pipelines. Configurator.sol passes structs as calldata (setConfiguration, addAsset) potentially satisfying trigger. Functions are governance-restricted (Timelock-only), substantially reducing exploitability.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Compound V3 is an original codebase with no audited upstream to compare bytecode against. AI-copy risk factor is moot for a non-fork protocol.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub commits (latest: ed6ebcd 'Current dev (#1060)' 2025-12-19 by MishaShWoof; prior by dmitriy-woof-software and others) show no AI-tool co-authorship trailers. No 'Co-authored-by: GitHub Copilot' or equivalent AI attribution in visible commit history.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Compound Labs or Comet contributors of AI-generated Solidity in security-critical paths. Protocol follows traditional write-audit-review-deploy workflow with OZ as dedicated security partner. No AI disclosure in GitHub repo, docs, or forum posts.
RD-F-174 green Dependency tree uses EOL Solidity version Solidity 0.8.15 is within the actively maintained 0.8.x series which received patches through 0.8.29+ in 2025. No EOL declaration for any 0.8.x release by the Solidity team. Not EOL, though not the latest minor version.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No explicit acknowledgment-time SLA (e.g., 72h) published on Immunefi program, compound-security-policies repo, or docs.compound.finance. Immunefi Category 3 implies coordinated disclosure window but no specific acknowledgment time stated.
RD-F-175 green Disclosure channel exists Immunefi bug bounty active (launched 2024-12-11): 254 assets in scope, $1M critical cap. Security email security@compound.finance. 2023 vulnerability disclosed, patched, bounty rewarded — active monitoring confirmed.
RD-F-177 green Prior known-ignored disclosure No evidence of a disclosed vulnerability reported to Compound V3 and not actioned before exploitation. 2023 Comet vulnerability: disclosed, patched, bounty awarded. V2 2021 bug: governance-introduced, not a prior-disclosure-ignored scenario.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory issued against Compound V3 (Comet) as of 2026-04-27. 2023 vulnerability handled as coordinated disclosure without formal CVE/GHSA filing. No NVD results for compound-v3.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol compound-v3