defirisk.co
rubric v1.7.0

Concrete

ERC-4626 multi-strategy yield vault infrastructure by Blueprint Finance. Factory-based deployment model: ConcreteFactory (UUPS proxy) deploys per-asset upgradeable VaultProxy instances (EIP-1967 transparent proxy). Vault types: Standard, Async (queue-based withdrawals), Pre-deposit, Bridged. Capital is allocated across external yield strategies (Aave, Compound, Morpho, Silo, Radiant) via a role-gated Allocator. Role-based access control (Vault Manager, Strategy Admin, Hook Manager, Allocator roles). No governance token, no DAO, no on-chain Governor or Timelock identified. The factory owner (a 3-of-5 Safe multisig) controls upgrade authority over all vaults. Bug bounty: $250K USDC program hosted on Cantina plus a self-hosted GitHub repo (no Immunefi). Audited by Halborn (multiple engagements, 2024-2026), Code4rena (Nov 2024), Zellic (Jun 2025), and Cantina (Feb 2026). Current TVL ~$990M across Ethereum (86.5%), Stable Network, Berachain, Arbitrum. Developed and operated by Blueprint Finance.

Sector evm_yield_vault
TVL $989.8M
Reviewed May 17, 2026
Factors 184
Categories 13
Risk score 20.0
Deployments: Ethereum · $50.1M
01

Risk profile at a glance

Category ratings: 0 red · 3 yellow · 10 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 14 25 of 25
RD-F-009 red Formal verification coverage No formal verification engagement found in any audit listing (docs.concrete.xyz/audits/ has 27+ entries; none are Certora, Halmos, Kani, or equivalent FV tools). GitHub repo has no spec/ directory for FV. Halborn and Cantina use manual plus automated traditional auditing, not formal proof. Red: 0% formal verification coverage.
RD-F-001 yellow Audit scope mismatch Cantina Feb 20, 2026 audit covers V2 Core at an unstated commit (PDF is binary-only). Factory upgraded March 19, 2026 (tx 0xb0fcfafe, block 24,692,293) to impl 0x224f3450, 27 days after the Cantina audit. No audit explicitly covers the upgraded factory impl post-March 19. Halborn Apr 2026 component audits (Position Helper, Hurdle Rate) do not cover the factory upgrade. Yellow: bytecode match between the audit commit and the deployed impl is not confirmed; the material gap is limited to the factory; CONTRIBUTING.md requires audited code on the main branch; the upgrade was executed via the 3-of-5 Safe multisig, suggesting a controlled process.
RD-F-002 yellow Audit recency Most recent component audit: Halborn Hurdle Rate Apr 22 2026 (25 days ago). Most recent comprehensive V2 Core: Cantina Feb 20 2026 (86 days ago). ConcreteFactory last audited at impl level: Halborn Oct 10 2025 (219 days ago). Yellow: factory scope exceeds the 180-day yellow threshold, but recent component audits keep the overall cadence active.
RD-F-007 yellow Bug bounty presence & max payout Cantina $250,000 USDC bug bounty is active for Concrete, targeting core vault infrastructure, strategy integrations, and withdrawal safety. No Immunefi program (HTTP 404). The $250K total pool is below the ≥$500K green threshold. Per-severity maximum payout not publicly specified. Yellow ($50K–$499K effective range; scope covers core contracts).
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Cantina $250K USDC bug bounty scope stated as 'universal yield infrastructure, strategy integrations, supporting libraries' and 'core contracts of Concrete'; this description encompasses the highest-TVL contracts (ConcreteStandardVaultImpl, ConcreteFactory). However, no explicit per-contract address enumeration in the Cantina scope definition was found publicly. The GitHub self-hosted repo (concrete-earn-v2-bug-bounty) exposes V2 core source but no explicit scope list. Yellow: scope description covers core contracts but lacks explicit per-address confirmation that the $857M Ethereum vaults are in scope.
RD-F-010 gray Static-analyzer high-severity count No direct Slither/Mythril run available (src/ files return HTTP 404 on GitHub raw). Halborn V2 audits found 0 critical/high/medium findings for V2 deployed code, suggesting a clean static-analysis result, but this cannot be confirmed via an independent tool run. Marked gray pending tool run.
RD-F-011 gray SELFDESTRUCT reachable from non-admin path Cannot run the Slither suicidal detector; source files inaccessible via WebFetch (HTTP 404 on raw GitHub src paths). EIP-6780 restricts SELFDESTRUCT effectiveness post-Cancun; the OZ 5.2.0 pattern does not use SELFDESTRUCT. Needs tool run for confirmation.
RD-F-012 gray delegatecall with user-controlled target Cannot confirm absence of user-controlled delegatecall without a Slither run. Architecture.md describes UUPS delegatecall as the internal OZ standard pattern only. No audit finding flagged this issue. Needs tool run.
RD-F-013 gray Arbitrary call with user-controlled target Hook system uses role-gated external calls (Hook Manager Admin role). Strategy calls are factory-approved. No audit finding flagged arbitrary external call. Cannot confirm without Slither. Needs tool run.
RD-F-016 gray Divide-before-multiply pattern No Slither divide-before-multiply output available. No audit finding flagged this issue in any V2 engagement. Needs tool run.
RD-F-017 gray Mixed-decimals math without explicit scaling Cannot inspect cross-decimal arithmetic paths without source access. OraclePlug.sol in V1 scope handles price normalization. No audit finding flagged mixed-decimal math. Needs tool run.
RD-F-018 gray Signed/unsigned arithmetic confusion Cannot confirm absence without tool run. Solidity 0.8.x default overflow protection reduces risk. No audit finding flagged signed/unsigned confusion. Needs tool run.
RD-F-019 gray ecrecover zero-address return unchecked The ERC-4626 vault pattern does not typically use ecrecover in core vault logic. Architecture.md does not describe signature verification. Cannot confirm without source inspection. Needs tool run.
RD-F-003 green Resolved-without-proof findings Halborn V2 Standard: 100% of findings addressed (remediation commit 4f64163). Halborn V2 Async: 100% addressed (remediation 01a030b, 92b192f). Halborn V1: 100% addressed. Money Printer: 100% addressed. Earn Diff: 100% addressed. No unverifiable resolutions identified.
RD-F-004 green Audit count V2 deployed code covered by: Halborn (multiple V2 engagements 2025-2026), Cantina (Feb 2026 V2 Core), Zellic (Jun 2025 EVM audit). V1 also covered by Code4rena (Nov 2024). Minimum 3 distinct firms across the full codebase lineage; 2 distinct firms (Halborn + Cantina) for currently-deployed V2 code. Green (≥2 firms).
RD-F-005 green Audit firm tier Zellic (Tier-1 per taxonomy firm-tier registry) has audited Concrete (Jun 2025 EVM audit, found in Zellic publications index). Cantina qualifies as a top-tier competitive platform. Halborn is Tier-2. At least one Tier-1 firm (Zellic) has covered deployed code. Green.
RD-F-006 green Audit-to-deploy gap Halborn V2 Standard (report Oct 10, 2025) to ConcreteFactory deploy (Oct 17, 2025, block 21399154) = 7 days gap. Cantina V2 Core (Feb 20, 2026) to March 2026 upgrade (Mar 19, 2026, block 24692293) = 27 days gap. Both within ≤60 day green threshold.
RD-F-008 green Ignored bounty disclosure No known incidents for Concrete or Blueprint Finance (Rekt: 0 incidents; hacksdatabase: 0 entries; data cache rekt.incidents=[]). No prior post-mortems exist. Green — no evidence of ignored bounty disclosure.
RD-F-014 green Reentrancy guard on external-calling functions Halborn V2 Async informational finding #9 flagged ReentrancyGuardUpgradeable initializer not invoked; addressed in remediation commits 01a030b and 92b192f. Post-remediation: reentrancy guard properly initialized. Green post-remediation.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Protocol handles ERC-20 tokens only (USDT, USDC, ETH-wrappers, WBTC). Code4rena scope explicitly covers ERC-20 variants (fee-on-transfer, rebasing, pausable) but not ERC-777/1155/721. No ERC-777 tokensReceived hook integration found. Green — not applicable to this protocol's token standard.
RD-F-020 green EIP-712 domain separator missing chainId OZ 5.2.0 EIP712Upgradeable includes chainId in domain separator by default. Multi-chain deployment (Ethereum, Arbitrum, Berachain) makes chainId binding critical — OZ 5.2.0 handles this correctly. No finding flagged chainId omission in any audit. Green.
RD-F-021 green UUPS _authorizeUpgrade correctly permissioned ConcreteFactory impl (0x224f3450): _authorizeUpgrade(address newImplementation) internal override onlyOwner — restricted to owner (3-of-5 Safe multisig via upgrade tx). No open upgrade path. Green.
RD-F-022 green Public initialize() without initializer modifier ConcreteFactory impl constructor confirmed: constructor() { _disableInitializers(); } — prevents re-initialization of implementation. ConcreteAsyncVaultImpl constructor confirmed: constructor(address factory) { _disableInitializers(); _grantRole(DEFAULT_ADMIN_ROLE, factory); }. Both use OZ _disableInitializers() pattern. initialize() is protected from being called directly on implementation. Green.
RD-F-023 green Constructor calls _disableInitializers() _disableInitializers() confirmed in constructors of both ConcreteFactory impl and ConcreteAsyncVaultImpl. Green.
RD-F-024 green Code complexity vs audit coverage Code4rena Nov 2024 (V1): 3,396 LOC over 14 days = 242 LOC/audit-day (well below 500 threshold). Halborn V2 Standard: 14 contracts over 14 days — adequate coverage ratio. Cantina Feb 2026: V2 Core at unstated LOC over unstated duration. Multiple engagements over distinct scopes. Complexity within credible audit coverage limits. Green.
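RD-F-001 above leaves the match between the audited commit and the deployed factory implementation unconfirmed. The following is an added example, not Concrete's, Halborn's or Cantina's tooling: it compares a locally compiled runtime bytecode with on-chain code after stripping the solc CBOR metadata trailer, whose IPFS hash changes with any comment or source-path difference and would otherwise cause a false mismatch. The bytecode strings are constructed for illustration; in practice the on-chain side comes from eth_getCode on the implementation address read from the EIP-1967 slot (the slot constant is the standard one, the helper that decodes it is assumed).

```python
"""Added example (not Concrete's own tooling): compare locally compiled runtime
bytecode with deployed code while ignoring the solc CBOR metadata trailer.
All byte strings below are constructed for illustration, not real contracts."""

# Standard EIP-1967 slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"


def impl_address_from_slot(word_hex: str) -> str:
    """eth_getStorageAt returns a 32-byte word; the address is its low 20 bytes."""
    word = bytes.fromhex(word_hex.removeprefix("0x").rjust(64, "0"))
    return "0x" + word[-20:].hex()


def strip_cbor_metadata(code: bytes) -> bytes:
    """solc appends a CBOR map (ipfs/bzzr hash, solc version, ...) followed by a
    2-byte big-endian length of that map. Strip both if the trailer looks like
    one; otherwise return the code unchanged."""
    if len(code) < 2:
        return code
    cbor_len = int.from_bytes(code[-2:], "big")
    if cbor_len == 0 or cbor_len + 2 > len(code):
        return code
    cbor = code[-(cbor_len + 2):-2]
    # solc emits a small CBOR map (major type 5, 1 to 3 keys): 0xa1..0xa3
    if cbor[0] not in (0xA1, 0xA2, 0xA3):
        return code
    return code[: -(cbor_len + 2)]


def same_code(local_runtime_hex: str, onchain_hex: str) -> bool:
    """True when the two runtime bytecodes agree except for metadata."""
    local = strip_cbor_metadata(bytes.fromhex(local_runtime_hex.removeprefix("0x")))
    onchain = strip_cbor_metadata(bytes.fromhex(onchain_hex.removeprefix("0x")))
    return local == onchain


def solc_trailer(ipfs_multihash: bytes, solc_version=(0, 8, 27)) -> bytes:
    """Build a solc-shaped trailer for the constructed samples:
    a2 64 'ipfs' 58 22 <34 bytes> 64 'solc' 43 <3 bytes> + 2-byte length (0x0033)."""
    assert len(ipfs_multihash) == 34
    cbor = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + ipfs_multihash
            + b"\x64solc" + b"\x43" + bytes(solc_version))
    return cbor + len(cbor).to_bytes(2, "big")


# Constructed samples (a short EVM-looking prefix, not a real contract).
CODE = bytes.fromhex("6080604052348015600e575f5ffd5b50")
LOCAL_ARTIFACT = (CODE + solc_trailer(b"\x12\x20" + bytes(32))).hex()
ONCHAIN_SAME_CODE = (CODE + solc_trailer(b"\x12\x20" + bytes(range(32)))).hex()   # same code, other metadata
ONCHAIN_DIFF_CODE = (CODE[:-1] + b"\x51" + solc_trailer(b"\x12\x20" + bytes(32))).hex()  # one opcode changed


if __name__ == "__main__":
    print("same code, different metadata:", same_code(LOCAL_ARTIFACT, ONCHAIN_SAME_CODE))
    print("different code:", same_code(LOCAL_ARTIFACT, ONCHAIN_DIFF_CODE))
```

Because the raw hex of the two matching samples differs, a naive string comparison would report a mismatch; stripping the trailer is what makes an "Exact Match" on Etherscan comparable to a local build of the audited commit.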
Governance & admin Yellow 43 24 of 24
RD-F-032 red Timelock duration on upgrades No timelock on upgrades. ConcreteFactory upgrades execute immediately via Safe execTransaction with 0 delay. Data cache timelock_address=null. All 26 Safe transactions are direct execTransaction calls with no TimelockController interactions. The factory owner can upgrade vault implementations in a single Safe execution.
RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action. ConcreteFactory approveImplementation, blockImplementation, and factory upgrade are all gated only by onlyOwner (the 3-of-5 Safe) with no timelock modifier. VaultProxy upgrades execute immediately. No emergency pause with timelock. No oracle config function in ConcreteFactory (oracles are at strategy level).
RD-F-034 red Guardian/pause-keeper distinct from upgrader No guardian or pause-keeper role identified. ConcreteFactory has no pause() function. VaultProxy has no pause mechanism. The Allocator role can halt fund routing but is not a protocol-level pause guardian distinct from the upgrader. No separate pause-keeper address found.
RD-F-040 red Emergency-veto multisig present No emergency-veto multisig identified. The 3-of-5 Safe is the sole admin entity. No separate guardian with veto authority over malicious proposals. A malicious upgrade would have no independent veto mechanism.
RD-F-025 yellow Admin key custody type ConcreteFactory owner is a 3-of-5 Gnosis Safe (0xdc29BD10CB9000dffBb5aAcD30606c66f07c866C, Safe 1.4.1). VaultProxy admin is the ConcreteFactory. No timelock interposed. Pattern: multisig without timelock; yellow by rubric (multisig present but no delay).
RD-F-026 yellow Upgrade multisig signer configuration (M/N) 3-of-5 Safe multisig controls factory upgrade authority. Signers: 0x607E77a952ddbe942b49D2e18592CEBeb4ebC0C6, 0x266Bf5eDB37C45CEcab12907f7F8983de674Fd7A, 0x0252556e0fA9722F389C2bda58D8754D7145bFAC, 0x4767c164333E0745B658e077c4046bbc9DbF9472, 0xd5F9ce3BBCb6877488335d1CA0c2180e842bb2b8.
RD-F-028 yellow Low-threshold multisig vs TVL 3-of-5 Safe threshold for ~$990M TVL. Any 3 of 5 signers can upgrade all vaults with no timelock delay; at ~$990M that is roughly $330M of TVL per required signer, i.e. a drain risk for any compromised or colluding trio. Peer norm for protocols >$500M TVL is 4-of-7 or 5-of-8. 3-of-5 is at the low boundary but not catastrophically low (2-of-3 or 1-of-3 would be red).
RD-F-031 yellow Signer rotation recency Safe has nonce=26 with 26 executions since Oct 2025 (~7 months). No explicit signer rotation (addOwner/removeOwner/changeThreshold) events observed in accessible tx history. Signer set appears stable. However, the signer set was only established ~7 months ago (Oct 2025) with no prior rotation history available.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Factory-level roles not fully separated: the 3-of-5 Safe (factory owner) controls both upgrade authority and high-level fee configuration. Per-vault roles (VAULT_MANAGER, ALLOCATOR, STRATEGY_MANAGER) are distinct from the factory owner at the vault level, but role holders are not confirmed. Partial separation: vault-level roles exist but the factory owner retains combined upgrade+fee power.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock No explicit rescue/emergencyWithdraw function in ConcreteFactory or VaultProxy. However, the factory owner (3-of-5 Safe) can approveImplementation for a malicious vault impl and immediately upgrade any VaultProxy, which is equivalent to unrestricted fund extraction with no timelock. The absence of an explicit rescue function keeps this factor out of red, but the upgrade-as-drain vector is the structural concern captured in F032/F033.
RD-F-029 gray Multisig signers co-hosted Five Safe signer addresses identified (0x607E77..., 0x266Bf5..., 0x0252556e..., 0x4767c164..., 0xd5F9ce3B...) but no public identity attestations found for any. Cannot assess ASN/datacenter co-hosting without signer identity or an OSINT trace.
RD-F-030 gray Hot-wallet signer flag Five signer addresses identified, but hot-wallet behavioral analysis (on-chain tx pattern, signing cadence) was not performed. Cannot assess hot-wallet status without a per-address tx history review.
RD-F-036 n/a Flash-loanable voting weight No governance token, no on-chain Governor, no Snapshot space. Admin control is via Safe multisig. Flash-loanable voting weight is structurally impossible by construction.
RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain governance with flash-loanable quorum. Not applicable by construction.
RD-F-038 n/a Proposal execution delay < 24h No governance proposal engine. Not applicable by construction.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No governance proposal execution engine. The AllocateModule uses delegatecall internally for strategy routing, but it is called by the Allocator role (not a public governance proposal path) and operates on pre-approved strategy contracts only. Not the delegatecall-in-proposal-execution pattern this factor measures.
RD-F-042 n/a Admin has mint() with unlimited max Concrete is an ERC-4626 yield vault factory with no protocol governance token and no admin-callable mint function. Vault shares are minted only on asset deposit (ERC-4626 standard). No unlimited admin mint capability exists.
RD-F-044 gray Admin wallet interacts with flagged addresses Five Safe signer addresses (0x607E77..., 0x266Bf5..., 0x0252556e..., 0x4767c164..., 0xd5F9ce3B...) and deployer EOA (0x1fa1c72a) not checked against mixer or flagged-address watchlists. Behavioral analysis requires a dedicated on-chain OSINT pass.
RD-F-045 gray Constructor args match governance proposal No public governance forum or proposal process exists. Vault deployments are executed by the Safe without public proposal artifacts. A constructor-args-vs-stated comparison is not possible without a governance proposal record.
RD-F-047 n/a Governance token concentration (Gini) No governance token exists. Governance power concentration cannot be measured as a Gini coefficient. Effective control concentration (3-of-5 Safe = any 3 signers control ~$990M) is captured in F028.
RD-F-027 green Single admin EOA ConcreteFactory owner is the 3-of-5 Gnosis Safe (0xdc29BD10CB9000dffBb5aAcD30606c66f07c866C), not a bare EOA. The March 19, 2026 factory upgrade was executed via the Safe's execTransaction — confirming Safe control of the factory since at least Oct 2025. Deployer EOA (0x1fa1c72a) is NOT the current factory owner.
RD-F-043 green Admin = deployer EOA after 7 days Not triggered. The ConcreteFactory has been under Safe control since at least October 2025 (Safe created 208 days ago; March 2026 upgrade executed by Safe). Deployer EOA (0x1fa1c72a) is not the current factory owner.
RD-F-046 green Contract unverified on Etherscan/Sourcify ConcreteFactory proxy (0x0265d73a) and implementation (0x224f3450) both verified on Etherscan with Exact Match status. VaultProxy (0x0e609b) verified. V2 factory launched Oct 2025 with verified source code (Solidity 0.8.27, optimizer 190 runs, viaIR false).
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts with material value found. V1 (Blueprint Finance Earn V1 / money-printer era) codebase appears fully migrated to V2. No V1 contract addresses with active TVL identified in Etherscan or DefiLlama.
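RD-F-032 and RD-F-033 rest on the observation that every Safe execution targets the factory directly, with no TimelockController in the path. The following is an added example and not the defirisk pipeline or Concrete code: it classifies a list of decoded Safe executions by function selector and target, and reports any proxy upgrade executed without a timelock schedule/execute pair. The selectors are the standard OpenZeppelin ones (note that OZ 5.x keeps only upgradeToAndCall); the transactions, addresses and the non-upgrade admin selector are constructed placeholders.

```python
"""Added example (not the defirisk pipeline or Concrete code): flag upgrade
calls that a Safe executed directly rather than through a TimelockController.
Sample transactions and addresses below are constructed placeholders."""

# 4-byte selectors of the OpenZeppelin functions of interest.
SELECTOR_NAMES = {
    "3659cfe6": "upgradeTo(address)",                # UUPSUpgradeable, OZ 4.x only
    "4f1ef286": "upgradeToAndCall(address,bytes)",  # UUPSUpgradeable / ERC1967
    "01d5062a": "TimelockController.schedule(address,uint256,bytes,bytes32,bytes32,uint256)",
    "134008d3": "TimelockController.execute(address,uint256,bytes,bytes32,bytes32)",
}
UPGRADE_SELECTORS = {"3659cfe6", "4f1ef286"}
TIMELOCK_SELECTORS = {"01d5062a", "134008d3"}

FACTORY_PROXY = "0x" + "fa" * 20   # placeholder, not the real ConcreteFactory address
TIMELOCK = "0x" + "71" * 20        # placeholder; Concrete has none (timelock_address=null)


def selector(data_hex: str) -> str:
    """First 4 bytes of calldata as lowercase hex without 0x."""
    return data_hex.removeprefix("0x").lower()[:8]


def classify(tx: dict) -> str:
    """tx is the inner call a Safe executes: {'nonce', 'to', 'data'}.
    Returns 'direct_upgrade', 'timelock_op' or 'other'."""
    sel = selector(tx["data"])
    if sel in UPGRADE_SELECTORS:
        return "direct_upgrade"
    if sel in TIMELOCK_SELECTORS or tx["to"].lower() == TIMELOCK.lower():
        return "timelock_op"
    return "other"


def audit_safe_history(txs: list) -> dict:
    """Summarise a Safe's execution history: how many direct upgrades, whether a
    timelock appears anywhere in the path, and which nonces upgraded directly."""
    counts = {"direct_upgrade": 0, "timelock_op": 0, "other": 0}
    direct = []
    for tx in txs:
        kind = classify(tx)
        counts[kind] += 1
        if kind == "direct_upgrade":
            direct.append((tx["nonce"], tx["to"], SELECTOR_NAMES[selector(tx["data"])]))
    return {
        "counts": counts,
        "direct_upgrades": direct,
        "timelock_in_path": counts["timelock_op"] > 0,
    }


# Constructed history resembling the pattern the page describes: an immediate
# upgradeToAndCall on the factory proxy, an unrelated admin call, a token transfer.
DIRECT_HISTORY = [
    {"nonce": 0, "to": FACTORY_PROXY, "data": "0x4f1ef286" + "00" * 64},
    {"nonce": 1, "to": FACTORY_PROXY, "data": "0x11111111" + "00" * 32},   # placeholder non-upgrade admin selector
    {"nonce": 2, "to": "0x" + "ee" * 20, "data": "0xa9059cbb" + "00" * 64},  # ERC-20 transfer(address,uint256)
]

# Constructed contrast: the same upgrade routed through a TimelockController.
TIMELOCKED_HISTORY = [
    {"nonce": 0, "to": TIMELOCK, "data": "0x01d5062a" + "00" * 64},  # schedule(...)
    {"nonce": 1, "to": TIMELOCK, "data": "0x134008d3" + "00" * 64},  # execute(...) after minDelay
]


if __name__ == "__main__":
    print(audit_safe_history(DIRECT_HISTORY))
    print(audit_safe_history(TIMELOCKED_HISTORY))
```

On a real history the inner calls come from the Safe transaction service or from decoding the ExecutionSuccess/SafeMultiSigTransaction events; the classification step is the same.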
Oracle & external dependencies Green 6 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) Concrete is critically dependent on external yield strategy protocols: Aave v3, Compound v3, Morpho Blue, Silo Finance, Radiant Capital. These protocols hold the capital allocated by Concrete vaults. AllocateModule calls IStrategyTemplate.allocateFunds() / deallocateFunds() on strategy adapters that interact with these external protocols. If any strategy protocol is exploited or becomes insolvent, Concrete vault NAV is reduced proportionally to that strategy's allocation weight. Halborn V2 audit (Sep 2025) flagged 'Strategy removal allowed while holding allocated funds' as a Low finding (Risk Accepted), confirming no automatic exit on strategy failure. ~$990M TVS exposed.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) External strategy protocol (Aave, Morpho, Silo) exploit: vault loses NAV proportional to allocation; the Allocator must manually deallocate, there is no automatic exit. Halborn V2 finding 'Strategy removal allowed while holding allocated funds' (Low, Risk Accepted) confirms this. (2) ConcreteFactory compromise: all vaults upgradeable to a malicious implementation instantly; no timelock (confirmed under F032). (3) LayerZero pre-deposit path failure: ~$120M in pre-deposit/destination-chain positions stranded if PredepostVaultOApp or the LayerZero endpoint fails; not permanent loss but significant operational impact. (4) Strategy self-reporting failure (totalAllocatedValue() returns an incorrect value): vault NAV miscalculated until the next Allocator intervention. (5) AllocateModule failure: new allocation calls revert; withdrawal from unallocated idle capital still works.
RD-F-062 yellow External keeper/relayer not redundant Concrete's pre-deposit vault system (ctStableUSDT and ctStablefrxUSD vaults on Ethereum, ~$70.5M Stable Network + ~$49.9M Berachain positions) depends on a single LayerZero message-passing path for share claim delivery. PredepostVaultOApp.sol (inherits OAppUpgradeable) calls _lzSend() to transmit claim messages to Stable Network / Berachain. ShareDistributor.sol on destination chains receives via _lzReceive() and distributes shares. No secondary messaging path confirmed. If the LayerZero endpoint becomes unavailable, fees cannot be paid, or the OApp is misconfigured, ~$120M in pre-deposit/destination assets cannot complete claim delivery. The Stable vault docs confirm the burn-and-mint claim process but do not describe fallback mechanisms.
RD-F-181 n/a Permissionless-pool lending oracle Concrete is not a lending protocol. It is an ERC-4626 yield vault aggregator with no lending market, no collateral, no borrow function, and no isolated-tier oracle configuration. The permissionless-pool lending oracle failure mode (accepting spot prices from user-created DEX pools as collateral for borrowing) does not apply. Data cache confirms borrow.present: false.
RD-F-048 green Oracle providers used No oracle providers are directly consumed by Concrete's vault contracts (ConcreteStandardVaultImpl, AllocateModule, BaseStrategy). The 19 Chainlink feeds in the data cache belong to external strategy protocols (Aave, Compound, Morpho) consumed by those protocols' own contracts, not by Concrete. Architecture.md confirms totalAssets is a cached state variable updated by strategy yield reporting, not external price feeds. Data cache field oracle: null.
RD-F-049 green Oracle role per asset No oracle serves any role (primary, secondary, fallback) for any asset in Concrete's vaults. Share price is derived from strategy-reported yield via IStrategyTemplate.totalAllocatedValue(), aggregated in _previewAccrueYieldAndFees(). No price feed consulted for any asset.
RD-F-051 green Fallback behavior on oracle failure No oracle is used in Concrete's vaults, so oracle-failure fallback design is not applicable in the traditional sense. For strategy yield accounting, the cached totalAssets state is updated pre-operation by _accrueYield(); if a strategy's totalAllocatedValue() returns stale data, the vault uses cached state which does not auto-correct. No explicit circuit breaker on strategy yield reporting is present, but this is a strategy-failure risk (scored under F052), not an oracle-failure-fallback gap.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] GREEN. No spot DEX oracle exists in Concrete's vault logic. Share price is pure ERC-4626 cached totalAssets accounting driven by strategy-reported yields. ConcreteStandardVaultImpl.sol contains no oracle import, no latestAnswer(), no latestRoundData(), no TWAP call, no DEX pool price read. Halborn V2 audit (Sep 2025) found zero oracle-related findings. No flash-loan oracle manipulation attack vector exists in the deposit/withdraw/share-price path.
RD-F-054 green TWAP window duration No TWAP is used by Concrete vault contracts. External strategy protocols (Aave, Compound) use Chainlink spot-price feeds with heartbeat and deviation controls, but those are consumed by the strategy protocols' own contracts, not by Concrete's vault layer.
RD-F-055 green Oracle pool depth (USD) No DEX pool oracle is used by Concrete. Factor assesses underlying oracle pool depth — not applicable as no pool-based oracle exists in vault logic.
RD-F-056 green Single-pool oracle (no medianization) No single-pool oracle (or any pool oracle) is used by Concrete. The factor's medianization concern is not applicable — no pool-based oracle at all.
RD-F-057 green Circuit breaker on price deviation No price deviation circuit breaker needed — no price oracle in vault's value path. Strategy yield reporting could theoretically deliver erroneous values but this is a strategy-protocol risk (F052), not a price-deviation circuit-breaker gap.
RD-F-058 green Max-deviation threshold (bps) No max-deviation threshold configured — no price circuit breaker in Concrete's vault logic. Not applicable as no oracle is present.
RD-F-059 green Oracle staleness check present No oracle staleness check needed — no external oracle consumed by Concrete. The ERC-4626 totalAssets cache is updated pre-operation by _accrueYield() which calls strategy.totalAllocatedValue(). This is strategy-yield freshness (a strategy-protocol concern), not oracle staleness.
RD-F-060 green Chainlink aggregator min/max bound misconfig Concrete does not consume Chainlink aggregators. No minAnswer/maxAnswer misconfiguration risk in Concrete's own contracts. The 19 Chainlink feeds in data cache are consumed by external strategy protocols (Aave, Compound) — their aggregator configurations are a concern for those protocols' own risk assessments, not Concrete's.
RD-F-061 green LP token balanceOf used for pricing Concrete does not use LP token balanceOf for pricing. totalAssets aggregates IStrategyTemplate.totalAllocatedValue() calls — strategy-internal position values, not balanceOf of LP tokens. No donation-manipulable pricing mechanism present.
RD-F-180 green Immutable oracle address [★ CRITICAL — F180 PD-017 CANDIDATE, compose-counted] GREEN. No oracle address of any kind exists in Concrete's vault contracts — neither immutable, nor admin-replaceable. The 19 Chainlink feed addresses in the data cache belong to external strategy protocols (Aave, Morpho, Silo) consumed by those protocols' own contracts. Concrete's vault bytecode (ConcreteStandardVaultImpl, AllocateModule, BaseStrategy) contains zero oracle address constants, no oracle interface imports, and no oracle function calls. There is nothing to be immutable. Source inspections of all three core contracts confirmed. Halborn V2 audit (Sep 2025) found zero oracle-related findings in the audited scope.
Economic risk Yellow 25 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) Ethereum chain holds 86.54% of total TVL ($857.7M of $991M). Single-day 4x TVL jump on 2025-02-14 (from $139M to $598M) indicates likely whale concentration. Wallet-level depositor concentration across 40+ vault contracts was not computed in this session. Yellow: chain-level concentration is high and the step-change pattern is a strong circumstantial whale indicator; wallet-level data gap confirmed.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) Concrete uses a custom conversion library (Conversion.sol) rather than OZ's built-in _decimalsOffset() virtual-share mechanism. The library explicitly implements a +1 virtual offset, documented inline as '// setting uint256 decimalsOffset = 0; // + 10 ** decimalsOffset = 1'. Both calcConvertToShares and calcConvertToAssets add +1 to numerator and denominator. This is equivalent to OZ's _decimalsOffset()=0 (minimal protection). With decimalsOffset=0 the inflation-attack cost scales with only 1 unit of virtual backing, a minimal deterrent for empty vaults at launch. OZ 5.2.0 is imported, but the _convertToShares/_convertToAssets overrides bypass OZ's built-in virtual shares entirely. Halborn Sep 2025 audit found no finding on this. Yellow: offset present but minimal (0-decimals equivalent); does not meet the 'OZ >=4.9 recommended _decimalsOffset>=6' bar.
RD-F-075 yellow First-depositor / share-inflation guard No seed deposit at vault initialization. No dead-shares burn on deploy. The deposit() function enforces minDepositAmount (from getDepositLimits()), but this prevents zero-value deposits, not first-depositor inflation attacks. The +1 virtual offset from Conversion.sol provides partial mathematical protection: with decimalsOffset=0 the attacker can no longer profit from the donation, but griefing a small or newly launched vault (zeroing out an early depositor's shares at the cost of part of the donation) remains affordable. ConcreteAsyncVaultImpl (inherits from ConcreteStandardVaultImpl) adds no additional first-depositor guard. Yellow: partial mitigation via +1 offset; no strong first-depositor guard mechanism.
RD-F-065 gray Liquidity depth per major asset Concrete is a yield-vault aggregator, not a DEX or perps protocol. The standard 2%/5% DEX slippage liquidity-depth metric does not apply. Yield-vault redemption-queue liquidity depends on utilization rates of the external strategy protocols (Aave, Compound, Morpho, Silo, Radiant). A redemption-queue liquidity model reading per-strategy utilization has not been implemented in the current pipeline. Cannot assess without this tooling.
RD-F-066 n/a Utilization rate (lending protocols) Lending-specific factor. Concrete is an ERC-4626 yield vault factory with no borrow markets. Per PD-024 taxonomy §Cat 4 applicability: utilization rate is lending-only; N/A for yield vault protocols.
RD-F-067 n/a Historical bad-debt events Lending-specific factor. Concrete does not issue loans or hold collateral positions. No bad-debt socialization mechanism exists. Per PD-024: N/A for non-lending protocols.
RD-F-068 n/a Collateralization under stress Lending-specific factor. No collateral/debt ratio exists in Concrete's architecture. Per PD-024: N/A for non-lending protocols.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Lending-specific / stablecoin-issuer factor. Concrete does not issue a stablecoin. Per PD-024: N/A for non-lending/non-stablecoin protocols.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) [★ CRITICAL] NOT APPLICABLE. Concrete is an ERC-4626 yield vault factory, not a Compound V2 fork. No cToken-style markets with zero supply/borrow exist. Per taxonomy §Cat 4 applicability: F070 is Compound-fork-only; N/A for non-Compound-fork protocols. Profile §11 explicitly pre-marks this N/A. No critical red fires.
RD-F-071 n/a Seed-deposit requirement for new market listing Lending-specific factor. Concrete vaults are factory-deployed; there is no market-listing governance process requiring seed deposits. Per PD-024: N/A.
RD-F-072 n/a Market-listing governance threshold Lending-specific factor. No market-listing governance exists in Concrete. Per PD-024: N/A.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Lending-specific factor. No per-asset borrow caps exist. Concrete is not a lending protocol. Per PD-024: N/A.
RD-F-063 green TVL (current + 30d trend) Current TVL ~$991M (data cache 2026-05-17T14:05:58Z; DefiLlama HTML confirms ~$989.77M same-day). 30d change -8.4%; 90d CoV 12.8% (mean $963.8M, std $123.8M). Protocol grew from $139M at Feb 2025 launch to ~$1.06B peak in ~15 months. Size and growth trajectory are strong; short V2 operating history (~7 months). Green: TVL current and trend are well above coverage threshold; no acute decline.
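The +1 virtual offset discussed under RD-F-074 and RD-F-075 is easiest to judge numerically. The following is an added example and not Concrete's Conversion.sol: a toy ERC-4626 accounting model with OpenZeppelin-style virtual shares, run through the first-depositor attack at decimalsOffset 0 (the page's +1 case) and at the recommended offset 6. It assumes the attacker's donation is reflected in totalAssets, which is the classic precondition for this attack; RD-F-061 notes that Concrete's totalAssets is a cached value updated from strategy reporting, so whether that precondition holds for a given vault is a separate question this model does not answer.

```python
"""Added example (not Concrete's Conversion.sol): simulate the ERC-4626
first-depositor inflation attack under a virtual-share offset. Offset 0 is
the +1 numerator/denominator case RD-F-074 describes; offset 6 is the OZ
recommendation. Assumes the donation is reflected in totalAssets."""


def to_shares(assets, total_assets, total_supply, offset):
    """OZ-style conversion: 10**offset virtual shares, one virtual asset, round down."""
    return assets * (total_supply + 10 ** offset) // (total_assets + 1)


def to_assets(shares, total_assets, total_supply, offset):
    return shares * (total_assets + 1) // (total_supply + 10 ** offset)


class ToyVault:
    """Minimal ERC-4626 accounting in integers; no real tokens involved."""

    def __init__(self, offset):
        self.offset = offset
        self.total_assets = 0
        self.total_supply = 0
        self.shares = {}

    def deposit(self, who, assets):
        minted = to_shares(assets, self.total_assets, self.total_supply, self.offset)
        self.total_assets += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets):
        """Assets sent straight to the vault: raises totalAssets, mints no shares."""
        self.total_assets += assets

    def redeem(self, who, shares):
        out = to_assets(shares, self.total_assets, self.total_supply, self.offset)
        self.shares[who] -= shares
        self.total_supply -= shares
        self.total_assets -= out
        return out


def min_donation_to_zero_victim(victim_deposit, offset):
    """After the attacker's 1-wei deposit (supply = 10**offset, assets = 1) the
    victim mints V * 2 * 10**offset // (D + 2) shares, which is 0 exactly when
    D >= 2 * V * 10**offset - 1."""
    return 2 * victim_deposit * 10 ** offset - 1


def simulate_attack(victim_deposit, offset):
    """Attacker deposits 1 wei, donates the minimum that zeroes the victim's
    shares, then redeems. Returns the victim's outcome and the attacker's P&L."""
    vault = ToyVault(offset)
    vault.deposit("attacker", 1)
    donation = min_donation_to_zero_victim(victim_deposit, offset)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    attacker_out = vault.redeem("attacker", vault.shares["attacker"])
    return {
        "donation": donation,
        "victim_shares": victim_shares,
        "victim_loss": victim_deposit if victim_shares == 0 else 0,
        "attacker_pnl": attacker_out - (1 + donation),
    }


if __name__ == "__main__":
    one_usdc = 10 ** 6  # 6-decimal token unit, constructed input
    for off in (0, 6):
        print(f"offset={off}:", simulate_attack(one_usdc, off))
```

With offset 0 the attacker spends about 2 units to destroy 1 unit of a victim's deposit and gets half of that back, so the attack is a loss for the attacker but cheap as griefing; with offset 6 the same griefing costs roughly a million times the victim's deposit, which is why the larger offset is the recommended bar and why a seed deposit or dead-shares burn is the usual complement.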
Operational history Green 9 15 of 15
RD-F-076 yellow Protocol age (days) Protocol earliest live date ~Q4 2024 (V1; Code4rena Nov 2024 contest confirms V1 was in production). V2 factory deployed October 2025 (Etherscan block 21399154). As of 2026-05-17 this is ~16 months from earliest live date. At 16 months live with ~$990M TVL, the protocol has not yet crossed the ~24-month threshold typically associated with a green on protocol age for a core-five factor at this TVL scale.
RD-F-084 yellow TVL stability (CoV over 90d) Pipeline-computed 90-day CoV: 0.1284 (mean $963.8M, std $123.8M). The TVL series shows large step inflows at protocol milestones (e.g. ~330% jump from ~$138M to ~$598M in one week in Feb 2025 coinciding with vault launches), not adverse-event exits. CoV of ~12.8% is moderate: not alarming for a protocol actively onboarding new vaults and chains, but above the near-zero CoV of a mature, stabilised protocol.
RD-F-089 yellow Insurance coverage active No active insurance cover (Nexus Mutual, Sherlock, Unslashed, or equivalent) found for Concrete / Blueprint Finance at ~$990M TVL. Nexus Mutual's entire capital pool is ~$200M, making full coverage structurally unavailable at this TVL scale. Protocol has Hypernative real-time monitoring and ZeroShadow emergency pause as operational mitigants, but these are monitoring/response tools, not insurance. Yellow rather than red because market capacity is structurally limited at this TVL scale.
RD-F-081 n/a Post-exploit response score No prior exploits exist; post-exploit response scoring requires an incident to score against. Not applicable by construction.
RD-F-082 n/a Post-mortem published within 30 days No prior exploits; no post-mortem scenario exists. Not applicable by construction.
RD-F-083 n/a Auditor re-engaged after last exploit No prior exploits; no post-exploit re-audit scenario. Not applicable by construction.
RD-F-085 n/a Incident response time (minutes) No incidents exist; incident response time cannot be measured. Not applicable by construction.
RD-F-077 green Prior exploit count Zero exploits found. Proprietary hacksdatabase grep for 'concrete' and 'blueprint' (case-insensitive) returned no matching incident files. Data cache rekt.incidents is empty. rekt.news leaderboard and DefiLlama hacks database contain no entries for Blueprint Finance or Concrete as of 2026-05-17.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Derives from F077: zero prior exploits. Chronic flag (>=3 incidents) does not apply.
RD-F-079 green Same-root-cause repeat exploit Zero prior incidents; same-root-cause repeat exploit cannot apply. Factor trivially satisfied.
RD-F-080 green Days since last exploit No exploits on record; there is no 'last exploit' to measure days from. Green by default given incident-free history.
RD-F-086 green Pause activations (trailing 12 months) No public record of deliberate pause activations. ZeroShadow emergency pause controls are in place (concrete.xyz/enterprise) and Hypernative monitors vault activity for anomalous behavior, but no pause activation events have been documented publicly as of 2026-05-17. Protocol upgrades (March 2026 factory, May 2026 vault) are normal upgrades, not emergency pauses.
RD-F-087 green Pause > 7 consecutive days No extended pause detected. TVL time series (data cache) shows continuous operation with no zero-TVL gaps consistent with a multi-day halt. No public announcement of an operational pause found.
RD-F-088 green Re-deployed to new addresses in last year Protocol uses EIP-1967 transparent proxy pattern. Implementation upgrades are executed through the ConcreteFactory proxy (0x0265d73a), not by deploying new user-facing contract addresses. The factory proxy address has been unchanged since October 2025. Vault proxy addresses are also unchanged. No full redeploy to new addresses in the last 12 months.
RD-F-166 green Deprecated contracts still holding value V1 to V2 migration was an in-place proxy upgrade, not a parallel deployment leaving V1 contracts independently holding user funds. Data cache coverage_flags.has_legacy_v1: false. No separate V1 protocol slug exists on DefiLlama. The V1 bytecode (superseded) is retired behind the EIP-1967 proxy; it is not independently callable. No deprecated contract with >$100K material TVL identified.
Real-time signals Green 17 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h TVL anomaly signal: T-09 v1 launch signal, fully applicable. Current TVL ~$991M (DefiLlama); 1d change +0.51%; 30d change -8.4% (gradual market-correlated). Threshold for firing: 30% drop in 1h vs 30d baseline — not breached today. However 90d CoV = 0.128 (mean $963.8M, std $123.8M per data cache) is elevated above what a stable mature protocol would show. Historical TVL series shows large step-changes (e.g., June 2025: ~$483M → ~$50M over a few days; September 2025: ~$118M → ~$949M) which appear to reflect vault-routing migrations or data artefacts rather than exploits, but would trigger false positives in a live F098 system without a pre-announcement allowlist. Score yellow: signal would not fire today but elevated CoV and structural step-change history indicate meaningful false-positive operational risk if this signal were live without protocol-specific change-management allowlists.
RD-F-090 gray Mixer withdrawal → protocol interaction Mixer→protocol signal applicable to this EVM protocol. No public evidence of mixer-funded depositors found via OSINT. Wallet-clustering attribution feed (Chainalysis or TRM) required for production signal — T-09 phase-2 signal infrastructure not yet deployed. Static assessment cannot verify; threshold requires 30-day mixer-withdrawal + >$100K protocol interaction + ≥2 attribution sources.
RD-F-091 gray Partial-drain test transactions Partial-drain test-transaction signal applicable to ERC-4626 vault infrastructure. No prior incidents recorded (rekt.incidents = []). Signal requires continuous block-scan with pre-strike pattern matching — not operational in static assessment. No test-tx patterns observed in available data.
RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer wallet (0x1fa1c72A48243E7C7D78f4b95D942D96A8d05588, labeled 'Concrete: Deployer') is the known admin EOA and has executed legitimate administrative actions (factory upgrade 2026-03-19, vault upgrade 2026-05-06). Static Etherscan data shows normal admin-tx pattern. Continuous mempool monitoring required for RT signal — not operational.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Abnormal gas-price willingness signal requires real-time mempool monitoring with per-wallet gas EMA baseline. Not operational in static assessment. Protocol is EVM-based and signal is applicable.
RD-F-094 gray New contract with similar bytecode to exploit template Similar-bytecode new-deploy sweep requires on-chain contract deployment monitoring and exploit-template database. ConcreteStandardVaultImpl and ConcreteFactory are public bytecode references that could be cloned. Not operational in static assessment.
RD-F-095 gray Known-exploit function-selector replay Exploit-replay selector pattern detection requires mempool monitoring and an exploit-template database. No prior exploit to provide a replay template for Concrete specifically. Signal applicable (EVM, ERC-4626 selectors). Not operational in static assessment.
RD-F-096 gray New ERC-20 approval to unverified contract from whale Whale ERC-20 approval to unverified contract requires continuous mempool + explorer monitoring and top-TVL-user tracking. Protocol is EVM-based with standard ERC-20 approval pattern for vault deposits. Not operational in static assessment.
RD-F-097 gray Sybil surge of identical-pattern transactions Sybil surge detection requires on-chain clustering analysis of deposit patterns. Protocol is EVM with ERC-4626 deposit entry point. Not operational in static assessment.
RD-F-099 gray Oracle price deviation >X% from secondary Oracle price deviation signal: T-09 phase-2 signal. Concrete has 19 Chainlink feed addresses in data cache, but their provenance is uncertain — oracle-dependency-analyst must confirm which feeds Concrete's contracts directly invoke vs. inherited from Aave/Compound/Morpho strategy integrations. No live deviation observed in public data today. Secondary-oracle mapping not yet implemented. Score gray pending (1) oracle provenance confirmation and (2) T-09 phase-2 infrastructure deployment.
RD-F-100 gray Flash loan >$10M targeting protocol tokens Flash-loan targeting signal: T-09 phase-2 signal. Applicable — protocol integrates with Aave v3 and Morpho Blue (both major flash-loan sources); ConcreteFactory and vault contracts are accessible to flash-loan receiver contracts. Per-block scan not operational in static assessment.
RD-F-101 n/a Large governance proposal queued Governance proposal signal: not applicable. Concrete has no on-chain Governor contract. Governance is EOA-admin-only (deployer EOA 0x1fa1c72a executes upgrades directly). No ProposalCreated or ProposalQueued events are emitted by any Concrete contract. Data cache confirms: governance.governor_address=null, governance.type='unknown', snapshot_space=null, governance.timelock_address=null. Admin transactions are detectable via RD-F-102 (admin tx in mempool) but not via governor event monitoring.
RD-F-102 gray Admin/upgrade transaction in mempool Admin/upgrade tx in mempool: T-09 phase-2 signal. Maximally applicable — Concrete has no timelock; deployer EOA (0x1fa1c72a) executes upgrades directly. Factory upgraded 2026-03-19; vault 0x0E609b upgraded ~2026-05-06. Had mempool monitoring been live, both events would have met F102's detection criteria. Signal gap is structurally significant for this protocol. Mempool listener not operational in static assessment.
RD-F-103 n/a Bridge signer-set change proposed/executed Bridge signer-set change signal: not applicable. Concrete does not operate a bridge with a signer set. Pre-deposit vaults bridge to Berachain/Stable Network via an external (unidentified) mechanism, but that is not a Concrete-controlled bridge. Data cache confirms layerzero.present=false. No Concrete-operated bridge contracts found. The signal requires a protocol-controlled bridge validator/signer set — this architecture does not exist for Concrete.
RD-F-105 gray DNS/CDN/frontend hash drift DNS/frontend hash drift: T-09 phase-2 signal. Applicable — concrete.xyz is a live production frontend at risk of Curve-class frontend compromise given $990M TVL makes it a high-value target. No hash baseline established; no external monitoring deployed. Post-v1 signal infrastructure required.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Cross-chain bridge mint-without-proof: not applicable. Concrete does not operate a bridge with a mint mechanism. Pre-deposit vault bridging to Berachain/Stable Network uses an external (unidentified) bridge not controlled by Concrete. No cross-chain mint events are emitted by Concrete contracts.
RD-F-107 gray Admin EOA signing from new geography/device Admin EOA new-geography signing signal: requires off-chain signing telemetry (MPC session data, device fingerprint). Not publicly accessible. Deployer EOA (0x1fa1c72a) is the known admin signer; Blueprint Finance team is publicly associated with multiple geographies (US/Asia based on investor base). Signal not operational in static assessment.
RD-F-108 gray GitHub force-push to sensitive branch GitHub force-push/sensitive-branch push: T-09 v2/deferred signal. Applicable — Blueprint-Finance/concrete-earn-v2-bug-bounty is a public GitHub repo; last commit 2026-04-20 (normal commit, not force-push per data cache). GitHub API monitoring not operational. No force-push indicators visible in current data.
RD-F-109 gray Social-media impersonation scam spike Social-media impersonation scam spike: T-09 v2/deferred signal. Applicable — @ConcreteXYZ (X/Twitter) and Discord at discord.gg/concretexyz are active channels. Protocol is institutional DeFi with $990M TVL — a meaningful impersonation target. Social-media monitoring not operational. No spike observed in manual OSINT search.
RD-F-110 n/a Unusual pending/executed proposal ratio Unusual pending/executed proposal ratio: not applicable. Concrete has no on-chain Governor contract; no proposals can be pending or executed. Same structural N/A as RD-F-101. Data cache confirms governance.governor_address=null.
RD-F-182 n/a Security-Council threshold reduction (RT) Security-Council threshold reduction event (batch-24, Cat 6B): not applicable. Concrete has no Security Council multisig structure. Data cache confirms safe_multisigs=[], governance fields all null. No Gnosis Safe or equivalent SC multisig has been identified. The signal fires on bridge/protocol Security Council threshold reductions (e.g., 3/5 → 2/5 per Drift Protocol pattern). This governance structure does not exist for Concrete — governance is EOA-admin-only. If governance-admin-analyst discovers a previously-unidentified Safe multisig (U18 resolution), this factor should be re-evaluated.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal: T-09 v1 launch signal, applicable and no current fire. Concrete vaults hold USDT (ctStableUSDT, DeFi USDT vault with $50.1M TVL) and frxUSD (ctStablefrxUSD) — stablecoin exposure is material (>5% of TVL threshold for signal eligibility). Chainlink feeds confirm: USDT/USD feed 0x3E7d1eAB13ad0104d2750B8863b489D65364e32D (heartbeat 86400s, deviation threshold 0.25%); USDC/USD feed 0x8fFfFfd4AfB6115b954Bd326cbe7B4BA576818f6 (heartbeat 82800s, deviation threshold 0.25%). As of 2026-05-17: USDT and USDC are on-peg; frxUSD is stable; no >2% depeg event on any major stablecoin with protocol exposure. Signal is correctly scoped and would fire appropriately if USDT/USDC were to depeg given the material vault exposure.
Dev identity & insider risk Green 8 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR Public GitHub repo (concrete-earn-v2-bug-bounty) has only 5 commits from 2 contributors. Primary contributor 'leomarlo' has a GitHub account created June 2014 (12-year tenure at time of contribution, low risk). Secondary contributor 'marcin-kepa' account created Aug 2024 (~15 months tenure), references prior GitHub accounts. Real engineering development is likely in a private Blueprint-Finance repo not accessible for OSINT. Sample is too small and limited to the bug-bounty surface to draw strong conclusions about admin-PR authors in the main codebase.
RD-F-117 yellow ENS/NameStone identity bound to deployer Deployer EOA (0x1fa1c72a) has no ENS name registered to it per Etherscan search (no ENS-related events in transaction history; address displays only via Etherscan public name tag 'Concrete: Deployer'). Mirror article uses concretexyz.eth as a Mirror publishing handle, which resolves to the org's publishing address, not the deployer EOA. No ENS binding on the deployer itself.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion CRITICAL ★ — YELLOW. ConcreteFactory proxy (0x0265d73a) received an implementation upgrade ~March 19 2026 (block 24692293, 58 days before assessment) and vault proxy ctDeFiUSDT was upgraded ~May 6 2026. Both upgrades were executed via the ConcreteFactory's owner: a 3-of-5 Gnosis Safe (0xdc29BD10CB9000dffBb5aAcD30606c66f07c866C, Safe v1.4.1, threshold=3, 5 owners, nonce=26), on-chain-verified via the Safe Transaction Service API by code-security and governance-admin specialists using the U18-correct method. CORRECTION (U3 cross-specialist fact): a prior version of this assessment stated the upgrade authority was the deployer EOA (0x1fa1c72a) acting as a single EOA admin with no multisig. That framing was an un-derived assumption, now corrected. The deployer EOA is the historical deployer; the 3-of-5 Gnosis Safe is the live admin authority executing upgrades via execTransaction. No public governance forum exists; no Snapshot space; no GitHub issue or PR preceding these upgrades was found.
RD-F-119 gray Commit timezone consistent with stated geography Public GitHub repo has only 5 commits (2 contributors, Oct-Nov 2025). Sample is insufficient for timezone distribution analysis. The main development codebase is in a private Blueprint-Finance repository inaccessible at OSINT tier. No commit-time anomaly could be assessed from the sparse public data. No DPRK-timezone signal (+08/+09) detected but sample too small to be meaningful.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Cannot be assessed at OSINT tier. Team operates with off-chain payroll (institutionally backed startup with $17M+ raised). No on-chain payment streams to contributors visible. Deployer EOA is the only known contributor wallet on-chain; its 3-hop analysis is clean (Kraken-sourced, no DPRK proximity). All other contributor payments are off-chain (bank/stablecoin payroll), making this factor structurally inaccessible without insider knowledge.
RD-F-184 gray Real-capital social-engineering persona No evidence of a real-capital social-engineering persona (Drift/UNC4736 pattern) found. Concrete is an EVM yield-vault protocol distinct from Drift's Solana architecture. No OSINT evidence of a persona building credibility via ≥$1M capital deposits prior to a social-engineering event. Deployer EOA holds only ~$1,400 in operating balances. Curator verification would be required for positive scoring; absence of public signal does not confirm absence of risk. Factor definition (F184) requires curator-confidence attribution beyond OSINT trail; gray is appropriate per the process-learnings note for this factor.
RD-F-111 green Team doxx status Founders Nic Roberts-Huntley (CEO) and Dillon Liang (CSO) are publicly identified with real names in Fortune, BusinessWire, Crunchbase, LinkedIn, and podcast media. Category: real-name / doxxed. CEO has an Oxford MD/MBA, former VP at Point72, CoinDesk author, and multiple podcast appearances. CSO has BoxGroup and Bullpen Capital VC background, UCLA BA, confirmed across ≥2 independent domains.
RD-F-112 green Team public accountability surface CEO Nic Roberts-Huntley: Oxford MD/MBA, former VP Point72, CoinDesk author, Spotify podcast guest (#509), Bloomberg Markets profile, Fortune and BusinessWire interviews. CSO Dillon Liang: BoxGroup (2021-22), Bullpen Capital (2019-21) investor background, LinkedIn, Crunchbase, RootData. COO Steve Weidenbach: Syntax Advisors and University of Michigan prior roles. Product Lead Kareem Grant: Consensys, Coinbase, Bison Trails — verified at ≥2 independent domains. Team accountability surface is high for a DeFi startup of this age.
RD-F-113 green Team other-protocol involvement history No prior rug or exit-scam involvement for any named team member. CEO came from TradFi (Point72) with no DeFi protocol history. CSO from VC (BoxGroup, Bullpen). Product Lead Grant from Consensys/Coinbase — legitimate entities. Blueprint Finance is their first DeFi protocol launch. Glow Finance (Solana) is a Blueprint Finance product, not a separate failed project. REKT news search and hacksdatabase confirm no Blueprint Finance incidents.
RD-F-114 green Deployer address prior on-chain history Deployer EOA (0x1fa1c72A48243E7C7D78f4b95D942D96A8d05588) first funded ~Jan 2024; 1,035 total transactions, all administrative (GrantRole, RevokeRole, OwnershipTransfer, contract deployments) consistent with a dedicated protocol deployer. No prior contracts deployed before the Concrete V2 factory. No prior rug-linked protocol found for this address. Etherscan label 'Concrete: Deployer' confirms identity. Note: the deployer EOA is the original deployer; live upgrade authority subsequently passed to a 3-of-5 Gnosis Safe (0xdc29BD10CB9000dffBb5aAcD30606c66f07c866C), verified by code-security and governance-admin specialists via Safe Transaction Service API. The RD-F-114 assessment concerns the deployer address's on-chain history and is unaffected by this admin-authority distinction.
RD-F-115 green Prior rug/exit-scam affiliation Web search for 'Blueprint Finance rug hack scam REKT exit fraud 2024 2025' returned no relevant results — only general crypto education articles about scams, with no Blueprint Finance / Concrete association. REKT database and data cache both confirm zero incidents. None of the named team members (Roberts-Huntley, Liang, Weidenbach, Turner, Grant) appear in any publicly available rug-deployer database.
RD-F-118 green Handle reuse across failed/rugged projects No handle reuse across failed/rugged projects detected. @ConcreteXYZ and @Blueprint_DeFi X handles are cleanly associated with the current protocol. CEO Roberts-Huntley's identity trace goes back to Blueprint Finance founding (2022/2023) with no prior DeFi handle found. Web search for team member handle reuse returned no results.
RD-F-120 green Video-off/voice-consistency flag CEO Nic Roberts-Huntley has appeared in multiple public-facing audio/video media with consistent persona: Untold Stories podcast (video interview format), CryptoNews Podcast #509 (Spotify audio), Bloomberg Markets profile, Fortune interviews with byline photo. No video-off flags or voice-consistency anomalies reported. Team persona is consistent across appearances.
RD-F-121 green Contributor OSINT depth score Composite OSINT depth: CEO Roberts-Huntley scores 5/5 (Oxford MD/MBA, Point72 VP, CoinDesk author, Bloomberg profile, multiple podcast appearances, Crunchbase, Fortune). CSO Liang scores 4/5 (BoxGroup/Bullpen background, UCLA BA, LinkedIn, Crunchbase, RootData, multiple outlets). COO Weidenbach and Product Lead Grant both ≥3/5 (LinkedIn, prior-employer verification at ≥2 sources). Overall composite ≥4/5, well above threshold for green.
RD-F-124 green Deployer wallet mixer-funded within 30 days CRITICAL ★ — CLEAN. V2 factory deployed Oct 17 2025. Deployer EOA (0x1fa1c72a) was funded ~Jan 2024, approximately 21 months before deploy — well outside the 30-day window. Funder (0xf3f36244) received funds from Kraken exchange (major regulated CEX, KYC-gated). No Tornado Cash or privacy-mixer interactions found in deployer's transaction history (token txns, internal txns checked on Etherscan). The 30-day pre-deploy window (mid-Sep to Oct 17 2025) shows only administrative contract operations, no mixer activity. Note: RD-F-124 concerns the deployer EOA's funding history; the live admin authority (3-of-5 Gnosis Safe 0xdc29BD…) is a distinct address whose funding trail is a Cat 2/Cat 9 governance concern, not within the RD-F-124 30-day-pre-deploy scope. This factor's green finding is unaffected by the admin-authority correction.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus CRITICAL ★ — CLEAN. Hop-0 (deployer 0x1fa1c72a): Etherscan label 'Concrete: Deployer', no OFAC SDN designation. Hop-1 (0xf3f36244): unlabeled personal wallet with standard DeFi activity, funded from Kraken; no OFAC designation, no Chainalysis Lazarus label in public data. Hop-2: Kraken exchange — major regulated CEX with AML compliance, no DPRK proximity. Chain terminates clean within 2 hops. Web search for 'Blueprint Finance DPRK Lazarus Tornado' returned zero relevant results. Protocol has institutional investors (Polychain Capital, VanEck, YZi Labs) who conduct KYC/due diligence on founders and treasury operations. No DPRK/Lazarus proximity found at any hop.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of Concrete is an original Blueprint Finance codebase (ERC-4626 vault system). No upstream fork identified. Profile §5: 'Not forked / original. No fork claim found in README or docs.'
RD-F-127 n/a Upstream patch not merged No upstream fork — factor not applicable.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork — factor not applicable.
RD-F-129 n/a Code divergence from upstream (%) No upstream fork — factor not applicable.
RD-F-130 n/a Fork depth (generations from original audit) No upstream fork — factor not applicable.
RD-F-131 n/a Fork retains upstream audit coverage No upstream fork — factor not applicable.
RD-F-132 n/a Fork has different economic parameters than upstream No upstream fork — factor not applicable.
RD-F-133 green Dependency manifest uses unpinned versions foundry.toml pins OZ at exact version 5.2.0 (no ^ or ~ prefix). Data cache confirms oz_contracts_version='5.2.0'. Critical library (OZ) is pinned to exact version. Green.
RD-F-134 green Dependency had malicious-release incident (last 90d) No npm/PyPI/crates.io malicious-release advisory found for OZ 5.2.0 or related dependencies in trailing 90 days. GitHub OZ security page shows no malicious-release advisory in recent 90 days. Green.
RD-F-135 green Shared-library version with known-vuln status OZ 5.2.0 active advisories: GHSA-9rcw-c2f9-2j55 (Bytes.lastIndexOf, Low severity, Jul 2025) — affects util library only, not vault logic. No high or critical advisory for OZ 5.2.0. UUPSUpgradeable GHSA-5vp3-v4hc-gx76 (Critical) only affects 4.1.0–<4.3.2 — not applicable to 5.2.0. Green.
Post-deploy hygiene & change mgmt Yellow 37 13 of 13
RD-F-138 red Hot-patch deploys without timelock (last 30 days) VaultProxy (0x0e609b) upgraded May 6, 2026 (11 days before profile date) via Safe execTransaction with no timelock. ConcreteFactory has no timelock mechanism. Hot-patch-class deploy without delay confirmed in last 30 days.
RD-F-139 red Post-audit code changes without re-audit ConcreteFactory upgraded to 0x224f3450 on March 19, 2026 (block 24692293). Most recent V2 audit: Halborn Sep 3–16, 2025 (commit b1b7cec, remediation Oct 3, 2025). No audit identified for the March 2026 factory implementation. VaultProxy (0x0e609b) upgraded March 30 and May 6, 2026 — also post any known audit scope. Zellic (May–Jun 2025) predates all 2026 upgrades. Total unaudited deployment window: ~5 months. This is a [★ CRITICAL] factor.
RD-F-136 yellow Deployed bytecode matches signed release tag No signed release tags found in the public bug-bounty repo. GitHub repo (Blueprint-Finance/concrete-earn-v2-bug-bounty) shows no releases. Last commit April 20, 2026 but no tagged version corresponding to deployed factory impl (0x224f3450, March 19, 2026) is public. Etherscan shows Exact Match verified source, confirming deployed bytecode matches verified source, but no signed release artifact.
RD-F-137 yellow Upgrade frequency (per 90 days) At least 3 upgrades in trailing 90 days: ConcreteFactory upgraded March 19, 2026; VaultProxy 0x0e609b upgraded March 30, 2026 and May 6, 2026. Elevated cadence (≥3 upgrades/90d) for a ~$990M protocol without corresponding re-audit coverage.
RD-F-145 yellow Deployed bytecode reproducibility Source code is public in bug-bounty repo. Build toolchain is documented (foundry.toml: Solidity 0.8.27, optimizer 190 runs, viaIR false). Etherscan shows Exact Match verification for key contracts. However, no public reproducibility artifact (forge build verification script) was found. Bytecode should be reproducible via forge build but this has not been publicly demonstrated.
RD-F-146 yellow New contract deploys in last 30 days Multiple new vault deployments in last 30 days (factory continuously deploys vaults via CREATE2; 40+ vaults active on app.concrete.xyz). May 6, 2026 vault upgrade adds fresh attack surface. Ongoing deployment cadence is expected for a vault factory but represents elevated fresh-surface risk without commensurate audit coverage.
RD-F-140 gray Fix-merged-but-not-deployed gap No specific known vulnerability with a PR merged but not deployed identified. GitHub last commit April 20, 2026 (27 days before profile date). Recent commits may include security fixes not yet deployed. Cannot confirm without full commit-to-bytecode diff.
RD-F-142 gray Storage-layout collision risk across upgrades UUPS pattern used (ConcreteFactory) and EIP-1967 transparent proxies (VaultProxy). Multiple 2026 upgrades occurred. No public OZ upgrades-plugin storage-layout validation artifact found for any 2026 upgrade. Curator should verify storage layout compatibility for March 2026 factory upgrade.
RD-F-168 gray Stale-approval exposure on deprecated router No deprecated router with known stale approvals identified. V1 (Blueprint Finance Earn V1) appears fully migrated. No active user-approval allowance scan performed — requires on-chain allowance query across V1 contract addresses to confirm.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Concrete is not a bridge protocol and has no bridge rate-limiter mechanism. Cross-chain pre-deposit vaults exist (Berachain, Stable Network) but no bridge rate-limiter has been identified. Factor RD-F-185 measures bridge rate-limiter as a positive mitigant — not applicable here.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified. ConcreteFactory uses standard onlyOwner ACL. VaultProxy admin correctly set to factory. Halborn V2 audit found 0 critical/high/medium findings (all 3 low + 9 informational addressed). No test oracle or test-mode configuration found in source.
RD-F-143 green Reinitializable implementation (no _disableInitializers) ConcreteFactory implementation calls _disableInitializers() in constructor (confirmed from GitHub raw source). VaultProxy.sol sets _admin=msg.sender immutably at construction (no re-init path). ConcreteStandardVaultImpl uses _initialize() called only through factory's CREATE2 deployment flow — single-initialization enforced by proxy pattern. Halborn V2 audit (0 critical/high findings) would have flagged missing disableInitializers.
RD-F-144 green CREATE2 factory permits same-address redeploy Factory tracks registered vaults and enforces uniqueness via registerVault validation. Same-salt CREATE2 redeploy would be rejected by factory logic. No CREATE2 redeploy attack surface identified.
Cross-chain & bridge Green 13 12 of 12
RD-F-147 yellow Protocol has bridge surface YES — Concrete operates a LayerZero v2 OApp (PredepostVaultOApp.sol, import: @layerzerolabs/oapp-evm-upgradeable) used in production by ctStableUSDT and ctStablefrxUSD pre-deposit vaults. The OApp calls _lzSend($.dstEid, payload, options, ...) to relay share-claim authorization messages from Ethereum to Stable Network / Berachain. ShareDistributor.sol on destination chains is also a LayerZero v2 OApp that receives these messages via _lzReceive() and executes vault-share transfers to users. Combined ~$120M in pre-deposit + destination-chain positions depends on this path. ConcreteBridgedVaultImpl is NOT a bridge (intra-protocol vault-version migration, VAULT_MANAGER-gated unbackedMint, no cross-chain logic). Scored yellow rather than green because the OApp is a real cross-chain dependency securing significant user positions, not merely informational cross-chain communication.
RD-F-153 yellow Bridge tracks nonce-consumed mapping ShareDistributor.sol contains NO application-level nonce-consumed mapping. The _lzReceive() function dispatches on MSG_TYPE without any idempotency check or replay guard at the contract level. The claimedShares[user] += shares accumulator is additive — a duplicate message delivery would execute the share transfer twice. Replay protection is delegated entirely to the LZ v2 infrastructure (endpoint-level ordered nonce delivery via allowInitializePath() / nonce commit system). This is not auditable from Concrete's own contract source. While LZ v2's ordered delivery design makes duplicate delivery unlikely under normal operation, absence of application-level defence is a yellow finding per the taxonomy's requirement for contracts to track nonce-consumed mappings.
RD-F-148 gray Bridge validator count (M) For LayerZero v2 OApps, validator count is expressed as DVN count per messaging pathway. The DVN configuration for PredepostVaultOApp's Ethereum-to-Stable-Network and Ethereum-to-Berachain pathways resides in the LZ v2 SendUln302 / ReceiveUln302 endpoint-level channel config, NOT in the OApp contract source. DVN count cannot be determined from source inspection alone. The LayerZero scan API (layerzeroscan.com) returned HTTP 429 (rate-limited). No alternative public source returned DVN count for this OApp. Honest-null: data is technically retrievable via on-chain call to SendUln302.getAppConfig(oappAddress, dstEid) but was not retrieved in this session.
RD-F-149 gray Bridge validator threshold (k-of-M) DVN threshold (k-of-N) for Concrete's OApp pathways not retrievable — same blocker as F148. The catastrophic edge case of 1/1 DVN threshold (Kelp DAO $292M Apr 2026 class) cannot be ruled out without on-chain endpoint config query. This is the primary unresolved risk for Cat 10: if threshold = 1, a single compromised DVN operator could forge share-claim messages to ShareDistributor. ~$120M exposure. See F179 for the LZ-specific escalation condition.
RD-F-150 gray Bridge validator co-hosting DVN operator identity and hosting diversity for Concrete's OApp pathways not retrievable. Requires on-chain DVN registry enumeration and OSINT on DVN operators, neither of which was achievable with layerzeroscan.com rate-limited (HTTP 429). Honest-null.
RD-F-155 gray Bridge validator-set rotation recency DVN operator set and rotation history for Concrete's OApp pathways not retrievable. Requires on-chain DVN registry enumeration + event log history. layerzeroscan.com returned HTTP 429. Honest-null.
RD-F-156 gray Bridge uses same key custody for >30% validators DVN operator custody concentration for Concrete's OApp pathways not retrievable. Requires DVN operator identity OSINT + key custody inference. layerzeroscan.com returned HTTP 429. Honest-null.
RD-F-157 gray Bridge TVL per validator ratio Bridge TVL (~$120M pre-deposit and destination-chain positions) divided by DVN count — ratio cannot be computed because DVN count is unknown (layerzeroscan.com HTTP 429). If DVN count = 1 (catastrophic edge), ratio = $120M per DVN operator. Honest-null pending DVN config retrieval.
RD-F-179 gray LayerZero OFT DVN config (count, threshold, diversity) LayerZero v2 confirmed for PredepostVaultOApp (import @layerzerolabs/oapp-evm-upgradeable; __OApp_init(); no trustedRemote mapping — all LZ v2 indicators; no LZ v1 indicators present). DVN configuration (count, threshold, operator diversity) for the Ethereum-to-Stable-Network and Ethereum-to-Berachain pathways is NOT encoded in the OApp contract source — it is set per-pathway at the LZ v2 endpoint level via SendUln302.setConfig(). The layerzeroscan.com API returned HTTP 429 (rate-limited); no alternative public data source returned the DVN config for this OApp. Honest-null: gap_reason external_api_blocked. HIGH-RISK CURATOR ESCALATION CONDITION: if on-chain query of LZ v2 SendUln302.getAppConfig(oappAddress, dstEid) for either pathway (dstEid for Stable Network or Berachain) reveals DVN threshold = 1/1, Cat 10 becomes RED and F179 is flagged as a critical-candidate warranting T-14 post-launch promotion per the Kelp-DAO $292M Apr 2026 / usual-USD0 / veda-F179 precedent class applied to
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] GREEN. LayerZero v2 does NOT use ecrecover for message authentication at the OApp layer. The LZ v2 OAppReceiver.lzReceive() enforces two guards before calling _lzReceive(): (1) OnlyEndpoint: msg.sender must equal the registered LZ endpoint address — only the LZ v2 endpoint contract can invoke lzReceive(); (2) OnlyPeer: _getPeerOrRevert(origin.srcEid) must equal origin.sender — message must originate from the registered peer OApp on the correct source chain. No raw signature verification (ecrecover) occurs at the OApp level. The Wormhole-class ecrecover-zero-address failure mode is structurally absent from LZ v2's endpoint-auth model. ShareDistributor._lzReceive() only dispatches on MSG_TYPE — no signature check of any kind.
RD-F-152 green Bridge binds message to srcChainId LayerZero v2 binds messages to source endpoint ID (srcEid) via the peer-validation mechanism. OAppReceiver._getPeerOrRevert(origin.srcEid) looks up the registered peer for that specific srcEid and compares against origin.sender. The Origin struct carries {srcEid, sender, nonce}. A message replay from a different source chain (different srcEid) would fail unless a peer for that srcEid was also registered. ShareDistributor.sol receives the Origin struct from the LZ endpoint which has already performed srcEid-binding validation. The srcChainId binding is enforced at the infrastructure level before _lzReceive() is invoked.
RD-F-154 green Default bytes32(0) acceptable as valid root [★ CRITICAL] GREEN. LayerZero v2 OAppCore._getPeerOrRevert() explicitly reverts with NoPeer(_eid) if peers[_eid] == bytes32(0). The default (zero) value for an unregistered peer causes a revert, not message acceptance. This is the structural inverse of the Nomad bug ($190M, bytes32(0) accepted as valid root): in LZ v2, zero = NoPeer revert. Furthermore, allowInitializePath() returns `peers[origin.srcEid] == origin.sender` — a zero peer would not match any real sender address. No bytes32(0)-as-valid-root path exists in the LZ v2 OApp standard as used by ShareDistributor.
Threat intelligence & recon Green 8 8 of 8
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Attacker wallet reconnaissance time for similar class: class-level probabilistic factor, not protocol-specific observation. Concrete is an ERC-4626 yield vault aggregator (Veda-class). Hack database shows pre-strike reconnaissance averages 14–78 days for DeFi protocols generally (USPD pattern). For yield vault aggregator class (Veda-class, strategy-allocation model): relevant exploit classes are C2 (oracle manipulation) and C14 (post-audit code change), both of which show 14–30 day reconnaissance patterns in the database. Protocol has been live ~7 months from V2 factory deploy (Oct 2025) and ~16 months from V1 (Jan 2025) — well past the reconnaissance window. The $990M TVL makes Concrete a high-value target that would attract advanced reconnaissance. Score yellow: the class-level risk is real and applicable. No protocol-specific reconnaissance signals observed, but the class establishes baseline vigilance requirement. Note: Concrete has deployed Hypernative + zeroShadow monitoring whic
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool probe (low-gas failing txs from threat-actor cluster): requires real-time mempool monitoring + threat-actor cluster feed. Not operational in static assessment. Protocol is EVM and the signal is applicable.
RD-F-162 gray Known-exploit-template selector deployed by any address Known-exploit-template selector-pattern deployed: requires on-chain new-deploy sweep and exploit-template database for vault-infrastructure class (ERC-4626 reentrancy, share inflation, strategy manipulation templates). Not operational in static assessment.
RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site: requires automated credential-dump feed monitoring for Blueprint Finance / Concrete infrastructure endpoints (RPC keys, Hypernative API keys, admin signing infrastructure). Not operational in static assessment. No public reports of Blueprint Finance credential leaks found in OSINT.
RD-F-165 gray Protocol social channel has scam-coordinator flag Discord/Telegram scam-coordinator flag: requires curator social watchlist operational. Concrete Discord at discord.gg/concretexyz is active. No public reports of scam-coordinator activity in Concrete channels found via OSINT. Not operational in static assessment.
RD-F-158 green Known-threat-actor cluster has touched protocol Known-threat-actor wallet cluster touch: T-09 phase-2 advisory signal. No evidence of known threat-actor wallets (Lazarus/DPRK cluster, past exploiter wallets, OFAC-sanctioned addresses) interacting with Concrete contracts. OSINT search for 'Blueprint Finance Lazarus DPRK North Korea' returned no relevant results. No prior exploits (rekt.incidents=[]). Protocol has Hypernative live monitoring deployed (listed security partner). Requires Chainalysis/TRM partner feed for full 3-hop on-chain verification; public proxy observation is clean. Score green reflects no positive evidence from available public sources.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps GitHub malicious-dependency incident: no malicious release found affecting Concrete's dependency tree. Protocol uses OpenZeppelin Contracts v5.2.0 (confirmed from data cache §sources.github.oz_contracts_version). No GitHub Security Advisory (GHSA) or npm advisory for OZ 5.2.0 modules used by Concrete (AccessControlUpgradeable, OwnableUpgradeable, UUPS proxy) as of 2026-05-17. No other runtime npm dependencies identified in data cache (foundry-based Solidity project with no package.json runtime deps). No known malicious release in trailing 90 days affecting this protocol's direct dependency tree.
RD-F-161 green Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain (typosquat): no genuine typosquat of concrete.xyz found within 90 days. CONCRETE-Project (concretecoin.org) is an UNRELATED entity (C++ Proof-of-Work blockchain per U22 disambiguation in profile §11) — not scored as an impersonator. No evidence of concretexyz.com, concrete-xyz.xyz, concrete-finance.xyz, or similar concrete.xyz-deceptive domains registered within 90 days found in public OSINT searches as of 2026-05-17. Score green reflects absence of positive evidence from available public sources; production alerting requires a domain-monitoring feed (post-v1 signal infrastructure). F161 reg-date-to-assessment delta: no genuine impersonator found to calculate.
Tooling / compiler / AI Green 8 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Deployed bytecode: solc v0.8.27+commit.40a35a09 (confirmed on Etherscan for 0x224f3450 and 0x21051573; consistent with foundry.toml). Applicable compiler bug for 0.8.27: LostStorageArrayWriteOnSlotOverflow (SOL-2025-1, Low severity, affects 0.1.0–0.8.31) — low severity, requires specific storage slot overflow conditions unlikely in ERC-4626 vault math with OZ 5.2.0 SafeMath patterns. No high or critical compiler bugs affect 0.8.27. Yellow — one low-severity compiler bug technically in scope for 0.8.27, but exploitability is low for this contract type.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Protocol is an original codebase — no audited upstream exists to perform bytecode similarity comparison against. AI-copy risk pattern requires an upstream reference. Not applicable.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub commit history (5 commits on main, 2026-04-20): all commits authored by human contributors (leomarlo, marcin-kepa). No co-authored-by trailers matching AI-tool signature patterns (GitHub Copilot, ChatGPT). No AI co-authorship in security-critical files detected. Green.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure of AI-generated Solidity found in Blueprint Finance blog, X/Twitter, or docs.concrete.xyz. Web search for 'Concrete Blueprint Finance AI ChatGPT Copilot code disclosure' returned no relevant results. Green.
RD-F-174 green Dependency tree uses EOL Solidity version Solidity 0.8.27 is an actively supported, non-EOL release within the 0.8.x stable series (current stable is 0.8.28+). OZ 5.2.0 requires 0.8.20+ — compatible. No EOL Solidity version in use. Green.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No public acknowledgment-time SLA found on the Cantina program page or in Concrete's documentation. The program requires researchers to report within 24 hours of discovery (researcher obligation), but no team response SLA (e.g., '72h ack') is stated. Cantina's managed model implies structured triage, but no committed response window is disclosed. Yellow: channel exists, SLA absent.
RD-F-175 green Disclosure channel exists Active Cantina-hosted bug bounty launched November 5, 2025 with $250,000 USDC max payout (Critical: $250K, High: $100K). Scope covers universal vault system, strategy integrations, NAV updates, and withdrawal paths. Program is managed by Cantina's specialized Web3 security team. Constitutes a clear public disclosure channel.
RD-F-177 green Prior known-ignored disclosure No prior incidents exist (F077 = green); no post-mortem documents an ignored pre-exploit disclosure. No OSINT findings on rekt.news or web searches indicate a vulnerability was disclosed to the team and left unactioned. Code4rena Nov 2024 findings were addressed in V2 — standard audit remediation, not an ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA (GitHub Security Advisory), or equivalent public advisory found for Blueprint Finance, Concrete, or the concrete-earn-* repositories. Searched NVD/CISA and GitHub Advisory Database; no results returned for this protocol as of 2026-05-17.
rubric_version v1.7.0 graded_at 2026-05-17 14:37:02 factors 184 protocol concrete