defirisk.co
rubric v1.7.0

dYdX v4 (dYdX Chain)

Sovereign Cosmos-SDK + CometBFT application-specific blockchain (appchain) running a perpetuals DEX with an off-chain validator-run orderbook. Validators execute order matching in-memory; fills are settled on-chain via the x/clob module. Includes MegaVault USDC aggregator vault (dYdX Unlimited, launched ~Oct 2024). Codebase is fully open-source Go (AGPLv3) at github.com/dydxprotocol/v4-chain — NOT a closed-source binary. Clean-break rewrite from dYdX v3 (StarkEx/Ethereum); no fork lineage from EVM lending/DEX protocols. Governance via on-chain Cosmos x/gov with staked DYDX (21-day unbonding). Oracle prices via validator-run Slinky sidecar (aggregates CEX feeds via ABCI++ vote extensions). Audited by Informal Systems in 6 engagements (2023 Q4 through 2024 Q2+). Bug bounty on Cantina ($1M max; launched 2026-05-08).

Sector perps_dex
TVL $99.1M
Reviewed May 17, 2026
Factors 184
Categories 13
Risk score 16.1
Deployments Dydx · —
01

Risk profile at a glance

1 red · 1 yellow · 10 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 13 25 of 25
RD-F-001 yellow Audit scope mismatch Six Informal Systems engagements cover all original custom modules through Q2+ 2024; Q3 2025 Proposer Selection audit is a narrower-scope follow-on. MegaVault/x/vault covered by 2024 Vaults audit. Cantina bounty active since May 2026. Some 2025 module changes (v5-v9 protocol upgrades) lack a full-scope audit. Non-EVM chain means audit coverage is evaluated against governance-upgrade-activated release tags rather than Etherscan bytecode.
RD-F-002 yellow Audit recency Most recent quarterly audit in /audits directory is Q2+ 2024 (~11 months ago). Q3 2025 Proposer Selection audit is partial-scope (~8 months ago). Protocol has released v5 through v9.6.3 since Q2 2024, with significant module additions (x/vault MegaVault, x/govplus). No full-scope audit of the current deployed binary. Cantina bounty supplements but does not replace a structured audit.
RD-F-004 yellow Audit count All 7 audit engagements (6 in /audits directory + Q3 2025 in informalsystems/audits) are by a single firm: Informal Systems. Cantina is a crowdsourced bounty program, not a second independent audit firm. No Trail of Bits, Zellic, Spearbit, or other distinct firm has audited the v4 Go codebase. Single-firm coverage = yellow.
RD-F-009 yellow Formal verification coverage Informal Systems actively uses Quint, Apalache, and TLA+-based model-based testing infrastructure. Per search evidence, they leverage these tools for Cosmos appchain audits. Whether specific v4-chain engagements included TLA+/Quint formal verification passes cannot be confirmed from public PDF contents (PDFs not parseable via WebFetch). Conservative yellow: firm capability confirmed, scope per engagement unverified.
RD-F-010 gray Static-analyzer high-severity count Slither, Mythril, and Semgrep are EVM/Solidity-specific static analysis tools. dYdX v4 is a Go/Cosmos-SDK appchain; these tools cannot execute on the Go binary. No published Go-specific static analysis report with severity-classified findings exists in public sources. Pipeline unimplemented for Go-substrate protocols.
RD-F-011 n/a SELFDESTRUCT reachable from non-admin path SELFDESTRUCT is an EVM opcode. dYdX v4 core chain is written in Go; no Solidity contracts in the on-chain binary. The wethDYDX bridge Ethereum contract ceased support June 2025 and was not upgradeable by design. Not applicable to Go/Cosmos architecture.
RD-F-012 n/a delegatecall with user-controlled target delegatecall is an EVM opcode not present in Go/Cosmos-SDK module architecture. Not applicable.
RD-F-013 n/a Arbitrary call with user-controlled target Arbitrary .call(target, data) is an EVM pattern. Not present in Go Cosmos-SDK message handlers. Not applicable.
RD-F-014 n/a Reentrancy guard on external-calling functions Solidity nonReentrant guard is EVM-specific. Cosmos-SDK module message handlers execute atomically within block processing; the EVM-style reentrant call pattern does not exist in Go module architecture. Not applicable.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard ERC-777/1155/721 token standards and their hooks are EVM-specific. dYdX v4 uses native Cosmos SDK bank module and IBC for token handling. Not applicable.
RD-F-016 n/a Divide-before-multiply pattern Slither divide-before-multiply detector requires Solidity source. Not applicable to Go codebase.
RD-F-017 gray Mixed-decimals math without explicit scaling Mixed-decimals arithmetic confusion is conceptually possible in Go perpetuals math (x/perpetuals, x/clob use sdk.Dec and sdk.Int types). The Informal Systems audits cover these modules but specific findings on decimal handling are not accessible from public audit blog summaries. No published Go static analysis for this specific pattern. Pipeline unimplemented for Go substrate.
RD-F-018 n/a Signed/unsigned arithmetic confusion Go's type system enforces explicit conversions between signed (int) and unsigned (uint) types at compile time; implicit cast confusion is a compile-time error, not a runtime risk. The EVM signed/unsigned confusion pattern does not exist in Go.
RD-F-019 n/a ecrecover zero-address return unchecked ecrecover is an EVM precompile. Cosmos-SDK uses standard ed25519/secp256k1 via the SDK crypto/keys package with proper Go error handling. No ecrecover usage in Go chain binary.
RD-F-020 n/a EIP-712 domain separator missing chainId EIP-712 domain separator is Ethereum-specific. Not used in the Go Cosmos appchain binary.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned UUPS _authorizeUpgrade is an OpenZeppelin EVM proxy pattern. dYdX v4 chain upgrades are governed via x/gov proposals calling an upgrade handler — a fundamentally different mechanism. Not applicable.
RD-F-022 n/a Public initialize() without initializer modifier The public initialize() without initializer modifier pattern is specific to OpenZeppelin upgradeable Solidity contracts. dYdX v4 uses InitGenesis() protected by Cosmos consensus rules. No Solidity proxies in the core chain binary. Not applicable.
RD-F-023 n/a Constructor calls _disableInitializers() _disableInitializers() is an OpenZeppelin pattern for Solidity proxy implementations. Not applicable to Go/Cosmos architecture.
RD-F-024 gray Code complexity vs audit coverage Cannot compute exact LOC/audit-day ratio without tool access to the Go source tree. Informal Systems conducted 6+ engagements over ~12 months. Finding density (1 critical, 4 medium across all phases) suggests meaningful depth. Qualitative evidence suggests adequate coverage, but the metric cannot be computed programmatically for a Go codebase.
RD-F-003 green Resolved-without-proof findings Audit blog confirms 1 critical (resolved), 4 medium, 17 low, 19 informational findings; 34 accepted, 5 functioning as designed. Zero unresolved critical issues per dYdX blog and blockchain.news reporting. Resolutions are tracked via PR commits in the open AGPLv3 repo, publicly verifiable.
RD-F-005 green Audit firm tier Informal Systems is the top-tier Cosmos/Go security specialist: principal CometBFT upstream security maintainers, creators of Quint/Apalache formal verification tools, recognized leader in Cosmos appchain auditing. For Cosmos-SDK appchains this is the Tier-1 equivalent of Trail of Bits or OpenZeppelin for EVM protocols.
RD-F-006 green Audit-to-deploy gap Phase I-II and Phase III audits preceded mainnet launch (Oct 2023). Quarterly reviews (Q4 2023, Q1 2024, Q2 2024) conducted during live chain operation — continuous coverage model rather than point-in-time gap. Q3 2025 Proposer Selection audit timed to governance upgrade. Audit-to-deploy gap is effectively zero for quarterly engagements.
RD-F-007 green Bug bounty presence & max payout Active Cantina bug bounty launched 2026-05-08: Critical up to $1,000,000, High $150,000, Medium $50,000, Low $5,000. Covers protocol layer (v4-chain), indexer, web client, and client SDKs. Prior direct program via bugbounty@dydx.exchange had up to $5M max. Program is well-funded (>$500K critical threshold met).
RD-F-008 green Ignored bounty disclosure No evidence of a disclosed vulnerability ignored before v4 exploitation. Feb 2026 npm/PyPI compromise was a client SDK supply-chain attack (wallet stealer) — not a chain vulnerability disclosure. Socket disclosed responsibly and dYdX responded promptly. No v4 post-mortem documents a disclosure-ignored pattern.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Cantina bounty (launched 2026-05-08) explicitly covers the protocol layer at github.com/dydxprotocol/v4-chain, which includes x/clob, x/perpetuals, x/vault (MegaVault), and all other custom modules. No explicit high-TVL contract exclusions identified. The prior direct bugbounty@dydx.exchange program also covered the chain. The Feb 2026 npm/PyPI compromise affected client SDK packages, not the chain protocol layer — the protocol layer bounty coverage is intact.
Governance & admin Green 9 24 of 24
RD-F-028 yellow Low-threshold multisig vs TVL Cosmos reframe as validator-set concentration. Active set: 50 validators (reduced from 60, governance vote June 2025). Top validator Polychain dYdX holds ~29.5M DYDX out of ~241M total staked (~12.2%). Top-5 combined ~70.6M (~29.3%) — below the 33% chain-halt threshold. Historically 7 validators controlled 66%+ (early 2024). Current distribution more spread but still notable concentration at Polychain. Yellow: no single entity near 33% solo-halt threshold, but validator set is relatively concentrated.
RD-F-033 yellow Timelock on sensitive actions Cosmos reframe: all on-chain parameter changes and software upgrades require x/gov proposals (4-day voting). However, the October 2025 chain-halt patch demonstrated validators can coordinate an emergency binary upgrade outside the 4-day period (67%+ consensus required). This is a legitimate but timelock-bypassing emergency path. Yellow: most sensitive actions are governance-gated; the emergency validator patch path is a known-approved bypass.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader Cosmos reframe: no separate pause-keeper distinct from upgrader. October 2025 chain-halt was a consensus failsafe (software), not a human admin key. Recovery required same validator set (67%+ VP) that controls upgrades. Yellow: no role separation between pause-stop and upgrade authority — both are the validator set — but this is inherent to sovereign-chain model, distinct from a single admin holding both roles.
RD-F-040 yellow Emergency-veto multisig present No EVM-style emergency veto multisig. Veto mechanism in Cosmos x/gov is the NoWithVeto vote option (33.4% of votes as NoWithVeto rejects and burns deposits). Distributed veto — all token holders can veto. No dedicated guardian role. Yellow: effective veto exists but no dedicated guardian; no emergency pre-execution pause.
RD-F-047 yellow Governance token concentration (Gini) DYDX: ~1B max supply, ~83.9% unlocked as of 2025. ~53,000 holders; ~17,700 stakers with ~241M DYDX bonded. Staking is concentrated in institutional validators (Polychain ~12.2% of staked). Initial distribution included team, investors, and community allocations — likely high Gini coefficient but exact computation not available from accessible sources. Yellow: significant concentration suspected given initial distribution structure and institutional staker dominance.
RD-F-037 n/a Quorum achievable via single-entity flash loan Flash-loan quorum achievement is not applicable on Cosmos x/gov. The 33.4% quorum is measured against total bonded DYDX (21-day unbonding). No DEX flash-loan can supply bonded staking delegation. N/A by Cosmos substrate construction.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist Cosmos x/gov executes proposals as typed Cosmos SDK message objects (MsgSoftwareUpgrade, ParamChangeProposal, etc.) — not as EVM calldata with delegatecall or arbitrary call patterns. No EVM execution path exists for proposals. N/A by Cosmos substrate.
RD-F-041 n/a Rescue/emergencyWithdraw without timelock No EVM rescue/emergencyWithdraw function exists on the Cosmos appchain. Chain-level fund access requires governance proposals. The x/clob and x/insurance modules hold funds in native Cosmos module state; no single admin key can drain them. N/A by Cosmos substrate.
RD-F-043 n/a Admin = deployer EOA after 7 days No EVM deployer EOA / proxy-admin retention pattern on a Cosmos appchain. Chain launch established the genesis validator set; no deployer EOA admin key ever existed. The concept of admin=deployer-EOA at deploy+7d is structurally N/A by Cosmos substrate.
RD-F-044 gray Admin wallet interacts with flagged addresses No single admin wallet to assess. Validator operator wallets could be checked but no Cosmos-compatible CTI feed is available in this assessment pipeline. Cannot confirm or deny flagged interactions for validator operator addresses.
RD-F-025 green Admin key custody type Cosmos reframe: x/gov on-chain DAO. No EOA, no multisig, no EVM timelock. All parameter changes require governance proposals with 4-day voting period and 33.4% quorum. Categorically equivalent to full DAO+timelock.
RD-F-026 green Upgrade multisig signer configuration (M/N) Cosmos reframe: no fixed M/N multisig threshold. Governance requires 33.4% quorum of staked DYDX and >50% Yes votes over 4-day voting period. Display as 'DAO'. 50 validators hold delegated stake; no fixed signer set.
RD-F-027 green Single admin EOA No single EOA admin. Sovereignty rests with x/gov module + validator set. No address can unilaterally upgrade, pause, or drain the protocol. All governance actions require multi-party consensus.
RD-F-029 green Multisig signers co-hosted Validators operated by independent commercial entities: Polychain, Binance, Kiln, Blockdaemon, Keplr, Chorus One, Figment, etc. All publicly known with distinct corporate identities and infrastructure. Substantial geographic and operator diversity.
RD-F-030 green Hot-wallet signer flag Leading validators (Kiln, Blockdaemon, Chorus One, Figment) are institutional staking providers using HSM-grade infrastructure. No evidence of hot-wallet validator key patterns among top validators.
RD-F-031 green Signer rotation recency Validator set reduction 60→50 was a long-discussed governance decision (forum post March 2025, vote June 2025) — not a sudden threshold reduction with suspicious timing. No Drift-precursor pattern detected. Delegation market allows dynamic rebalancing without unusual events.
RD-F-032 green Timelock duration on upgrades Cosmos reframe: x/gov voting period = effective timelock. Standard voting period: 4 days (345,600 seconds = 96 hours) — exceeds the 48-hour green threshold. Software upgrade proposals must complete this voting period before executing at upgrade-height. Expedited proposals: 1 day minimum (86,400 seconds).
RD-F-035 green Role separation: upgrade ≠ fee ≠ oracle All three function types (upgrade, fee parameters, oracle config) are governance-module-gated. No single admin address holds all three roles. Role 'separation' is via on-chain DAO governance rather than distinct multisig keys, which is appropriate for a sovereign Cosmos appchain.
RD-F-036 green Flash-loanable voting weight Staked DYDX has a 21-day unbonding period. Voting power derives from bonded stake at vote time, not from liquid token balance. Flash-loan governance attacks are structurally impossible — no flash-loan protocol can acquire bonded delegation weight. Green by construction on Cosmos-staking substrate.
RD-F-038 green Proposal execution delay < 24h Standard voting period 4 days (96 hours) >> 24-hour threshold. Even expedited proposals require 1 day. Green.
RD-F-042 green Admin has mint() with unlimited max DYDX token has a fixed max supply of 1 billion tokens with a perpetual inflation rate capped at 2% per year. All inflation requires explicit governance approval via on-chain proposal. No uncapped unlimited-mint admin key exists.
RD-F-045 green Constructor args match governance proposal Software upgrade proposals include the binary version, upgrade-height, and handler specification — publicly verifiable on-chain before the vote. v9.0 upgrade proposal was published on governance forum with binary specification before the vote. Upgrade proposals are auditable against executed parameters.
RD-F-046 green Contract unverified on Etherscan/Sourcify Cosmos reframe: source-transparency equivalent fully met. dYdX v4 is fully open-source (AGPLv3) at github.com/dydxprotocol/v4-chain — all module source is public, tagged, and audited by Informal Systems. Launch was preceded by Phase I-II and Phase III audits. No closed-source binary modules. Etherscan/Sourcify verification is N/A on Cosmos; the equivalent standard is met by public GitHub + public audit reports.
RD-F-167 green Deprecated contract paused but pause reversible by live admin wethDYDX bridge (Ethereum side) officially discontinued by governance vote on June 13, 2025. Bridge contract permanently locks ethDYDX — its discontinued state is irreversible by design. No admin can re-enable the bridge. No live admin retains reversible pause over a deprecated surface.
Oracle & external dependencies Green 15 17 of 17
RD-F-049 yellow Oracle role per asset Slinky serves as the single Primary oracle for all perpetual markets. No secondary or fallback oracle configured. The x/prices module stores one canonical price per market derived from validator vote extensions. Single oracle system with no fallback is a structural single point of failure for pricing.
RD-F-050 yellow Dependency graph (protocols depended upon) Key dependencies: (1) Slinky sidecar (Skip Protocol) — existential dependency for price discovery; (2) CometBFT consensus engine; (3) Cosmos SDK standard modules; (4) Noble chain via IBC — USDC inflow channel; (5) CEX price APIs (Slinky-mediated). Multiple critical non-redundant dependencies. Skip Protocol received 700K DYDX + 500K USDC grant for Slinky integration, indicating deep institutional dependency.
RD-F-051 yellow Fallback behavior on oracle failure No explicit application-layer fallback oracle identified. If Slinky consensus prices fail, GetValidMedianPrices() returns invalid for affected markets. Validator Slinky config specifies 10-second price TTL. The protocol rejects price updates that fail validation rather than falling back to a secondary source. No secondary oracle system exists.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis by dependency: (1) Slinky fails: liquidation engine (GetPerpetualAndMarketPriceAndLiquidityTier in liquidations.go) loses accurate prices; conditional order triggers (stop-limit, take-profit) use stale prices; collateral checks degrade. Missed or premature liquidations possible. (2) Noble IBC fails: USDC inflow blocked; existing balances and positions safe. (3) CEX API failures below minimum exchange count: that market's price treated as invalid. (4) Skip market-mapper fails: new market listings require 4-day governance vote instead. Slinky failure is highest-severity dependency failure mode.
RD-F-057 yellow Circuit breaker on price deviation Partial circuit-breaker logic exists via crossing-price validation: when proposed price crosses the index price and old deviation >1 tick, new_ticks must satisfy new_ticks <= sqrt(old_ticks). CrossingPriceUpdateCutoffPpm = 500_000 (50% absolute floor). MinPriceChangePpm (governed per market) requires minimum change. These are price-smoothing controls on update acceptance, not a hard circuit breaker that halts trading when prices deviate. No dedicated circuit-breaker contract identified.
RD-F-062 yellow External keeper/relayer not redundant Slinky sidecar is functionally a keeper/relayer for oracle price submission, but is redundantly operated — every validator must run it (mandatory from v5.0.0). With 60+ active dYdX Chain validators, no single keeper can be taken down. However, Skip Protocol is the sole maintainer of the Slinky library — a supply-chain concentration risk. A malicious or buggy Slinky library update could affect oracle consensus across all validators simultaneously.
RD-F-180 yellow Immutable oracle address [★-CANDIDATE F180; PD-017 held — compose.py counts in ★ total] Slinky market parameters (oracle source config, MinPriceChangePpm, market pair definitions) ARE governance-replaceable. Confirmed in app.go: PricesKeeper authority is lib.GovModuleAddress.String() plus delaymsgmoduletypes.ModuleAddress. MsgUpdateMarketParam and MsgCreateOracleMarket messages are gated to governance authority with govtypes.ErrInvalidSigner if authority check fails. Oracle configuration changes require governance proposal with 4-day standard voting period. This is the 'governance-replaceable with voting-period delay' class — NOT immutable-red. The 4-day voting window creates exposure if an oracle source is compromised before governance can update it.
RD-F-181 n/a Permissionless-pool lending oracle dYdX v4 is a perps DEX, not a pooled-permissionless lending protocol. There is no mechanism for users to create new lending pools or collateral listings without governance. The Rhea Finance NEAR attack class (fake pool seeding, permissionless oracle acceptance) is not applicable to this protocol type.
RD-F-048 green Oracle providers used Single oracle system: Slinky (Skip Protocol) validator-consensus oracle. Each validator runs the Slinky sidecar as a mandatory process (required from v5.0.0). Slinky aggregates prices from CEX APIs via websocket/REST; no Chainlink, no Pyth, no Uniswap TWAP. Cache shows no Chainlink feeds — confirmed as correct for this Cosmos appchain.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] dYdX v4 uses Slinky validator-consensus oracle, NOT a spot DEX pool. Each validator independently aggregates CEX API prices and submits via ABCI++ vote extensions. x/prices aggregates via stake-weighted median (GetValidMedianPrices). Manipulation requires colluding >1/3 staked DYDX — same Byzantine-fault threshold as chain consensus, not a flash-loan-exploitable DEX pool. F053 red class (spot DEX manipulation) does NOT apply. Slinky market price decoder verifies prices are derived from vote-extensions injected into blocks. Price validation enforces MinPriceChangePpm and crossing-price bounds.
RD-F-054 green TWAP window duration TWAP window concept is not applicable to the Slinky validator-consensus oracle model. Prices are updated per-block (~1 second); no TWAP window is configured. MinPriceChangePpm is the per-market update threshold, not a TWAP window. TWAP manipulation class is structurally inapplicable to validator-consensus oracle.
RD-F-055 green Oracle pool depth (USD) Not applicable — Slinky does not read from a DEX liquidity pool. It aggregates from CEX order books (Binance, Coinbase, OKX, etc.) via websocket/API. No on-chain pool dependency. Pool-depth manipulation class is structurally absent from dYdX v4's oracle design.
RD-F-056 green Single-pool oracle (no medianization) Slinky performs medianization across multiple CEX price feeds per market. GetValidMedianPrices() in the index price cache computes a median across exchange prices. The minimum number of exchanges parameter (per market config) ensures multi-source coverage — a market is only valid if enough exchanges have provided fresh prices. Not a single-pool oracle.
RD-F-058 green Max-deviation threshold (bps) CrossingPriceUpdateCutoffPpm = 500_000 (50%) is defined as an absolute floor for crossing-price updates. MinPriceChangePpm is set per-market via governance (MsgUpdateMarketParam). Exact bps values per market are not individually verified (governed state), but the threshold mechanism exists and is source-verified in validate_market_price_updates.go.
RD-F-059 green Oracle staleness check present Staleness check confirmed. GetMarketIdToValidIndexPrice() in market_price.go explicitly checks: (1) 'last update time is within a predefined threshold away from the given read time,' AND (2) 'number of prices that meet [the time requirement] are greater than the minimum number of exchanges specified.' Both must hold. Validator Slinky config recommends price TTL of 10 seconds. Both freshness and multi-source conditions are source-verified.
RD-F-060 green Chainlink aggregator min/max bound misconfig Not applicable — dYdX v4 does not use Chainlink. The validator-reported price model via Slinky has no Chainlink aggregator configuration. Data cache listing Chainlink feeds is a known false positive for Cosmos non-EVM chains (U6 advisory). x/prices module source has no Chainlink imports.
RD-F-061 green LP token balanceOf used for pricing Not applicable — dYdX v4 is a perps DEX using Slinky validator-consensus oracle. No LP token balance reads for pricing. The protocol holds USDC collateral natively, not LP tokens.
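How the x/prices rules cited in RD-F-056, RD-F-057 and RD-F-059 fit together (freshness TTL plus minimum exchange count before a median is accepted, the MinPriceChangePpm threshold, and the sqrt rule for crossing-price updates), as an added Go example written for this page, not dYdX's own code: the type, field and function names are assumptions, one tick is taken as indexPrice*MinPriceChangePpm/1e6, and the even-count median rounding and the omitted 50% cutoff are also assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
	"time"
)

// ExchangePrice is one exchange's latest quote for a market, as the index
// price cache fed by the Slinky sidecar would hold it (constructed type; the
// real cache layout is not shown on the page).
type ExchangePrice struct {
	Exchange   string
	Price      uint64 // integer price in the market's quantum units (assumption)
	LastUpdate time.Time
}

// MarketConfig carries the two conditions RD-F-059 quotes: a freshness
// threshold (the ~10 s TTL) and a minimum number of fresh exchanges.
// Field names are assumptions, not the module's own.
type MarketConfig struct {
	MaxAge       time.Duration
	MinExchanges int
}

var ErrInvalidPrice = errors.New("index price invalid: too few fresh exchange prices")

// ValidIndexPrice keeps only quotes updated within MaxAge of readTime and
// returns their median, or ErrInvalidPrice when fewer than MinExchanges
// remain. Even counts average the two middle values (rounding is an assumption).
func ValidIndexPrice(cfg MarketConfig, quotes []ExchangePrice, readTime time.Time) (uint64, error) {
	fresh := make([]uint64, 0, len(quotes))
	for _, q := range quotes {
		age := readTime.Sub(q.LastUpdate)
		if age < 0 || age > cfg.MaxAge { // future-dated or stale: ignore
			continue
		}
		fresh = append(fresh, q.Price)
	}
	if len(fresh) < cfg.MinExchanges {
		return 0, ErrInvalidPrice
	}
	sort.Slice(fresh, func(i, j int) bool { return fresh[i] < fresh[j] })
	n := len(fresh)
	if n%2 == 1 {
		return fresh[n/2], nil
	}
	return (fresh[n/2-1] + fresh[n/2]) / 2, nil
}

// MeetsMinPriceChange applies the MinPriceChangePpm threshold: an update is
// only accepted if it moves the price by at least minPpm parts per million
// of the old price.
func MeetsMinPriceChange(oldPrice, newPrice, minPpm uint64) bool {
	var diff uint64
	if newPrice >= oldPrice {
		diff = newPrice - oldPrice
	} else {
		diff = oldPrice - newPrice
	}
	return diff*1_000_000 >= oldPrice*minPpm
}

// CrossingUpdateAllowed models the crossing-price rule summarised in RD-F-057:
// when the proposed price crosses the index price and the old price was more
// than one tick away, the new deviation in ticks must be <= sqrt(old ticks).
// The 50% absolute cutoff the page mentions is not modelled here.
func CrossingUpdateAllowed(oldPrice, newPrice, indexPrice, minPpm uint64) bool {
	crosses := (oldPrice < indexPrice && newPrice > indexPrice) ||
		(oldPrice > indexPrice && newPrice < indexPrice)
	if !crosses {
		return true // the rule only constrains updates that cross the index
	}
	tick := float64(indexPrice) * float64(minPpm) / 1e6
	oldTicks := math.Abs(float64(oldPrice)-float64(indexPrice)) / tick
	newTicks := math.Abs(float64(newPrice)-float64(indexPrice)) / tick
	if oldTicks <= 1 {
		return true
	}
	return newTicks <= math.Sqrt(oldTicks)
}

func main() {
	// Constructed sample: four exchanges, one of them stale against a 10 s TTL.
	now := time.Date(2026, 5, 17, 12, 0, 0, 0, time.UTC)
	quotes := []ExchangePrice{
		{"Binance", 100_000, now.Add(-2 * time.Second)},
		{"Coinbase", 100_200, now.Add(-5 * time.Second)},
		{"OKX", 99_800, now.Add(-30 * time.Second)}, // stale, dropped
		{"Bybit", 100_100, now.Add(-1 * time.Second)},
	}
	cfg := MarketConfig{MaxAge: 10 * time.Second, MinExchanges: 3}
	median, err := ValidIndexPrice(cfg, quotes, now)
	fmt.Println("median:", median, "err:", err)
	fmt.Println("99000->100200 crossing allowed:", CrossingUpdateAllowed(99_000, 100_200, 100_000, 1_000))
	fmt.Println("99000->100500 crossing allowed:", CrossingUpdateAllowed(99_000, 100_500, 100_000, 1_000))
}
```

Raising MinExchanges to 4 with the same quotes makes the market invalid, which is the "rejects rather than falls back" behaviour RD-F-051 describes.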
Economic risk Yellow 33 13 of 13
RD-F-063 yellow TVL (current + 30d trend) TVS $99.1M as of 2026-05-17; 30-day change -5.3%; 90-day CoV 10.6% (mean $115.0M, std $12.2M). Sustained decline from ~$325M in Feb 2026 to $99.1M in May 2026 (~-70% over 90 days). Protocol now below $100M current and $250M 12-month-peak coverage thresholds (included under Rule 4). Single-asset composition (100% USDC via Noble IBC) is clean. Trend indicates managed outflow rather than exploit-driven bank run but is persistent and significant.
RD-F-067 yellow Historical bad-debt events Reframed as insurance-fund-shortfall / bad-debt events on dYdX v4 only (per pre-mark; v3 YFI $9M event excluded per U2). v4-specific record: (1) October 10, 2025 chain halt — isolated market liquidation edge case triggered a false-negative insurance-fund balance check; protocol auto-halted (~8 hours); insurance fund was well-capitalized and no actual bad debt occurred; $462K compensation approved from fund (27 affected addresses). (2) March 2025 DAO governance approved $10M USDC transfer from insurance fund to operations subDAOs (Proposal #372), reducing fund from ~$17M to ~$7M before replenishment. Fund replenished to ~$16M by Oct 2025 via liquidation fees (~$613K/month avg). No v4 bad-debt events confirmed. Yellow because: insurance fund was reduced by governance action for non-safety purposes, creating a structural adequacy risk; October 2025 halt exposed a liquidation accounting bug that could cause chain downtime (blocking liquidations) during a volatile period.
RD-F-064 gray TVL concentration (top-10 wallet share) dYdX v4 is a sovereign Cosmos appchain — per-depositor TVS concentration cannot be retrieved via DefiLlama (aggregate only) or EVM tooling. On-chain enumeration requires custom Cosmos SDK account queries against the dYdX chain (non-EVM, Mintscan-based). MegaVault is a pooled USDC vault; exact depositor distribution not published. Data collection blocked by non-EVM substrate requiring custom tooling not available in this assessment cycle.
RD-F-065 gray Liquidity depth per major asset dYdX v4 is an off-chain orderbook perpetuals DEX — no on-chain DEX pool exists to measure 2%/5% slippage depth in the conventional sense. The single deposited asset is USDC (IBC from Noble), which is liquid at par. Perps-specific order book depth is controlled by MegaVault sub-vault quoting and external market-makers, not quantifiable via DEX subgraph. Factor methodology assumes DEX/AMM pool; does not map to an off-chain orderbook architecture.
RD-F-066 n/a Utilization rate (lending protocols) dYdX v4 has no lending markets and no borrowing functionality. Data cache confirms borrow.present: false. Per taxonomy PD-024 resolution, utilization-rate factor is lending-only and scores not_applicable for perps DEX protocols. OI-utilization proxy (OI/TVS ~77%) is noted in narrative but does not alter factor score.
RD-F-068 n/a Collateralization under stress dYdX v4 has no overcollateralized lending markets or CDP stablecoin. No collateralization ratio is applicable. Per PD-024 lending-only classification.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin dYdX v4 has no protocol-issued stablecoin. Settlement is exclusively in native USDC (IBC from Noble). No algorithmic or under-collateralized stablecoin design. Per PD-024 lending-only classification.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) dYdX v4 is a sovereign Cosmos-SDK perpetuals DEX, not a Compound V2 fork. No cToken-style lending markets exist. No share-based vault accounting of the Compound/cToken pattern is present. The empty-market donation-exploit attack surface does not exist on this protocol architecture. Per PD-024 (Compound-fork-only applicability) and taxonomy §Cat4 note. Two distinct-domain sources confirm non-Compound architecture.
RD-F-071 n/a Seed-deposit requirement for new market listing dYdX v4 has no lending market listing process requiring a seed deposit. Per PD-024 lending-only classification.
RD-F-072 n/a Market-listing governance threshold dYdX v4 has no permissionless lending market listing. MegaVault instant market listings are a perpetuals-DEX feature unrelated to lending-market-listing governance thresholds. Per PD-024 lending-only classification.
RD-F-073 n/a Oracle-manipulation-proof borrow cap dYdX v4 has no borrow caps (no lending). OI caps on perpetuals markets are a distinct governance parameter not captured by this lending-specific factor. Per PD-024 lending-only classification.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) MegaVault is a Cosmos-native x/vault module on the dYdX appchain — it is NOT an ERC-4626 contract. No EVM share-accounting exists anywhere in the dYdX v4 protocol. The ERC-4626 virtual-share-offset attack vector requires EVM-based share arithmetic (OpenZeppelin >=4.9 virtual shares). Per PD-024 (Cosmos-native-not-ERC-4626 rationale). No gap_reason required.
RD-F-075 n/a First-depositor / share-inflation guard Same rationale as RD-F-074. dYdX v4 MegaVault is Cosmos-native; there is no ERC-4626 first-depositor share-inflation vulnerability surface. The dYdX appchain has no EVM runtime and no ERC-4626 vault pattern anywhere in the v4 protocol. Per PD-024 (Cosmos-native-not-ERC-4626 rationale). No gap_reason required.
Operational history Green 18 15 of 15
RD-F-081 yellow Post-exploit response score Assessed against the Oct 2025 operational incident, the closest analog to an exploit-response event on v4. Oct 2025: compensation approved ($462K from the insurance fund), root cause named (order of operations in a collateral-pool transfer), sequencing fix documented, validators coordinated a patch in ~8h; a strong response. Apr 2024 chain halt: no formal post-mortem published, only contemporaneous news coverage; a weak response record. Composite: 3.5/5. Yellow due to the Apr 2024 gap.
RD-F-082 yellow Post-mortem published within 30 days Oct 2025 incident: incident review published ~2025-10-24, about 14 days after the Oct 10 halt, within 30 days (green for this incident). Apr 2024 chain halt (~9.5h, Apr 8, 2024): no formal dYdX-published post-mortem found; only third-party news coverage. Yellow composite: one incident with a timely post-mortem, one without.
RD-F-083 yellow Auditor re-engaged after last exploit No incident-triggered formal re-audit is documented for either the Apr 2024 or the Oct 2025 chain halt. The ongoing Informal Systems quarterly review cadence (through Q2 2024+) represents continuous engagement. The Cantina bug bounty launched May 2026 is a proactive measure, not a post-incident re-audit. Yellow: continuous audit engagement exists, but no incident-specific re-audit evidence.
RD-F-084 yellow TVL stability (CoV over 90d) 90-day TVL window (Feb 17 to May 17, 2026): mean $115.0M, std $12.2M, CV ~10.6%. The CV alone understates the risk: it measures dispersion around the mean, and a steady decline produces a modest CV while the level keeps falling. TVL declined from ~$220M at period start to $99.1M at assessment, a ~55% peak-to-trough drawdown over 90 days; 30-day change: -5.3%. Moderate-to-high volatility driven by a sustained downtrend. Yellow.
RD-F-085 yellow Incident response time (minutes) Oct 2025: chain halt began 5:35 PM ET Oct 10; dYdX communicated publicly the same evening; formal incident review published Oct 24 (~14 days). npm/PyPI supply-chain compromise: disclosure Jan 28, 2026 ~12:19 UTC; dYdX acknowledged the same day via X. Response appears prompt in both cases, but exact minute-level first-statement timestamps are not confirmed from primary sources. Yellow: directionally good, precise timing not fully confirmed.
RD-F-086 yellow Pause activations (trailing 12 months) Two protocol failsafe chain-halt activations in the v4 operational record: (1) Apr 8, 2024, ~9.5h halt triggered by an IAVL library bug during the v4.0.0 upgrade; (2) Oct 10, 2025, ~8h halt triggered by a collateral-logic ordering bug in an isolated market. Only the Oct 2025 halt falls inside the trailing 12 months. Neither halt involved an attacker-driven loss; on resumption after Oct 2025, stale oracle prices produced ~$462K of protocol-level execution errors, covered by the insurance fund. The automatic halt mechanism functioned as designed. Two halts, 18 months apart, in ~31 months of operation is elevated operational friction for a perpetuals DEX. Yellow.
RD-F-089 yellow Insurance coverage active dYdX v4 has a native protocol insurance fund (x/insurance Cosmos module). At the time of the Oct 2025 incident the fund held ~$16M USDC; the $462K compensation (under 3% of the fund) was proposed from it, leaving the fund well capitalized. The fund is funded from trading fees and protocol revenue. No third-party insurance coverage (Nexus Mutual, Sherlock, Unslashed) for v4 identified. Yellow: a native protocol insurance fund exists and has functioned as designed (Oct 2025 compensation), which is materially better than zero insurance, but there is no independent insurer backstop. Per U2 protocol-specific note: this is NOT default-red; the fund's existence and demonstrated adequacy warrant yellow.
RD-F-166 yellow Deprecated contracts still holding value The wethDYDX bridge on Ethereum was officially deprecated via governance votes (Dec 2024 community vote; chain support ceased Jun 13, 2025). The bridge contract on Ethereum continues to hold substantial DYDX governance-token value: Etherscan shows ~731.5M DYDX (~$103M at current DYDX spot price) in the contract at 0x46b2deae6eff3011008ea27ea36b7c27255ddfa9 [address requires curator verification]. Additionally ~41.7M ethDYDX (~$25M at earlier prices per press reports) from users who did not migrate before the deadline are permanently locked. F166 threshold (>$100K) clearly met. However, the locked value is governance token only, not trading TVS, and the lock is by protocol design (the bridge permanently locks ethDYDX and never held user trading collateral). Yellow: deprecated surface holds substantial value, but the governance-token-only, by-design lock reduces severity versus a stranded-TVS scenario.
RD-F-076 green Protocol age (days) dYdX v4 mainnet genesis block: 2023-10-26; full-production trading enabled 2023-11-28. Age at assessment (2026-05-17): 934 days (~31 months) since genesis, 901 days (~30 months) since full production. Exceeds the 12-month A-grade floor.
RD-F-077 green Prior exploit count Zero confirmed on-chain contract exploits on dYdX v4 in ~31 months of live operation. Two chain-halt incidents (Apr 2024, Oct 2025) were operational bugs (failsafe activations), not attacker-driven exploits. The Oct 2025 incident resulted in ~$462K of losses from stale-oracle trades on resumption, classified as protocol-level execution error, not a smart-contract exploit. The Feb 2026 SDK supply-chain compromise did not affect on-chain protocol funds (the Go chain binary was confirmed unaffected). The v3 YFI incident (Nov 2023) occurred on dYdX v3 (StarkEx L2 on Ethereum) and is fully excluded from v4 Cat 5 scoring. Hacks DB entry dydx.md explicitly labels the protocol as dYdX v3 and the event as pre-v4 full-production launch.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero v4-native on-chain exploits confirmed. Chronic flag threshold of 3 exploits is not met. No repeat incidents of any exploit class.
RD-F-079 green Same-root-cause repeat exploit Zero v4-native exploits. No same-root-cause repeat to assess. Factor vacuously passes.
RD-F-080 green Days since last exploit No v4 exploit has occurred in ~31 months (934 days) of live operation, so days-since-last-exploit is undefined rather than small. Sufficient live time paired with a clean exploit record scores green.
RD-F-087 green Pause > 7 consecutive days Neither the Apr 2024 halt (~9.5h) nor the Oct 2025 halt (~8h) exceeded 7 consecutive days. Both resolved in under 10 hours. No pause exceeding 7 days in the last 12 months (or in the full v4 operational history).
RD-F-088 green Re-deployed to new addresses in last year dYdX v4 is a Cosmos-SDK appchain; there are no EVM contract addresses to redeploy. Chain software upgrades (v4.0.0 to v4.0.2; the Oct 2025 patch) are in-place validator binary upgrades, scheduled through x/gov software-upgrade proposals and the Cosmos SDK x/upgrade module in the normal case and coordinated directly by the validator set in the Oct 2025 emergency, not address-breaking contract redeployments. No equivalent of retiring a prior deploy and redeploying to new addresses applies in this architecture. Green: no address-breaking redeployment has occurred; protocol continuity maintained.
Real-time signals Green 14 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h TVL $99.1M as of 2026-05-17 (DeFiLlama). 30-day change: -5.3%. 90-day trend: from ~$212M in Feb 2026 to $99.1M, a 53% decline over ~90 days. The tier-A threshold (>30% drop in 1 hour) does not fire today; the decline is gradual. However, the sustained multi-month decline from a $415M peak (Dec 2024) to sub-$100M is anomalous relative to the protocol's own baseline and warrants a monitoring posture. Yellow: within-hour threshold not breached, but the 90-day trajectory is a background precursor signal.
RD-F-105 yellow DNS/CDN/frontend hash drift T-09 phase-2 signal. dYdX suffered two DNS hijacking incidents on dydx.exchange (Jul 9 and Jul 23, 2024) before migrating to the Cloudflare registrar and transitioning to dydx.xyz/dydx.trade. The v4 frontend is served over IPFS with Cloudflare DNS and is open-source (github.com/dydxprotocol/v4-web). The Jan 2026 supply-chain attack used the typosquatted domain dydx.priceoracle.site (not a DNS hijack of dydx.xyz). No unscheduled DNS drift on dydx.xyz/dydx.trade detected from available sources as of 2026-05-17. Yellow: persistent adversarial interest in dYdX frontend distribution channels; live T-09 phase-2 monitoring is not yet wired up; the historical DNS attack pattern demonstrates a real attack surface.
RD-F-109 yellow Social-media impersonation scam spike The early-2026 supply-chain attack demonstrates active adversarial investment in dYdX brand impersonation: the typosquatted domain dydx.priceoracle.site (registered Jan 9, 2026) mimicked dYdX oracle-infrastructure branding. Prior incidents: Aug 2022 npm compromise, Jul 2024 DNS hijacking (two separate events). The pattern of coordinated brand-impersonation attacks on dYdX's distribution channels is persistent. No current confirmed spike in Discord/Telegram/X impersonation-account volumes beyond the Jan 2026 package attack. Yellow: the pattern of adversarial brand abuse is documented and ongoing.
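RD-F-084 (CoV over 90 days) and RD-F-098 (>30% drop inside one hour) reduce to three numbers over a TVL series: coefficient of variation, peak-to-trough drawdown, and the largest drop inside a rolling window. The Go program below is an added example written for this page; it is not defirisk.co tooling and not dYdX code. Its two series are constructed to mirror the figures cited above (a daily ramp from $220M to $99.1M over 91 days, and a separate intraday series with a 35% fall in 40 minutes), not DeFiLlama data. It shows why a modest CV can coexist with a 55% drawdown and why the hourly trigger stays silent on a slow decline.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Point is one TVL observation; Stats summarises a series.
type Point struct {
	At  time.Time
	USD float64
}
type Stats struct{ Mean, Std, CV, MaxDrawdown float64 }

// sorted returns a copy ordered oldest-first so window scans are valid.
func sorted(pts []Point) []Point {
	s := append([]Point(nil), pts...)
	sort.Slice(s, func(i, j int) bool { return s[i].At.Before(s[j].At) })
	return s
}

// Summarise computes the F084 dispersion statistics (population std, CV = std/mean)
// plus peak-to-trough drawdown as a fraction of the running peak. CV measures
// scatter around the mean and understates a steady decline; drawdown captures it.
func Summarise(pts []Point) Stats {
	pts = sorted(pts)
	if len(pts) == 0 {
		return Stats{}
	}
	var sum, sumSq, maxDD float64
	peak := pts[0].USD
	for _, p := range pts {
		sum, sumSq = sum+p.USD, sumSq+p.USD*p.USD
		peak = math.Max(peak, p.USD)
		if peak > 0 {
			maxDD = math.Max(maxDD, (peak-p.USD)/peak)
		}
	}
	n := float64(len(pts))
	mean := sum / n
	s := Stats{Mean: mean, Std: math.Sqrt(math.Max(sumSq/n-mean*mean, 0)), MaxDrawdown: maxDD}
	if mean != 0 {
		s.CV = s.Std / mean
	}
	return s
}

// SharpDrop implements the F098 trigger: the first observation at least threshold
// (e.g. 0.30) below the highest observation within the preceding window (e.g. 1h).
// A decline slower than the window never fires, which is the gradual case above.
func SharpDrop(pts []Point, window time.Duration, threshold float64) (Point, float64, bool) {
	pts = sorted(pts)
	for i := range pts {
		hi := pts[i].USD
		for j := i - 1; j >= 0 && pts[i].At.Sub(pts[j].At) <= window; j-- {
			hi = math.Max(hi, pts[j].USD)
		}
		if drop := (hi - pts[i].USD) / hi; hi > 0 && drop >= threshold {
			return pts[i], drop, true
		}
	}
	return Point{}, 0, false
}

// GradualDecline is a constructed 91-day daily series falling linearly from $220M
// to $99.1M (the F084 endpoints); it is not DeFiLlama data.
func GradualDecline() []Point {
	start := time.Date(2026, 2, 17, 0, 0, 0, 0, time.UTC)
	pts := make([]Point, 91)
	for i := range pts {
		pts[i] = Point{start.AddDate(0, 0, i), 220e6 - float64(i)*(220e6-99.1e6)/90}
	}
	return pts
}

// FlashCrash is a constructed intraday series with a 35% fall inside 40 minutes.
func FlashCrash() []Point {
	t0 := time.Date(2026, 5, 17, 12, 0, 0, 0, time.UTC)
	return []Point{{t0, 100e6}, {t0.Add(20 * time.Minute), 98e6},
		{t0.Add(40 * time.Minute), 65e6}, {t0.Add(2 * time.Hour), 70e6}}
}

func main() {
	for name, series := range map[string][]Point{"gradual": GradualDecline(), "intraday": FlashCrash()} {
		s := Summarise(series)
		_, drop, fired := SharpDrop(series, time.Hour, 0.30)
		fmt.Printf("%-8s CV=%.1f%% drawdown=%.1f%% 1h-drop>=30%%: %v (%.1f%%)\n", name, 100*s.CV, 100*s.MaxDrawdown, fired, 100*drop)
	}
}
```

On the constructed ramp the CV comes out near 22% while the drawdown is 55%, and SharpDrop never fires because consecutive points are a day apart; on the intraday series it fires at the $65M print with a 35% drop against the $100M high 40 minutes earlier. A monitor that only checks the windowed drop, as F098 is specified, needs the drawdown view from F084 beside it to see the slow bleed.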
RD-F-090 gray Mixer withdrawal → protocol interaction T-09 phase-2 signal. dYdX v4 is a Cosmos appchain; EVM Tornado Cash interactions do not map directly to the Cosmos layer. dYdX's own compliance infrastructure proactively blocked TC-linked Ethereum user accounts on v3 (Aug 2022). No direct on-chain precursor found via public sources. Requires a proprietary wallet-clustering feed for Cosmos-native address assessment.
RD-F-091 gray Partial-drain test transactions T-09 phase-2 signal. No EVM-style partial-drain pattern applies to a Cosmos perpetuals DEX. Detecting partial-drain test transactions on the appchain would require a custom Cosmos indexer over x/bank transfers. No such infrastructure exists for T-10 static assessment.
RD-F-092 n/a Unusual mempool pattern from deployer wallet Cosmos appchain genesis model; no EVM deployer wallet or EVM mempool exists for dYdX v4. The chain was initialized from a genesis file with no single EOA deployer. The EVM mempool-monitoring signal does not translate to CometBFT consensus.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet Cosmos SDK fees are gas units multiplied by a validator-configured minimum gas price (payable in USDC or DYDX on dYdX Chain) rather than EVM gas-price bidding. There is no EVM-style gas-price race or priority-fee MEV signal applicable to CometBFT consensus on the dYdX appchain.
RD-F-094 n/a New contract with similar bytecode to exploit template The appchain's protocol logic lives in Go modules compiled into the validator binary; there is no EVM bytecode deployment mechanism, so bytecode similarity scoring does not apply to dYdX v4.
RD-F-095 n/a Known-exploit function-selector replay The appchain uses Protobuf message types, not EVM 4-byte function selectors. The Etherscan 4-byte signature database and selector-replay detection do not apply to the dYdX v4 on-chain protocol.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale Cosmos appchain; no ERC-20 approval pattern applies. The eth DYDX/wethDYDX Ethereum bridge is discontinued as of June 2025 per governance vote. No live ERC-20 approval surface exists for the v4 perps DEX.
RD-F-097 gray Sybil surge of identical-pattern transactions Sybil-surge detection is applicable in principle to dYdX v4 (repeated identical x/clob order patterns from new wallets), but no public tooling exists to assess this without a custom Cosmos indexer. No documented sybil-surge incidents on dYdX v4.
RD-F-099 gray Oracle price deviation >X% from secondary T-09 phase-2 signal. No secondary oracle feed mapping for the Slinky-based validator-reported price system has been established in the T-09 pipeline. Slinky requires >=6 robust oracle sources per market per dYdX docs. The Oct 2025 incident was a collateral-pool logic edge case, not an oracle price manipulation event (the ~$462K of execution errors on resumption came from stale prices, not manipulated ones). No oracle deviation incidents reported on dYdX v4 to date.
RD-F-100 n/a Flash loan >$10M targeting protocol tokens dYdX v4 is a Cosmos appchain with no EVM flash-loan mechanism. The protocol provides perpetuals trading, not lending pools from which flash loans originate. Governance voting power requires bonded DYDX with a 21-day unbonding period, so a flash-loan-funded vote cannot be unwound in the same block; flash-loan governance attacks are structurally infeasible.
RD-F-102 n/a Admin/upgrade transaction in mempool The Cosmos appchain upgrade path is a governance-voted software-upgrade proposal submitted as an x/gov message and executed by validators upgrading their binary at the scheduled height. No EVM mempool exists. Admin transactions in the EVM sense do not apply to this substrate.
RD-F-103 n/a Bridge signer-set change proposed/executed dYdX v4 has no protocol-operated bridge with an EVM-style signer set. The wethDYDX Ethereum bridge was discontinued June 13, 2025 via governance vote. IBC is Cosmos-native interoperability secured by light-client verification of the counterparty chain's validator set, not a signer-set bridge; the relevant trust assumption for USDC inflow is therefore the Noble validator set, not a guardian multisig. The signal targets bridge guardian/oracle sets (Wormhole, LayerZero, Axelar), none of which dYdX v4 operates.
RD-F-106 n/a Cross-chain bridge unverified mint pattern dYdX v4 is not a bridge protocol and has no cross-chain bridge with a mint/proof model. IBC USDC inflow from the Noble chain is Cosmos-native interoperability, not a bridge with proof-based minting. The profile flags has_bridge_surface: false and is_a_bridge: false.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain signal requiring signing telemetry. dYdX v4 validators sign blocks via CometBFT consensus; no public device fingerprint or geographic telemetry is available for validator signing patterns, and the Cosmos validator ecosystem does not expose this data. Manual curator assessment with validator operator contacts would be required.
RD-F-182 n/a Security-Council threshold reduction (RT) dYdX v4 has no EVM-style Security Council multisig or bridge guardian council with a programmable threshold parameter. Governance is Cosmos x/gov with 21-day unbonding, not a threshold-reducible multisig. The RD-F-182 signal specifically targets SC threshold-reduction events in bridge/protocol security councils (Drift Protocol class). The Cosmos validator-set Nakamoto coefficient (5 validators for 33.4% veto) is a distinct concern but is not a threshold-reducible multisig event in the F182 sense.
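The RD-F-182 note above cites the validator-set Nakamoto coefficient as the concentration concern that replaces a multisig threshold on this substrate. The Go program below is an added illustration of how that number is computed from a bonded-power list; it is not defirisk.co tooling and not dYdX code. It evaluates both CometBFT thresholds: a coalition holding at least 1/3 of power can stall consensus by withholding precommits, and one holding more than 2/3 can commit on its own. The validator list is constructed and does not reproduce the live dYdX Chain set; the figure of five in the note refers to the real set at assessment time.

```go
package main

import (
	"fmt"
	"sort"
)

// Validator is one consensus participant with its bonded voting power.
type Validator struct {
	Moniker string
	Power   int64
}

// Coalition is the smallest largest-first set whose power crosses a threshold.
type Coalition struct {
	Count    int
	Monikers []string
	Power    int64 // combined power of the coalition
	Total    int64 // total power in the validator set
}

// NakamotoCoefficient returns the fewest validators, taken largest first, whose
// combined power reaches num/den of the total. CometBFT commits a block only with
// precommits from more than 2/3 of power, so a set holding at least 1/3 can stall
// the chain by withholding votes (strict=false, num/den=1/3), and a set holding
// more than 2/3 can commit on its own (strict=true, num/den=2/3).
func NakamotoCoefficient(vals []Validator, num, den int64, strict bool) Coalition {
	s := append([]Validator(nil), vals...)
	sort.Slice(s, func(i, j int) bool { return s[i].Power > s[j].Power })
	var c Coalition
	for _, v := range s {
		c.Total += v.Power
	}
	for _, v := range s {
		c.Count++
		c.Monikers = append(c.Monikers, v.Moniker)
		c.Power += v.Power
		// Cross-multiply so the comparison stays in integers (no float rounding).
		lhs, rhs := c.Power*den, c.Total*num
		if (strict && lhs > rhs) || (!strict && lhs >= rhs) {
			return c
		}
	}
	return c
}

// SampleSet is a constructed 15-validator distribution summing to 100 units of
// power; it is not the live dYdX Chain validator set.
var SampleSet = func() []Validator {
	powers := []int64{9, 8, 8, 8, 7, 7, 7, 7, 7, 6, 6, 6, 5, 5, 4}
	vals := make([]Validator, len(powers))
	for i, p := range powers {
		vals[i] = Validator{fmt.Sprintf("val-%02d", i+1), p}
	}
	return vals
}()

func main() {
	halt := NakamotoCoefficient(SampleSet, 1, 3, false)
	ctl := NakamotoCoefficient(SampleSet, 2, 3, true)
	fmt.Printf("liveness: %d validators hold %d/%d power (>=1/3), can halt: %v\n", halt.Count, halt.Power, halt.Total, halt.Monikers)
	fmt.Printf("safety:   %d validators hold %d/%d power (>2/3), can commit alone\n", ctl.Count, ctl.Power, ctl.Total)
}
```

On the constructed set the liveness coalition is five validators (40 of 100 power) and the safety coalition is nine (68 of 100). The input for a real assessment is the bonded-power column of the active set, which any Cosmos explorer exposes; co-hosting or shared key custody across those top operators, which this calculation cannot see, lowers the effective coefficient further.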
RD-F-101 green Large governance proposal queued dYdX v4 uses Cosmos x/gov with 4-day standard voting period, 1-day expedited, 33.4% quorum. 21-day unbonding blocks flash-loan voting-weight attacks. Chain upgrade proposals (v4.0 Apr 2024, v5.0, subsequent) have followed normal cadence with public forum discussion. No anomalous proposals with short-fused voting or unusual proposer wallet profiles detected from Mintscan and dydx.forum review. Governance delay exceeds 48-hour tier-B threshold.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue dYdX v4 TVS is 100% USDC (via IBC from Noble chain). USDC is at peg ($0.9997-$1.0002 range per current market data). Depeg threshold (>2%, sustained 30+ min) is not breached. A USDC depeg of >2% would directly affect 100% of TVS ($99.1M) and this signal would fire. Current posture is clean.
RD-F-108 green GitHub force-push to sensitive branch GitHub repo dydxprotocol/v4-chain is active (last commit 2026-05-14 per data cache) with AGPLv3 open-source licensing. No evidence of force-push events or non-protocol account sensitive-branch pushes in available public data. The repo has a standard collaborative development cadence consistent with branch-protection policies on a mature, audited protocol.
RD-F-110 green Unusual pending/executed proposal ratio dYdX Chain governance shows normal cadence. Major chain upgrade proposals (v4.0 April 2024, v5.0, subsequent chain upgrades) follow standard forum-discussion-to-on-chain-proposal flow. The governance forum (dydx.forum) shows active discussion matching proposal cadence. No anomalous pending/executed ratio visible from available Mintscan and forum data.
Dev identity & insider risk Green 0 16 of 16
RD-F-117 n/a ENS/NameStone identity bound to deployer dYdX v4 is a Cosmos-SDK appchain (non-EVM substrate). No EVM deployer EOA exists, and no ENS registry exists on the dYdX appchain; ENS is an Ethereum-native naming system and does not apply to Cosmos bech32 addresses. Per protocol-profile §11 flag: F117 = not_applicable on non-EVM substrate per U7.
RD-F-122 gray Contributor paid to DPRK-cluster wallet dYdX Labs is a US-incorporated legal entity (dYdX Trading Inc.) paying employees via standard corporate payroll, not via on-chain wallet routing. On the Cosmos substrate, on-chain contributor payment routing is not indexed by standard Chainalysis-style public tools. No adverse signals (DPRK-cluster payment routing) identified in available public sources. Full chain-hop analysis via a Cosmos explorer would be required for definitive clearance. Gray (requires_curator_input) because of substrate limitations on automated chain-hop analysis, not because of adverse signals.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged evidence of a team contributor or external integrator persona deploying >=1M USDC/USD of real capital to dYdX Chain to build credibility ahead of a social-engineering attack. The Feb 2026 npm/PyPI attack vector was external credential theft against package registries, not a 6-month social-engineering capital-deployment buildup (the Drift/UNC4736-class pattern that motivates this factor). F184 is a P1 manual (M) curation factor requiring curator OSINT confidence beyond the on-chain trail. No positive evidence of the Drift-class pattern. Scored gray (requires_curator_input) pending curator review. Comparator: Drift Protocol (the F184 motivating case) suffered a confirmed 6-month in-person social-engineering campaign with >=1M of real-capital deposits; no analogous pattern identified for dYdX v4.
RD-F-111 green Team doxx status Team fully doxxed. Antonio Juliano (founder/CEO dYdX Labs): real name, Princeton CS BSE graduate, ex-Coinbase and Uber software engineer, Forbes 30u30 2022 Finance sector, Cointelegraph Top 100, Blockworks speaker, LinkedIn profile with full employment history, returned as CEO per public blog. dYdX Foundation named officers: Charles d'Haussy (CEO), Joshua Watts (COO), council members Arthur Cheong, Rebecca Rettig, Markus Spillman. Foundation incorporated as a named not-for-profit in Zug, Switzerland. No anonymous or pseudonymous-only leadership layer.
RD-F-112 green Team public accountability surface Very high accountability surface. Juliano: LinkedIn with full employer history (MongoDB, Coinbase, Uber, Weipoint, dYdX), Forbes 30u30 Finance 2022 citation, conference speaker profile (Blockworks), IQ.wiki, multiple published media interviews. dYdX Trading Inc. (dYdX Labs) is a US-incorporated legal entity. dYdX Foundation is a Swiss not-for-profit with named council. Per count: Juliano alone exceeds 5 verifiable public trails. Foundation officers similarly public.
RD-F-113 green Team other-protocol involvement history No prior rug or exit-scam affiliation identified for any team member. Juliano's prior protocol: Weipoint (2017, Ethereum search engine, no adverse history -- company wound down, not a rug). dYdX v1 through v3 had clean team history (v3 YFI insurance incident was market manipulation by an external attacker, not team malfeasance). Web search for 'dYdX rug exit scam fraud' returned zero protocol-specific adverse results.
RD-F-114 green Deployer address prior on-chain history Cosmos appchain -- no single EVM deployer EOA (data cache deployer.address: null). Trust root assessed via genesis validator set: Chorus One, Luganodes, Provalidator, and 60+ other institutional professional validators. All identified validators are named entities with public validator blogs, established Cosmos operations, and no adverse prior history. Binary release signers are dYdX Labs engineers (dydxprotocol GitHub org, active since 2018). No prior rug or adverse on-chain history in the trust-root set.
RD-F-115 green Prior rug/exit-scam affiliation No prior rug or exit-scam affiliation for any named team member or Foundation officer. Antonio Juliano: founding track record is continuous dYdX (2017+), Weipoint (legitimate prior project, no exit scam label). Foundation council: Arthur Cheong, Rebecca Rettig, Markus Spillman -- no adverse history found. Web search for dYdX rug/fraud returned only generic rug-pull educational content with no dYdX-specific adverse results.
RD-F-116 green Contributor tenure at admin-permissioned PR Cosmos x/gov model: no EVM-style admin-permissioned PRs that directly execute on-chain changes. Binary release signing (the closest analog) performed by dYdX Labs engineering team, which has been active on the dydxprotocol GitHub org since 2018 (v1 dYdX). v4-chain repo active since 2022 pre-mainnet. 179+ contributors in past year with most recent commit 2026-05-14. Long-tenured contributor base; no evidence of recent short-tenure contributor granted admin-equivalent signing permissions.
RD-F-118 green Handle reuse across failed/rugged projects No social handle reuse across failed or rugged projects identified. The dYdX brand and @dydx X/Twitter handle have been continuously associated with dYdX since 2017 founding. Antonio Juliano's personal handles are consistent with a single public identity. Weipoint (prior project) is documented in employment history, not a rebranded alias. No evidence of handle recycling from a prior rug or exit scam.
RD-F-119 green Commit timezone consistent with stated geography dYdX Labs is stated to be based in San Francisco, CA (US Pacific timezone). GitHub v4-chain repo has 179+ contributors over past year with commit activity visible through 2026-05-14. Available contributor handle evidence (Kefancao, davidli1997, ledigang, anmolagrawal345 etc.) is consistent with a mixed US/international engineering team. No published third-party analysis flags anomalous DPRK-timezone (UTC+9) commit patterns. Low-confidence green: full commit-hour distribution analysis not performed; no adverse signals found in available data.
RD-F-120 green Video-off/voice-consistency flag No video-off or voice/timezone inconsistency flags identified for any named team member. Antonio Juliano appears in public video interviews and conference talks (Blockworks, Unchained podcast, others) as a clearly identified individual. Foundation CEO Charles d'Haussy similarly has public video/conference presence. No curator observations of video-off behavior or timezone inconsistency patterns in available evidence.
RD-F-121 green Contributor OSINT depth score Contributor OSINT depth score: 5/5 (strongest tier). Antonio Juliano has exceptionally deep OSINT trail: LinkedIn (full employment history MongoDB/Coinbase/Uber/Weipoint/dYdX), Princeton University CS degree on record, Forbes 30u30 Finance 2022, Cointelegraph Top 100, Wellfound founder profile, multiple long-form interview transcripts (Alejandro Cremades interview documents full career arc), Blockworks speaker. Foundation officers (d'Haussy, Watts, Cheong, Rettig, Spillman) are separately named public figures. No thin or anonymous leadership layer identified.
RD-F-123 green Sudden admin-rescue/ACL change without discussion CRITICAL FACTOR -- GREEN. dYdX v4 has no EVM-style admin key, multisig ACL, or admin-rescue function. All protocol-parameter changes require on-chain x/gov governance proposals with mandatory deposit period, 4-day standard voting period (1-day expedited), and quorum threshold. Protocol upgrades (chain v4.0 April 2024) and bridge discontinuation (Dec 2024) were preceded by documented governance forum discussion at dydx.forum and on-chain proposals viewable via Mintscan. The Feb-2026 npm/PyPI supply-chain attack was an external credential theft against package publishing infrastructure -- it did not involve on-chain admin manipulation, no insider active-participation has been confirmed (Socket.dev: 'developer account compromise', no specific insider named), and the on-chain protocol was unaffected per dYdX's own clarification. No admin-rescue function or sudden ACL change pattern exists on this Cosmos substrate.
RD-F-124 green Deployer wallet mixer-funded within 30 days CRITICAL FACTOR -- GREEN (Cosmos reframe). No single EVM deployer EOA for dYdX v4 (data cache deployer.address: null; Cosmos appchain). Trust root funding assessed via institutional chain: dYdX Labs funded by Paradigm ($65M Series C lead), a16z (Series A + Series B participant), Polychain Capital (Series A + Seed) -- all institutional VCs with named, doxxed identities and no mixer-fund history. Genesis validators (Chorus One, Luganodes, Provalidator, 60+ others) are professional institutional operators with clean funding profiles. No mixer-sourced (Tornado Cash, Railgun) funds identified in any privileged party's funding trail within any window.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus CRITICAL FACTOR -- GREEN. No DPRK/Lazarus nexus confirmed to dYdX Labs team, Foundation officers, or v4-chain trust root. Comprehensive search across OFAC SDN list criteria and Chainalysis-class cluster patterns: zero adverse hits for Antonio Juliano, Eddie Zhang (dYdX Labs President), Charles d'Haussy (Foundation CEO), Joshua Watts (Foundation COO), Arthur Cheong, Rebecca Rettig, Markus Spillman (Foundation council), or identified genesis validators. The Feb-2026 npm/PyPI supply-chain attack has no confirmed DPRK/APT attribution as of 2026-05-17 per both Socket.dev and The Hacker News reporting. dYdX as a perps venue through which laundering may pass does not constitute team-level contamination (U4 protocol reframe from orchestrator). RD-F-125 red requires confirmed DPRK/OFAC nexus to the TEAM -- not present.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of dYdX v4 is an original Cosmos-SDK appchain written from scratch in Go, not a fork of any other DeFi protocol. Per profile: v4 is a from-scratch appchain rewrite. The README describes sovereign blockchain software built using Cosmos SDK and CometBFT. All custom modules (x/clob, x/perpetuals, x/prices, x/subaccounts, x/vault) are original dYdX implementations.
RD-F-127 n/a Upstream patch not merged Not a fork; the factor is structurally moot. As a library-dependency note: cosmos-sdk ISA-2025-005 (integer overflow in x/distribution, affects <= v0.50.13) was patched in dYdX protocol/v8.2.0 (July 2025), well ahead of the 90-day window. The current main branch uses the dYdX cosmos-sdk fork at v0.50.6-0.20260428, incorporating current upstream security patches. Caveat: the base tag of a fork pseudo-version (v0.50.6 here) says nothing about which upstream fixes have been backported; patch status has to be read from the fork commit and the protocol release notes rather than from the upstream version string.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not a fork; the factor is structurally moot. Library-dependency note: no new critical cosmos-sdk or cometbft security advisories in the 90 days before the May 2026 assessment affect the current dYdX fork. ISA-2025-005 patched July 2025; ISA-2025-002 (x/group, v0.50.12) addressed in prior releases.
RD-F-129 n/a Code divergence from upstream (%) Original protocol, not a fork. No upstream fork point to diff against.
RD-F-130 n/a Fork depth (generations from original audit) Not a fork; fork depth = 0 (not applicable).
RD-F-131 n/a Fork retains upstream audit coverage Not a fork. dYdX v4 has its own independent audit coverage via Informal Systems (6+ engagements). Upstream audit retention is not relevant.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork. No upstream economic parameters to diverge from.
RD-F-133 green Dependency manifest uses unpinned versions dYdX v4 uses Go modules (go.mod + go.sum). All dependencies are pinned to exact versions or pseudo-versions: cosmos-sdk at v0.50.6-0.20260428191449-a212821dc2c3 (dYdX fork), cometbft at v0.38.6-0.20260428184537-904204b11c9e (dYdX fork), slinky at v1.3.2, ibc-go at v8.5.1, go-ethereum at v1.14.11. go.sum provides cryptographic hash pinning (h1: SHA-256-based hashes of module content) for every module in the build, transitive dependencies included, and `go mod verify` checks the local module cache against it. Go modules have no version-range syntax, so unpinned ranges are not possible. Two review caveats: where a replace directive points cosmos-sdk and cometbft at the dYdX forks, upstream advisories keyed on the upstream path@version do not describe the code actually built; and a pseudo-version names an untagged commit whose contents must be checked directly.
RD-F-134 green Dependency had malicious-release incident (last 90d) The Feb 2026 npm/PyPI compromise targeted the @dydxprotocol/v4-client-js npm package and the dydx-v4-client PyPI package: client SDK packages, not Go module dependencies of the v4-chain binary. The source explicitly confirms the on-chain Go binary unaffected: "the versions of dydx-v4-clients hosted in the dydxprotocol Github do not contain the malware". No malicious-release advisory affecting the Go dependency tree in the trailing 90 days.
RD-F-135 green Shared-library version with known-vuln status dYdX maintains custom forks of cosmos-sdk and cometbft with security patches applied. ISA-2025-005 (critical, cosmos-sdk <= v0.50.13, integer overflow in x/distribution) was patched in protocol/v8.2.0 (July 2025). v9.6.1 release notes confirm further security updates ("upgrade cometbft and cosmos-sdk for tachyon security fix"). v9.6.3 (May 14, 2026, current latest) contains a height-poisoning fix via a cosmos-sdk/cometbft upgrade. No active high/critical advisory for the current dYdX fork versions identified. Because the forks carry pseudo-versions rather than upstream tags, advisory matching has to be done against the fork commits and release notes, not by comparing the upstream version string.
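RD-F-133 and RD-F-135 rest on two checks a reviewer can automate: that every requirement has a content hash in go.sum for the module that is actually built (the replacement target when a replace directive points at a fork), and that fork pseudo-versions are surfaced as untagged commits whose patch status cannot be read off an upstream release tag. The Go program below is an added example written for this page, not part of v4-chain and not the rubric's tooling. Its go.mod and go.sum inputs are constructed: the version strings follow the RD-F-133 note, the dydxprotocol fork module paths are assumed, and the h1: hashes are placeholders. go-ethereum is deliberately given only a /go.mod line in go.sum, the situation where a module's manifest is pinned but its code is not.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Req is a module requirement or replace target; Finding.Kind is replaced, missing-go.sum or pseudo-version.
type Req struct{ Path, Version string }
type ModFile struct {
	Require []Req
	Replace map[string]Req // original module path -> replacement
}
type Finding struct{ Kind, Module, Detail string }

// Go pseudo-versions end in a 14-digit UTC timestamp and a 12-hex-char commit prefix.
var pseudoRE = regexp.MustCompile(`\d{14}-[0-9a-f]{12}$`)

// ParseGoMod extracts require and replace directives (single-line and block forms).
func ParseGoMod(src string) ModFile {
	m := ModFile{Replace: map[string]Req{}}
	block := "" // "require" or "replace" while inside a ( ... ) block
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		kind := block
		if block == "" && (f[0] == "require" || f[0] == "replace") {
			if len(f) == 2 && f[1] == "(" {
				block = f[0]
				continue
			}
			kind, f = f[0], f[1:]
		} else if f[0] == ")" {
			block = ""
			continue
		}
		switch {
		case kind == "require" && len(f) >= 2:
			m.Require = append(m.Require, Req{f[0], f[1]})
		case kind == "replace" && len(f) >= 4 && f[len(f)-3] == "=>": // old [ver] => new ver
			m.Replace[f[0]] = Req{f[len(f)-2], f[len(f)-1]}
		}
	}
	return m
}

// ParseGoSum returns the "path version" pairs that carry a content hash; a
// "/go.mod" line alone pins the manifest, not the code that gets compiled.
func ParseGoSum(src string) map[string]bool {
	seen := map[string]bool{}
	for _, l := range strings.Split(src, "\n") {
		if f := strings.Fields(l); len(f) == 3 && strings.HasPrefix(f[2], "h1:") && !strings.HasSuffix(f[1], "/go.mod") {
			seen[f[0]+" "+f[1]] = true
		}
	}
	return seen
}

// Check resolves each requirement through replace, then asks whether the module
// actually built is hash-pinned in go.sum, is a fork, and is an untagged commit.
func Check(m ModFile, sum map[string]bool) []Finding {
	var out []Finding
	for _, r := range m.Require {
		eff := r
		if rep, ok := m.Replace[r.Path]; ok {
			eff = rep
			out = append(out, Finding{"replaced", r.Path, "built from " + rep.Path + " " + rep.Version + "; upstream advisories for " + r.Path + " do not describe this code"})
		}
		if !sum[eff.Path+" "+eff.Version] {
			out = append(out, Finding{"missing-go.sum", eff.Path, "no h1: content hash for " + eff.Version + "; not pinned"})
			continue
		}
		if pseudoRE.MatchString(eff.Version) {
			out = append(out, Finding{"pseudo-version", eff.Path, eff.Version + " is an untagged commit; map it to a release before trusting patch claims"})
		}
	}
	return out
}

// Constructed inputs: versions follow RD-F-133, fork paths are assumed, hashes are placeholders.
const SampleGoMod = `module github.com/example/appchain
require (
    github.com/cosmos/cosmos-sdk v0.50.6-0.20260428191449-a212821dc2c3
    github.com/cometbft/cometbft v0.38.6-0.20260428184537-904204b11c9e
    github.com/skip-mev/slinky v1.3.2
    github.com/ethereum/go-ethereum v1.14.11 // indirect
)
replace github.com/cosmos/cosmos-sdk => github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260428191449-a212821dc2c3
replace github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20260428184537-904204b11c9e
`
const SampleGoSum = `github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260428191449-a212821dc2c3 h1:PLACEHOLDER0000000000000000000000000000000000=
github.com/dydxprotocol/cometbft v0.38.6-0.20260428184537-904204b11c9e h1:PLACEHOLDER0000000000000000000000000000000001=
github.com/skip-mev/slinky v1.3.2 h1:PLACEHOLDER0000000000000000000000000000000002=
github.com/ethereum/go-ethereum v1.14.11/go.mod h1:PLACEHOLDER0000000000000000000000000000000003=
`

func main() {
	for _, f := range Check(ParseGoMod(SampleGoMod), ParseGoSum(SampleGoSum)) {
		fmt.Printf("%-15s %s: %s\n", f.Kind, f.Module, f.Detail)
	}
}
```

Run against the constructed inputs it reports the two fork redirections, the two pseudo-versions behind them, and the missing content hash for go-ethereum; slinky, a tagged release with an h1: line, produces nothing. Against a real checkout the same logic runs over the repository's go.mod and go.sum, and `go mod verify` then confirms that what is in the module cache matches those hashes.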
Post-deploy hygiene & change mgmt Green 19 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Go binary releases on GitHub use GPG-signed tags: release protocol/v9.4.0 was signed by committer jusbar23 (GPG key 8BD52CBD93180098) and by GitHub's web-flow key (B5690EEEBB952194). However, checksums for the compiled Go artifacts were not confirmed on the release page, so a validator cannot tie the binary it runs back to the signed tag without rebuilding. The early-2026 npm/PyPI compromise showed developer-credential risk for the client libraries (not the chain binary), which demonstrates underlying developer-account exposure. Yellow: signed tags exist; binary checksum confirmation absent.
RD-F-137 yellow Upgrade frequency (per 90 days) Multiple major software upgrades in 2025: v8.0 (January 2025), v9.0 (September 2025), emergency patch (October 2025). Counting minor releases, 2-3 binary upgrades per 90-day window are typical. Cosmos upgrades are whole-binary version changes, not granular EVM proxy-slot changes. Yellow: moderate-to-high upgrade frequency consistent with active protocol development.
RD-F-139 yellow Post-audit code changes without re-audit Informal Systems maintains a continuous quarterly audit program: Q1 2024, Q2 2024, Q2+ supplemental 2024, Q3 2025 Proposer Selection Updates, plus the Vaults audit for MegaVault. Major upgrades v4.0, v8.0 and v9.0 all had governance proposals and pre-deployment audit coverage. Identified gaps: (1) the October 2025 emergency chain-halt patch was deployed without pre-deployment audit coverage (emergency scenario); (2) rapid v9.x minor versions between quarterly audits may include unaudited incremental changes. Yellow: strong continuous audit program, but one confirmed instance (Oct 2025 emergency patch) of unaudited code deployed.
RD-F-145 yellow Deployed bytecode reproducibility dYdX v4 is fully open-source Go (AGPLv3). Go builds are bit-for-bit reproducible only when the toolchain version, target platform and build flags match the release build (in particular -trimpath, so that build paths are not embedded, and a fixed CGO_ENABLED setting); without a published recipe a third party cannot expect to reproduce the release hash. No explicit reproducible-build attestation (a documented build recipe with published checksums, or a signed provenance statement such as SLSA) was confirmed in the release notes. Yellow: broadly reproducible from public source; formal reproducible-build attestation not confirmed.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant dYdX Chain has demonstrated chain-pause capability: in October 2025 the chain halted automatically via a consensus failsafe when the collateral-pool accounting error surfaced, preventing further fund movement until the validator set coordinated a patched binary. This effectively served as an outflow rate-limiter in practice. No formal per-window USD outflow rate-limiter exists (EVM-style). The insurance fund covers residual losses via governance vote. Yellow: demonstrated chain-pause capability (positive mitigant); no formal per-window rate-limiter.
RD-F-142 n/a Storage-layout collision risk across upgrades Not applicable. Cosmos SDK state is stored in IAVL Merkle trees keyed by module store prefixes; there is no EVM storage-slot layout, no OpenZeppelin upgrades plugin and no proxy storage-collision risk. State migrations for breaking changes use upgrade handlers reviewed as part of governance proposals. N/A by substrate.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) Not applicable. No EVM proxy pattern, no OpenZeppelin initialize() and no _disableInitializers() pattern on a Cosmos SDK appchain. Go module initialization is a compile-time/genesis-time concern with no proxy re-initialization attack surface. N/A by substrate.
RD-F-144 n/a CREATE2 factory permits same-address redeploy Not applicable. No EVM deployment pattern and no CREATE2 factory on the Cosmos appchain. Go modules do not have EVM address-space deployment mechanics. N/A by substrate.
RD-F-168 gray Stale-approval exposure on deprecated router Cosmos reframe: no EVM router or ERC-20 approvals on the dYdX appchain itself. The Ethereum-side wethDYDX bridge contract (discontinued June 2025) may still carry residual user ERC-20 approvals, but this is on Ethereum, not the appchain, and the bridge is permanently disabled. The exact residual approval count was not enumerated. Gray: the ERC-20 approval scanning pipeline was not configured for Ethereum-side deprecated contracts in this assessment.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No governance-bypassing patches identified in the last 30 days (assessment date May 2026). The October 2025 emergency patch is outside the 30-day window. Green: zero hot-patches in last 30 days.
RD-F-140 green Fix-merged-but-not-deployed gap No evidence of a known-vulnerability fix merged to the repo but not deployed. The October 2025 chain-halt patch was deployed within ~8 hours of halt. No fix-merged-but-undeployed gap identified.
RD-F-141 green Test-mode parameters in deploy No evidence of test-mode parameters in production chain configuration. Chain has been live since October 2023, processed billions in trading volume, and genesis configuration was reviewed by Informal Systems in multi-phase audits.
RD-F-146 green New contract deploys in last 30 days Cosmos reframe: on-chain state changes via governance (new market listings, parameter changes) rather than new EVM contract deploys. No major new protocol-module deploys identified in the last 30 days. The validator set reduction was governance-executed. Green: no large fresh attack surface expansion in last 30 days.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface No protocol-operated bridge. dYdX v4 is a sovereign Cosmos-SDK perpetuals DEX. USDC inflow is via IBC from Noble chain (Cosmos-native interoperability, not a protocol bridge). wethDYDX Ethereum bridge is discontinued (June 2025 governance vote) and was governance-token only, not TVL-bearing. has_bridge_surface=false per profile §7.
RD-F-148 n/a Bridge validator count (M) No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-149 n/a Bridge validator threshold (k-of-M) No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-150 n/a Bridge validator co-hosting No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) No EVM bridge operated by the protocol. No ecrecover usage in protocol value-bearing path. has_bridge_surface=false. F151 star-critical factor: not applicable — no bridge surface to assess.
RD-F-152 n/a Bridge binds message to srcChainId No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-154 n/a Default bytes32(0) acceptable as valid root No protocol-operated bridge with Merkle root validation. No bytes32(0) root acceptance risk. has_bridge_surface=false. F154 star-critical factor: not applicable — no bridge surface to assess.
RD-F-155 n/a Bridge validator-set rotation recency No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-156 n/a Bridge uses same key custody for >30% validators No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-157 n/a Bridge TVL per validator ratio No protocol-operated bridge. has_bridge_surface=false. Cat 10 fully N/A.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) No LayerZero OFT integration. Data cache confirms layerzero.present=false. dYdX v4 is a Cosmos appchain with no LayerZero endpoint. has_bridge_surface=false.
Threat intelligence & recon Red 78 8 of 8
RD-F-160 red GitHub malicious-dependency incident touching protocol deps CONFIRMED active F160-class malicious-dependency incident. Packages @dydxprotocol/v4-client-js (npm versions 3.4.1, 1.22.1, 1.15.2, 1.0.31) and dydx-v4-client (PyPI version 1.1.5post1) were confirmed malicious releases. Detected by Socket.dev on January 27, 2026; disclosed to dYdX January 28, 2026 at 12:19 UTC. Malware payload: wallet stealer (seed phrase + device fingerprint exfiltration to dydx.priceoracle.site) in npm; wallet stealer plus RAT enabling arbitrary code execution in PyPI. Attack vector: developer account compromise on npm/PyPI publishing infrastructure (method unconfirmed per Socket). The on-chain v4-chain Go binary was NOT affected — only client SDK libraries. Packages accumulated 121,539 downloads between July 2025 and January 2026. dYdX acknowledged via X on January 28, 2026, urging users to isolate machines, move funds from a clean system, and rotate API keys.
RD-F-161 red Protocol-impersonator domain registered (typosquat) CONFIRMED typosquat domain registration linked to the Jan 2026 supply-chain attack. Threat actor registered priceoracle.site on January 9, 2026, approximately 18 days before malicious package publication (Jan 27, 2026). The subdomain dydx.priceoracle.site served as the C2/exfiltration endpoint for the wallet stealer. Domain mimicked dYdX oracle infrastructure (dydx + priceoracle = dual brand deception). Domain status at reporting: server transfer prohibited / client hold — indicating seizure/lockdown. Additional historical context: Jul 2024 DNS hijacking targeted dydx.exchange domain (now migrated to dydx.xyz after Cloudflare registrar move) — demonstrates persistent pattern of dYdX-adjacent domain targeting.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols The Jan 2026 supply-chain attack showed a documented 18-day reconnaissance window: priceoracle.site domain registered Jan 9, 2026, with malicious packages published Jan 27, 2026. This is on the shorter end of the USPD 78-day benchmark but demonstrates planned pre-strike infrastructure setup. The Jul 2024 DNS hijacking was part of a broader Squarespace-domain attack wave; reconnaissance time unknown but coordinated. For similar-class protocols (high-profile perps DEX with large developer integrator base), 18-day preparatory windows are within the expected attacker lifecycle for supply-chain-class attacks. Yellow: evidence exists of pre-strike reconnaissance on dYdX-specific attacks within the last 12 months.
RD-F-158 gray Known-threat-actor cluster has touched protocol T-09 phase-2 signal. No confirmed Lazarus/DPRK or other known threat-actor cluster touch on dYdX v4 Cosmos-chain addresses per public threat intelligence as of 2026-05-17. The Jan 2026 supply-chain attacker has no confirmed cluster attribution per Socket.dev and TheHackerNews reports. Cosmos-chain addresses require proprietary Chainalysis/TRM feed not available via public sources. dYdX proactively blocked EVM-side TC-linked user accounts in Aug 2022, demonstrating compliance awareness, not team contamination.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Cosmos-appchain equivalent would be failed low-fee transactions to x/clob or x/bank; no public mempool monitoring infrastructure exists for dYdX's Cosmos appchain to assess this signal. The Jan 2026 supply-chain attack infrastructure showed no on-chain mempool-probe pattern — it was a package-repository injection, not on-chain reconnaissance.
RD-F-162 n/a Known-exploit-template selector deployed by any address Cosmos appchain uses Protobuf message types, not EVM function selectors. The exploit-template selector-pattern detection framework (based on EVM 4-byte selectors matching known exploit contracts) does not apply to the dYdX v4 on-chain protocol. A dYdX-specific exploit template for the Cosmos CLOB module does not exist in public exploit repositories.
RD-F-164 gray Leaked credential on paste/sentry site The Jan 2026 supply-chain attack involved developer account credential compromise for npm/PyPI publishing. The mechanism (credential stuffing, phishing, or paste-site credential reuse) is not confirmed per Socket.dev report. No specific evidence of credentials appearing on paste sites or Sentry-alt instances has surfaced in public sources. Requires proprietary paste-monitoring feed for formal assessment.
RD-F-165 gray Protocol social channel has scam-coordinator flag No public evidence of a dYdX Discord or Telegram community admin being flagged as a scam-coordinator in available watchlists. The dYdX Discord and Telegram have historically been targeted by impersonation scams common to high-profile DeFi protocols, but no specific channel-admin-level compromise is documented in public sources. Requires curator social watchlist review.
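For integrators checking their own exposure to the RD-F-160/RD-F-161 incident, an added example (editor's code, not dYdX's or defirisk.co's tooling) that scans an npm lockfile and a requirements.txt for the malicious SDK versions named above and scans DNS log lines for the C2 domain. The lockfile, requirements and log lines are constructed sample inputs; the log line format (key=value fields with query=) is an assumption.

```python
"""Exposure check for the Jan 2026 dYdX client-SDK supply-chain incident."""
import json
import re

# Versions reported as malicious (as listed in this assessment). PyPI version
# string is compared as published, not PEP 440-normalized.
MALICIOUS = {
    "@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"},
    "dydx-v4-client": {"1.1.5post1"},
}
C2_DOMAIN = "dydx.priceoracle.site"  # exfiltration endpoint from the report


def scan_npm_lock(lock_text):
    """Return (name, version) pairs in a package-lock.json v2/v3 that match."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # "" is the root project; nested deps end in node_modules/<name>
        name = path.rsplit("node_modules/", 1)[-1] if path else lock.get("name", "")
        if meta.get("version") in MALICIOUS.get(name, set()):
            hits.append((name, meta["version"]))
    return hits


def scan_requirements(req_text):
    """Return pinned (name, version) pairs in a requirements.txt that match."""
    hits = []
    for line in req_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)", line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # pip name normalization
        if m.group(2) in MALICIOUS.get(name, set()):
            hits.append((name, m.group(2)))
    return hits


def scan_dns_log(log_text):
    """Return queried names that are the C2 domain or a subdomain of it."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if m and (m.group(1) == C2_DOMAIN or m.group(1).endswith("." + C2_DOMAIN)):
            hits.append(m.group(1))
    return hits


# Constructed sample inputs (not real project files or logs).
SAMPLE_LOCK = json.dumps({"name": "trading-bot", "lockfileVersion": 3, "packages": {
    "": {"name": "trading-bot", "version": "0.1.0"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "1.15.2"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_REQS = "requests==2.31.0\ndydx_v4_client==1.1.5post1\n"
SAMPLE_DNS = ("2026-01-28T09:12:01Z client=10.0.0.5 query=registry.npmjs.org type=A\n"
              "2026-01-28T09:12:07Z client=10.0.0.5 query=dydx.priceoracle.site type=A\n")
```

A hit in either scanner is a reason to treat the host as compromised per the vendor guidance above (isolate, move funds from a clean machine, rotate API keys), not merely to upgrade the package.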
Tooling / compiler / AI Green 0 5 of 5
RD-F-170 n/a Solc version used (known-bug versions flagged) dYdX v4 chain binary is written in Go, not Solidity. Data cache confirms solidity_version: null, foundry_toml_present: false. No solc compiler used for core protocol. Go toolchain is go1.23.x (supported, not EOL). Not applicable.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Bytecode similarity analysis for AI-copy risk targets EVM Solidity bytecode. No EVM bytecode in the core chain binary. Not applicable to Go/Cosmos architecture.
RD-F-174 n/a Dependency tree uses EOL Solidity version No Solidity in core chain binary. For Go toolchain: main branch specifies go 1.23.1 with toolchain go1.23.3, which is a supported active Go version as of assessment date. Not applicable in the Solidity-EOL sense; Go toolchain is current.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub repo is publicly accessible. No AI co-authorship metadata (GitHub Copilot Co-authored-by trailers) identified in dYdX v4-chain commits from web search or repository inspection. Active professional engineering team with full commit history. No specific AI-tool co-authorship disclosures for security-critical Go modules. Note: direct GitHub commit API scan was not performed; evidence is from search and repo overview.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure (blog, tweet, docs) by dYdX Labs or dYdX Foundation mentioning AI-generated Go code in security-critical chain logic. Protocol communications focus on protocol design and Informal Systems audits. Factor definition references Solidity; analog for Go is applied. No such disclosure found.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public Cantina program terms require reporters to submit within 24 hours of discovery — this is a reporter obligation, not a team acknowledgment SLA. No explicit team acknowledgment-time SLA (e.g., 72h ack) was found in the Cantina program terms or docs.dydx.xyz/policies/security. Yellow: disclosure window established but no published team-response SLA.
RD-F-175 green Disclosure channel exists Active bug bounty program on Cantina launched 2026-05-08 covering protocol layer, indexer, web client, and official client SDKs. Prior email program at bugbounty@dydx.exchange. Security documentation published at docs.dydx.xyz/policies/security. Multiple disclosure channels exist. Green.
RD-F-177 green Prior known-ignored disclosure No evidence found in any post-mortem or incident review that a disclosed vulnerability was reported to the dYdX v4 team and ignored before an exploit or incident. Apr 2024 chain halt: release engineering error (wrong IAVL library version), not a security disclosure. Oct 2025 incident: latent logic bug triggered by an edge-case market event, not a known-reported vulnerability. Feb 2026 supply-chain: external credential compromise, not an ignored internal security disclosure. Green.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory against dYdX v4 protocol identified. GitHub advisory database search returned no dYdX v4 on-chain protocol entries. The Feb 2026 SDK supply-chain compromise may warrant a GHSA on the npm/PyPI packages themselves, but no formal advisory against the on-chain protocol was found. Green.
rubric_version v1.7.0 graded_at 2026-05-17 11:33:46 factors 184 protocol dydx-v4