EigenLayer
The foundational Ethereum restaking primitive enabling native ETH and LST restakers to extend cryptoeconomic security to Actively Validated Services (AVSs) via delegation and opt-in slashing.
Deployments: Ethereum · $8.9B
Risk profile at a glance
0 red · 3 yellow · 9 green
Categories & evidence
184 factors · 13 categories
Code & audits Green 6 25 of 25
RD-F-002 yellow Audit recency Most recent full-scope core-contract audit: Sigma Prime + Certora Feb 2025 + Cantina Mar 2025 (slashing release). Sigma Prime's Feb 2026 engagement covers the Rewards v2.2 sidecar only, not core contracts (DelegationManager, EigenPodManager, AllocationManager). Core contracts are approximately 14 months from their last full-scope audit as of 2026-04-28. Certora Hourglass (Aug 2025) covers a narrower scope. The rolling audit program is active, but core-contract coverage has a gap.
RD-F-007 yellow Bug bounty presence & max payout Immunefi bug bounty program active with a confirmed $2M floor (per Stage 1 launch blog, 2023). The August 2025 Immunefi disclosure of an EigenPods vulnerability was handled effectively, demonstrating an active program. The live Immunefi page (immunefi.com/bug-bounty/eigenlayer/) returned 404 and the docs page (docs.eigencloud.xyz/eigenlayer/security/bug-bounty) returned 403 as of 2026-04-28. Current maximum payout and the exact in-scope contract list cannot be verified from live sources. Scored yellow for inaccessible live scope confirmation.
RD-F-024 yellow Code complexity vs audit coverage EigenLayer's beacon chain proof verification (EigenPod) is exceptionally complex. Hexens found a critical Merkle bit-length validation gap (EIG-10) in the nested Merkle tree system. Certora found a critical validator hazard in the checkpoint/Electra interaction. Both were pre-exploitation findings, demonstrating that the complexity has strained audit coverage at least twice. AllocationManager was split into two contracts for size (v1.9.0). However, 22 audit engagements across 4 firms over 3 years provide an adequate coverage-per-complexity ratio overall.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program page (404) and docs page (403) were inaccessible as of 2026-04-28, so live scope cannot be verified. The August 2025 EigenPods Immunefi disclosure was handled effectively, confirming that the core TVL-bearing EigenPod contracts are in scope. No evidence of scope exclusion on the highest-TVL contracts (StrategyManager, DelegationManager, EigenPodManager). However, the $8.89B TVL vs $2M max bounty ceiling (confirmed 2023) creates a significant economic mismatch: the bounty cap is 0.02% of TVL, well below the 1% standard for large protocols. Scored yellow for the bounty cap-to-TVL mismatch and inability to verify current live scope.
RD-F-010 gray Static-analyzer high-severity count No tool run executed per methodology (published analysis only). The Olympix comparison study on EigenLayer found: (a) abi.encodePacked concerns in EigenPodManager.sol and DelayedWithdrawalRouter.sol; (b) locked Ether risk in DelayedWithdrawalRouter.sol (deprecated contract). Slither produced a high false-positive rate on reentrancy due to correctly implemented nonReentrant guards. No confirmed true-positive high-severity static analysis finding on current deployed bytecode. Marked gray; a programmatic tool run on current bytecode is required for definitive assessment.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned EigenLayer uses the Transparent Upgradeable Proxy (TUP) pattern, not UUPS. Under TUP, upgrades are controlled by the Proxy Admin contract (0x8b9566AdA63B64d1E1dcF1418b43fd1433b72444), not via _authorizeUpgrade(). This factor is N/A for TUP architecture. Upgrade admin posture belongs to Cat 2.
RD-F-001 green Audit scope mismatch 22 audit engagements across ConsenSys Diligence, Sigma Prime, Cantina, and Certora track deployed code from M1 (2023) through Rewards v2.2 (Feb 2026). Cantina competition commit 722f3cbeb7721431f1a2a4a73582f7981212e23d and Sigma Prime PR #679 provide commit-level anchoring for slashing release. One narrow uncertainty: the August 2025 EigenPods Pectra hotfix (v1.6.1) executed via community multisig may lack a dedicated post-fix external audit. Overall scope coverage across lifecycle is strong.
RD-F-003 green Resolved-without-proof findings No findings marked 'Resolved' without corresponding on-chain change. Code4rena 2023 H-01 (empty slot/block proof) and H-02 (loop increment misplacement) were confirmed and fixed. Sigma Prime slashing edge case in EigenPodManager._reduceSlashingFactor() was acknowledged as intentional design ('won't fix') with documentation — not a false resolution claim.
RD-F-004 green Audit count Four distinct Tier-1/Tier-2 firms with confirmed public audit reports covering deployed bytecode: ConsenSys Diligence, Sigma Prime, Cantina, Certora. Additionally, a Code4rena public contest (April 2023) and a Dedaub middleware audit (Feb 2024, middleware scope). 4 major firms across 22+ engagements represent one of the highest audit investments in DeFi.
RD-F-005 green Audit firm tier All four engaged firms are Tier-1: Certora (formal verification, Prover-based), Sigma Prime (Ethereum Foundation trusted, consensus client auditors), ConsenSys Diligence (institutional, industry standard), Cantina (competitive platform, multiple independent reviewers). No boutique or unverified firms.
RD-F-006 green Audit-to-deploy gap M1 mainnet: ConsenSys Diligence ended April 2023, launch June 2023 (~60 days). V1.0.0 Slashing: last audit (Cantina) completed March 2025, slashing launched April 17 2025 (~45 days). All major deployments within the 60-day acceptable window.
RD-F-008 green Ignored bounty disclosure No evidence of ignored disclosures. August 2025 EigenPods Immunefi disclosure was patched same day via community multisig. No post-mortem evidence of a disclosure that was ignored prior to exploitation. October 2024 investor compromise was an operational/custody event not a protocol vulnerability.
RD-F-009 green Formal verification coverage Certora has conducted at least 10 distinct formal verification engagements across EigenLayer (M4/PEPE Aug 2024; Duration Vaults Aug 2024; Incentive Council Aug 2024; V1.0.0 Slashing Feb 2025; MOOCOW Jun 2025; Multichain PT1 Jul 2025; Multichain pt2 Jul 2025; Merkle Jul 2025; Hourglass pt1 Aug 2025; Hourglass pt2 Aug 2025). A pre-launch Certora engagement detected a critical validator hazard in EigenPod checkpoint/Electra interaction and it was fixed before deployment. This represents among the strongest FV coverage in DeFi.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No evidence of SELFDESTRUCT opcode in production EigenLayer contracts. TUP and BeaconProxy patterns do not include selfdestruct in the upgrade path. No published audit finding references selfdestruct in any core contract. Assessment is based on published analysis; needs tool run for programmatic confirmation.
RD-F-012 green delegatecall with user-controlled target EigenLayer uses OZ TransparentUpgradeableProxy delegatecall to implementation address stored in EIP-1967 slot, set only by Proxy Admin (not user-controlled). No published audit finding identifies delegatecall-to-user-supplied-target. Certora and Sigma Prime broad-scope engagements would have surfaced this pattern.
RD-F-013 green Arbitrary call with user-controlled target No published audit finding identifies arbitrary call-with-user-controlled-target in EigenLayer core contracts. StrategyManager calls only whitelisted strategy contracts. No open call-with-user-data pattern found in published analysis. Needs tool run for programmatic confirmation on deployed bytecode.
RD-F-014 green Reentrancy guard on external-calling functions Confirmed: StrategyManager uses ReentrancyGuardUpgradeable with nonReentrant on queueWithdrawal and depositIntoStrategyWithSignature. DelegationManager has nonReentrant on queueWithdrawals. EigenPodManager has nonReentrant on createPod and recordBeaconChainETHBalanceUpdate. Olympix analysis confirmed these as correctly implemented. StrategyBase functions only callable via StrategyManager, blocking cross-contract reentrancy.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard EigenLayer accepts LST tokens (standard ERC-20, no ERC-777 callbacks). EIGEN and bEIGEN tokens are standard ERC-20. Protocol does not integrate ERC-777, ERC-1155, or ERC-721 hooks in its core deposit/withdrawal flow.
RD-F-016 green Divide-before-multiply pattern No published analysis flags divide-before-multiply as a confirmed true-positive. Certora formal verification engagements would detect integer arithmetic ordering issues via invariant proofs. Olympix analysis did not identify divide-before-multiply. Assessment is green with [?] confidence pending tool run.
RD-F-017 green Mixed-decimals math without explicit scaling EigenLayer strategies handle multiple LSTs with potentially differing decimal precision. StrategyBase handles per-strategy asset accounting. No published audit finding confirms a mixed-decimals scaling vulnerability across the 4-firm audit program. Assessment is green with [?] confidence pending tool run.
RD-F-018 green Signed/unsigned arithmetic confusion No published audit finding identifies signed/unsigned arithmetic confusion. Solidity 0.8.x default overflow protection; unchecked blocks used explicitly where intended. Certora formal verification would detect type-confusion arithmetic via invariant proofs.
RD-F-019 green ecrecover zero-address return unchecked Code4rena 2023 identified signature replay issue in depositIntoStrategyWithSignature (issue #363) — addressed in post-contest fixes. Subsequent Sigma Prime and Certora audits (post-2023) did not identify unguarded ecrecover returns as open findings. Certora Merkle engagement (Jul 2025) covered Merkle proof verification domain.
RD-F-020 green EIP-712 domain separator missing chainId EigenLayer uses EIP-712 structured signing via the standard OpenZeppelin EIP712 implementation, which includes chainId in the domain separator by default. No published audit finding identifies a missing chainId or domain-separator vulnerability. The Code4rena 2023 EigenLayer audit (https://code4rena.com/reports/2023-04-eigenlayer) contains no signature-replay or chainId-related findings — its scope was EigenPod / BeaconChainProofs withdrawal mechanics (H-01, H-02) and strategy/slashing logic. Replay protection for delegation signatures relies on per-staker nonces in DelegationManager.
RD-F-022 green Public initialize() without initializer modifier Confirmed: EigenPod constructor calls _disableInitializers() after setting immutable variables (ethPOS, eigenPodManager). StrategyManager implementation confirmed to include _disableInitializers() in constructor. This is the standard OZ v4.9.0 pattern. No published audit finding identifies an unguarded public initialize on any implementation contract across 22+ audit engagements.
RD-F-023 green Constructor calls _disableInitializers() Confirmed for EigenPod (GitHub source) and StrategyManager (search evidence). Pattern consistent with OZ v4.9.0 upgradeable template across all implementation contracts. Certora and Sigma Prime formal audits have covered implementation contract posture.
Governance & admin Green 14 24 of 24
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Operations Multisig: 3-of-6 (Eigen Labs personnel). Protocol Council: 3-of-5. Community Multisig: 9-of-13. Pauser Multisig: 1-of-7. Executor Multisig: 1-of-2. Multiple multisigs at varying thresholds; the 3-of-6 single-org and 1-of-7 single-signer configurations are the material findings.
RD-F-028 yellow Low-threshold multisig vs TVL Operations Multisig is 3-of-6 with all signers being Eigen Labs personnel: organizational co-concentration within a single entity at $8.89B TVL. Peer norm at this TVL tier is 5-of-9 or higher. Additionally, Executor Multisig is 1-of-2. 3-of-6 single-org is below the peer cohort norm for a protocol of this size.
RD-F-029 yellow Multisig signers co-hosted Operations Multisig signers are all Eigen Labs employees; organizational co-hosting is near-certain even if physical custody differs. Community Multisig (9-of-13) is more diverse with external community representatives. Signer ASN/datacenter data unavailable at OSINT tier.
RD-F-032 yellow Timelock duration on upgrades Primary timelock MINIMUM_DELAY = 172,800s (48 hours / 2 days) per Etherscan source code read. Foundation docs state 'minimum 10-day delay on safety-critical functions'; major upgrades (ELIP-002 slashing) used 10-day delays in practice. A floor of 2 days (48h) is below the 72h+ threshold expected for a protocol of this TVL; the operational standard of 10 days is good. Recorded as ambiguous; curator should confirm which governs.
RD-F-033 yellow Timelock on sensitive actions Upgrades: timelocked (2-day min, 10-day in practice). Pause: NOT timelocked; the Pauser Multisig (1-of-7) can pause instantly, and any single signer can execute a pause without delay. bEIGEN mint: allowances are owner-set without a timelock on the grant. The 1-of-7 instant pause is the key finding: a single signer can halt the entire $8.89B TVL protocol without any governance delay.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock No dedicated rescue/emergencyWithdraw/sweep/skim/recover function found in DelegationManager or StrategyManager source (confirmed via GitHub source reads). Pause capability exists via the Pausable mixin but does not allow fund extraction. The Pauser Multisig (1-of-7) can pause without a timelock (a single-signer unilateral protocol halt), but this is an operational control, not a fund-drain mechanism. Yellow rather than red: no instant-drain path identified.
RD-F-042 yellow Admin has mint() with unlimited max bEIGEN (0x83E9115d334D248Ce39a6f36144aEaB5b3456e75) has a mint() function callable only by owner-granted minters (isMinter[msg.sender] check). Initial supply fixed at 1,673,646,668 tokens minted at initialization. EIGEN token mints from bEIGEN via a mintingAllowance model set by the owner. No immutable hard cap is enforced by code, so additional minting is possible for authorized minters. Not unlimited by default, but unbounded by code constraint.
RD-F-047 yellow Governance token concentration (Gini) No on-chain token-weighted vote exists; EIGEN token concentration does not directly affect governance outcomes. Protocol Council (3-of-5) and Foundation Board represent structural institutional concentration, effectively a high-Gini equivalent. The 3-of-5 Protocol Council, controlled by 2 Eigen Foundation reps + 3 external members, concentrates upgrade approval in 5 individuals. Not a flash-loan attack surface, but it is institutional concentration.
RD-F-030 gray Hot-wallet signer flag No on-chain heuristic evidence of hot-wallet signing behavior available. Signer address activity not independently assessed. Six Operations Multisig owner addresses are listed in the data cache, but no hot-wallet pattern scan was performed at assessment tier. Gap flagged for curator.
RD-F-037 n/a Quorum achievable via single-entity flash loan No token-weighted quorum exists. Protocol Council (3-of-5 multisig) approval is the mechanism, not a quorum vote. A flash-loan-quorum attack is structurally impossible in this governance design.
RD-F-044 gray Admin wallet interacts with flagged addresses No flagged interactions identified for admin addresses. No Chainalysis-style feed data available at assessment tier. Six Operations Multisig owner addresses are listed in the cache, but no watchlist cross-reference was performed. Gap flagged for curator.
RD-F-045 gray Constructor args match governance proposal ELIP-001 (Rewards v2) and ELIP-002 (Slashing) are the two major upgrade proposals with public Protocol Council evaluation posts. Constructor arg verification against proposal-stated args was not independently confirmed for these upgrades. Gap: no independent bytecode-vs-proposal verification at assessment tier.
RD-F-167 gray Deprecated contract paused but pause reversible by live admin No evidence of deprecated EigenLayer contracts retaining material assets. Profile §2 notes milestones (Stage 1 → Stage 2 → Slashing) with progressive migration. No independently confirmed deprecated-contract TVL data at assessment tier. Gap flagged for curator.
RD-F-025 green Admin key custody type Admin key custody type is multisig+timelock. All core proxy upgrades route through Operations Multisig (3-of-6 Gnosis Safe) to a custom timelock (min 2-day delay); Community Multisig (9-of-13) holds emergency override. No EOA in the upgrade path.
RD-F-027 green Single admin EOA No single EOA holds upgrade/admin authority. Operations Multisig (3-of-6 Gnosis Safe, 0xBE1685C81aA44FF9FB319dD389addd9374383e90) is the timelock admin; all proxy admin calls route through this multisig and the Timelock contract (0xA6Db1A8C5a981d1536266D2a393c5F8dDb210EAF) which enforces a 10-day operational delay (delay() = 864,000s, set at construction; MINIMUM_DELAY constant 172,800s = 2 days is a floor, not the active value). Not a single EOA.
RD-F-031 green Signer rotation recency No signer-set change or threshold reduction identified in the public record in last 12 months. Governance model appears stable. No Drift-class threshold-reduction event (3/5 → 2/5 type) detected. Governance forum has no signer rotation announcements in the ELIP process.
RD-F-034 green Guardian/pause-keeper distinct from upgrader Pauser Multisig (0x5050389572f2d220ad927CcbeA0D406831012390, 1-of-7) is entirely distinct from the Operations Multisig that controls timelock/upgrade admin (0xBE1685...). Protocol Council can also pause. Guardian / pause-keeper role is separate from upgrader — clean role separation on this dimension.
RD-F-035 green Role separation: upgrade ≠ fee ≠ oracle Upgrade role: Operations Multisig; Pause role: Pauser Multisig; Rewards/fee parameters: controlled via ELIP process through Protocol Council; Oracle: no price oracle in EigenLayer core. Distinct role holders confirmed for principal roles. Minor concentration: Operations Multisig holds both timelock admin and canceler roles.
RD-F-036 green Flash-loanable voting weight No token-weighted on-chain governor exists. EIGEN token does not feed a Compound/Governor Bravo-style voting mechanism. Governance operates through Protocol Council (3-of-5 multisig) + ELIP process + Community Multisig veto. No flash-loanable governance vector. Profile §6 confirms 'no on-chain token-weighted governor; no Snapshot space'.
RD-F-038 green Proposal execution delay < 24h Timelock minimum is 2 days (172,800s) per on-chain read; major upgrades use 10-day delays in practice (ELIP-002 slashing used 10-day timelock confirmed via web search). No proposal-to-execution path under 24 hours exists for upgrades. Pause is instant but pause is not a 'proposal' in the governance sense.
RD-F-039 green delegatecall/call in proposal execution without allowlist No Governor Bravo-style arbitrary calldata executor exists. Governance operates through Protocol Council multisig signing specific on-chain transactions to known contract targets via the primary timelock. No delegatecall-to-user-supplied-target pattern found. Note: zero-delay timelock (0xC06F...) could theoretically relay arbitrary calls — flagged to code-security-analyst for deeper review.
RD-F-040 green Emergency-veto multisig present Community Multisig (9-of-13, 0xFEA47018D632A77bA579846c840d5706705Dc598) holds emergency override capability including ability to replace timelocks and cancel malicious proposals. Protocol Council charter also provides for emergency procedures. Veto power is well-documented.
RD-F-043 green Admin = deployer EOA after 7 days Protocol has been live for ~34 months (since June 2023). All admin roles demonstrably held by multisigs at assessment date (2026-04-28). No evidence of deployer EOA admin persisting past 7 days. Deployer address unavailable in data cache (institutional deploy pattern). Multisig-from-day-one architecture confirmed.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts are Etherscan source-verified. EIGEN token proxy verified as TransparentUpgradeableProxy with Exact Match. Implementation contracts verified separately. No unverified contracts in the production governance surface at assessment date.
Oracle & external dependencies Green 14 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) EigenLayer's external protocol dependencies are: (1) Ethereum consensus layer: the EIP-4788 precompile for beacon chain proof validity in the EigenPod system; (2) per-LST token contracts (stETH, rETH, cbETH, etc.): ERC-20 balance reads in LST strategies; (3) the Ethereum beacon deposit contract (0x00000000219ab540356cBB839Cbe05303d7705Fa) for native ETH staking inflows. AVSs call INTO EigenLayer (inbound), not the reverse, so AVS protocol failures do not constitute an EigenLayer dependency failure. No DeFi protocol (Aave, Uniswap, Curve) is called by core contracts. Yellow because LST token issuers represent a material trust dependency: a catastrophic LST protocol exploit could compromise assets held in that LST strategy, and EigenLayer cannot reprice.
RD-F-051 yellow Fallback behavior on oracle failure If the EIP-4788 precompile returns an invalid or missing root (timestamp outside the 8191-slot ring buffer), EigenPod proof verification reverts. There is no fallback oracle and no fallback behavior; EigenPod simply cannot verify proofs for out-of-window timestamps. Native ETH restakers cannot checkpoint or exit until valid proofs are submitted within the valid window. The 8191-slot (~27-hour) ring buffer means short outages are recoverable, but a persistent consensus anomaly would halt native ETH restaking operations. Yellow: no fallback, but the failure mode is liveness (funds are not immediately at risk) and the ring buffer provides a meaningful recovery window.
RD-F-052 yellow Breakage analysis per dependency Dependency breakage analysis: (1) EIP-4788 precompile unavailable: EigenPod checkpointing and native ETH exits halt; existing shares remain valid; funds not immediately at risk; requires a proxy upgrade to fix if precompile behavior changes. Precedent: the Pectra upgrade broke EigenPod proof assumptions (Aug 2025); patched same day. (2) LST token contract exploit: shares in the affected LST strategy lose backing value; EigenLayer shares become unbacked but EigenLayer cannot automatically adjust; downstream AVS restaking using that LST loses cryptoeconomic backing. (3) Beacon deposit contract failure: native ETH restaking inflows halt; not a realistic failure mode as it is core Ethereum infrastructure. (4) AVS registrar revert: operator registration/deregistration for that specific AVS halts; isolated impact. Yellow overall because the primary liveness dependency (EIP-4788) has a realistic precedent and no automatic fallback.
RD-F-059 yellow Oracle staleness check present EigenPod proof verification uses the EIP-4788 ring buffer as a passive temporal bound: proofs must reference a beacon timestamp within the last 8191 slots (~27 hours). If outside this window, the staticcall returns empty and proof verification reverts. This is NOT an explicit updatedAt > now - maxAge staleness check as defined by F059. The protocol lacks a protocol-level guard that enforces 'proof must be within N hours of submission.' Old-but-in-window timestamps are accepted. In practice, this has not caused an issue because checkpoint submissions are user-incentivized, but the absence of an explicit staleness guard is a gap relative to the taxonomy definition. Yellow: a passive bound exists via the ring buffer but not an explicit protocol-enforced updatedAt check.
RD-F-062 yellow External keeper/relayer not redundant EigenPod checkpoint proof submission depends on external parties (typically pod owners or relayers) submitting valid beacon chain proofs. There is no on-chain keeper or automated redundancy enforced at the protocol level. Users must actively submit proofs to checkpoint validator balances and access the withdrawal queue. During the Aug 2025 Pectra fix, rapid manual proof submissions were required. The protocol does not depend on a keeper service for core accounting security, but proof submission liveness has a meaningful dependency on user-side participation. Yellow: liveness dependency without formal redundancy, though economically self-incentivized.
RD-F-054 n/a TWAP window duration NOT APPLICABLE: no TWAP oracle used. EigenLayer uses only the EIP-4788 beacon root for state proof verification, which is a consensus primitive with no TWAP concept. No TWAP implementation exists in any core contract.
RD-F-055 n/a Oracle pool depth (USD) NOT APPLICABLE: no DEX pool oracle. The EIP-4788 precompile has no pool depth concept; it is an Ethereum consensus-layer primitive queried for beacon block roots, not a DEX-based oracle.
RD-F-056 n/a Single-pool oracle (no medianization) NOT APPLICABLE: no DEX pool oracle. EigenLayer does not use any DEX venue for pricing. No single-pool or multi-pool medianization question arises.
RD-F-058 n/a Max-deviation threshold (bps) NOT APPLICABLE: no price oracle exists in EigenLayer core, so no deviation threshold configuration is relevant.
RD-F-181 n/a Permissionless-pool lending oracle NOT APPLICABLE: EigenLayer is not a lending protocol. It does not accept collateral, issue loans, or accept spot prices from DEX pools for collateral valuation. No venue-listing mechanism exists. F181 applies to lending protocols where any user can permissionlessly create accepted collateral pools (e.g., the Rhea Finance NEAR Apr 2026 $18.4M exploit pattern). EigenLayer's category is LRT/restaking primitive: no borrowing, no lending, no collateral valuation occurs in any core contract. Green by construction.
RD-F-048 green Oracle providers used EigenLayer core contracts use NO price oracle providers. The single oracle-class dependency is the EIP-4788 BEACON_ROOTS precompile for beacon chain state proof verification in EigenPod.sol — an Ethereum consensus-layer primitive, not a DeFi oracle vendor. Source inspection of EigenPod.sol, StrategyBase.sol, DelegationManager.sol, StrategyManager.sol, and AllocationManager.sol confirmed no Chainlink, Pyth, Uniswap TWAP, or DEX spot price feed imports or calls. The 19 Chainlink feed addresses in the data cache are not consumed by EigenLayer core contracts.
RD-F-049 green Oracle role per asset No per-asset price oracle exists in EigenLayer core. The EIP-4788 BEACON_ROOTS precompile serves as a state-proof oracle for beacon chain validator balances only — not an asset pricing oracle. Its role is: Primary source for beacon chain state root verification in EigenPod checkpoints and withdrawal credential proofs. EigenPod.sol's getParentBlockRoot() function queries this precompile via staticcall. No per-LST or per-asset price oracle role is assigned anywhere in the core contracts.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] NOT APPLICABLE by protocol design. EigenLayer does NOT use price oracles for any core function. No spot DEX pool is read for any asset pricing. No asset pricing occurs in any core contract. The protocol tracks restaking shares, not asset prices. EigenPod.sol, StrategyBase.sol, DelegationManager.sol, StrategyManager.sol, and AllocationManager.sol were each verified via source inspection — none import oracle interfaces or call DEX pools for pricing. F053 GREEN by construction.
RD-F-057 green Circuit breaker on price deviation NOT APPLICABLE in the price-oracle circuit-breaker sense. EigenPod uses cryptographic proof verification, not price-based logic. A proof either verifies (returns valid beacon root) or reverts (invalid proof). There is no price deviation threshold. The binary proof-validity check is structurally equivalent to an implicit circuit breaker — invalid proofs are rejected, not accepted with a warning.
RD-F-060 green Chainlink aggregator min/max bound misconfig NOT APPLICABLE — No Chainlink aggregator is used by EigenLayer core contracts. The 19 Chainlink feed addresses in the data cache are not consumed by any EigenLayer core contract (verified via source inspection of all primary contracts). The data cache defillama section shows oracle: null.
RD-F-061 green LP token balanceOf used for pricing NOT APPLICABLE as a price oracle concern. StrategyBase reads ERC-20 balanceOf for share accounting (tracking how many underlying tokens the strategy holds), not for asset pricing. A donation attack on balanceOf was mitigated by the virtual-share offset (ERC-4626 style) in StrategyBase. This is a Cat 4 economic concern, not a Cat 3 oracle pricing concern — EigenLayer does not use balanceOf as a pricing oracle.
RD-F-180 green Immutable oracle address [★ CRITICAL-CANDIDATE per T-12 PD-017 — evaluate but do not count in 19 ★ critical total; flag for orchestrator T-14 post-launch tracking] The EIP-4788 BEACON_ROOTS precompile at 0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02 is hardcoded in EigenPod.sol as a constant. F180 targets 'oracle source address is not programmatically replaceable by admin action' — specifically the failure mode where a vendor-chosen oracle address cannot be replaced post-depeg. The EIP-4788 address is an Ethereum consensus-layer protocol primitive (analogous to the ECRECOVER precompile), not a vendor oracle address. Hardcoding it is correct design. The EigenPodManager proxy (0x91E677b07F7AF907ec9a428aafA9fc14a0d3A338) is an EIP-1967 transparent upgradeable proxy, so if EIP-4788 behavior changes in a future hard fork, the EigenPod implementation can be upgraded via governance. The legacy EigenLayerBeaconOracle (0x343907185b71aDF0eBa9567538314396aa985442) was the prior approach; current EigenPod.sol uses EIP-4788 d
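The EIP-4788 ring-buffer behaviour behind RD-F-051 and RD-F-059 (no fallback once a timestamp is evicted; old-but-in-window timestamps accepted), as an added Python emulation that is not EigenLayer or EIP-4788 contract code. The names BeaconRootsBuffer, PodProofVerifier and max_age are this example's own, and the max_age guard is a hypothetical explicit staleness check of the kind the assessment notes is absent.

```python
"""Emulation of the EIP-4788 beacon-roots ring buffer and the EigenPod
proof-window failure mode described in RD-F-051 / RD-F-059.

Constructed simulation, not EigenLayer or EIP-4788 contract code. Class and
function names (BeaconRootsBuffer, PodProofVerifier, max_age) are this
example's own.
"""
import hashlib

HISTORY_BUFFER_LENGTH = 8191                 # ring-buffer slots per EIP-4788
SECONDS_PER_SLOT = 12                        # Ethereum slot time
WINDOW_SECONDS = HISTORY_BUFFER_LENGTH * SECONDS_PER_SLOT   # 98,292 s (~27.3 h)


class BeaconRootsBuffer:
    """Models the EIP-4788 system contract: one slot per (timestamp % 8191)."""

    def __init__(self):
        self._timestamps = [0] * HISTORY_BUFFER_LENGTH
        self._roots = [b"\x00" * 32] * HISTORY_BUFFER_LENGTH

    def set(self, timestamp, root):
        """Per-block system write: overwrites whatever the slot held before."""
        idx = timestamp % HISTORY_BUFFER_LENGTH
        self._timestamps[idx] = timestamp
        self._roots[idx] = root

    def get(self, timestamp):
        """Returns (success, data) the way a low-level staticcall does.
        Per the EIP the call reverts when the slot holds a different timestamp
        (overwritten or never written), so the caller sees success=False and
        empty return data: there is no 'nearest root' fallback."""
        if timestamp == 0:
            return False, b""
        idx = timestamp % HISTORY_BUFFER_LENGTH
        if self._timestamps[idx] != timestamp:
            return False, b""
        return True, self._roots[idx]


class ProofWindowError(Exception):
    pass


class PodProofVerifier:
    """Root lookup as the assessment describes it: window only, no fallback.
    max_age is a hypothetical explicit staleness guard (None = absent, as in
    the deployed design per RD-F-059)."""

    def __init__(self, buffer, max_age=None):
        self.buffer = buffer
        self.max_age = max_age

    def parent_block_root(self, now, proof_timestamp):
        if self.max_age is not None and now - proof_timestamp > self.max_age:
            raise ProofWindowError("stale proof: explicit staleness guard")
        ok, data = self.buffer.get(proof_timestamp)
        if not ok or len(data) == 0:
            raise ProofWindowError("EIP-4788 lookup failed: timestamp outside ring buffer")
        return data


def fake_root(timestamp):
    """Constructed stand-in for a beacon block root."""
    return hashlib.sha256(b"beacon-root-%d" % timestamp).digest()


def build_chain(genesis, n_slots):
    """Fill the buffer as the chain advances n_slots slots from genesis."""
    buf = BeaconRootsBuffer()
    for i in range(n_slots):
        ts = genesis + i * SECONDS_PER_SLOT
        buf.set(ts, fake_root(ts))
    return buf


def demo():
    genesis = 1_700_000_000                  # constructed genesis timestamp
    n = HISTORY_BUFFER_LENGTH + 100          # enough slots to wrap the buffer
    buf = build_chain(genesis, n)
    now = genesis + (n - 1) * SECONDS_PER_SLOT

    verifier = PodProofVerifier(buf)         # passive window only, no max_age
    recent = now - 10 * SECONDS_PER_SLOT
    old_in_window = now - 8000 * SECONDS_PER_SLOT   # ~26.7 h old, still accepted
    evicted = genesis + 50 * SECONDS_PER_SLOT       # slot overwritten by wrap-around

    results = {
        "window_hours": round(WINDOW_SECONDS / 3600, 1),
        "recent_ok": verifier.parent_block_root(now, recent) == fake_root(recent),
        "old_in_window_ok": verifier.parent_block_root(now, old_in_window) == fake_root(old_in_window),
    }
    try:
        verifier.parent_block_root(now, evicted)
        results["evicted_ok"] = True
    except ProofWindowError:
        results["evicted_ok"] = False       # liveness failure: nothing to fall back on

    guarded = PodProofVerifier(buf, max_age=6 * 3600)   # hypothetical explicit guard
    try:
        guarded.parent_block_root(now, old_in_window)
        results["guarded_old_ok"] = True
    except ProofWindowError:
        results["guarded_old_ok"] = False
    return results


if __name__ == "__main__":
    print(demo())
```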
Economic risk Yellow 22 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) TVL is structurally concentrated in a small number of large LRT protocol depositors. ether.fi alone held ~$5.6B in restaked positions as of early 2026; Kelp, Renzo, Swell, and Puffer collectively account for additional billions. The top 5 LRT wallets likely represent 60-70%+ of total EigenLayer TVL. This creates a concentrated withdrawal and governance-influence risk: if one large LRT protocol (e.g., ether.fi) decides to reduce restaking exposure, the impact on EigenLayer TVL would be material. No on-chain top-10 depositor breakdown confirmed (Dune Analytics inaccessible). Qualitative concentration is clear from the LRT market structure.
RD-F-065 yellow Liquidity depth per major asset Not a DEX; DEX-style liquidity depth is not applicable. The relevant liquidity constraint is withdrawal queue throughput: EIGEN token unstaking is 7 days (reduced from 24 days in August 2024); native ETH withdrawal involves the EigenLayer delay plus the Ethereum beacon chain exit queue (variable; can reach 4+ days under high exit demand); Unique Stake allocated to AVS operator sets has a 14-day unslashability window post-slashing-launch (April 2025). LRT secondary market liquidity is also a structural constraint: LRT tokens (eETH, rsETH, ezETH) are subject to depeg risk under mass-exit scenarios. The Renzo ezETH depeg episode (April 2024) demonstrated that LRT liquidity can collapse quickly under redemption pressure. A mass exit from EigenLayer could stress both the protocol withdrawal queue and the Ethereum beacon chain exit queue simultaneously.
RD-F-066 n/a Utilization rate (lending protocols) EigenLayer is a restaking protocol with no lending markets. Utilization rate (borrowed/supplied) is not a concept that applies. Data cache confirms borrow.present: false.
RD-F-067 n/a Historical bad-debt events No lending markets exist in EigenLayer. Bad debt (lending sense) is not applicable. No socialized loss events recorded. Rekt database shows zero incidents.
RD-F-068 n/a Collateralization under stress No collateralized lending markets. EigenLayer restakers do not borrow against their restaked positions within the protocol. Collateralization ratio is not a protocol concept for EigenLayer.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin EigenLayer does not issue a stablecoin. EIGEN is an 'intersubjective' work-token (ERC-20); bEIGEN is its backing counterpart in the dual-token model. Neither is an algorithmic or under-collateralized stablecoin. Factor is not applicable.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) CRITICAL FACTOR, N/A BY CONSTRUCTION. EigenLayer is not a Compound V2 fork and has no cToken-style markets. The StrategyManager + EigenPod model uses direct balance tracking, not share-minting where totalSupply == 0 could enable a donation/inflation attack. The ★ critical flag does not fire. Taxonomy PD-024 explicitly classifies this factor as Compound-fork-only, N/A for non-Compound-fork protocols.
RD-F-071 n/a Seed-deposit requirement for new market listing No lending markets and no cToken-style market listings. EigenLayer's strategy registration is governance-controlled via the ELIP process. Seed deposit requirement for lending-market listing does not apply.
RD-F-072 n/a Market-listing governance threshold No lending market listing mechanism exists. EigenLayer's LST strategy additions are governance-controlled via the ELIP process and are assessed in Cat 2 (governance threshold), not Cat 4.
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrow markets, no borrow caps. EigenLayer does not lend against restaked collateral. Oracle-manipulation-proof borrow cap is not applicable.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) EigenLayer's StrategyBase contracts do not use ERC-4626 accounting. Deposits are tracked via custom balance mechanisms, not ERC-4626 virtual-share offsets. The OZ ≥4.9 virtual-share offset first-depositor protection is not relevant to EigenLayer's architecture.
RD-F-075 n/a First-depositor / share-inflation guard EigenLayer does not use ERC-4626 share mechanics or cToken-style minting. First-depositor share-inflation guard is not applicable. The Sigma Prime August 2024 permissionless-strategies audit reviewed the strategy share accounting. No share-inflation vector identified in the original restaking architecture.
RD-F-063 green TVL (current + 30d trend) TVL is $8,885,521,692 as of 2026-04-28 (DefiLlama API). 30-day trend +6.48%; 1-day -1.11%. 100% on Ethereum. Peaked at ~$20B mid-2024; partial recovery from ~$7B trough to $8.89B. ETH-denominated composition makes USD TVL correlated with ETH price. No stablecoin or long-tail token concentration.
Operational history Green 6 15 of 15
RD-F-084 yellow TVL stability (CoV over 90d) EigenLayer TVL peaked in the high-teens ($19–20B range, mid-2024), declined to $7–8B by late 2025 following slashing launch (April 2025) and EIGEN token decline (~86% from highs). Live DefiLlama API snapshot 2026-05-07: $7.86B current TVL (Ethereum + ETH-staking chains). Daily TVL time-series CoV cannot be precisely computed (DefiLlama time-series 403s per process learnings); within the trailing 90d window TVL has oscillated in the ~$7.8B–$9.0B band. Yellow: 12-month absolute decline context warrants caution pending formal CoV computation in production pipeline.
RD-F-089 yellow Insurance coverage active Nexus Mutual offers a 'Bundled Protocol Cover' product that includes EigenLayer as part of a multi-protocol stack (alongside ether.fi, Pendle) — this is passive user-purchasable cover, not a protocol-sponsored insurance fund. No evidence EigenLayer has purchased or sponsors proportionate Nexus Mutual, Sherlock, or Unslashed cover at the $8.9B TVL scale. At $8.9B TVL, no first-party or proportionate third-party insurance active. Yellow (not red because: protocol security is structural/smart-contract-based; no insurance gap is a near-universal condition for large restaking protocols; Nexus Mutual product availability provides partial mitigation).
RD-F-078 n/a Chronic-exploit flag (≥3 incidents) Zero protocol exploits. Chronic threshold (≥3 exploits) is not reached. Not applicable.
RD-F-079 n/a Same-root-cause repeat exploit Zero protocol exploits. No same-root-cause repeat pattern is possible. Not applicable.
RD-F-080 n/a Days since last exploit No protocol exploit has occurred; display value is N/A (never exploited). This field is effectively unbounded green — no exploit in 1,049 days of operation.
RD-F-076 green Protocol age (days) EigenLayer Stage 1 mainnet launched 2023-06-14. As of 2026-04-28: 1,049 days (~34.7 months). Well above the 12-month A-grade floor. Protocol age is green by a wide margin.
RD-F-077 green Prior exploit count Zero protocol-level exploits as of 2026-04-28. The October 2024 event was an off-chain operational failure (email thread compromise of an investor wallet; EigenLayer confirmed 'no vulnerability on the protocol'). The August 2025 EigenPods bug was patched before exploitation ($0 loss). Rekt DB shows zero incidents (00-data-cache.json). Hacksdatabase search returned no eigenlayer entries.
RD-F-081 green Post-exploit response score No protocol exploit to score. Curator estimate 4/5: The October 2024 investor wallet event (off-chain) was handled with rapid coordination with CEXs and law enforcement; EigenLayer publicly confirmed no protocol vulnerability within days. The August 2025 EigenPods vulnerability was disclosed via Immunefi, patched same day with public technical forum post. Both events demonstrate a functioning response process despite no protocol exploit.
RD-F-082 green Post-mortem published within 30 days No protocol exploit requiring a post-mortem. The August 2025 EigenPods vulnerability disclosure is the closest equivalent: public forum post published same day (2025-08-29) with technical description (Pectra withdrawal mechanic, share-minting inflation vector, patch status). The October 2024 investor wallet event had a brief public statement within days but no formal post-mortem (off-chain event, not a protocol vulnerability).
RD-F-083 green Auditor re-engaged after last exploit No protocol exploit has occurred, so re-audit after exploit is not required. EigenLayer maintains continuous audit engagement: 22 distinct audits from ConsenSys Diligence, Sigma Prime, Cantina, Certora as of 2026-04-28. The August 2025 EigenPods patch was covered under the ongoing Sigma Prime engagement (2024-07, updated 2025-08).
RD-F-085 green Incident response time (minutes) No protocol exploit has occurred. For the August 2025 EigenPods vulnerability: Immunefi disclosure → patch executed same day (August 29, 2025) by community multisig → public announcement same day. Response time: hours (sub-day). For the October 2024 investor wallet event (off-chain): no on-chain emergency action applicable; response was off-chain coordination with exchanges and law enforcement.
RD-F-086 green Pause activations (trailing 12 months) One planned pause identified in trailing 12 months: EigenPods paused ~16 hours on May 7, 2025 for Pectra upgrade compatibility (pre-announced maintenance; service restored same day ~6 PM ET). The August 2025 EigenPods bug patch required a brief maintenance execution by community multisig (same-day). No unplanned emergency pauses due to exploit or attack identified in trailing 12 months. Pauser Multisig (1-of-7) provides instant pause capability — not activated for any incident.
RD-F-087 green Pause > 7 consecutive days The Pectra upgrade maintenance pause lasted approximately 16 hours (May 7, 2025). No pause exceeding 7 consecutive days identified in the trailing 12 months. Green.
RD-F-088 green Re-deployed to new addresses in last year EigenLayer uses transparent upgradeable proxies (TUPs/EIP-1967) throughout. No address-set migration or redeploy in the last 12 months (April 2025 – April 2026). The AllocationManager was added as a new additive contract with the April 2025 slashing launch, not a replacement of existing addresses. Core contract addresses (DelegationManager, StrategyManager, EigenPodManager, AVSDirectory, RewardsCoordinator) remain unchanged.
RD-F-166 green Deprecated contracts still holding value No formally deprecated contracts with separate on-chain addresses identified. EigenLayer uses transparent upgradeable proxies (TUPs) — contract addresses remain stable through upgrades; no address is deprecated and abandoned. The data-cache flag has_legacy_v1: true refers to protocol version history, not a deprecated contract deployment. MAINTENANCE.md contains no deprecated contract inventory. Legacy withdrawal state within DelegationManager is backward-compat code within the live upgraded contract, not a deprecated address. No on-chain deprecated address with confirmed residual TVL found.
Real-time signals Green 10 22 of 22
RD-F-105 yellow DNS/CDN/frontend hash drift Signal applicable: primary frontend is app.eigenlayer.xyz (now redirecting to app.eigencloud.xyz). The domain migration from eigenlayer.xyz to eigencloud.xyz is announced and allowlist-eligible. However: (1) the domain migration creates new monitoring surface requiring a fresh hash baseline for eigencloud.xyz assets; (2) old eigenlayer.xyz domains must be monitored for potential takeover; (3) EigenLayer's X account was hacked (Unchained Crypto report), confirming active brand-impersonation threat. Score yellow because the domain migration creates a monitoring gap — production hash monitoring must be recalibrated for eigencloud.xyz.
RD-F-109 yellow Social-media impersonation scam spike Sharp uptick in social-media impersonation is applicable and elevated for EigenLayer. Two confirmed social-channel attacks: (1) EigenLayer's X account was hacked (Unchained Crypto report confirms this occurred, exact date unknown from public sources as of 2026-04-28); (2) the October 2024 investor compromise used sophisticated email impersonation — a social-engineering pattern that required brand trust built from EigenLayer's social channels. The DPRK Contagious Interview campaign specifically targets developer communities via Discord/Telegram, and EigenLayer's developer community is a natural target. Score yellow: confirmed X account compromise + email-spoofing attack history + DPRK threat actor active interest in restaking ecosystem = elevated impersonation risk posture.
RD-F-182 yellow Security-Council threshold reduction (RT) Signal is directly applicable. EigenLayer's Pauser Multisig (0x5050389572f2d220ad927CcbeA0D406831012390) is already at 1-of-7 threshold (data cache) or 1-of-8 (Eigen Foundation docs — discrepancy to resolve). The Pauser Multisig's existing 1-of-N configuration means any single signer can pause the entire protocol — this is the structural pre-condition that makes any FURTHER threshold reduction on other multisigs highly consequential. The zero-delay timelock (0xC06Fd4F821eaC1fF1ae8067b36342899b57BAa2d) represents a potential bypass path for the timelock removal sub-pattern of F182. No threshold reduction events or new-signer additions observed in the 14-day lookback window as of 2026-04-28. The Drift Protocol precedent (3/5 to 2/5 SC threshold reduction, 6 days before $285M DPRK exploit) is directly analogous to what F182 would monitor on EigenLayer's multisigs. Score yellow because: (1) structural pre-conditions (1-of-N Pauser, zero-delay timelock) are elevated; (2) no event-trigger ob
RD-F-090 gray Mixer withdrawal → protocol interaction Signal is applicable: StrategyManager and DelegationManager are high-TVL targets where mixer-funded wallets could interact. Requires live wallet-clustering feed (Chainalysis, TRM, Arkham) for definitive assessment. No public reports of specific Tornado Cash / Railgun withdrawal wallets interacting with EigenLayer core contracts within 30 days. Cannot confirm or deny from OSINT alone. Gray reflects data gap, not absence of risk.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Signal requires mempool monitoring with gas-price telemetry. Applicable to EigenLayer as an Ethereum mainnet protocol. No public reports of abnormal gas-price willingness from wallets targeting EigenLayer core contracts in the 30 days before assessment. Cannot assess without live mempool feed. Gray reflects data gap.
RD-F-096 gray New ERC-20 approval to unverified contract from whale Signal applicable: major LST restakers (large whale positions in StrategyManager) granting ERC-20 approvals to unverified contracts would be a precursor flag. Cannot assess without live on-chain approval monitoring. No public reports of whale-level approvals to unverified contracts on EigenLayer. Gray reflects data gap.
RD-F-097 n/a Sybil surge of identical-pattern transactions No sybil surges of identical transaction patterns targeting EigenLayer core contracts identified as of 2026-04-28. Historical airdrop-farming patterns (2024, pre-EIGEN airdrop) involved many small identical deposits, but these are historical, not current pre-strike indicators. TVL trend is positive (+6.48% 30d), inconsistent with an active sybil-attack setup.
RD-F-099 n/a Oracle price deviation >X% from secondary EigenLayer core protocol does not consume price oracles for primary functions (delegation, strategy deposit/withdrawal, slashing). The data cache oracle field is null. The BeaconOracle (0x343907185b71aDF0eBa9567538314396aa985442) is a consensus-layer proof source for beacon chain withdrawals, not a price feed. Chainlink feed addresses in the data cache are from LST strategy periphery or downstream LRT protocol interactions, not from EigenLayer core contracts. Price oracle deviation signal is not applicable to the primary TVL-bearing attack surface.
RD-F-100 n/a Flash loan >$10M targeting protocol tokens Applicable in principle for flash loans targeting EIGEN token or major LSTs interacting with DelegationManager/StrategyManager. However, EigenLayer has NO on-chain Governor contract, so flash-loan-funded governance takeover (the primary C2 cluster threat) is structurally unavailable. Flash-loan threat is narrower (withdrawal queue manipulation, not governance). No flash-loan events targeting EigenLayer core contracts identified as of 2026-04-28. Rekt DB: 0 incidents.
RD-F-103 n/a Bridge signer-set change proposed/executed EigenLayer is NOT a bridge protocol. Profile §7 explicitly states has_bridge_surface: false. Data cache coverage flag layerzero_bridge: false. No Wormhole guardian set, LayerZero DVN, Axelar validator set, or CCTP attestor set exists in EigenLayer's architecture. The Base network contracts are for task verification only (not TVL-bearing). Bridge signer-set change signal has no mapping to EigenLayer.
RD-F-104 n/a Stablecoin depeg >2% on shared-LP venue EigenLayer's core restaking contracts (StrategyManager, DelegationManager, EigenPodManager) hold restaked LSTs and native ETH only — no stablecoin collateral. Signal suppression rule (protocol exposure <5% of protocol TVL to the depegging stablecoin) would apply. The 18 Chainlink feed addresses in the data cache include USDT/USD and USDC/USD pairs, but these are from LST strategy periphery or downstream LRT protocol detection, not from EigenLayer core. Direct stablecoin depeg impact on EigenLayer TVL is negligible.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Not applicable — EigenLayer has no cross-chain bridge architecture. The Base network destination contracts mentioned in the README are for task verification only (not TVL-bearing). No cross-chain mint-without-proof attack surface exists in EigenLayer core.
RD-F-107 gray Admin EOA signing from new geography/device Signal applicable in principle: Operations Multisig (0xBE1685...) and Protocol Council (0x461854...) signers sign from identifiable geographical contexts. However, off-chain signing telemetry is not publicly available. Cannot assess without private signing fingerprint data. Gray reflects structural data unavailability.
RD-F-108 n/a GitHub force-push to sensitive branch GitHub repo github.com/Layr-Labs/eigenlayer-contracts is the primary monitored surface. Last commit: 2026-04-07. No public reports of unauthorized force-push or sensitive-branch push incidents. Repository uses release tags for deployment; GitHub API monitoring for unauthorized pushes to main/production branches is implementable. No force-push events identified in publicly available commit history.
RD-F-110 gray Unusual pending/executed proposal ratio Signal design requires an on-chain Governor contract with a ProposalCreated/ProposalQueued state machine. EigenLayer has no on-chain Governor (governor_address: null). ELIP governance is off-chain (GitHub + forum). Monitoring of the ELIP proposal-to-execution ratio on the forum/GitHub could be a proxy, but it does not match the signal definition. Gray reflects structural mismatch between signal design and EigenLayer's governance architecture.
RD-F-091 green Partial-drain test transactions No partial-drain test transaction patterns identified on EigenLayer core contracts (StrategyManager, DelegationManager, EigenPodManager). TVL trend is +6.48% over trailing 30 days and -1.11% on assessment day — inconsistent with an active drain pattern. The Kelp DAO April 2026 exploit (DPRK) targeted rsETH/LayerZero, not EigenLayer core contracts directly, so no EigenLayer partial-drain precursor was observed.
RD-F-092 green Unusual mempool pattern from deployer wallet Deployer wallet (0xfc905d4b37c9d97b1d172906208e5b09f02277c2, Etherscan label: 'EigenLayer: Deployer') has been effectively dormant since initial contract deployments in August 2023. Admin activity flows through Operations Multisig (0xBE1685...) and Community Multisig (0xFEA470...), not the original deployer EOA. Last known deployer activity: July 2025 (transfer only). No unusual mempool patterns from deployer wallet identified.
RD-F-094 green New contract with similar bytecode to exploit template No public reports of exploit-template contracts with bytecode similar to EigenLayer's targets deployed by any address as of 2026-04-28. EigenLayer is an original protocol (not a fork) making exact bytecode replay harder. The August 2025 EigenPods Pectra bug was patched before exploitation with no public exploit template published. No known-exploit-template specific to EigenLayer exists.
RD-F-095 green Known-exploit function-selector replay No known-exploit replay templates for EigenLayer exist. Protocol has had no protocol-level exploit (Rekt DB: 0 incidents). The August 2025 EigenPods Pectra vulnerability was responsible-disclosed via Immunefi and patched before any exploitation — no exploit calldata sequence was published that an attacker could replay.
RD-F-098 green TVL anomaly — % drop in <1h TVL at assessment: $8,885,521,692. 30-day change: +6.48%. 1-day change: -1.11%. No sustained drop pattern. The Kelp DAO April 2026 DPRK exploit triggered broad DeFi TVL withdrawal (>$13B sector-wide over 48h) but EigenLayer core TVL did not cross the >30% drop threshold required to trigger RD-F-098. Signal would not fire today. Signal is applicable and should be wired up in production monitoring given the $8.89B TVL scale.
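The RD-F-098 rule above (fire on a >30% TVL drop inside one hour) is easy to state and easy to get subtly wrong when samples are irregular. The following is an added example, not part of the assessment or of EigenLayer's own tooling, that scans a timestamped TVL series for the worst decline between any two samples at most one hour apart and compares it to the threshold. Both series are constructed: a quiet day drifting down about 1% (in the spirit of the -1.11% one-day figure) and a stress scenario that loses roughly 35% in 45 minutes.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

DROP_THRESHOLD = 0.30          # RD-F-098 trigger: >30% drop ...
WINDOW = timedelta(hours=1)    # ... within less than one hour

Sample = Tuple[datetime, float]  # (timestamp, TVL in USD)


def worst_drop_within(samples: List[Sample], window: timedelta = WINDOW) -> float:
    """Largest fractional decline from any sample to any later sample
    whose timestamp is no more than `window` after it. Samples may be
    irregularly spaced; they are sorted by time first."""
    ordered = sorted(samples)
    worst = 0.0
    for i, (t0, v0) in enumerate(ordered):
        for t1, v1 in ordered[i + 1:]:
            if t1 - t0 > window:
                break  # later samples are further away still
            worst = max(worst, (v0 - v1) / v0)
    return worst


def tvl_drop_fires(samples: List[Sample],
                   threshold: float = DROP_THRESHOLD,
                   window: timedelta = WINDOW) -> bool:
    """True when the RD-F-098 signal would fire on this series."""
    return worst_drop_within(samples, window) > threshold


def _series(start: datetime, values: List[float],
            step: timedelta = timedelta(minutes=15)) -> List[Sample]:
    return [(start + i * step, v) for i, v in enumerate(values)]


START = datetime(2026, 4, 28, tzinfo=timezone.utc)

# Constructed sample data, not real EigenLayer TVL history.
QUIET = _series(START, [8_985e6, 8_970e6, 8_960e6, 8_950e6, 8_940e6,
                        8_930e6, 8_920e6, 8_900e6, 8_885e6])
STRESS = _series(START, [8_885e6, 8_400e6, 7_100e6, 5_700e6, 5_650e6])

if __name__ == "__main__":
    for name, s in (("quiet", QUIET), ("stress", STRESS)):
        print(f"{name}: worst 1h drop {worst_drop_within(s):.1%}, "
              f"fires={tvl_drop_fires(s)}")
```

The inner loop breaks as soon as the window is exceeded, so the scan stays cheap on a dense feed; a production wiring would feed it a rolling buffer of the last hour plus one sample rather than the whole history.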
RD-F-101 green Large governance proposal queued EigenLayer uses ELIP off-chain governance process with Protocol Council multisig and 10-day primary timelock (0xA6Db1A8C5a981d1536266D2a393c5F8dDb210EAF). No on-chain Governor contract exists (governor_address: null per data cache). No queued timelock proposals of concern identified as of 2026-04-28. Standard ProposalCreated event monitoring is not applicable; monitoring must target the timelock's CallScheduled events. Operations Multisig (3-of-6) holds proposer role — moderate threshold with legitimate governance path.
RD-F-102 green Admin/upgrade transaction in mempool Signal applicable: ProxyAdmin (0x8b9566AdA63B64d1E1dcF1418b43fd1433b72444) owned by Operations Multisig (0xBE1685C81aA44FF9FB319dD389addd9374383e90) is the upgrade path for all 7 core proxy contracts. Any admin/upgrade tx from Operations Multisig without a prior timelock proposal would be a red flag. No unexpected admin tx in mempool identified as of 2026-04-28. Last GitHub commit: 2026-04-07 — consistent with active development, no unannounced upgrade observed. Signal should be wired to ProxyAdmin + Operations Multisig in production.
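RD-F-101 and RD-F-102 together describe one detection: an upgrade call on the ProxyAdmin is expected only from the primary timelock, after a CallScheduled event whose delay has elapsed. The following is an added example, not the assessment's or EigenLayer's own monitoring code, that correlates constructed decoded ProxyAdmin transactions with constructed CallScheduled records and grades each upgrade. The addresses and the 10-day delay are the ones quoted on this page; the record shapes, the `demo()` data and the transaction hashes are invented for the example, and the `upgrade`/`upgradeAndCall` method names are the OpenZeppelin ProxyAdmin entry points as they would appear after ABI decoding.

```python
from dataclasses import dataclass
from typing import List

# Addresses quoted in RD-F-101 / RD-F-102, lower-cased for comparison
OPERATIONS_MULTISIG = "0xbe1685c81aa44ff9fb319dd389addd9374383e90"
PROXY_ADMIN = "0x8b9566ada63b64d1e1dcf1418b43fd1433b72444"
PRIMARY_TIMELOCK = "0xa6db1a8c5a981d1536266d2a393c5f8ddb210eaf"
MIN_DELAY = 10 * 24 * 3600          # 10-day primary timelock delay
UPGRADE_METHODS = {"upgrade", "upgradeAndCall"}  # OZ ProxyAdmin entry points


@dataclass(frozen=True)
class ScheduledCall:
    """Decoded TimelockController CallScheduled event (constructed shape)."""
    target: str
    method: str
    scheduled_at: int   # block timestamp of the event
    delay: int          # delay argument, seconds


@dataclass(frozen=True)
class Tx:
    """Decoded transaction to the ProxyAdmin (constructed shape)."""
    tx_hash: str
    sender: str
    to: str
    method: str
    timestamp: int


def review_upgrade_txs(txs: List[Tx], scheduled: List[ScheduledCall]) -> List[str]:
    """Grade every ProxyAdmin upgrade call against the expected governance path."""
    findings = []
    for tx in txs:
        if tx.to.lower() != PROXY_ADMIN or tx.method not in UPGRADE_METHODS:
            continue
        sender = tx.sender.lower()
        if sender == OPERATIONS_MULTISIG:
            # The page's red flag: admin tx from Operations Multisig with no timelock in front
            findings.append(f"RED {tx.tx_hash}: {tx.method} sent directly by Operations "
                            f"Multisig, bypassing the timelock")
            continue
        if sender != PRIMARY_TIMELOCK:
            findings.append(f"RED {tx.tx_hash}: {tx.method} from unexpected caller {tx.sender}")
            continue
        # Sender is the timelock: require a matching schedule whose delay has elapsed
        matches = [s for s in scheduled
                   if s.target.lower() == PROXY_ADMIN and s.method == tx.method
                   and s.scheduled_at + s.delay <= tx.timestamp]
        if not matches:
            findings.append(f"RED {tx.tx_hash}: executed via timelock but no matching "
                            f"CallScheduled found")
        elif all(s.delay < MIN_DELAY for s in matches):
            # Scheduled with a shorter delay than governance promises (cf. the zero-delay timelock concern)
            findings.append(f"YELLOW {tx.tx_hash}: CallScheduled delay below the "
                            f"{MIN_DELAY // 86400}-day primary timelock delay")
        else:
            findings.append(f"OK {tx.tx_hash}: {tx.method} executed via timelock "
                            f"after the scheduled delay")
    return findings


def demo() -> List[str]:
    """Run the rule over constructed records covering the four outcomes."""
    t0 = 1_777_000_000  # constructed base timestamp
    scheduled = [
        ScheduledCall(PROXY_ADMIN, "upgrade", t0, MIN_DELAY),            # proper 10-day schedule
        ScheduledCall(PROXY_ADMIN, "upgradeAndCall", t0 + 150, 0),       # zero-delay schedule
    ]
    txs = [
        Tx("0x01", PRIMARY_TIMELOCK, PROXY_ADMIN, "upgrade", t0 + MIN_DELAY + 60),
        Tx("0x02", OPERATIONS_MULTISIG, PROXY_ADMIN, "upgradeAndCall", t0 + 100),
        Tx("0x03", PRIMARY_TIMELOCK, PROXY_ADMIN, "upgradeAndCall", t0 + 200),
        Tx("0x04", PRIMARY_TIMELOCK, PROXY_ADMIN, "upgrade", t0 + 300),  # before delay elapsed
    ]
    return review_upgrade_txs(txs, scheduled)


if __name__ == "__main__":
    print("\n".join(demo()))
```

In production the `Tx` records would come from mempool or block ingestion filtered on the ProxyAdmin address, and the `ScheduledCall` records from the timelock's CallScheduled logs; the matching deliberately keys on target and method rather than on the full calldata so that a schedule for a different implementation address still has to be checked by a human rather than silently accepted.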
Dev identity & insider risk Green 5 16 of 16
RD-F-114 yellow Deployer address prior on-chain history Data cache deployer.address is null — the data pipeline did not auto-resolve the specific deployer EOA. Eigen Labs core contracts are labeled 'EigenLayer:' on Etherscan (e.g., DelegationManager at 0x39053D51B77DC0d36036Fc1fCc8Cb819df8Ef37A), consistent with institutional deployment under the Eigen Labs entity. No deployer address linked to a prior rug or failed project identified in OSINT. Institutional VC-backed corporate entity deployment provides an accountability backstop. Yellow (not green) because the specific deployer EOA(s) were not positively identified and on-chain history of the deployer wallet(s) was not traced at the individual address level. Curator action required: run contractCreator on Etherscan for DelegationManager to close this gap.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion EigenLayer has a formal ELIP process (15 ELIPs through ELIP-015 as of 2026-04-28) with public forum discussion required before Protocol Council approval. The Protocol Council charter explicitly states that 'modifications to multisig governance architecture (i.e. transferring ownership / admin access)' require an ELIP. No specific undiscussed admin-rescue or ACL change event was affirmatively identified in the last 180 days. Three structural concerns prevent green: (1) Operations Multisig (3-of-6, Eigen Labs) can execute 'routine upgrades' through the 10-day timelock without a full ELIP — the charter boundary between routine and ELIP-required is not precisely enumerated in public documentation; (2) a community forum post ('Improved MultiSig Process and Documentation') explicitly calls for better history documentation of past multisig actions, implying the current record is incomplete; (3) the October 2024 investor wallet hack was an EXTERNAL email-based social-engineering attack (invest
RD-F-117 gray ENS/NameStone identity bound to deployer Data cache deployer.address is null — deployer EOA not identified, preventing ENS binding check. Eigen Labs multisig addresses are labeled on Etherscan by role ('EigenLayer: Community Multisig', etc.) but no ENS / NameStone name resolution linking deployer EOA to a verifiable real-world identity is confirmed. Gray (not red) — absence of ENS binding is not a risk indicator for an institutional entity with a high-profile named founder. Green would require positive confirmation of ENS / NameStone binding.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet Cannot meaningfully assess at OSINT tier. Eigen Labs uses off-chain payroll (87 employees as of March 2026); on-chain payment streams from the Eigen Labs treasury to individual contributor wallets are not publicly traceable in a way that enables 3-hop analysis to a DPRK-labeled cluster. OSINT search for 'EigenLayer DPRK Lazarus developer' found zero results connecting team members to DPRK cluster payments. However, absence of on-chain payroll visibility means contributor wallet routing cannot be positively cleared. Per process-learnings.md guidance: mark NOT ASSESSED for off-chain payroll contributors beyond what OSINT can confirm.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged evidence of a 'team contributor' or 'external integrator' persona deploying >=1M USD of real capital to EigenLayer to build credibility ahead of a social-engineering attack. The October 2024 $5.7M investor wallet incident was an email-thread compromise (attacker intercepted the custodian-investor-Eigen Labs email thread and substituted their wallet address) — the attack vector was email compromise, not a persona-build strategy requiring DeFi capital deployment by the attacker. The Drift Protocol UNC4736 persona-build pattern (6-month conference + in-person build-up + >$1M capital deployment) does not appear in EigenLayer's known incident record. M-only / curator-dependent factor; absence cannot be definitively confirmed at OSINT tier. Per process-learnings.md guidance: mark GRAY, note Drift comparator as reference pattern.
RD-F-111 green Team doxx status Founder Sreeram Kannan is fully doxxed: real name, UW ECE associate professor, LinkedIn with complete academic history, Google Scholar publication trail, public conference speaker (Devcon, Blockworks). Legal entity Eigen Labs is an incorporated company with VC-grade KYC implied from a16z / Polychain / Blockchain Capital investment diligence. Protocol Council external members are individually named (Mehdi Zerouali / Sigma Prime, Mike Reinhart / Unit410, Gonçalo Sá / Creed+ConsenSys Diligence). All 13 Community Multisig signers are publicly named by the Eigen Foundation. Operations Multisig and Pauser Multisig individual signer identities not individually named (described as 'Eigen Labs personnel'). Classification: real-name for founder and protocol council; pseudonymous for ops/pauser individual EOAs.
RD-F-112 green Team public accountability surface Accountability surface is among the highest in DeFi. Sreeram Kannan: UW ECE faculty page, Google Scholar (extensive academic publication history in information theory, blockchain), CoinDesk profile, Blockworks speaker, Devcon Bogotá speaker, LinkedIn with complete academic/professional history. Protocol Council: Mehdi Zerouali (Sigma Prime) has a decade of public blockchain security work and is on Polygon's Protocol Council; Gonçalo Sá (Creed/ConsenSys Diligence) has 20+ years offensive security with public presence; Mike Reinhart (Unit410) is named as a crypto staking operator. Community Multisig includes Tim Beiko (Ethereum Foundation), Tarun Chitra (Gauntlet/Robot Ventures), Anna Rose (ZK Podcast host), Viktor Bunin, Uma Roy — all have extensive public professional trails.
RD-F-113 green Team other-protocol involvement history No prior rug or exit-scam affiliations found for any named team member. Sreeram Kannan's career is entirely academic + Eigen Labs (founded 2021) — no prior DeFi protocol involvement identified. Gonçalo Sá: Security Council lead at Everclear, Technical Partner at Ethereal Ventures — no rug affiliations. Mehdi Zerouali: Sigma Prime CEO, Polygon Protocol Council member — clean track record. Tim Beiko: Ethereum Foundation, EIP editor — clean. Community Multisig named signers all have established DeFi ecosystem reputations without prior rug affiliations. OSINT search 'EigenLayer rug OR exit scam developer team' returned zero relevant results.
RD-F-115 green Prior rug/exit-scam affiliation No team member has a prior rug or exit-scam affiliation verified via OSINT or curator rug list. OSINT search returned no results connecting any named Eigen Labs employee, Protocol Council member, or Community Multisig signer to a prior rugged or exit-scam-labeled protocol. REKT database shows zero incidents for EigenLayer. Named team members (Sreeram Kannan, Mehdi Zerouali, Gonçalo Sá, Tim Beiko, Tarun Chitra) all have verifiable multi-year professional histories inconsistent with rug-deployer profiles.
RD-F-116 green Contributor tenure at admin-permissioned PR Eigen Labs was founded in 2021; mainnet launched June 2023. The eigenlayer-contracts GitHub repository (https://github.com/Layr-Labs/eigenlayer-contracts) has been active for 3+ years. Last commit date per data cache: 2026-04-07, confirming ongoing active development by the same engineering team. No newly-joined (<90 days) contributor has been identified as the author of an admin-permissioned code change in publicly available information. Contributor tenure is institutional — the core engineering team has multi-year tenure with the project. Medium confidence: GitHub contributor graph is JS-rendered and full contributor-tenure analysis was not performed via API.
RD-F-118 green Handle reuse across failed/rugged projects Primary X/Twitter handles @eigenlayer and @eigenfoundation have no history of association with prior rugged or failed projects. Named team members (Sreeram Kannan, Tim Beiko, Tarun Chitra, Anna Rose, etc.) have long-standing Twitter/X accounts with no known handle recycling from prior failed DeFi projects. No OSINT evidence of handle reuse across rug-pull projects found.
RD-F-119 green Commit timezone consistent with stated geography Eigen Labs is headquartered in Seattle (stated geography, US Pacific time). Data cache shows last commit date 2026-04-07 on the eigenlayer-contracts repo. No timezone anomaly reported in any public OSINT. GitHub commit-hour distribution analysis was not performed at full PH-curation depth (GitHub contributor graph is JS-rendered; API call not executed). No indicators of commit-time anomaly suggesting a non-US timezone or DPRK-pattern commit distribution. Medium confidence given OSINT-tier limitation.
RD-F-120 green Video-off/voice-consistency flag Sreeram Kannan has participated in multiple public video interviews and on-stage conference appearances with no video-off flag. Confirmed appearances: The Defiant podcast (audio+video), Bell Curve podcast (Crypto Briefing), Devcon Bogotá (on-stage speaker). Protocol Council external members Mehdi Zerouali (Sigma Prime) and Gonçalo Sá (Creed/ConsenSys Diligence) are named security professionals with conference and public appearance track records. No curator observation of video-off behavior or voice/timezone inconsistency. High confidence — multiple independent public video sources.
RD-F-121 green Contributor OSINT depth score Curator-estimated OSINT depth scores: Sreeram Kannan: 5/5 (PhD ECE + MS Mathematics UIUC; postdoctoral scholar UC Berkeley as primary appointment + visiting postdoc Stanford 2012-2014; UW ECE faculty since 2014 incl. director of UW Blockchain Lab; full academic publication trail via Google Scholar; LinkedIn with complete history; multiple public conference appearances; extensive media coverage). Protocol Council external members: 4/5 (named institutional affiliations, public websites, multi-year professional track records). Community Multisig notable signers (Tim Beiko: 5/5, Tarun Chitra: 5/5, Anna Rose: 5/5). Operations/Pauser Multisig individual contributors: 2/5 (institutional affiliation known but individual contributor identifiability is more limited).
RD-F-124 green Deployer wallet mixer-funded within 30 days No evidence of Tornado Cash / Railgun / mixer funding within 30 days of any EigenLayer core contract deployment. Eigen Labs received institutional VC funding (Series A March 2023 from Blockchain Capital + Polychain; before mainnet launch June 2023), providing a clean, large-scale institutional funding source for contract deployment costs. Data cache deployer.address is null (pipeline gap prevents full on-chain verification of specific deployer EOA), but no OSINT allegation of mixer-funded deployment exists. Important clarification: a Yahoo Finance article from June 2023 noted the Tornado Cash *protocol deployer address* was among early depositors into EigenLayer LST pools — this refers to that address acting as a USER of EigenLayer's pools, not to EigenLayer's own deployer being funded via mixer. The 30-day window criterion for RD-F-124 is not triggered by external users of the protocol. Curator action: confirm by tracing contractCreator EOA on Etherscan for DelegationManager (0x39053D
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No evidence of EigenLayer deployer wallet or team member wallets being within 3 hops of DPRK / Lazarus cluster. OSINT search specifically targeting 'EigenLayer Eigen Labs DPRK Lazarus North Korea developer' returned zero results connecting the EigenLayer development team to the Lazarus cluster. The April 2026 Kelp DAO $292M exploit attributed to the Lazarus Group (DPRK-nexus) targeted a protocol BUILT ON TOP OF EigenLayer via Kelp's own 1/1 LayerZero DVN misconfiguration — this is a downstream user protocol hack, not an EigenLayer team wallet / deployer connection. OFAC SDN list does not contain Eigen Labs, Eigen Foundation, or any named EigenLayer team member. No public Chainalysis report links Eigen Labs wallet to Lazarus cluster. ESCALATION: NOT REQUIRED — RD-F-125 is green.
Fork / dependency lineage Yellow 22 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions EigenLayer's .gitmodules lists openzeppelin-contracts-v4.9.0 and openzeppelin-contracts-upgradeable-v4.9.0 as named submodules with version encoded in the path name. However, no explicit commit SHA is pinned for any submodule (OZ, ds-test, forge-std, zeus-templates). The OZ version is anchored by path naming convention only — not cryptographic SHA pinning. This is a mild dependency management gap applicable even to original protocols. RD-F-135 yellow Shared-library version with known-vuln status OpenZeppelin v4.9.0 (the pinned version) has two known advisories: (1) GHSA-g4vp-m682-qqmp — Governor proposal frontrunning in v4.9.0 only, fixed in v4.9.1; (2) ERC2771Context _msgSender returns address(0) for calldata < 20 bytes (v4.0.0–v4.9.2), fixed in v4.9.3. Neither advisory is applicable to EigenLayer's current usage pattern (EigenLayer uses TimelockController not OZ Governor; does not use ERC2771Context). However, the pin is not patched to v4.9.1 or v4.9.3 — future code additions could inherit these patterns. Scored yellow for the unpatched library version, not red, given current inapplicability. RD-F-126 n/a Is-a-fork-of EigenLayer is an original protocol developed by Eigen Labs. No upstream fork relationship exists in git history. README describes it as a novel restaking primitive; the academic whitepaper (Sreeram Kannan, UW 2023) introduces the concept independently. No bytecode similarity to any existing DeFi protocol. RD-F-127 n/a Upstream patch not merged Not applicable — EigenLayer has no upstream DeFi fork; there is no upstream protocol from which security patches could propagate. RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable — EigenLayer has no upstream DeFi fork; no upstream vulnerability disclosures to propagate. RD-F-129 n/a Code divergence from upstream (%) Not applicable — EigenLayer is an original codebase with no upstream fork to compare divergence against. 
RD-F-130 n/a Fork depth (generations from original audit) Not applicable — original codebase. Fork depth = 0 by definition (no fork hops from any upstream protocol).
RD-F-131 n/a Fork retains upstream audit coverage Not applicable — EigenLayer has its own original and comprehensive audit program (22+ engagements). No upstream audit coverage to inherit or lose.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable — EigenLayer is an original protocol. All economic parameters (AVS slashing conditions, withdrawal delays, operator registration rules) are original to EigenLayer's design, with no upstream audited defaults to diverge from.
RD-F-134 green Dependency had malicious-release incident (last 90d) OpenZeppelin, forge-std, and ds-test have not had malicious-release incidents in the trailing 90 days as of 2026-04-28. No GitHub security advisory flagging for these dependencies in this window. zeus-templates (Layr-Labs internal) has no malicious release history.
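The second RD-F-135 advisory turns on an EVM edge case that is easy to misread from the advisory text alone. The following is an added example, not EigenLayer or OpenZeppelin code: it models the pre-4.9.3 `_msgSender()` arithmetic (`shr(96, calldataload(sub(calldatasize(), 20)))`) beside the 4.9.3 behaviour in Python, so the address(0) outcome can be checked offline. The trusted-forwarder address and the calldata are constructed placeholders.

```python
# Added example: models the EVM arithmetic behind the ERC2771Context advisory in
# RD-F-135. Not EigenLayer or OpenZeppelin code; the forwarder address is a placeholder.
TRUSTED_FORWARDER = "0x" + "f" * 40  # constructed placeholder address
ZERO_ADDRESS = "0x" + "0" * 40
WORD = 2**256


def calldataload(calldata: bytes, offset: int) -> int:
    """EVM CALLDATALOAD: 32 bytes at `offset`, zero-padded beyond the end of calldata."""
    chunk = calldata[offset:offset + 32] if offset < len(calldata) else b""
    return int.from_bytes(chunk.ljust(32, b"\x00"), "big")


def msg_sender_pre_493(msg_sender: str, calldata: bytes) -> str:
    """Pre-4.9.3 logic: sender = shr(96, calldataload(sub(calldatasize(), 20))).
    For calldata shorter than 20 bytes, SUB wraps modulo 2**256, the load reads
    past the end of calldata and returns zeros, so the recovered sender is address(0)."""
    if msg_sender != TRUSTED_FORWARDER:
        return msg_sender
    offset = (len(calldata) - 20) % WORD
    return "0x%040x" % (calldataload(calldata, offset) >> 96)


def msg_sender_493(msg_sender: str, calldata: bytes) -> str:
    """4.9.3 fix: trust the appended 20-byte sender only when calldata can contain it;
    otherwise fall back to msg.sender, i.e. the forwarder itself."""
    if msg_sender == TRUSTED_FORWARDER and len(calldata) >= 20:
        return "0x" + calldata[-20:].hex()
    return msg_sender


def demo() -> dict:
    """Exercise both variants on a normal forwarded call and on a selector-only call."""
    user = "0x" + "ab" * 20
    forwarded = bytes.fromhex("deadbeef") + bytes.fromhex(user[2:])  # selector + sender suffix
    short = bytes.fromhex("deadbeef")                                # selector only, no suffix
    return {
        "forwarded_pre": msg_sender_pre_493(TRUSTED_FORWARDER, forwarded),
        "forwarded_493": msg_sender_493(TRUSTED_FORWARDER, forwarded),
        "short_pre": msg_sender_pre_493(TRUSTED_FORWARDER, short),
        "short_493": msg_sender_493(TRUSTED_FORWARDER, short),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The practical consequence is that any pre-4.9.3 ERC2771Context-derived contract exposing a function with no arguments, called through the forwarder, attributes the call to address(0); whether that is exploitable depends entirely on what the contract does with a zero sender, which is why the page scores the inherited version yellow rather than dismissing it.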
Post-deploy hygiene & change mgmt Green 18 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag EigenLayer uses a structured release cadence (GitHub releases: v1.6.0, v1.8.1, v1.9.0, v1.12.0 with dates). Audit reports reference specific commit SHAs. No independent bytecode-vs-commit-SHA match verification at assessment tier; gap for curator. Release discipline is above average for the space but not independently confirmed.
RD-F-137 yellow Upgrade frequency (per 90 days) Approximately 1-2 major upgrades per 90 days in 2024-2025: ELIP-001 (Jan 2025), ELIP-002 / Slashing (Apr 2025), Redistribution (Jul 2025), v1.12.0 (Mar 2025), EigenPods emergency patch (Aug 2025). High upgrade cadence for a complex protocol. Each major upgrade was audited, which partially mitigates the risk, but the frequency of change is elevated.
RD-F-139 yellow Post-audit code changes without re-audit The August 2025 EigenPods Pectra bug fix was a same-day emergency patch following Immunefi disclosure. Certora had audited Pectra-related changes in July 2025 (Multichain/Merkle audits), but these predate the specific vulnerability. The 'Pectra Compatibility Audit Handbook' (HackMD) is a planning doc, not a completed audit of the patch. Residual audit gap of ~4-6 weeks for this specific patch. Tempered by: proactive fix before exploitation, strong prior audit culture (22 audits since 2023), recent Certora Pectra engagement.
RD-F-142 yellow Storage-layout collision risk across upgrades EigenLayer uses the OpenZeppelin TransparentUpgradeableProxy (TUP, EIP-1967 slots) throughout; 5+ major upgrades have been executed across all core contracts (ELIP-001, ELIP-002, v1.12.0). Each upgrade that replaces several implementation contracts at once carries storage-layout risk: a state variable inserted, reordered or retyped in the new implementation silently aliases slots that already hold live data behind the unchanged proxy. No publicly disclosed storage collision found. OZ upgrades-plugin discipline (layout comparison against the previous implementation on every upgrade) is assumed but not independently verified at assessment tier.
RD-F-145 yellow Deployed bytecode reproducibility Foundry-based build system with deterministic compilation settings (foundry.toml present; optimizer enabled, 200 runs; Solidity 0.8.30). In principle reproducible, provided the reproducer uses the same solc build, optimizer runs, evm_version and via_ir settings; the CBOR metadata trailer solc appends (a hash of the metadata JSON, which includes source paths and compiler settings) can still differ between otherwise identical builds, so a comparison should either pin the bytecode_hash setting or strip the trailer before diffing. No independent reproduction attempt made at assessment tier; gap for curator.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant EigenLayer is not a bridge; the RD-F-185 bridge rate-limiter is not applicable in its primary definition. The closest analogue is the Pauser Multisig (1-of-7, instant-pause), which provides a circuit-breaker capability without delay: a single authorized signer can halt the entire protocol in an emergency. No on-chain rate-limiter for withdrawals beyond the existing 14-day withdrawal queue (post-slashing launch). Scored yellow: instant-pause exists as a positive mitigant, but there is no rate-limiter; the withdrawal queue is a delay, not a cap.
RD-F-138 gray Hot-patch deploys without timelock (last 30 days) No hot-patches without timelock identified in the last 30 days (no confirmed mainnet deploy in the trailing 30d relative to 2026-04-28). The August 2025 EigenPods Pectra bug fix was deployed urgently via the Community Multisig; whether the standard 2-day timelock was bypassed through an emergency path is unclear from public sources. Gap flagged.
RD-F-168 gray Stale-approval exposure on deprecated router No deprecated router identified in the current contract surface. EigenLayer uses transparent upgradeable proxies; user approvals to the proxies persist through implementation upgrades by design (not a deprecated-router problem). No approval-to-deprecated-contract pattern identified. Gap: no automated allowance scan performed.
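RD-F-136 and RD-F-145 both reduce to one check the curator has not yet run: does the runtime bytecode the repository compiles to equal what sits behind the deployed proxy. The following is an added example, not EigenLayer tooling: it performs that comparison in Python with the CBOR metadata trailer removed, since the trailer carries a hash of the metadata JSON and legitimately differs between builds of the same sources from different paths. The bytecode body, the IPFS digests and `make_metadata` are constructed to match the trailer shape solc emits; fetching real inputs (forge's compiled artifact and eth_getCode on the implementation address) is left to the caller.

```python
# Added example: compare compiled runtime bytecode with on-chain code, ignoring the
# CBOR metadata trailer solc appends. Not EigenLayer tooling; all inputs are constructed.

def split_metadata(code: bytes) -> tuple:
    """Return (code_without_trailer, cbor_metadata).

    solc appends a CBOR map (keys such as "ipfs"/"bzzr1" and "solc") followed by a
    2-byte big-endian length of that map. If the tail does not parse as such a map,
    the input is returned unchanged with an empty metadata part."""
    if len(code) < 2:
        return code, b""
    n = int.from_bytes(code[-2:], "big")
    if n == 0 or n + 2 > len(code):
        return code, b""
    meta = code[-(n + 2):-2]
    is_cbor_map = (meta[0] >> 5) == 5  # CBOR major type 5 = map
    has_hash_key = any(k in meta for k in (b"ipfs", b"bzzr0", b"bzzr1"))
    if not (is_cbor_map and has_hash_key):
        return code, b""
    return code[:-(n + 2)], meta


def same_code_ignoring_metadata(compiled: bytes, onchain: bytes) -> bool:
    """True when the two runtime bytecodes differ at most in their metadata trailer."""
    return split_metadata(compiled)[0] == split_metadata(onchain)[0]


def make_metadata(ipfs_multihash: bytes, solc_version=(0, 8, 30)) -> bytes:
    """Build a trailer in the shape solc emits for bytecode_hash=ipfs (constructed)."""
    meta = (b"\xa2"                                              # map with two entries
            + b"\x64ipfs" + b"\x58\x22" + ipfs_multihash           # "ipfs": bytes(34)
            + b"\x64solc" + b"\x43" + bytes(solc_version))         # "solc": bytes(3)
    return meta + len(meta).to_bytes(2, "big")


# Constructed runtime code body (no relation to any deployed contract) plus two
# trailers whose only difference is the metadata hash, as happens when the same
# sources are compiled from a different directory.
BODY = bytes.fromhex("6080604052348015600e575f5ffd5b50")
COMPILED = BODY + make_metadata(b"\x12\x20" + b"\x01" * 32)
ONCHAIN = BODY + make_metadata(b"\x12\x20" + b"\x02" * 32)
TAMPERED = BODY + b"\x00" + make_metadata(b"\x12\x20" + b"\x01" * 32)

if __name__ == "__main__":
    print("same modulo metadata:", same_code_ignoring_metadata(COMPILED, ONCHAIN))
    print("tampered body detected:", not same_code_ignoring_metadata(COMPILED, TAMPERED))
```

Two caveats for a real run: immutable variables are patched into the runtime code at deploy time, so a contract using `immutable` needs those byte ranges (listed in the artifact's immutableReferences) masked as well, and a match of runtime code says nothing about constructor arguments, which must be checked separately from the creation transaction.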
RD-F-140 green Fix-merged-but-not-deployed gap No evidence of a known-vulnerability fix merged in repo but pending deployment. The August 2025 EigenPods patch was deployed same-day as Immunefi disclosure — proactive monitoring and fast deployment. No fix-merged-but-not-deployed gap identified.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters found in production contracts. ProxyAdmin is a dedicated contract (not deployer EOA). DelegationManager and StrategyManager constructors use _disableInitializers() — no test-mode config left on. No evidence of test oracle, infinite allowance, or admin=deployer pattern in deployed contracts.
RD-F-143 green Reinitializable implementation (no _disableInitializers) DelegationManager, StrategyManager, BackingEigen, and Eigen token implementations all confirmed to call _disableInitializers() in constructors (GitHub source reads). OpenZeppelin TUP pattern correctly applied. No implementation can be re-initialized directly.
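For the storage-layout concern in RD-F-142, the check worth automating is a diff of solc's storage layout between the current and proposed implementation, which is what the OZ upgrades plugin does internally. The following is an added example, not EigenLayer tooling: it assumes the JSON shape that `forge inspect <Contract> storage-layout --json` (solc's storageLayout output) produces, with a `storage` list of `{label, slot, offset, type}` entries and a `types` map, and runs over two constructed layouts for a hypothetical contract, one with a variable inserted mid-layout and one with it appended.

```python
# Added example: flag upgrade-unsafe storage layout changes between two solc
# storageLayout JSON documents. Not EigenLayer tooling; the layouts below are
# constructed for a hypothetical contract, not taken from any EigenLayer implementation.

def _by_label(layout: dict) -> dict:
    return {e["label"]: e for e in layout["storage"]}


def diff_storage_layout(old: dict, new: dict) -> list:
    """Return findings that would break an upgrade behind an unchanged proxy.

    Safe: appending variables after the old layout's last slot. Unsafe: removing,
    moving or retyping an existing variable, or inserting a new one at or below
    the old tail (it aliases a slot that already holds live data)."""
    findings = []
    old_vars, new_vars = _by_label(old), _by_label(new)
    old_tail = max((int(e["slot"]) for e in old["storage"]), default=-1)
    for label, o in old_vars.items():
        n = new_vars.get(label)
        if n is None:
            findings.append(f"REMOVED {label} (slot {o['slot']})")
            continue
        if (o["slot"], o["offset"]) != (n["slot"], n["offset"]):
            findings.append(f"MOVED {label}: {o['slot']}+{o['offset']} -> {n['slot']}+{n['offset']}")
        old_t, new_t = old["types"][o["type"]], new["types"][n["type"]]
        if (old_t["label"], old_t["numberOfBytes"]) != (new_t["label"], new_t["numberOfBytes"]):
            findings.append(f"RETYPED {label}: {old_t['label']} -> {new_t['label']}")
    for label, n in new_vars.items():
        if label not in old_vars and int(n["slot"]) <= old_tail:
            findings.append(f"INSERTED {label} at slot {n['slot']} (old tail is slot {old_tail})")
    return findings


def _entry(label, slot, offset, typ):
    return {"label": label, "slot": str(slot), "offset": offset, "type": typ}


TYPES = {
    "t_address": {"label": "address", "numberOfBytes": "20"},
    "t_bool": {"label": "bool", "numberOfBytes": "1"},
    "t_uint16": {"label": "uint16", "numberOfBytes": "2"},
    "t_mapping(t_address,t_uint256)": {"label": "mapping(address => uint256)", "numberOfBytes": "32"},
}

# Constructed V1 layout: owner in slot 0, paused packed after it, a mapping in slot 1.
V1 = {"storage": [_entry("owner", 0, 0, "t_address"),
                  _entry("paused", 0, 20, "t_bool"),
                  _entry("balances", 1, 0, "t_mapping(t_address,t_uint256)")],
      "types": TYPES}

# V2 (bad): feeBps declared between owner and paused, shifting paused to offset 22.
V2_BAD = {"storage": [_entry("owner", 0, 0, "t_address"),
                      _entry("feeBps", 0, 20, "t_uint16"),
                      _entry("paused", 0, 22, "t_bool"),
                      _entry("balances", 1, 0, "t_mapping(t_address,t_uint256)")],
          "types": TYPES}

# V2 (good): feeBps appended after the mapping, so every existing slot is untouched.
V2_GOOD = {"storage": V1["storage"] + [_entry("feeBps", 2, 0, "t_uint16")], "types": TYPES}

if __name__ == "__main__":
    print("bad upgrade:", diff_storage_layout(V1, V2_BAD))
    print("good upgrade:", diff_storage_layout(V1, V2_GOOD))
```

Run it against the previous and candidate implementation of each contract an upgrade touches, not just the one whose logic changed: a contract that inherits from a modified base picks up the shift too.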
RD-F-144 green CREATE2 factory permits same-address redeploy No evidence of CREATE2 factory usage in the core EigenLayer protocol. All contracts are standard deployer-created proxies. No redeploy-to-same-address pattern found in README or audits directory.
RD-F-146 green New contract deploys in last 30 days GitHub last commit date: 2026-04-07 (21 days ago). No confirmed mainnet deploy in the trailing 30 days relative to 2026-04-28 assessment date. Active development but no new surface added to mainnet recently. Last major release was v1.12.0 on March 24, 2025.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface EigenLayer is Ethereum-mainnet-only at the protocol layer. No bridge surface exists. AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-148 n/a Bridge validator count (M) N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-149 n/a Bridge validator threshold (k-of-M) N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-150 n/a Bridge validator co-hosting N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — not_applicable] N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-152 n/a Bridge binds message to srcChainId N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-153 n/a Bridge tracks nonce-consumed mapping N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL — not_applicable] N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-155 n/a Bridge validator-set rotation recency N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-156 n/a Bridge uses same key custody for >30% validators N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-157 n/a Bridge TVL per validator ratio N/A — no bridge surface. EigenLayer is Ethereum-mainnet-only at the protocol layer; AVS-side cross-chain operations are AVS-scope, not EigenLayer-protocol-scope.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) N/A — EigenLayer is not a LayerZero OFT. No LayerZero OApp is detected in EigenLayer core contracts (data cache: layerzero.present = false). AVSs that themselves use LayerZero (e.g., EigenDA publishing to other chains) are AVS-scope, not EigenLayer-protocol-scope. EigenLayer is Ethereum-mainnet-only at the protocol layer.
Threat intelligence & recon Yellow 20 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol A known threat actor (Lazarus/TraderTraitor) recently targeted the restaking ecosystem directly. The Kelp DAO rsETH exploit (April 19, 2026, ~$292M, Lazarus attribution by LayerZero Labs) involved rsETH assets that were backed by EigenLayer StrategyManager positions. The attack vector was the LayerZero bridge to the rsETH contract, not EigenLayer core contracts directly. No confirmed direct Lazarus cluster wallet interaction with EigenLayer core contracts via public on-chain data. However, DPRK targeting of the EigenLayer-adjacent ecosystem constitutes elevated threat proximity. Requires a curated TI feed (Chainalysis/TRM) for a definitive 30-day window check. Score yellow: proximity to a confirmed DPRK attack on the restaking ecosystem plus insufficient public data to confirm or deny a direct EigenLayer contract touch.
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) EigenLayer is a high-recognition $8.89B TVL protocol and a prime typosquat target. The documented brand migration from eigenlayer.xyz to eigencloud.xyz creates new impersonation surface (e.g., eigencloud-xyz.com, eigen-cloud.xyz). EigenLayer's X account was hacked (Unchained Crypto report), confirming an active brand-impersonation threat. The October 2024 investor compromise used email thread spoofing, a sophisticated impersonation technique. No specific typosquat domain incident identified via OSINT as of 2026-04-28 (a WHOIS monitoring feed is required for a definitive 90-day window check). Score yellow: high-value brand, confirmed X account compromise, and a domain migration creating new attack surface.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols For restaking/LRT-class protocols, reconnaissance patterns vary: Kelp DAO (Lazarus, April 2026) showed pre-funding via Tornado Cash ~10h before the exploit (short-cycle reconnaissance); Drift Protocol (DPRK, April 2026) showed a 6-day SC governance-weakening pre-strike; USPD-class attacks showed 78-day reconnaissance windows. EigenLayer's October 2024 investor compromise involved sustained email thread monitoring (reconnaissance duration unknown, likely weeks). EigenLayer, as the $8.89B TVL foundational restaking layer, is a higher-value target than any single LRT. Observed reconnaissance windows for peer-class protocols range from hours (Kelp DAO) to 78 days, with the multi-day cases spanning 6 to 78 days. Score yellow because the restaking protocol class is now confirmed as an active DPRK targeting priority, elevating the reconnaissance risk baseline for EigenLayer itself.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Signal applicable: mempool probing from attacker-labeled wallets (low-gas failing txs to EigenLayer contracts) would be a precursor indicator. Requires live mempool monitoring plus a curated threat-actor cluster list. No public reports of mempool probing against EigenLayer core contracts identified as of 2026-04-28. Gray reflects a data gap requiring a private TI feed.
RD-F-164 gray Leaked credential on paste/Sentry site The October 2024 investor hack involved email thread compromise. Whether the attacker obtained credentials from a paste/Sentry site or through direct email account compromise is not publicly confirmed. No confirmed credential leak on paste sites matching EigenLayer infra endpoints as of 2026-04-28. Requires dedicated paste-monitoring and Sentry-alt monitoring feeds. Gray reflects a data gap.
RD-F-165 gray Protocol social channel has scam-coordinator flag The EigenLayer Discord URL (discord.gg/eigenlayer) is listed in the profile but flagged as not independently verified as of 2026-04-28. No specific scam-coordinator flagging in EigenLayer's Discord or Telegram identified via OSINT. The DPRK Contagious Interview campaign specifically targets developer communities via Discord/Telegram; the EigenLayer developer community would be a natural target. Cannot assess without a curator social watchlist and Discord verification. Gray reflects a dual data gap (unverified Discord + no scam-coordinator data).
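RD-F-159 names the precursor signal but the page carries no detector for it. The following is an added example, not EigenLayer or any TI vendor's code: it implements that rule (cheap reverted calls from a watchlisted sender to protocol contracts, clustered in time) over constructed transaction records. The contract addresses, the watchlisted sender, the hashes and the selectors are placeholders; a real deployment would feed it decoded mempool or block data and a curated cluster list from a TI provider.

```python
# Added example: the RD-F-159 precursor rule over constructed transaction records.
# Not EigenLayer or vendor code. Addresses, hashes and selectors are placeholders.
from collections import defaultdict
from statistics import median

PROTOCOL_CONTRACTS = {"0xstrategymanager", "0xdelegationmanager"}  # placeholders
WATCHLIST = {"0xattacker"}                                          # placeholder cluster


def _tx(h, sender, to, ok, gwei, ts, selector):
    return {"hash": h, "from": sender, "to": to, "status": ok,
            "gas_price_gwei": gwei, "ts": ts, "selector": selector}


# Constructed sample: normal traffic around 30 gwei, one ordinary failed user tx,
# and a watchlisted sender firing four cheap reverted calls within ~20 minutes.
SAMPLE_TXS = [
    _tx("0x01", "0xuser1", "0xstrategymanager", 1, 31, 1000, "0xaaaa0001"),
    _tx("0x02", "0xuser2", "0xdelegationmanager", 1, 29, 1010, "0xaaaa0002"),
    _tx("0x03", "0xuser3", "0xstrategymanager", 0, 33, 1020, "0xaaaa0001"),
    _tx("0x04", "0xattacker", "0xstrategymanager", 0, 8, 1100, "0xaaaa0001"),
    _tx("0x05", "0xattacker", "0xstrategymanager", 0, 9, 1400, "0xaaaa0002"),
    _tx("0x06", "0xattacker", "0xstrategymanager", 0, 7, 1700, "0xaaaa0001"),
    _tx("0x07", "0xattacker", "0xstrategymanager", 0, 8, 2200, "0xaaaa0003"),
    _tx("0x08", "0xattacker", "0xunrelated", 0, 8, 2300, "0xaaaa0009"),
    _tx("0x09", "0xuser4", "0xstrategymanager", 1, 30, 2400, "0xaaaa0001"),
]


def probe_alerts(txs, watchlist, contracts, window_s=3600, min_failures=3, low_gas_ratio=0.5):
    """Alert on watchlisted senders with >= min_failures reverted calls to protocol
    contracts inside window_s seconds, each priced below low_gas_ratio times the median
    gas price of successful traffic (an attacker testing assumptions pays as little as
    possible and does not care that the call reverts)."""
    landed = [t["gas_price_gwei"] for t in txs if t["status"] == 1]
    baseline = median(landed) if landed else 0
    probes = defaultdict(list)
    for t in sorted(txs, key=lambda rec: rec["ts"]):
        if (t["from"] in watchlist and t["to"] in contracts
                and t["status"] == 0 and t["gas_price_gwei"] < low_gas_ratio * baseline):
            probes[t["from"]].append(t)
    alerts = []
    for sender, plist in probes.items():
        best = []  # densest window of probes for this sender
        for i, first in enumerate(plist):
            run = [p for p in plist[i:] if p["ts"] - first["ts"] <= window_s]
            if len(run) > len(best):
                best = run
        if len(best) >= min_failures:
            alerts.append({"from": sender, "failed_probes": len(best),
                           "first_ts": best[0]["ts"], "last_ts": best[-1]["ts"],
                           "targets": sorted({p["to"] for p in best}),
                           "selectors": sorted({p["selector"] for p in best})})
    return alerts


if __name__ == "__main__":
    for alert in probe_alerts(SAMPLE_TXS, WATCHLIST, PROTOCOL_CONTRACTS):
        print(alert)
```

The ordinary failed call from an unlisted user and the watchlisted sender's call to an unrelated contract are deliberately excluded, which is the trade-off of this rule: it has a low false-positive rate but sees nothing until the cluster list already names the wallet, so pre-funding sources (the Tornado Cash pattern noted under RD-F-163) are the more useful enrichment for extending that list.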
RD-F-160 green GitHub malicious-dependency incident touching protocol deps EigenLayer uses npm (package_json_present: true) and Foundry (foundry_toml_present: true). No GitHub security advisory matching EigenLayer's dependency tree identified as of 2026-04-28. Key dependencies: OpenZeppelin (v4/v5 for proxy, timelock, accesscontrol). No flagged malicious release in OZ or Foundry package sets in trailing 90 days found via public search. Solidity 0.8.30 is a compiler version, not an npm package.
RD-F-162 green Known-exploit-template selector deployed by any address No known-exploit-template selector pattern deployed by any address targeting EigenLayer contract architecture as of 2026-04-28. EigenLayer has had no protocol-level exploit (Rekt DB: 0 incidents). The August 2025 EigenPods Pectra vulnerability was responsible-disclosed and patched before any exploitation — no exploit calldata template was published publicly. No contracts with bytecode similarity to EigenLayer's StrategyManager/DelegationManager/EigenPodManager found in public exploit databases.
Tooling / compiler / AI Green 0 5 of 5
RD-F-170 green Solc version used (known-bug versions flagged) Solidity 0.8.30 per foundry.toml. High-severity known bug TransientStorageClearingHelperCollision (affects delete on transient storage variables) is non-applicable — EigenLayer does not use transient storage (no Solidity transient keyword declarations found; via_ir is false). Low-severity bugs (LostStorageArrayWriteOnSlotOverflow, VerbatimInvalidDeduplication, etc.) have negligible exploitability. Version 0.8.30 is not deprecated or EOL.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation EigenLayer is an original protocol with no upstream DeFi fork. The beacon chain proof verification system is a novel cryptographic construction with no analogous upstream bytecode to copy from. No evidence of high-bytecode-similarity-with-behavior-deviation pattern consistent with AI-copy risk.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship disclosures found in EigenLayer commit history (no 'Co-authored-by: GitHub Copilot' or similar commit trailers). Web search for EigenLayer AI code disclosure returned no relevant results. Confidence is uncertain, as confirming this requires direct commit history inspection.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Eigen Labs of AI-generated Solidity in security-critical contract paths found. No blog post, tweet, or documentation mentions AI code generation for smart contracts. Confidence is uncertain, as absence of disclosure is not the same as confirmed absence of use.
RD-F-174 green Dependency tree uses EOL Solidity version Solidity 0.8.30 is not EOL. OpenZeppelin v4.9.0 is a maintained version (no EOL designation). forge-std and ds-test are actively maintained. zeus-templates is maintained by Layr-Labs. All dependencies on supported, non-deprecated versions.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No formal acknowledgment-time SLA (e.g., 72-hour ack) published in docs, GitHub SECURITY.md (absent), or Immunefi program page (inaccessible). The GitHub repo (eigenlayer-contracts) explicitly lacks a SECURITY.md: https://github.com/Layr-Labs/eigenlayer-contracts/security/policy states 'This project has not set up a SECURITY.md file yet.' The August 2025 EigenPods event demonstrates same-day response capability but no published SLA commitment. Immunefi platform-level practices apply by inference only.
RD-F-175 green Disclosure channel exists EigenLayer operates an active bug bounty program on Immunefi. Confirmed by: (1) Stage 1 launch blog post citing '$2,000,000 of bug bounties available via Immunefi'; (2) Immunefi LinkedIn post referencing 'EigenLayer Bug Bounties | Immunefi'; (3) August 2025 EigenPods bug was reported via Immunefi and patched same day — demonstrating the channel is functionally active. The docs page and Immunefi slug page were inaccessible (403/404) but the channel's existence and functionality are confirmed by the working disclosure event.
RD-F-177 green Prior known-ignored disclosure No evidence that EigenLayer ignored a disclosed vulnerability that was later exploited. The August 2025 EigenPods bug was disclosed via Immunefi and patched same day. The October 2024 investor wallet event was an off-chain operational failure, not a disclosed-then-ignored vulnerability. No post-mortems reveal a known-but-ignored pattern. Note: The Kelp DAO April 2026 exploit ($292M) involved an ignored 1/1 DVN warning on Aave forum (Jan 2025) — but this is Kelp's failure, not EigenLayer's.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA public advisory issued against EigenLayer's core contracts as of 2026-04-28. The August 2025 EigenPods bug was disclosed and patched before exploitation; no CVE was filed (pre-exploitation disclosures typically do not generate CVEs). No CVE or GHSA entry for EigenLayer found in public sources. Rekt DB shows zero incidents.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol eigenlayer