Ethena
Delta-neutral synthetic dollar protocol issuing USDe backed by spot collateral + CEX short perp basis trade, with yield distributed to sUSDe (ERC-4626) holders
Deployments: Ethereum · $3.8B

01 Risk profile at a glance
0 red · 4 yellow · 9 green

02 Categories & evidence
184 factors · 13 categories

Code & audits Green 6 25 of 25
RD-F-002 yellow Audit recency Most recent audit covering core USDe contracts is Pashov V2 (May 23 2024), covering EthenaMinting V2 and StakedUSDeV2. As of 2026-04-28 this is approximately 706 days (~23 months). ENA audited by Pashov Sep 2 2024 (~600 days). No audit has been published for any post-July 2024 changes. Core architecture is unchanged since V2 deploy, reducing drift risk, but 23-month recency gap is notable.
RD-F-003 yellow Resolved-without-proof findings Code4rena 2023 found 4 mediums: M-01 (confirmed fixed), M-02 (disputed — team maintains it is not an invariant), M-03 (confirmed fixed), M-04 (acknowledged, mitigated by deployment practice only). Code4rena 2024 found 2 mediums: M-01 (fixed via PR #2), M-02 (acknowledged/disputed severity). No case where finding is marked Resolved without on-chain change evidence. Two Acknowledged-Disputed mediums create residual ambiguity: M-04 2023 DoS via MinShares is unpatched at contract level.
RD-F-010 yellow Static-analyzer high-severity count No public Slither/Mythril/Semgrep run output published for Ethena deployed bytecode. Code4rena 2023 (competitive audit included automated tool use) found 0 high-severity findings and 4 mediums. Code4rena 2024 invitational found 0 high-severity findings and 2 mediums. True-positive high-severity count from systematic static analysis is not independently verifiable. Marked yellow as a programmatic gap, not because findings were identified.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts 27 assets in scope per Immunefi. Core Ethereum mainnet contracts (USDe, EthenaMinting V2, StakedUSDeV2, ENA, USDeSilo, EthenaLPStaking, StakingRewardsDistributor) are in scope. The USDe OFT adapters deployed across 18 chains via LayerZero (including Arbitrum, Base, Optimism, Mantle, BNB Chain, Solana) are NOT listed in the Immunefi scope table. This represents a material bug bounty scope gap: OFT adapters hold bridged USDe value across 18 chains and are excluded from bounty coverage. Similar in pattern to the Kelp DAO precedent where the OFT adapter holding >$1B was excluded from the bounty.
RD-F-009 gray Formal verification coverage No formal verification (Certora, Halmos, Kani) has been published for Ethena contracts. Chaos Labs provided economic risk analysis only (not FV). No FV coverage found in any of the 13 audit engagements.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned None of the core Ethena contracts use UUPS or any proxy pattern. USDe, EthenaMinting V2, StakedUSDeV2 are all direct non-upgradeable implementations. UUPS _authorizeUpgrade gate factor is not applicable. USDtb (sub-product) uses upgradeable pattern but is out of core scope.
RD-F-023 n/a Constructor calls _disableInitializers() Not applicable — none of the core contracts use a proxy pattern. _disableInitializers() is only relevant for proxy-behind-implementation patterns (EIP-1967, UUPS, transparent proxy). No proxy architecture exists in core Ethena contracts.
RD-F-001 green Audit scope mismatch 13 distinct audit engagements across 7 firms covering core USDe contracts. V2 contracts (EthenaMinting V2, StakedUSDeV2) audited by Pashov (May 23 2024) prior to V2 deploy (July 8 2024). Etherscan verified source on all four core contracts. All audits completed pre-deploy per official docs. No critical or high findings across any engagement. Commit SHA not publicly disclosed, so bytecode-to-commit match is medium confidence, but no evidence of scope mismatch.
RD-F-004 green Audit count 13 distinct engagements across 7 firms: Zellic (1), Quantstamp (2), Spearbit/Cantina (1), Pashov (5), Code4rena (2 contests), Chaos Labs (economic, 1+), Cyfrin (1). Discounting Chaos Labs as economic-only, 12 code security engagements. Exceptional audit density for a 26-month-old protocol.
RD-F-005 green Audit firm tier Tier-1 firms: Spearbit/Cantina, Zellic. Tier-2: Quantstamp, Cyfrin, Code4rena competitive contests. Boutique: Pashov Audit Group (4 engagements). Economic specialist: Chaos Labs. Strong firm diversity for the protocol's size and age.
RD-F-006 green Audit-to-deploy gap V1 contracts: multiple audits Oct-Nov 2023, mainnet launch Feb 19 2024 — approximately 90-120 days post-audit. V2: Pashov audit May 23 2024, V2 deployed July 8 2024 — 46 days. Both within acceptable range. 46 days for V2 is slightly tight but not a red flag given prior extensive V1 coverage.
RD-F-007 green Bug bounty presence & max payout Active Immunefi bug bounty program live since April 4 2024. Max payout $3M for critical smart contract vulnerabilities (10% of affected funds, min $100K). 27 assets in scope. Core contracts (USDe, EthenaMinting V2, StakedUSDeV2, ENA, USDeSilo, EthenaLPStaking, StakingRewardsDistributor) confirmed in scope.
RD-F-008 green Ignored bounty disclosure No post-mortem evidence of a disclosed vulnerability that was reported to the team and ignored before exploit. No smart contract exploits of Ethena core contracts have occurred as of 2026-04-28. April 2026 LayerZero bridge suspension was precautionary (not an exploit of Ethena's own contracts).
RD-F-011 green SELFDESTRUCT reachable from non-admin path Source inspection of USDe, EthenaMinting, StakedUSDeV2, StakedUSDe, USDeSilo shows no selfdestruct opcode in any contract. All contracts are non-upgradeable direct implementations.
RD-F-012 green delegatecall with user-controlled target No delegatecall usage found in USDe, EthenaMinting V2, StakedUSDeV2, or USDeSilo. All contracts are direct implementations with no proxy or delegatecall pattern. Confirmed via source inspection and Etherscan ABI review.
RD-F-013 green Arbitrary call with user-controlled target No arbitrary call pattern found in inspected contracts. EthenaMinting uses ECDSA.recover() for authenticated minting/redemption. External calls are limited to allowlisted custodian addresses and the USDe token contract. No user-supplied target address for arbitrary external calls.
RD-F-014 green Reentrancy guard on external-calling functions StakedUSDe implements OpenZeppelin ReentrancyGuard on transferInRewards(), _deposit(), _withdraw(). EthenaMinting V2 implements nonReentrant on mint(), redeem(), transferToCustody(). USDe has no external calls in critical paths requiring reentrancy guard.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Protocol does not integrate ERC-777 or ERC-1155 token standards. Collateral for minting is limited to allowlisted assets (stablecoins, LSTs — all standard ERC-20s). USDe itself is ERC-20 without hooks. No ERC-777 callback integration surface identified.
RD-F-016 green Divide-before-multiply pattern No divide-before-multiply finding documented in any of the 13 audit engagements or Code4rena reports. Code4rena 2023 (588 nSLOC, 98 low/NC findings) did not flag this at any severity. Absence of finding is positive but not fully programmatically confirmed.
RD-F-017 green Mixed-decimals math without explicit scaling EthenaMinting V2 uses allowlisted collateral assets. Price validation applies Chainlink oracle feeds (standard 8-decimal). Pashov V2 audit and Code4rena found no mixed-decimals vulnerability. No confirmed instance of this pattern.
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.19/0.8.20 with default overflow protection (SafeMath built-in). No signed/unsigned confusion vulnerability documented in any audit. Pashov Oct 2024 (USDtb scope) found L-03 EIP712 type mismatch uint128/uint120 in UStbMinting, but this is the USDtb sub-product and is out of core USDe scope.
RD-F-019 green ecrecover zero-address return unchecked EthenaMinting V2 uses OpenZeppelin ECDSA.recover() which internally validates that the returned address is not address(0). No raw ecrecover without zero-address guard found. OZ ECDSA library is the gold standard for this check.
RD-F-020 green EIP-712 domain separator missing chainId EthenaMinting V2 implements EIP-712 with chainId validation: caches _chainId and recomputes domain separator on chain ID change. Cross-chain replay is prevented. EIP-712 domain separator includes chainId by construction.
RD-F-022 green Public initialize() without initializer modifier All four core contracts use constructor-based initialization. USDe: constructor(address admin). EthenaMinting V2: constructor(IUSDe _usde, IWETH9 _weth, address[] _assets, ...). StakedUSDeV2: constructor(IERC20 _asset, address initialRewarder, address owner). ENA: constructor-based. No initialize() function on any implementation contract. One-tx exploit vector does not exist.
RD-F-024 green Code complexity vs audit coverage V1 contest scope: 6 contracts, 588 nSLOC. V2 invitational scope: 4 contracts, 665 nSLOC. Multiple overlapping audits cover the same contracts. High audit density per line of code. Multiple independent reviews (competitive + boutique) further reduce missed-complexity risk.
Governance & admin Yellow 26 24 of 24
RD-F-032 red Timelock duration on upgrades No on-chain TimelockController deployed. Data cache confirms timelock_address: null. Docs reference '7-day time-lock for core function changes' conceptually but no smart contract implements this. Admin actions execute immediately after 5-of-11 multisig signatures. Effective timelock = 0 hours.
RD-F-033 red Timelock on sensitive actions No timelock verified on any sensitive function: mint limit changes, collateral add/remove, rescueTokens, redistributeLockedAmounts, role grants all execute immediately after multisig consensus. GATEKEEPER_ROLE can disable mint/redeem without timelock. DEFAULT_ADMIN_ROLE can change role assignments without timelock.
RD-F-025 yellow Admin key custody type Multisig-only admin (no timelock). Dev Multisig 5-of-11 (0x3B0AAf...) is primary ops actor. Docs claim separate 7/10 multisig for DEFAULT_ADMIN_ROLE but no on-chain Timelock contract deployed. timelock_address: null in data cache.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Dev Multisig 5-of-11 confirmed via Safe API. Reserve Fund 4-of-10 confirmed. sUSDe Payout Fund 3-of-11 claimed but Safe API not_found. DEFAULT_ADMIN_ROLE multisig '7/10 or more' per docs but address not published on-chain.
RD-F-028 yellow Low-threshold multisig vs TVL Dev Multisig is 5-of-11 at $3.79B TVL. At this TVL peer protocols typically run 5-of-9 or 6-of-11. 5 colluding signers can execute any admin action. Stronger 7/10 DEFAULT_ADMIN_ROLE multisig claimed in docs but unconfirmed on-chain.
RD-F-029 yellow Multisig signers co-hosted Docs claim geographic distribution and custody diversity (internal + external stakeholders including market makers and exchanges). Cannot independently verify ASN/custodian co-hosting at OSINT tier. Green claim in docs is plausible but unverified.
RD-F-030 yellow Hot-wallet signer flag Docs state all multisig keys are cold wallets. Cannot independently verify signing device types via on-chain heuristics at OSINT tier. Documented claim accepted at low confidence.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle No upgrade function exists (non-upgradeable contracts). Roles are separated at contract level: MINTER_ROLE, REDEEMER_ROLE, GATEKEEPER_ROLE distinct from DEFAULT_ADMIN_ROLE. However, Dev Multisig holds owner/admin over all contracts simultaneously — single Safe controls all levers including minter assignment, collateral config, role grants.
RD-F-036 yellow Flash-loanable voting weight Governance is Snapshot-only (non-binding off-chain). Snapshot takes a block-reference snapshot preventing same-tx flash-loan attacks. However, actual execution authority rests with Dev Multisig (5-of-11), not ENA token votes. Flash-loan attack on ENA voting is structurally irrelevant to execution; risk is multisig capture. No on-chain governor checkpoint mechanism exists because there is no on-chain governor.
RD-F-038 yellow Proposal execution delay < 24h No on-chain governor, no execution delay mechanism. Multisig executes directly after gathering 5-of-11 signatures. Functionally equivalent to 0-delay execution for any admin action once multisig consensus is reached. No mandatory waiting period between decision and execution.
RD-F-040 yellow Emergency-veto multisig present GATEKEEPER_ROLE holders (Ethena staff + external market makers/exchanges, ≥3 EOAs) can pause mint/redeem in EthenaMinting. Meaningful emergency halt capability. However, no formal veto multisig for governance proposals (because governance is off-chain). Specific gatekeeper addresses not published.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock StakedUSDeV2 has rescueTokens() callable by DEFAULT_ADMIN_ROLE with no timelock. Function explicitly excludes USDe (primary staked asset) — cannot directly drain staked USDe. Also has redistributeLockedAmounts() — burns blacklisted sUSDe, mints to Ethena wallets — no timelock. Neither function has timelock protection. Drain risk materially limited by USDe exclusion in rescueTokens but redistributeLockedAmounts is an admin-callable fund movement without timelock.
RD-F-047 yellow Governance token concentration (Gini) ENA token allocation: Core Contributors 30%, Investors significant %, Foundation, Ecosystem/Airdrops 30%. Gini coefficient not directly measured. Governance is non-binding Snapshot signal — concentration in ENA voting does not directly translate to protocol execution authority (multisig holds actual power). Risk Committee elections bi-annual.
RD-F-031 n/a Signer rotation recency No documented signer-set change events found. Dev Multisig has been at 5-of-11 since Safe API snapshot. No threshold reduction event (Drift-class precursor pattern) identified.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain Governor or proposal executor contract exists. No proposal execution path with delegatecall or arbitrary call. Governance is Snapshot-only off-chain signal; execution is manual multisig signing. No delegatecall-in-proposal risk applies by construction.
RD-F-027 green Single admin EOA No single EOA admin. USDe owner = Dev Multisig 5-of-11 (0x3B0AAf...). EthenaMinting limits managed by Dev Multisig per docs. Deployer (0x8de54b1...) transferred admin to multisig before/at launch.
RD-F-034 green Guardian/pause-keeper distinct from upgrader GATEKEEPER_ROLE exists in EthenaMinting, held by Ethena Labs staff and external third parties (market makers, exchanges). Gatekeepers can only disable mint/redeem (cannot re-enable — re-enable requires DEFAULT_ADMIN_ROLE). Meaningful separation of pause-keeper from upgrade/admin role.
RD-F-037 green Quorum achievable via single-entity flash loan No on-chain governor. Snapshot votes are non-binding. Flash-loan-acquired quorum cannot execute funds transfer or protocol change — the Dev Multisig must sign any on-chain action. Flash-loan governance attack is structurally blocked.
RD-F-042 green Admin has mint() with unlimited max USDe mint() restricted to designated minter address (EthenaMinting contract); owner can change minter but EthenaMinting enforces per-block limits. ENA: 10% annual supply cap, 365-day MINT_WAIT_PERIOD enforced in contract. No unbounded admin mint path exists on either token.
RD-F-043 green Admin = deployer EOA after 7 days Deployer EOA 0x8de54b1... (labeled 'Ethena: Deployer' on Etherscan) transferred admin to Dev Multisig 0x3B0AAf... well before or at public mainnet launch (Feb 2024). Dev Multisig deployed 2023-09-28, predating the Feb 2024 launch. No evidence of deployer EOA retaining admin post-launch.
RD-F-044 green Admin wallet interacts with flagged addresses Dev Multisig 0x3B0AAf... is a Gnosis Safe proxy — no individual signer-level flagged-address interaction analysis available at OSINT tier. No Etherscan watchlist flags on the Safe address. Rekt database shows no incidents flagging Ethena admin addresses.
RD-F-045 green Constructor args match governance proposal Core contracts are not deployed via governance-voted constructor args. EthenaMinting V2 (0xe3490...) verified on Etherscan. July 2024 V2 upgrade was publicly documented. No constructor arg discrepancy flagged in any audit report (Pashov May 2024, Code4rena Nov 2024).
RD-F-046 green Contract unverified on Etherscan/Sourcify All four core contracts verified on Etherscan: USDe (0x4c9EDD...), EthenaMinting V2 (0xe3490...), StakedUSDeV2 (0x9D39A...), ENA (0x57e114...). Source verified with full ABI publicly accessible. Confirmed via Etherscan code tab fetches.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No identified deprecated contract surfaces with material TVL. EthenaMinting V1 was superseded by V2 (July 2024). V1 contract address not publicly identified or holding significant value. No admin pause over deprecated surface with revertible pause state identified.
Oracle & external dependencies Green 18 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) Ethena depends on: (1) Pyth + Redstone for off-chain minting price validation; (2) Binance, Bybit, OKX, Deribit, Bitget for delta-hedge perp positions (CEX counterparty risk); (3) Copper, Ceffu, Anchorage Digital for OES spot collateral custody; (4) Lido stETH for LST collateral basket; (5) LayerZero for OFT cross-chain functionality across 18 chains; (6) BlackRock BUIDL indirectly via USDtb in Reserve Fund (~$42M). Multi-provider design for each dependency layer mitigates concentration, but the CEX and OES layers represent significant off-chain trust assumptions not fully mitigated by on-chain controls.
RD-F-051 yellow Fallback behavior on oracle failure Minting oracle fallback: if Pyth or Redstone prices diverge >5% from each other, off-chain order validation rejects the mint. GATEKEEPER_ROLE can additionally halt minting upon anomaly detection. On-chain StablesDeltaLimit (configurable by Dev Multisig, default 0 = disabled) provides a USDe/USDT circuit. No automatic fallback to a backup oracle if both Pyth AND Redstone fail simultaneously — relies on GATEKEEPER_ROLE manual intervention. Chainlink PoR feeds have no on-chain circuit-breaker; attestation-only. The dual Pyth/Redstone validation is effective against single-provider failure but lacks an automated tertiary fallback.
RD-F-052 yellow Breakage analysis per dependency Dependency failure impacts: (1) Single Pyth OR Redstone failure: minting degrades to single-provider validation; GATEKEEPER can halt. (2) Both Pyth AND Redstone fail: minting halted or continues with degraded validation depending on GATEKEEPER response speed. (3) Single custodian fails: redemptions impaired during transition; Reserve Fund buffers. (4) Single CEX fails: delta-hedge partially lost; Reserve Fund covers negative funding shortfall. (5) stETH depeg: LST collateral value impaired; Reserve Fund buffer applies. (6) Chainlink PoR staleness: informational only — no execution halt triggered; USDe solvency reporting delayed.
RD-F-057 yellow Circuit breaker on price deviation Partial circuit breaker. The off-chain 5% Pyth/Redstone price check acts as a soft circuit breaker on minting. The on-chain EthenaMinting contract has a configurable StablesDeltaLimit (USDe/USDT divergence circuit) settable by Dev Multisig, documented as defaulting to 0 (disabled). GATEKEEPER_ROLE provides manual halt capability. Chainlink PoR feeds have no on-chain circuit breaker. The on-chain circuit breaker (StablesDeltaLimit) appears to be inactive by default, reducing automated protection.
RD-F-058 yellow Max-deviation threshold (bps) Minting oracle 5% check: 500 bps (5%) deviation from Pyth/Redstone reference triggers order rejection. On-chain StablesDeltaLimit: configurable by Dev Multisig; docs state default is 0 (no stables-delta circuit applied). Exact current deployed value not confirmed in available sources — gap for curator. The 5% off-chain threshold is wider than typical lending protocol oracle deviation tolerances, but appropriate given the basis-trade architecture where USDe is not liquidation-sensitive to collateral price within normal ranges.
RD-F-059 yellow Oracle staleness check present No on-chain staleness check confirmed in EthenaMinting V2 source. The contract has no require(updatedAt > block.timestamp - X) pattern. Staleness management is entirely off-chain: Pyth and Redstone provide real-time feeds managed by their respective infrastructure. Chainlink PoR feeds (attestation-only) have heartbeats from 3600s to 86400s — no on-chain staleness enforcement in Ethena contracts consuming these feeds. The absence of on-chain staleness enforcement is a moderate concern, mitigated by the off-chain GATEKEEPER_ROLE monitoring.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig The 19 Chainlink feeds in the data cache are used for PoR attestation only (not execution-critical for mint/redeem). The canonical ETH/USD feed (0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419) is the most liquid Chainlink feed on mainnet with standard min/max configuration. Since Ethena's contracts do not enforce these feeds on-chain in the execution path, a min/max bound misconfiguration would only affect attestation accuracy rather than cause direct fund loss. Moderate concern but not execution-critical.
RD-F-062 yellow External keeper/relayer not redundant GATEKEEPER_ROLE is the primary on-chain emergency halt keeper. Off-chain minting infrastructure (Pyth/Redstone feed aggregation, order signing backend) relies on Ethena's own backend systems. Whether the GATEKEEPER_ROLE is held by a redundant multi-party arrangement vs. single team key is not confirmed in available sources. If the off-chain backend experiences an outage, no redundant third-party relayer is declared. Single-backend dependency for the off-chain minting validation layer is a keeper-redundancy gap.
RD-F-180 yellow Immutable oracle address [★ CRITICAL-CANDIDATE, PD-017] UNVERIFIABLE. EthenaMinting V2 has no oracle address field in on-chain storage; minting oracle is entirely off-chain (Pyth/Redstone API). No immutable oracle declaration exists in the deployed EthenaMinting contract. The Chainlink PoR feed addresses are not declared as immutable in any Ethena smart contract. Oracle replaceability at the off-chain infrastructure layer cannot be confirmed from on-chain evidence alone. If Ethena's backend has hardcoded Pyth/Redstone feed IDs that cannot be swapped without a redeployment, F180 would apply. Curator must obtain off-chain infrastructure documentation or governance-forum-posted oracle configuration procedures to resolve this gap. Score yellow pending curator confirmation.
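As an added example (not Ethena's code), the following Python models the off-chain dual-feed validation and the on-chain StablesDeltaLimit described in RD-F-051, RD-F-057 and RD-F-058, including the failure modes RD-F-052 lists: single-provider degradation and the no-fallback case when both feeds are unavailable. Feed names, the halt/degraded outcomes and the breaker semantics are simplifying assumptions for illustration.

```python
"""Model of the minting price validation described in RD-F-051/057/058.
Added example, not Ethena's code: the feed names, the halt/degraded
outcomes and the StablesDeltaLimit semantics are assumptions."""
from dataclasses import dataclass
from typing import Optional

MAX_DEVIATION_BPS = 500  # 5% threshold documented for the Pyth/Redstone check


@dataclass
class Quote:
    source: str
    price: float  # USD per unit of collateral


@dataclass
class Decision:
    action: str  # "accept", "accept_degraded", "reject" or "halt"
    reason: str


def deviation_bps(value: float, reference: float) -> int:
    """Absolute deviation of value from reference, in basis points."""
    return int(round(abs(value - reference) / reference * 10_000))


def validate_order(order_price: float, pyth: Optional[Quote],
                   redstone: Optional[Quote]) -> Decision:
    """Accept only when the signed order price is within tolerance of every
    available reference feed and the feeds agree with each other."""
    feeds = [q for q in (pyth, redstone) if q is not None]
    if not feeds:
        # Both providers down: no automated tertiary fallback exists, so the
        # only safe automated outcome is to stop and wait for a gatekeeper.
        return Decision("halt", "no reference price; gatekeeper intervention required")
    if len(feeds) == 2:
        cross = deviation_bps(feeds[0].price, feeds[1].price)
        if cross > MAX_DEVIATION_BPS:
            return Decision("reject", f"reference feeds diverge by {cross} bps")
    for q in feeds:
        dev = deviation_bps(order_price, q.price)
        if dev > MAX_DEVIATION_BPS:
            return Decision("reject", f"order deviates {dev} bps from {q.source}")
    if len(feeds) == 1:
        # Single-provider validation: the degraded state in RD-F-052 item (1)
        return Decision("accept_degraded", f"validated against {feeds[0].source} only")
    return Decision("accept", "within tolerance of both feeds")


def stables_delta_breaker(usde_usd: float, usdt_usd: float, limit_bps: int) -> str:
    """Model of the on-chain StablesDeltaLimit: limit_bps == 0 means disabled,
    so the breaker can never trip however far USDe drifts from USDT."""
    if limit_bps == 0:
        return "disabled"
    return "tripped" if deviation_bps(usde_usd, usdt_usd) > limit_bps else "ok"
```

A monitoring rule built on this model would alert on every `halt` and `accept_degraded` decision, since both mean the automated check is running below its designed redundancy.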
RD-F-048 green Oracle providers used Two distinct oracle systems: (1) Off-chain minting validation via Pyth and Redstone (within 5% of order price, no on-chain call); (2) On-chain Proof of Reserves attestation via 19 Chainlink feeds (ETH/USD, BTC/USD, USDT/USD, USDC/USD, LINK, UNI, COMP, AVAX) plus Chaos Labs Edge oracle and LlamaRisk/Harris & Trotter (weekly). No DEX-based oracle in the stack. Multiple independent providers across both systems.
RD-F-049 green Oracle role per asset ETH/USD: Chainlink PoR (primary 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419 + secondary 0x5147eA642CAEF7BD9c1265AadcA78f997AbB9649); BTC/USD: Chainlink PoR (primary 0xF4030086522a5bEEa4988F8cA5B36dbC97BeE88c + secondary 0x8adE2c8d55F7ee2C9234ad868D44a60Eb9C07f8c); USDT/USD: 3 Chainlink feeds for redundancy; USDC/USD: 3 Chainlink feeds. All Chainlink feeds are attestation-only (PoR), not used for on-chain mint/redeem execution. Minting execution uses Pyth + Redstone (off-chain). Dual-provider design for minting oracle; multi-feed design for PoR.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) NOT APPLICABLE. EthenaMinting V2 (0xe3490297a08d6fC8Da46Edb7B6142E4F461b62D3) contains zero on-chain oracle calls. Source code inspection of code4rena-2023-10-ethena/EthenaMinting.sol and bbp-public-assets repo confirms no latestAnswer(), latestRoundData(), DEX price reads, or any oracle interface. USDe peg is maintained by delta-neutral basis trade, not oracle-driven liquidation. F053 does not fire. This is the most fundamental structural distinction of Ethena vs. lending protocols: there is no on-chain oracle in the critical execution path.
RD-F-054 green TWAP window duration NOT APPLICABLE. No on-chain TWAP oracle used in EthenaMinting. The off-chain Pyth/Redstone price check is point-in-time with 5% tolerance, not a TWAP-based system. Ethena's architecture does not rely on any on-chain TWAP for core protocol operations.
RD-F-055 green Oracle pool depth (USD) NOT APPLICABLE. Ethena does not use DEX pool prices as oracle source. Chainlink feeds are institutional aggregated (not derived from single pool depth). Pyth/Redstone use multi-venue aggregation. No DEX pool depth is relevant to oracle manipulation risk in Ethena's architecture.
RD-F-056 green Single-pool oracle (no medianization) NOT APPLICABLE. No single DEX pool oracle used anywhere in the Ethena stack. Pyth aggregates across multiple venues with multi-publisher consensus. Chainlink uses multi-node aggregation (not single-pool). Medianization across venues is inherent in Pyth and Chainlink architectures.
RD-F-061 green LP token balanceOf used for pricing NOT APPLICABLE. No LP token pricing in the Ethena system. EthenaMinting uses signed-order pricing (off-chain determined, EIP-712 signed). No balanceOf pricing for any token in core protocol logic.
RD-F-181 green Permissionless-pool lending oracle NOT APPLICABLE. Ethena is not a lending protocol with permissionless market listing. USDe minting accepts only governance-whitelisted collateral assets (ETH, BTC, stETH, USDT, USDC — MINTER_ROLE and COLLATERAL_MANAGER controlled). No mechanism exists by which a user could permissionlessly list a fake token and use spot price from a permissionless DEX pool as collateral. The Rhea Finance permissionless-pool attack pattern cannot be replicated in Ethena's architecture.
Economic risk Yellow 22 13 of 13
RD-F-063 yellow TVL (current + 30d trend) TVL current: $3.79B (DefiLlama 2026-04-28T13:14:34Z). 30-day change: -35.58%. 1-day: +1.07%. 12-month peak ~$14B USDe standalone (Sep 2025). Sustained contraction following Oct 2025 market crash ($8B outflows over 2 months). Q1 2026 gross protocol profit: $614K — extreme compression from $1.2B annualized revenue at Dec 2024 peak. Negative 30-day trend is the primary yellow driver.
RD-F-064 yellow TVL concentration (top-10 wallet share) Precise top-10 depositor on-chain scan not performed (programmatic tool unavailable). Proxy evidence: Aave V3 holds $4.7B in Ethena-related deposits, representing >55% of peak USDe supply — a single-protocol concentration that creates reflexive unwind risk during USDe contraction. Additional concentration in Morpho, Pendle, and large institutional minters. Ethena itself holds $580M of backing assets (USDC + USDtb) deployed into Aave, creating a reflexive loop between USDe backing and DeFi composability. Rated yellow on proxy evidence of high protocol-level concentration; exact top-10 wallet share unquantified.
RD-F-065 yellow Liquidity depth per major asset Secondary market USDe liquidity: ~$196M in Curve pools (March 2026), ~$20M sUSDe on Curve. Primary exit mechanism is direct protocol redemption (7-day sUSDe cooldown). October 2025 stress event: $2B processed via primary redemption in 24 hours; Curve/Uniswap/Fluid held <30 bps of peg. Bybit hack (Feb 2025): $123M redeemed in largest single-day event (~2% of $6B supply). Secondary depth ~5% of current TVL — adequate for normal flows, constrained for coordinated mass exits. Rated yellow: secondary liquidity is meaningful but not deep relative to TVL; primary redemption bears the structural load.
RD-F-069 yellow Algorithmic / under-collateralized stablecoin USDe is not purely algorithmic (no reflexive token backing like UST/LUNA) and is not under-collateralized in the traditional sense. However, it is mechanistically distinct from fiat-backed stablecoins: peg stability depends on (a) positive or neutral perpetual funding rates across Binance/OKX/Bybit/Deribit/Bitget, (b) CEX counterparty solvency, and (c) OES custodian integrity (Copper, Ceffu, Anchorage Digital, Kraken). Reserve Fund: $62M as of end-March 2026, ~1.64% of current $3.79B TVL. Risk Committee estimates $5-7M needed under stress — ~9-12x covered at current TVL. Worst-case historical negative funding streak: 13 consecutive days; only 8.84% of days had combined negative (LST + funding) revenue. Peg stress events: April 2024 (~$0.995), February 2025 Bybit hack ($0.982-$0.988 briefly), October 2025 Binance-specific event ($0.65 on Binance, <30 bps on Curve/Uniswap/Fluid). Rated yellow: not purely algorithmic, but funding-rate dependency and CEX/custodian structural risks place it
RD-F-066 n/a Utilization rate (lending protocols) Ethena is a synthetic dollar issuer, not a lending protocol. No on-chain borrow/supply market exists. DefiLlama data cache confirms borrow.present: false. Factor is lending-only per taxonomy PD-024.
RD-F-067 n/a Historical bad-debt events Ethena does not operate a lending market. No socialized bad debt events have occurred. Bybit hack (Feb 2025): Ethena confirmed 101% overcollateralization throughout; $30M unrealized P&L realized within 90 minutes with no protocol loss. Factor is lending-only per taxonomy PD-024.
RD-F-068 n/a Collateralization under stress Not applicable as a traditional collateralization ratio factor. Ethena maintains delta-neutral collateralization via basis trade; USDe has no traditional LTV/liquidation ratio. Post-Bybit confirmation: 101% overcollateralized. The analogous risk (correlated spot + perp market crash simultaneous with OES settlement delay) is captured in F069. Factor is lending-specific per taxonomy PD-024.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Compound V2-fork-only factor per taxonomy PD-024. Ethena is an original implementation with no Compound fork lineage (confirmed in 00-profile.md §5). No cToken markets, no market-listing architecture. sUSDe is an ERC-4626 yield vault over USDe (not a market-listing system). Star-critical flag does not apply to non-Compound-fork protocols.
RD-F-071 n/a Seed-deposit requirement for new market listing Ethena does not list markets. Minting USDe is restricted to whitelisted market makers via EthenaMinting contract. No governance-listed market system exists. Factor is lending-specific per taxonomy PD-024.
RD-F-072 n/a Market-listing governance threshold Ethena does not operate a permissionless or governance-listed market system. Collateral type additions (BTC 2024, SOL 2025) are controlled by the internal Risk Committee and executed via the 5-of-11 Dev Multisig — not an on-chain governance proposal process equivalent to Compound/Aave market listing. Factor is lending-specific per taxonomy PD-024.
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrowing exists within Ethena protocol. Third-party protocols (Aave V3, Morpho) that accept sUSDe as collateral set their own borrow caps independently of Ethena. Factor is lending-specific per taxonomy PD-024.
RD-F-074 green ERC-4626 virtual-share offset (OZ ≥4.9) sUSDe (StakedUSDeV2, 0x9D39A5DE30e57443BfF2A8307A4256c8797A3497) is an ERC-4626 vault. Etherscan contract code review shows Solidity 0.8.19 with no canonical OZ ≥ 4.9 _decimalsOffset() function (no virtual share offset in the OZ pattern). However, first-depositor inflation attack is mitigated via MinSharesViolation error gating in previewDeposit/previewMint, plus initial protocol-controlled seed deposit at vault deployment. Functional protection is present despite not using the canonical OZ offset approach. Green with caveat: implementation path differs from canonical OZ ≥ 4.9 — code-security-analyst should verify full equivalence.
RD-F-075 green First-depositor / share-inflation guard sUSDe (StakedUSDeV2) includes MinSharesViolation error in previewDeposit and previewMint, gating deposits that would yield zero or below-minimum shares. Additionally, Ethena controlled the initial seed deposit to the vault at deployment, preventing any empty-vault state for external depositors. Code4rena Nov 2024 invitational found 2 medium issues; neither involved share-inflation or first-depositor exploitation. Guard is present and operational.
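To make the RD-F-074/075 mechanism concrete, the following is an added example (not Ethena's StakedUSDeV2 code and not OpenZeppelin's): a minimal ERC-4626-style share model that runs the classic first-depositor share-inflation attack against an unguarded empty vault, then shows how a MIN_SHARES floor of the kind the page describes (1 ether, enforced after a deposit changes supply) rejects the attacker's setup step, and how a protocol-controlled seed deposit turns a later donation into a gift to existing holders. Only the MIN_SHARES value and the MinSharesViolation name come from the page; the vault internals, the scenario amounts and the check placement are assumptions for this illustration.

```python
# Added example (not Ethena's or OZ's code): ERC-4626-style share accounting with and without
# a MIN_SHARES guard. Only MIN_SHARES = 1 ether and the revert name are taken from the page.
from dataclasses import dataclass

MIN_SHARES = 10**18  # 1 ether, the floor the page reports for StakedUSDe


class MinSharesViolation(Exception):
    """Modelled revert: a non-empty vault must never hold fewer than MIN_SHARES shares."""


@dataclass
class Vault:
    total_assets: int = 0          # what totalAssets() would report
    total_supply: int = 0          # shares outstanding
    min_shares_guard: bool = True  # set False to model a vault without the floor

    def preview_deposit(self, assets: int) -> int:
        # Empty vault mints 1:1; otherwise floor(assets * supply / totalAssets) as in ERC-4626
        if self.total_supply == 0:
            return assets
        return assets * self.total_supply // self.total_assets

    def _check_min_shares(self, new_supply: int) -> None:
        if self.min_shares_guard and 0 < new_supply < MIN_SHARES:
            raise MinSharesViolation(new_supply)

    def deposit(self, assets: int) -> int:
        shares = self.preview_deposit(assets)
        self._check_min_shares(self.total_supply + shares)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        # A direct ERC-20 transfer to the vault: raises totalAssets without minting shares
        self.total_assets += assets

    def redeem(self, shares: int) -> int:
        assets = shares * self.total_assets // self.total_supply
        self._check_min_shares(self.total_supply - shares)
        self.total_assets -= assets
        self.total_supply -= shares
        return assets


def inflation_attack_unguarded() -> dict:
    """No guard: attacker mints 1 share for 1 wei, donates 1e18, victim's 1e18 rounds to 0 shares."""
    v = Vault(min_shares_guard=False)
    attacker_shares = v.deposit(1)
    v.donate(10**18)
    victim_shares = v.deposit(10**18)           # 1e18 * 1 // (1e18 + 1) == 0
    attacker_assets = v.redeem(attacker_shares)  # attacker leaves with the victim's deposit
    return {"victim_shares": victim_shares, "attacker_assets": attacker_assets}


def guarded_attack_reverts() -> bool:
    """With the floor, the attacker's 1-wei setup deposit leaves supply at 1 share (< MIN_SHARES) and reverts."""
    v = Vault(min_shares_guard=True)
    try:
        v.deposit(1)
    except MinSharesViolation:
        return True
    return False


def seeded_vault_outcome() -> dict:
    """Protocol seeds the vault first (as the page says Ethena did); a later donation cannot zero out a depositor."""
    v = Vault(min_shares_guard=True)
    v.deposit(10**18)   # protocol-controlled seed: 1e18 shares, satisfies MIN_SHARES
    v.donate(10**18)    # attacker's donation only raises the price of existing shares
    victim_shares = v.deposit(10**18)   # 1e18 * 1e18 // 2e18 == 5e17 shares
    return {"victim_shares": victim_shares, "victim_assets_back": v.redeem(victim_shares)}
```

The floor works because the attacker's profitable setup (a vault with a handful of shares backed by a large donation) requires supply to sit far below 1e18 shares, which the check forbids; the cost of the disputed DoS vector (Code4rena 2023 M-04) is that the same check also blocks legitimate withdrawals that would leave 0 < supply < MIN_SHARES, which is why the seed deposit matters.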
Operational history Green 17 15 of 15
RD-F-089 red Insurance coverage active No active third-party insurance coverage proportionate to $3.79B TVL found. Nexus Mutual and Sherlock do not offer coverage at this scale for Ethena's novel delta-neutral architecture. The internal Reserve Fund (~$42M USDtb per profile §6) is a self-insurance mechanism covering negative funding carry, not a third-party smart contract exploit cover. $42M Reserve Fund vs $3.79B TVL = 1.1% internal coverage ratio. Structural finding consistent with all large-TVL DeFi protocols in this tier.
RD-F-084 yellow TVL stability (CoV over 90d) TVL declined approximately 35% in trailing 30 days (data cache tvl_30d_change_pct: -35.58). Profile §4 confirms TVL fell from ~$5.85B (late Jan 2026) to $3.79B (Apr 28, 2026) — ~35% decline over ~90 days. CoV likely exceeds the stable-protocol range. Context: decline is macro-driven (broader DeFi deleveraging + USDe supply contraction post-Oct 2025 crash, peak TVL ~$14B in Sep 2025), not a protocol operational failure. Yellow: elevated volatility attributable to macro conditions rather than protocol dysfunction.
RD-F-086 yellow Pause activations (trailing 12 months) 1 documented pause activation in trailing 12 months: LayerZero OFT bridge suspension on 2026-04-18 (precautionary, resolved 2026-04-20, ~48 hours). The core EthenaMinting V2 contract and USDe minting were NOT paused. The bridge suspension was a targeted action on the OFT cross-chain surface, not a full protocol pause. Scored yellow: 1 activation, even precautionary, is an event of note.
RD-F-166 yellow Deprecated contracts still holding value EthenaMinting V1 (0x2cc440b721d2cafd6d64908d6d8c4acc57f8afc3) is deprecated per docs (error code 27 triggers migration to V2). It is a minting/redeeming gateway, not a collateral-holding vault. Unlikely to hold user funds directly (collateral is held off-chain at OES custodians). The $100K material value threshold in F166 definition refers to assets held — V1 gateway likely does not clear this threshold. However, user ERC-20 approvals to V1 may persist. Data cache coverage_flags.has_legacy_v1: true. Scored yellow: deprecated surface present but F166 red criterion (>$100K assets held) not confirmed. Curator action: verify via Revoke.cash-style scan of V1 address 0x2cc440b interactions.
RD-F-078 n/a Chronic-exploit flag (≥3 incidents) 0 exploits total. CHRONIC badge criterion (≥3 same-root-cause exploits in 24 months) is not met. Vacuously false.
RD-F-079 n/a Same-root-cause repeat exploit 0 exploits. Same-root-cause repeat criterion is vacuously false. No prior incidents to cluster.
RD-F-080 n/a Days since last exploit No exploit on record. Days since last exploit = not applicable. Display: No exploit in 434 days of operation as of 2026-04-28.
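The curator action in RD-F-166 (a Revoke.cash-style scan for residual approvals to the deprecated V1 gateway) reduces to a small piece of log processing. The following is an added example, not Ethena's or Revoke.cash's code: it takes a constructed list of ERC-20 Approval events of the shape eth_getLogs returns when filtered on the USDe token with the spender topic set to V1, keeps the latest allowance per owner, and reports which owners still have a non-zero (and which an unlimited) allowance. The V1 address is from the page; the owner addresses, block numbers and amounts are placeholders.

```python
# Added example (not Ethena's or Revoke.cash's tooling): residual-approval scan against a
# deprecated spender. Only the V1 address is from the page; all events are constructed.
from dataclasses import dataclass

V1_MINTING = "0x2cc440b721d2cafd6d64908d6d8c4acc57f8afc3"  # deprecated EthenaMinting V1 (from the page)
MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class ApprovalEvent:
    block: int
    log_index: int
    owner: str
    spender: str
    value: int  # Approval carries the new absolute allowance, not a delta


# Constructed sample log. "0xowner_*" and "0xsome_other_spender" are placeholders, not real accounts.
SAMPLE_LOGS = [
    ApprovalEvent(19_000_000, 3, "0xowner_a", V1_MINTING, MAX_UINT256),             # unlimited, never revoked
    ApprovalEvent(19_000_500, 1, "0xowner_b", V1_MINTING, 5 * 10**18),
    ApprovalEvent(19_001_200, 0, "0xowner_b", V1_MINTING, 0),                       # owner_b revoked later
    ApprovalEvent(19_002_000, 7, "0xowner_c", "0xsome_other_spender", 10**18),      # different spender, ignored
    ApprovalEvent(19_003_000, 2, "0xowner_d", V1_MINTING.upper(), 250 * 10**18),    # checksum-cased, still V1
]


def residual_allowances(logs, spender: str) -> dict:
    """Latest non-zero allowance per owner for `spender`; later events override earlier ones."""
    target = spender.lower()
    latest = {}
    for ev in sorted(logs, key=lambda e: (e.block, e.log_index)):  # chain order, not list order
        if ev.spender.lower() != target:
            continue
        latest[ev.owner.lower()] = ev.value
    # Note: transferFrom can reduce an allowance without a matching Approval event on some tokens,
    # so confirm each hit with an allowance(owner, spender) eth_call before acting on it.
    return {owner: value for owner, value in latest.items() if value > 0}


def classify(allowances: dict) -> dict:
    """Split hits into unlimited and bounded allowances, the distinction that drives triage priority."""
    return {
        "unlimited": sorted(o for o, v in allowances.items() if v == MAX_UINT256),
        "bounded": sorted(o for o, v in allowances.items() if v != MAX_UINT256),
    }


def scan_v1(logs=SAMPLE_LOGS) -> dict:
    return classify(residual_allowances(logs, V1_MINTING))
```

Because EthenaMinting uses EIP-712 signed orders rather than blanket allowances for the core flow (RD-F-168), a real scan is expected to return few hits; the value of running it is confirming that expectation rather than assuming it.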
RD-F-076 green Protocol age (days) Live since 2024-02-19 (Epoch 1 Shard Campaign mainnet launch). Age at assessment ~434 days (~14.5 months), clearing the A-grade ≥12-month floor. sUSDe vault (StakedUSDeV2) deployed 2023-11-14 as pre-launch staging; public mainnet launch date used as canonical start.
RD-F-077 green Prior exploit count 0 smart contract exploits in 26 months of operation as of 2026-04-28. Four operational stress events documented (Apr 2024 de-peg, May 2024 funding, Oct 2025 Binance venue de-peg, Apr 2026 bridge suspension) — all operational/market events with zero adversarial exploit of protocol contracts and zero user fund loss. Searched hacksdatabase (no 'ethena' match), REKT DB (data cache rekt.incidents: []), DefiLlama hacks (data cache hacks: []).
RD-F-081 green Post-exploit response score No smart contract exploit has occurred, making post-exploit response scoring technically not applicable. Response to operational stress events was timely: Apr 2024 de-peg — public statement next day by head of growth; Apr 2026 bridge suspension — announcement within hours, restoration within 48h with DVN configuration upgrade. No deduction warranted.
RD-F-082 green Post-mortem published within 30 days No smart contract exploit has occurred, so no post-mortem obligation exists. For the Apr 2026 bridge suspension, Ethena issued public statements during and after the event. The event was a precautionary action (no loss), so a formal post-mortem was not required. No deduction warranted.
RD-F-083 green Auditor re-engaged after last exploit No exploit has occurred. Ethena has maintained active multi-firm audit cadence post-launch: Pashov V2 (May 2024), Code4rena invitational (Nov 2024), Pashov sENA (Sep 2024), Quantstamp/Cyfrin/Pashov USDtb (Oct 2024). This ongoing audit engagement is independent of any incident trigger.
RD-F-085 green Incident response time (minutes) No exploit, so response time for last exploit is not applicable. For the Apr 2026 bridge suspension (most material operational event), Ethena announced the suspension within hours of the Kelp DAO exploit (Apr 18, 2026); restoration confirmed Apr 20, 2026 with DVN upgrade. For the Apr 2024 de-peg, public communication came within ~24 hours. Both within acceptable operational response windows.
RD-F-087 green Pause > 7 consecutive days The Apr 2026 bridge suspension lasted approximately 48 hours before restoration. No pause event exceeding 7 consecutive days has been documented in the trailing 12 months. Core USDe minting was never paused.
RD-F-088 green Re-deployed to new addresses in last year No full redeployment of core contract addresses in the trailing 12 months (April 2025–April 2026). USDe (0x4c9E...), sUSDe (0x9D39...), and EthenaMinting V2 (0xe349...) addresses are stable. The V1→V2 upgrade of EthenaMinting occurred prior to the 12-month window (V2 deployed ~2024-01-28, public launch 2024-02-19).
Real-time signals Green 5 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h TVL is $3.79B as of 2026-04-28; 30-day change -35.58% (baseline ~$5.88B 30 days ago); 1-day change +1.07%. The 1h window is currently stable — tier-A fire criterion (>30% drop in 1h) is not met today. Historical stress test (Oct 2025 '1011' event): TVL fell from $14.3B to $6.55B over ~72 hours (-54%), with the tier-B precursor rule firing repeatedly during the event. The signal is applicable and detection math shows elevated sensitivity: current TVL is already 35.6% below the 30d baseline, meaning any further acute drain would quickly approach the tier-B precursor threshold. Protocol is above baseline alert sensitivity for this signal.
RD-F-105 yellow DNS/CDN/frontend hash drift Confirmed prior breach: Sep 18, 2024 — Ethena domain registrar (for ethena.fi) was compromised via social engineering of the registrar, attacker changed admin email, hosted a phishing site for approximately 2 hours before automated detection and industry partner response restored the domain within 2 hours. Domain subsequently migrated to a more secure registrar. User compensation processed for affected users. Ongoing threat: multiple impersonator phishing sites documented in 2025-2026 (Claim Ethena Scam Jul/Nov 2025, ENA Rewards Scam Feb 2026). These are third-party impersonators, not DNS drift of ethena.fi itself, but demonstrate ongoing campaign pressure on the Ethena brand that makes DNS/frontend integrity monitoring critical.
RD-F-109 yellow Social-media impersonation scam spike Sustained impersonation campaign documented: Claim Ethena Scam (Jul 2025, Nov 2025 — fake airdrop claiming sites), ENA Rewards Scam (Feb 2026 — draining wallet connector). The Sep 2024 domain registrar compromise was the most severe instance (actual ethena.fi phishing). The campaign is ongoing across 18+ months with multiple documented instances. Chainalysis 2026 Crypto Crime Report notes crypto impersonation scams surged 1400% YoY in 2025. Signal is tier-C (advisory only, does not flip grade) per T-09 classification.
RD-F-101 gray Large governance proposal queued No on-chain Governor contract exists for Ethena (governor_address: null per data cache; governance.type: snapshot_only). The RD-F-101 signal as specced detects ProposalCreated/ProposalQueued events on on-chain governor contracts — structurally inapplicable to Snapshot-only governance. The equivalent risk vector for Ethena (multisig threshold change + execution) is captured by RD-F-182.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain signing telemetry (geography/device fingerprint for Safe multisig signers) is not assessable via public OSINT. Ethena's admin operations are via Safe 5-of-11 multisig — geographic fingerprinting of Safe signers requires MPC/session-key provider data (not publicly available). Structural gray for this signal class.
RD-F-110 gray Unusual pending/executed proposal ratio No on-chain Governor contract exists for Ethena (governor_address: null). The RD-F-110 signal monitors pending/executed proposal ratios on on-chain governance contracts — structurally inapplicable to Snapshot-only governance architecture. Snapshot votes are off-chain; pending-to-executed ratio is not detectable via on-chain event monitoring.
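The "detection math" behind RD-F-098 is shown below as an added example, not the assessment's own tooling. It runs a rolling-window drop detector over two constructed hourly TVL series: a smooth replay between the Oct 2025 endpoints the page gives ($14.3B to $6.55B over ~72h), and an acute one-hour drain. The tier-A rule (>30% drop within 1h) and the 30d baseline figures are from the page; the tier-B window and threshold are assumed placeholders because the page does not state that rule.

```python
# Added example (not the assessment's tooling): RD-F-098 rolling-window TVL drop detection.
# Tier-A (>30% in 1h) is from the page; tier-B values are ASSUMED placeholders.
TIER_A_WINDOW_H, TIER_A_DROP = 1, 0.30
TIER_B_WINDOW_H, TIER_B_DROP = 24, 0.20   # ASSUMED: the page does not define the tier-B precursor rule


def geometric_path(start: float, end: float, hours: int) -> list:
    """Constructed smooth hourly path from start to end, i.e. what a steady multi-day drain looks like."""
    ratio = (end / start) ** (1.0 / hours)
    return [start * ratio**h for h in range(hours + 1)]


# Endpoints from the page (Oct 2025 event); the hourly path between them is constructed.
OCT_2025_REPLAY = geometric_path(14.3e9, 6.55e9, 72)
# Constructed: flat, then a single-hour 40% drop, then flat.
ACUTE_DRAIN = [3.79e9] * 6 + [3.79e9 * 0.6] * 4


def max_window_drop(series: list, window_h: int) -> float:
    """Largest fractional decline between any point and the point window_h hours later."""
    worst = 0.0
    for i in range(window_h, len(series)):
        base = series[i - window_h]
        worst = max(worst, (base - series[i]) / base)
    return worst


def evaluate(series: list) -> dict:
    """Apply both rules to an hourly series and report what fired and the worst drops seen."""
    drop_1h = max_window_drop(series, TIER_A_WINDOW_H)
    drop_24h = max_window_drop(series, TIER_B_WINDOW_H)
    return {
        "tier_a": drop_1h > TIER_A_DROP,
        "tier_b": drop_24h > TIER_B_DROP,
        "max_1h_drop": round(drop_1h, 4),
        "max_24h_drop": round(drop_24h, 4),
    }


def drawdown_from_baseline(current: float, baseline_30d: float) -> float:
    """How far TVL already sits below its 30d baseline; the page's point is that this eats into headroom."""
    return round(1 - current / baseline_30d, 4)
```

On the replayed Oct 2025 path the per-hour decline is only about 1%, so tier-A never fires, while the 24-hour window exceeds 20% from the first full day onward, which matches the page's description of the precursor rule firing repeatedly; the acute series fires tier-A immediately. Running drawdown_from_baseline(3.79e9, 5.88e9) reproduces the ~35.5% figure the page cites.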
RD-F-090 green Mixer withdrawal → protocol interaction Deployer 0x8de54b1cefedeab1766b947c7d9a9963436e8fae funded by 0x3Aa3Fd1B...D30430b00 approximately 2 years 164 days ago with no Tornado Cash or mixer labels visible across 76 transactions. Deployer 1 (0x32a12e3f8b1e1f521bb4fbc47ca473d10d0477de) funded by 0xfE3A0DFa875cd62170c7c8e0c4447c94d5ca7c19 approximately 2 years 53 days ago with no mixer interaction. Dev Multisig 0x3B0AAf6e6fCd4a7cEEf8c92C32DFeA9E64dC1862 shows 590 total transactions with no mixer labels. No public reports of mixer-funded wallet interactions with EthenaMinting or sUSDe. Partial gap: individual signer wallet 3-hop proximity check requires Chainalysis partner feed.
RD-F-091 green Partial-drain test transactions No known partial-drain test-transaction pattern against Ethena core contracts. EthenaMinting uses institutional whitelisted minter addresses (MINTER_ROLE gate) — the architecture does not expose a publicly callable drain function. OES custody model (spot collateral off-exchange at Copper, Ceffu, Anchorage, Kraken) means an on-chain partial-drain pattern is not the applicable attack vector. Pause mechanism via GATEKEEPER_ROLE is available to interrupt activity.
RD-F-092 green Unusual mempool pattern from deployer wallet Primary deployer 0x8de54b1cefedeab1766b947c7d9a9963436e8fae shows 76 total transactions — pattern consistent with a maintenance-mode deployment wallet (approvals, DeFi protocol interactions, no unusual burst sequence). No unusual mempool pattern detected from deployer addresses. Deployer 1 (0x32a12e3f...) activity pattern matches ENA token and StakedENA deployment sequence with no anomalies.
RD-F-093 green Abnormal gas-price willingness from attacker wallet No on-chain attack attempts detected against Ethena core contracts. EthenaMinting V2 is role-gated to whitelisted minters — MEV-race attack surface is limited to institutional counterparties who cannot arbitrarily trigger transactions. No abnormal gas-price patterns from attacker-attributed wallets reported in public sources for Ethena.
RD-F-094 green New contract with similar bytecode to exploit template No known exploit template for Ethena's delta-neutral OES custody architecture exists in public exploit databases. USDe (ERC-20 with MINTER_ROLE-gated mint) and EthenaMinting (redemption gateway) have no prior exploits from which a bytecode-similar exploit template could be derived. No reports of similar-bytecode contract deployments targeting Ethena.
RD-F-095 green Known-exploit function-selector replay No prior Ethena core-contract exploit exists to create a known-exploit-replay template. EthenaMinting V2 function selectors are standard role-gated minting/redemption patterns. No public exploit replay template targeting Ethena's architecture exists in known-exploit databases. Code4rena Nov 2024 invitational found 0 high findings (2 medium, 12 low/NC — both medium findings involve blacklisted-user-burn and non-whitelisted redemption, not selector-replay class).
RD-F-096 green New ERC-20 approval to unverified contract from whale EthenaMinting uses whitelisted minter addresses — retail user interactions are limited to sUSDe ERC-4626 vault deposits (verified contract). No reports of high-TVL user approval anomalies to unverified contracts in Ethena's interaction surface. The institutional minting gateway prevents unverified-contract approval attack vectors at the minting layer.
RD-F-097 green Sybil surge of identical-pattern transactions EthenaMinting's institutional whitelisted-minter architecture structurally prevents sybil-surge transaction patterns at the minting layer. sUSDe staking is publicly accessible as an ERC-4626 vault, but deposit patterns show normal distribution and no sybil-surge attack vector exists without minting access. No sybil-surge anomalies detected.
RD-F-099 green Oracle price deviation >X% from secondary Chainlink ETH/USD feed (0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419) operates at 3600s heartbeat, 0.5% deviation threshold. No oracle deviation anomaly detected as of 2026-04-28. Chainlink BTC/USD, USDT/USD, USDC/USD feeds also within normal operational parameters. EthenaMinting uses Chainlink to validate collateral pricing at mint/redeem — not for liquidations (no liquidation mechanism in the OES model).
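RD-F-099 describes a cross-source deviation check, and any consumer of the Chainlink feed also needs the staleness and round-completeness checks that go with it. The following is an added example, not Ethena's EthenaMinting code: it evaluates constructed latestRoundData-style tuples against a secondary price. The feed address, 3600s heartbeat and 0.5% update deviation are from the page; the 8-decimal answer format is Chainlink's convention for USD feeds; the grace period and the 2% cross-source alert threshold are assumed values for the example.

```python
# Added example (not Ethena's code): consumer-side Chainlink round validation plus a
# cross-source deviation check. Feed address/heartbeat/0.5% from the page; grace and
# alert threshold are ASSUMED.
from dataclasses import dataclass

ETH_USD_FEED = "0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419"  # from the page
HEARTBEAT_S = 3600                      # feed must update at least this often
FEED_UPDATE_DEVIATION = 0.005           # feed also updates on a 0.5% move (informational here)
FEED_DECIMALS = 8                       # Chainlink USD feeds report price * 10**8
STALENESS_GRACE_S = 300                 # ASSUMED: tolerated delay past the heartbeat
ALERT_DEVIATION = 0.02                  # ASSUMED: cross-source gap that should page someone


@dataclass(frozen=True)
class RoundData:
    """Same five fields AggregatorV3Interface.latestRoundData() returns."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def check_feed(rd: RoundData, secondary_price: float, now: int,
               heartbeat: int = HEARTBEAT_S, max_deviation: float = ALERT_DEVIATION) -> dict:
    """Return the primary price, its deviation from a secondary source, and every problem found."""
    issues = []
    if rd.answer <= 0:
        issues.append("non_positive_answer")
    if rd.answered_in_round < rd.round_id:
        issues.append("incomplete_round")     # answer was carried over from an older round
    if rd.updated_at == 0 or now - rd.updated_at > heartbeat + STALENESS_GRACE_S:
        issues.append("stale")                # missed heartbeat: do not price collateral on this
    primary = rd.answer / 10**FEED_DECIMALS
    deviation = abs(primary - secondary_price) / secondary_price if secondary_price > 0 else float("inf")
    if deviation > max_deviation:
        issues.append("deviation")
    return {"feed": ETH_USD_FEED, "primary": primary, "deviation": round(deviation, 4), "issues": issues}


# Constructed rounds; timestamps and prices are made up for the example.
NOW = 1_777_000_000
FRESH = RoundData(100, 3200_00000000, NOW - 600, NOW - 600, 100)          # updated 10 min ago
STALE = RoundData(100, 3200_00000000, NOW - 7200, NOW - 7200, 100)        # updated 2 h ago
CARRIED_OVER = RoundData(101, 3200_00000000, NOW - 600, NOW - 600, 100)   # answeredInRound < roundId
```

A monitor would poll the feed and a secondary source (another feed or an on-chain TWAP) on the heartbeat and alert on any non-empty issues list; for a mint/redeem gateway the natural response to "stale" or "deviation" is to refuse the order rather than to fall back to the last price.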
RD-F-100 green Flash loan >$10M targeting protocol tokens Ethena has no on-chain lending market; EthenaMinting is gated to whitelisted institutional minters only. Flash-loan attack surface is structurally limited — an attacker cannot flash-loan their way to unauthorized minting without being on the whitelist. Governance is Snapshot-only with no on-chain flash-loanable voting mechanism. No flash-loan interactions with Ethena core contracts detected.
RD-F-102 green Admin/upgrade transaction in mempool Dev Multisig 5-of-11 (0x3B0AAf6e6fCd4a7cEEf8c92C32DFeA9E64dC1862) shows routine Exec Transaction calls — most recent transaction 11 minutes before assessment. No evidence of unusual admin transaction patterns in mempool. USDe (0x4c9EDD...) and EthenaMinting (0xe3490...) are non-proxy contracts (no upgradeTo selector). sUSDe (0x9D39...) is also non-proxy. Primary admin functions are MINTER_ROLE management and pause actions, not bytecode upgrades.
RD-F-103 green Bridge signer-set change proposed/executed LayerZero OFT DVN configuration was upgraded from 2-of-2 to 4-of-4 in April 2026, announced and documented as a response to the KelpDAO rsETH incident. The upgrade was pre-announced (not unscheduled). Current posture: 4-of-4 DVN with $10M/hour per-chain rate limit across all 18 chains. No unscheduled signer or threshold changes detected since restoration.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue USDe/USD is trading within 0.1% of peg on Curve/Uniswap (Curve pool depth $400M+). On-chain DEX venues (Curve, Uniswap, Fluid) stayed within 30 bps even during the Oct 2025 Binance-only slip, which Ethena founder characterized as a venue-specific glitch, not a structural depeg. Reserve Fund is $62M vs conservative tail-risk requirement of $7M (approximately 9x coverage). Collateral stablecoins (USDT, USDC) are trading within normal ranges. No active depeg detected.
RD-F-106 green Cross-chain bridge unverified mint pattern Ethena uses LayerZero OFT — lock-and-mint model where USDe/sUSDe is locked on source chain and minted on destination via DVN verification. Post-KelpDAO upgrade to 4-of-4 DVN significantly raises the bar for forged-message attacks (would require compromising 4 independent DVNs simultaneously plus RPC poisoning). Rate limit of $10M/hour per chain limits potential damage even if an attack were attempted. No anomalous cross-chain minting events detected.
RD-F-108 green GitHub force-push to sensitive branch Ethena's main public repos (github.com/ethena-labs org, code4rena contest repos) show activity consistent with protocol operations. Most recent commits to ethena-minting-client and usdm-minting-client repos on 2026-04-27 — tooling repos, not contract code. The primary audit repo (code4rena/2023-10-ethena) last commit 2024-02-19 is archival. No force-push events or non-protocol account sensitive-branch pushes reported.
RD-F-182 green Security-Council threshold reduction (RT) Dev Multisig threshold confirmed at 5-of-11 via Safe API (data cache: threshold=5, owner_count=11, address 0x3B0AAf6e6fCd4a7cEEf8c92C32DFeA9E64dC1862). No threshold reduction event detected. The April 2026 DVN upgrade for the LayerZero bridge was a security *increase* (2 → 4 DVNs), not a threshold reduction. No on-chain Timelock contract is published (docs reference a 7-day conceptual time-lock but no contract address found), so timelock removal is not observable on-chain. Reserve Fund multisig is 4-of-10 (confirmed). Context: the Drift Protocol precedent (3/5 → 2/5 SC threshold + timelock removal 6 days before $285M DPRK exploit) anchors this signal — Ethena's 5-of-11 is a stronger quorum. No reduction detected.
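The RD-F-182 signal is a diff between two Safe snapshots. Below is an added example, not the assessment's own monitor: it compares a baseline and a current Safe Transaction Service-style JSON record (threshold and owners fields, as the page's data cache reports them) and raises alerts for threshold reduction and owner churn. The Safe address and the 5-of-11 baseline are from the page; the owner addresses and the "reduced" snapshot are constructed to show what a Drift-style threshold cut plus signer swap looks like to a monitor.

```python
# Added example (not the assessment's tooling): RD-F-182 threshold/owner-set diff between two
# Safe API-style snapshots. Address and 5-of-11 baseline from the page; owners are placeholders.
import json

DEV_MULTISIG = "0x3B0AAf6e6fCd4a7cEEf8c92C32DFeA9E64dC1862"   # from the page
OWNERS = [f"0x{'0' * 38}{i:02d}" for i in range(1, 12)]       # 11 constructed placeholder signers

BASELINE_JSON = json.dumps({"address": DEV_MULTISIG, "threshold": 5, "owners": OWNERS})
# Constructed "current" snapshot: threshold lowered to 4 and the last signer replaced by a new key
REDUCED_JSON = json.dumps({"address": DEV_MULTISIG, "threshold": 4,
                           "owners": OWNERS[:-1] + [f"0x{'0' * 36}beef"]})


def compare_safe(baseline_json: str, current_json: str) -> dict:
    """Diff two Safe snapshots and list the conditions a security-council monitor should alert on."""
    base, cur = json.loads(baseline_json), json.loads(current_json)
    base_owners = {o.lower() for o in base["owners"]}
    cur_owners = {o.lower() for o in cur["owners"]}
    alerts = []
    if cur["threshold"] < base["threshold"]:
        alerts.append("threshold_reduced")
    if base_owners - cur_owners:
        alerts.append("owner_removed")
    if cur_owners - base_owners:
        alerts.append("owner_added")
    if cur["threshold"] > len(cur_owners):
        alerts.append("threshold_exceeds_owner_count")   # misconfiguration that would brick the Safe
    return {
        "baseline": f"{base['threshold']}-of-{len(base_owners)}",
        "current": f"{cur['threshold']}-of-{len(cur_owners)}",
        "removed": sorted(base_owners - cur_owners),
        "added": sorted(cur_owners - base_owners),
        "alerts": alerts,
    }


def is_drift_pattern(result: dict) -> bool:
    """Threshold cut combined with signer churn is the shape of the Drift precedent the page cites."""
    return "threshold_reduced" in result["alerts"] and (
        "owner_removed" in result["alerts"] or "owner_added" in result["alerts"])
```

The baseline should be stored out-of-band (not re-read from the same API each run), so that a compromised or stale snapshot cannot silently become the new normal; the page's note that no on-chain Timelock address is published means the monitor cannot also check for timelock removal, which is the other half of the Drift pattern.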
Dev identity & insider risk Green 11 16 of 16
RD-F-112 yellow Team public accountability surface Guy Young has high public accountability surface: 6-year verifiable TradFi employment history (Cerberus Capital Management), multiple named media appearances, conference keynotes, active Twitter. Corporate entity Ethena Labs registered with institutional VC backing creates audit trail. However, broader team of ~16 employees (per LinkedIn company page) lacks individual-level public enumeration beyond the CEO. No named CTO, CFO, or other C-suite roles found in OSINT sources. Partial accountability surface at team level.
RD-F-117 yellow ENS/NameStone identity bound to deployer No ENS name found bound to either primary deployer (0x8de54b1cefedeab1766b947c7d9a9963436e8fae) or Deployer 1 (0x32a12e3f8b1e1f521bb4fbc47ca473d10d0477de) based on Etherscan display and web OSINT. Deployers are identified via Etherscan public name tags ('Ethena: Deployer') only — not via ENS/NameStone identity binding. Absence of ENS binding is a minor negative signal but not dispositive given the institutional nature of the team and the fact that the deployer addresses are already publicly labeled.
RD-F-121 yellow Contributor OSINT depth score Guy Young scores approximately 4/5 on OSINT depth: high LinkedIn depth (6-year named employer, verifiable TradFi background), 5+ named conference appearances, named media interviews at CoinDesk/CoinTelegraph/The Defiant, active Twitter since 2023. One point off for limited public enumeration of other named team members beyond the CEO. Broader team OSINT depth is unknown due to private GitHub org and limited LinkedIn disclosure for other staff.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion [★ CRITICAL — YELLOW] No specific undiscussed ACL or admin multisig change event positively identified in 180-day assessment window. Monthly governance updates (April-June 2025) reviewed; contain no contract admin change records. However, three unresolved gaps remain: (1) The DEFAULT_ADMIN_ROLE multisig (docs: '7 signatures required, internal + external stakeholders') is not reconciled with the Safe-API-confirmed 5-of-11 Dev Multisig — composition and address of the 7-signer multisig not publicly documented at contract level; (2) No published on-chain Timelock address means the docs-referenced 7-day time-lock on core function changes cannot be independently verified; (3) The April 2026 LayerZero DVN upgrade from 2-of-2 to 4-of-4 was announced publicly post-facto but its governance approval path is undocumented in the forum. Not scored red because no specific undiscussed ACL change has been positively confirmed. Yellow reflects admin role opacity and missing Timelock verification.
RD-F-116 gray Contributor tenure at admin-permissioned PR GitHub org (github.com/ethena-labs) has zero public members — membership is private. Contributor tenure for admin-permissioned PRs cannot be assessed at OSINT tier without GitHub API authenticated access or voluntary team disclosure. Not assessable.
RD-F-119 gray Commit timezone consistent with stated geography GitHub ethena-labs org has no public members; commit timezone analysis is not possible without authenticated GitHub API access. Ethena states a geographically distributed team (US/UK/Asia basis inferred from investor composition and conference speaker appearances). Data cache shows last commit to main code4rena repo 2024-02-19; ethena-minting-client active as of 2026-04-27. No DPRK-timezone anomaly flag found in public OSINT. Not assessable at OSINT tier.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Cannot be meaningfully assessed at OSINT tier. Ethena Labs is a registered corporate entity with off-chain payroll. No on-chain payment streams to named team contributors exist in public OSINT. Contributor wallet routing to DPRK cluster is not verifiable from Etherscan or web OSINT alone. Per process-learnings: 'F122 cannot be meaningfully assessed at OSINT tier for companies with off-chain payroll.' Curator would need access to contributor wallet addresses and hop-trace tooling (Chainalysis/Arkham) to assess.
RD-F-184 gray Real-capital social-engineering persona No F184-class social-engineering persona detected in the Ethena Labs context. The Drift Protocol April 2026 UNC4736 attack ($285M, 6-month in-person operation with $1M+ real capital deposits) is the reference case for this factor; no analogous pattern has been reported for Ethena Labs. The October 2024 '180M ENA misuse' allegation was an on-chain community dispute about foundation token staking, not an external infiltration persona. Scored gray per process-learnings: 'F184 — Mark GRAY + note the Drift comparator as the reference pattern. Don't spend time trying to confirm absence of something that by design leaves no public trace.'
RD-F-111 green Team doxx status Guy Young (CEO/founder) is real-name doxxed: LinkedIn verified with Cerberus Capital Management employment 2016-2022, active speaker at TOKEN2049, Blockworks, Digital Asset Summit, Proof of Talk; Twitter @leptokurtic_ active since protocol founding. Institutional investor roster (Dragonfly, Brevan Howard Digital, Franklin Templeton, PayPal Ventures, Binance Labs, Maelstrom, Bybit, OKX, Deribit, Gemini, Kraken) creates co-investor accountability surface. Deployer addresses are pseudonymous (Etherscan labels only), consistent with TradFi-to-DeFi transition team structure.
RD-F-113 green Team other-protocol involvement history Guy Young: no prior DeFi protocol founding before Ethena; prior career exclusively TradFi at Cerberus Capital Management (2016-2022). No rug or exit-scam affiliations found in OSINT. Ethena is his first DeFi protocol. Other team members' prior involvement not individually enumerated in public OSINT, but no adverse signals found. The fake-ENA-token rug ($290K, April 2024 BNB Chain) was by an unrelated copycat deployer, confirmed not linked to Ethena Labs team.
RD-F-114 green Deployer address prior on-chain history Primary deployer (0x8de54b1cefedeab1766b947c7d9a9963436e8fae): first tx ~2 yrs 164 days ago (circa Jan 2022); activity consistent with normal-dev-history — Ethena-specific token interactions, no linked rug contracts or exit-scam-labeled deployments identified in OSINT. Deployer 1 (0x32a12e3f8b1e1f521bb4fbc47ca473d10d0477de): first tx 2024-03-05, solely Ethena ecosystem interactions. Both wallets carry Etherscan 'Ethena: Deployer' public name tags with no adverse annotations.
RD-F-115 green Prior rug/exit-scam affiliation No evidence found linking any Ethena Labs team member to a prior rug or exit-scam-labeled protocol. The April 2024 fake-ENA-token rug ($290K on BNB Chain / PancakeSwap) was by an unrelated copycat deployer, not Ethena Labs. The October 2024 '180M ENA misuse' allegation by on-chain researcher Nomad was investigated and retracted after Guy Young confirmed directly to CoinTelegraph that the tokens involved were unlocked foundation tokens adhering to original vesting schedules.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of Twitter handle @leptokurtic_ or 'Guy Young' brand appearing in prior rugged or failed project contexts. GitHub org ethena-labs shows no overlapping handle with prior failed protocols. No OSINT links Ethena team handles to prior project aliases under different identities. The founder's public brand is exclusively associated with Ethena since 2023.
RD-F-120 green Video-off/voice-consistency flag Guy Young has participated in multiple public video appearances and recorded interviews at TOKEN2049, Blockworks, The Defiant podcast, Proof of Talk Summit, and Digital Asset Summit with no reports of video-avoidance, audio inconsistency, or timezone mismatch. No curator-recorded video-off events found. Broader team video presence not individually assessed.
RD-F-124 green Deployer wallet mixer-funded within 30 days [★ CRITICAL — GREEN, medium confidence] No Tornado Cash, Railgun, or mixer labels visible on any hop in the deployer funding chain. Primary deployer (0x8de54b1ce...) funded ~2 years pre-deploy with no mixer labels. Deployer 1 (0x32a12e3f...) funded 2024-03-05 (tx hash 0x125331daf...), approximately 1 day before ENA token deploy (~2024-03-06) — within the 30-day RD-F-124 window. Funding source 0xfE3A0DFa... is unlabeled (no CEX tag, no mixer tag) and was itself funded from 0x3Aa3Fd1B...D30430b00 (~unlabeled). No positive mixer identification found. Flagged as medium confidence: absence of Etherscan mixer label is not equivalent to Chainalysis-tier clean confirmation.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus [★ CRITICAL — GREEN, medium confidence] No evidence of deployer wallet proximity to DPRK/Lazarus cluster found in OFAC SDN list, Chainalysis published cluster reports, or web OSINT. The Kelp DAO April 2026 LayerZero exploit (attributed to Lazarus/UNC4736 by The Block/LayerZero) caused Ethena to pause its OFT bridge as a precautionary measure — this is DPRK as an external attacker against ecosystem infrastructure, not a team-side linkage. ETH Rangers/Ethereum Foundation DPRK developer exposure initiative has not publicly named Ethena Labs as a target as of 2026-04-28. The Drift Protocol UNC4736 $285M April 2026 attack (6-month social-engineering) is not linked to Ethena. No team member or deployer wallet connection to DPRK cluster confirmed. No discretionary F downgrade required.
Fork / dependency lineage Yellow 22 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions OpenZeppelin contracts are included as Foundry submodules (lib/openzeppelin-contracts and lib/openzeppelin-contracts-upgradeable confirmed in the Code4rena repo lib directory). Foundry submodules pin at a specific commit SHA when initialized via `forge install`. However, the exact OZ version or pinned SHA is not publicly disclosed (no accessible .gitmodules). Partial evidence of pinning via Foundry convention, but not independently confirmed. Unpinned version cannot be ruled out if `forge update` has been run post-initialization.
RD-F-135 yellow Shared-library version with known-vuln status OpenZeppelin version appears to be 4.x (compatible with Solidity 0.8.19 and draft-ERC20Permit import pattern visible in StakedUSDe). OZ 4.x is current-stable with no known CVEs affecting ERC-20/ERC-4626/Ownable2Step/AccessControl modules. Notably, Ethena's sUSDe does NOT use OZ 4.9's virtual share offset (_decimalsOffset()) — instead uses MIN_SHARES constant (1 ether) as first-depositor guard. This is a valid alternative mitigation for the ERC-4626 inflation attack, but the specific OZ submodule commit SHA is not publicly confirmed. The DoS vector via MIN_SHARES (Code4rena 2023 M-04) was Acknowledged but mitigated only by deployment practice.
RD-F-126 n/a Is-a-fork-of Ethena is an original implementation. The delta-neutral synthetic-dollar architecture (basis trade via CEX shorts + OES custody) does not derive from any prior DeFi codebase. Confirmed by Code4rena contest README, all audit scopes, and Ethena documentation describing the novel architecture.
RD-F-127 n/a Upstream patch not merged No upstream fork source exists. Ethena is an original codebase. This factor does not apply.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork source exists. This factor does not apply by construction.
RD-F-129 n/a Code divergence from upstream (%) No upstream to diverge from. Ethena is an original codebase. This factor does not apply.
RD-F-130 n/a Fork depth (generations from original audit) Ethena is the origin (fork depth 0 by definition; no fork hops from any previously audited protocol). This factor does not apply.
RD-F-131 n/a Fork retains upstream audit coverage Original codebase — no upstream audit coverage to inherit or retain. Fresh audits by 7 firms directly cover Ethena's own contracts.
RD-F-132 n/a Fork has different economic parameters than upstream Original codebase — no upstream to differ from. This factor does not apply.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious release incident affecting OpenZeppelin contracts, forge-std, or LayerZero OFT dependency in the trailing 90 days (as of 2026-04-28) is documented in public security advisories. No confirmed supply chain attack on Ethena's dependencies.
Post-deploy hygiene & change mgmt Green 8 13 of 13
RD-F-139 yellow Post-audit code changes without re-audit EthenaMinting V2 (0xe3490...) deployed approximately January 2024 per Etherscan; Pashov V2 audit dated May 2024 — approximately 4 months post-initial deploy creating an audit-lag window. Code4rena November 2024 invitational (0 high, 2 medium; mitigation review confirmed). Post-2024 OFT adapter deployments to 18 chains (Sep 2025+) lack confirmed audit coverage. Active commits through April 2026 on minting client repos — peripheral code uncertainty.
RD-F-146 yellow New contract deploys in last 30 days Active development confirmed through April 2026 (ethena-minting-client, usdm-minting-client commits 2026-04-27). LayerZero OFT 18-chain deployment ongoing through 2025. April 2026: bridge suspended and restored with DVN upgrade (operational configuration change). Fresh attack surface from OFT adapter deployments exists.
RD-F-136 gray Deployed bytecode matches signed release tag No signed release tags found in public repos. code4rena repos are audit-time snapshots, not operational release management. Main ethena-labs GitHub org contains private repos where release management is not publicly accessible. No bytecode-to-release-tag attestation can be confirmed at OSINT tier.
RD-F-138 n/a Hot-patch deploys without timelock (last 30 days) No proxy upgrades to track. Configuration changes (role grants, limit updates, custodian additions) execute via Dev Multisig direct transactions. No hot-patch deployments identified in last 30 days from public sources. Since no timelock exists, any change would bypass it by default — but no emergency hot-patches confirmed in last 30 days.
RD-F-142 n/a Storage-layout collision risk across upgrades Not applicable. All core contracts (USDe, EthenaMinting V2, StakedUSDeV2, ENA) are non-upgradeable direct implementations. No proxy upgrade pattern is used; no storage layout collision risk exists by construction.
RD-F-144 n/a CREATE2 factory permits same-address redeploy No evidence of CREATE2 factory usage for core contract deployments. Standard CREATE-style deployment used. No redeploy-to-same-address risk identified in any audit or deployment history.
RD-F-145 gray Deployed bytecode reproducibility No documented reproducible build process found. Public repos are audit-time snapshots without reproducibility instructions. Data cache: foundry_toml_present=false, hardhat_config_present=false, changelog_present=false on public contest repo. Main org repos are private. Cannot confirm or deny.
RD-F-137 green Upgrade frequency (per 90 days) Core contracts (USDe, StakedUSDeV2, ENA) are non-upgradeable direct implementations — no proxy upgrade events possible. EthenaMinting V2 is also a direct implementation. 0 proxy upgrade events in trailing 90 days. Configuration changes execute as direct transactions, not contract upgrades.
RD-F-140 green Fix-merged-but-not-deployed gap Code4rena November 2024 found 2 medium findings. SpicyMeatball mitigation review confirmed all mitigations implemented with no new issues. No evidence of known undeployed fixes in any audit or public source.
RD-F-141 green Test-mode parameters in deploy All core contracts verified on Etherscan with production-appropriate configurations. No test oracle, infinite allowance, or deployer-as-admin configurations. Multiple audit firms (Zellic, Quantstamp, Spearbit, Pashov, Code4rena) found no critical or high issues across all audits.
RD-F-143 green Reinitializable implementation (no _disableInitializers) Not applicable by construction — all core contracts use constructors (not initialize()), no proxy pattern, no OZ Initializable. Etherscan code fetch confirms no _disableInitializers() needed. Reinit vector does not exist.
RD-F-168 green Stale-approval exposure on deprecated router EthenaMinting V1 replaced by V2 in July 2024. EthenaMinting uses EIP-712 order signing model (not blanket approve/allowance model) for the core mint/redeem flow. Stale allowances to V1 are therefore minimal by design. No confirmed stale approval issue identified.
RD-F-185 green Bridge rate-limiter / chain-pause as positive mitigant Positive mitigant confirmed. $10M/hour per-chain rate limit on LayerZero OFT transfers. Bridge successfully paused in April 2026 (demonstrating emergency pause capability). DVN upgraded from 2-of-2 to 4-of-4 before restoration. Meaningful outflow rate-limiting and chain-pause positive controls in place.
Cross-chain & bridge Green 11 12 of 12
RD-F-148 yellow Bridge validator count (M) LayerZero DVN-based (not custom bridge). Post-Kelp incident (April 2026): upgraded from 2-of-2 to 4-of-4 DVN configuration across all 18 chains. DVN operator identities not publicly disclosed in available sources. Prior configuration (2-of-2, September 2025 to April 2026) was minimal but functional. The upgrade is a material improvement: 4 DVNs are now required for message verification. Full diversity of operators is unverifiable.
RD-F-157 yellow Bridge TVL per validator ratio Total USDe supply $3.79B; the cross-chain OFT subset is estimated (most USDe remains on Ethereum; the OFTs serve liquidity distribution). The $10M/hour per-chain rate limit constrains per-window risk. With 4 DVNs post-upgrade, TVL-per-DVN exposure is bounded by the rate limiter rather than by total cross-chain TVL. Even a worst-case coordinated attack across all 18 chains simultaneously is throttled, but the aggregate ceiling is still 18 x $10M/hour = $180M/hour with the limiter fully enforced, which is non-trivial relative to bridge TVL.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) Current (post-April 22, 2026): 4-of-4 DVN configuration on all 18 chains. Significantly improved from 2-of-2 (pre-Kelp). Issues: (1) DVN operator identities not publicly disclosed, so operator independence cannot be verified; (2) 4-of-4 creates bridge-halt liveness risk (demonstrated during April 2026 suspension); (3) upgrade was reactive, not proactive; governance was not ahead of this known risk (Aave governance forum flagged 1/1 DVN risk 15 months before Kelp exploit); (4) specific DVN selections may include LayerZero's own DVN, raising centralization questions. Rate limit ($10M/hour per chain) is a meaningful positive mitigant per RD-F-185. Overall: materially improved from prior state, but DVN operator diversity is unverifiable and governance proactivity was lacking.
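The "$10M/hour per chain" figure hides a detail that matters for the RD-F-157 aggregate: if the limiter is a linear-decay one of the kind LayerZero's RateLimiter utility implements (capacity refills continuously as the in-flight amount decays over the window), an attacker can burst the full limit at t=0 and then keep sending at the refill rate, so the first hour permits roughly twice the nominal figure. The model below is an added example, not Ethena's or LayerZero's code; it assumes Ethena's OFTs use a linear-decay limiter with a one-hour window (if it is a fixed bucket that refills only when the window elapses, the first-hour ceiling is the nominal $10M per chain). Limit, window and step are constructed parameters.

```python
# Added example, not Ethena's or LayerZero's code. Models a per-chain token
# rate limiter whose in-flight amount decays linearly over a window (the
# behaviour of LayerZero's RateLimiter utility, assumed here to be the kind
# Ethena's OFTs use) and measures a greedy attacker's worst-case outflow.
from dataclasses import dataclass


@dataclass
class LinearDecayRateLimiter:
    limit: float          # maximum amount in flight inside one window
    window: int           # window length in seconds
    in_flight: float = 0.0
    last_update: int = 0

    def available(self, now: int) -> float:
        """Amount that may still be sent at time `now` (seconds)."""
        elapsed = now - self.last_update
        if elapsed >= self.window:
            current = 0.0
        else:
            # linear decay: the in-flight amount shrinks to zero over `window`
            current = self.in_flight - self.in_flight * elapsed / self.window
        return max(self.limit - current, 0.0)

    def send(self, amount: float, now: int) -> bool:
        """Consume capacity; returns False if the transfer would exceed it."""
        avail = self.available(now)
        if amount > avail:
            return False
        self.in_flight = (self.limit - avail) + amount
        self.last_update = now
        return True


def worst_case_outflow(limit: float, window: int, horizon: int,
                       chains: int, step: int) -> float:
    """Greedy attacker draining `chains` independent limiters: sends the
    maximum allowed every `step` seconds from t=0 to t=horizon inclusive."""
    total = 0.0
    for _ in range(chains):
        rl = LinearDecayRateLimiter(limit, window)
        for t in range(0, horizon + 1, step):
            amount = rl.available(t)
            if amount > 0 and rl.send(amount, t):
                total += amount
    return total


def sustained_rate_per_window(limit: float) -> float:
    """After the initial burst, throughput settles at `limit` per window."""
    return limit


if __name__ == "__main__":
    # Constructed parameters matching the page's figures: $10M, 1h, 18 chains.
    first_hour = worst_case_outflow(10e6, 3600, 3600, 18, 60)
    print(f"first-hour ceiling across 18 chains: ${first_hour:,.0f}")
    print(f"steady state per chain per hour: ${sustained_rate_per_window(10e6):,.0f}")
```

The greedy run yields about $20M per chain in the first hour ($10M burst plus $10M of refill), i.e. roughly $360M across 18 chains, against the $180M/hour steady-state figure; after the first window the two agree. The check to run against a real deployment is to read the limiter's configured limit and window on each chain and confirm whether the implementation decays linearly or refills discretely.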
RD-F-150 gray Bridge validator co-hosting DVN operator identities and infrastructure are not publicly disclosed by Ethena or LayerZero in available sources. Cannot confirm whether any of the 4 DVNs share ASN/datacenter. LayerZero maintains an approved DVN provider list (docs.layerzero.network/v2/deployments/dvn-addresses) but Ethena's specific DVN selections post-April 2026 upgrade are not named in any announcement. Gap flagged; unresolvable from available public evidence.
RD-F-151 gray Bridge ecrecover checks result ≠ address(0) Ethena uses LayerZero OFT standard (not a custom bridge with bespoke ecrecover logic). LayerZero V2 uses a DVN-based message verification scheme that does not rely on raw ecrecover in user-visible contracts. Ethena itself does not implement custom signature verification; it delegates entirely to LayerZero. The Wormhole-class F151 bug requires a protocol that directly calls ecrecover without a zero-address check. No such pattern identified in Ethena OFT adapter code. Risk is inherited from LayerZero V2 (separately audited by multiple firms, no ecrecover zero-address bug reported). Cannot fully verify LayerZero's internal verification path from available sources.
RD-F-156 gray Bridge uses same key custody for >30% validators DVN operator identities not disclosed publicly for Ethena's post-upgrade configuration. Cannot assess whether >30% of the 4 DVN operators share a single key custodian. This is a material gap: if 3 of 4 DVNs use the same infrastructure provider, the effective security of the 4-of-4 configuration is significantly lower than the threshold implies. Curator must identify Ethena's specific DVN provider selection from LayerZero ecosystem partners.
RD-F-147 green Protocol has bridge surface YES. USDe and sUSDe deployed as LayerZero OFTs across 18 chains. Ethereum: 0x4c9EDD5852cd905f086C759E8383e09bff1E68B3 (canonical USDe). Arbitrum OFT: 0x5d3a1ff2b6bab83b63cd9ad0787074081a52ef34. LayerZero Ethereum endpoint cited: 0x66a71dcef29a0ffbdbe3c6a460a3b5bc225cd675 (this is the LayerZero V1 Endpoint address; V2 OFT traffic goes through the separate EndpointV2 contract, so the endpoint reference should be reconciled with the V2 claims below). Cross-chain bridge surface confirmed. Cat 10 fully populated.
RD-F-149 green Bridge validator threshold (k-of-M) Current (post-April 22, 2026): 4-of-4 DVN threshold — all 4 DVN operators must verify a message before it is accepted. From a security perspective this is the strongest possible threshold given M=4. Liveness tradeoff: 4-of-4 means any single DVN failure halts the bridge (as demonstrated during the April 2026 suspension). This is accepted as a security-over-liveness design choice. The prior 2-of-2 threshold (September 2025 — April 18, 2026) was the pre-upgrade state; the current state is materially stronger.
RD-F-152 green Bridge binds message to srcChainId LayerZero V2 delivers each packet with an Origin struct carrying the source endpoint ID (srcEid), the sender address and the nonce. LayerZero's architecture enforces per-chain separation via distinct endpoint contracts per chain, and a receiving OApp only accepts a packet whose (srcEid, sender) pair matches the peer it has configured for that source chain. Cross-chain replay is therefore not possible: the same bytes arriving under a different srcEid fail the peer check. Ethena's OFT adapter relies on this LayerZero protocol-level protection.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero V2 tracks inbound nonces at the endpoint level per (srcEid, sender, receiver) pathway and clears the verified payload hash when a packet is executed, so a delivered packet cannot be executed a second time. Strictly ordered execution is an optional OApp setting rather than the default; replay protection does not depend on it. The endpoint address cited elsewhere in this profile (Ethereum: 0x66a71dcef29a0ffbdbe3c6a460a3b5bc225cd675) is the V1 Endpoint; the V2 nonce tracking described here lives in EndpointV2. Ethena's OFT adapter relies on this protocol-level nonce protection. No custom nonce handling in Ethena's own contracts is required given LayerZero's built-in protection.
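The three properties RD-F-149, RD-F-152 and RD-F-153 rely on (a complete required-DVN set, peer binding by srcEid, and a consumed-nonce record) are easiest to reason about as one receive path. The model below is an added example, not Ethena's or LayerZero's code: in the real stack the DVN and nonce checks sit in EndpointV2 and its receive library while the peer check sits in the OApp, but collapsing them into one class makes the rejection cases explicit. Endpoint IDs, addresses, the payload encoding and the DVN names are constructed.

```python
# Added example, not Ethena's or LayerZero's code. A toy model of the
# destination-side checks a LayerZero-V2-style OApp receive path relies on:
# the required DVN set must have attested the payload hash, the (srcEid,
# sender) pair must match a configured peer, and a consumed nonce cannot be
# executed twice. Encoding, names and the single-class structure are
# simplifying assumptions.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Origin:
    src_eid: int   # source endpoint id
    sender: str    # peer OApp address on the source chain
    nonce: int


def payload_hash(origin: Origin, message: bytes) -> bytes:
    # Constructed encoding: hashing the origin with the message means the same
    # bytes arriving from another chain or sender yield a different hash.
    header = f"{origin.src_eid}:{origin.sender}:{origin.nonce}:".encode()
    return hashlib.sha256(header + message).digest()


class OAppReceiver:
    def __init__(self, required_dvns, peers):
        self.required_dvns = frozenset(required_dvns)   # e.g. a 4-of-4 set
        self.peers = dict(peers)                         # src_eid -> trusted sender
        self.attestations: dict = {}                     # payload hash -> attesting DVNs
        self.consumed: set = set()                       # (src_eid, sender, nonce)

    def attest(self, dvn: str, h: bytes) -> None:
        """A DVN attests to a payload hash; DVNs outside the required set are ignored."""
        if dvn in self.required_dvns:
            self.attestations.setdefault(h, set()).add(dvn)

    def receive(self, origin: Origin, message: bytes) -> str:
        # 1. peer binding: the sender must be the configured peer for this srcEid
        if self.peers.get(origin.src_eid) != origin.sender:
            return "reject: sender is not the configured peer for srcEid"
        # 2. nonce-consumed record: a pathway nonce executes at most once
        key = (origin.src_eid, origin.sender, origin.nonce)
        if key in self.consumed:
            return "reject: nonce already consumed"
        # 3. verification: every required DVN must have attested this exact hash
        if self.attestations.get(payload_hash(origin, message), set()) != self.required_dvns:
            return "reject: required DVN set incomplete"
        self.consumed.add(key)
        return "accept"


def scenario() -> list:
    """Runs the four cases a reviewer checks; returns the receive results."""
    dvns = ["dvn-a", "dvn-b", "dvn-c", "dvn-d"]
    rx = OAppReceiver(dvns, {30110: "0xPeerOnArbitrum"})   # constructed eid/address
    msg = b"credit 1000 USDe to 0xRecipient"               # constructed payload
    good = Origin(30110, "0xPeerOnArbitrum", nonce=1)
    h = payload_hash(good, msg)
    for d in dvns[:3]:
        rx.attest(d, h)
    results = [rx.receive(good, msg)]            # 3 of 4 attested -> reject
    rx.attest("dvn-d", h)
    results.append(rx.receive(good, msg))        # 4 of 4 -> accept
    results.append(rx.receive(good, msg))        # replay of nonce 1 -> reject
    cross = Origin(30101, "0xPeerOnArbitrum", nonce=1)
    results.append(rx.receive(cross, msg))       # unregistered srcEid -> reject
    return results


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The fourth case is the cross-chain replay: the attestations gathered for srcEid 30110 do not transfer to srcEid 30101 because the origin is part of the hash, and the peer lookup rejects it before the DVN check is even reached. The liveness trade-off from RD-F-149 is also visible: with every DVN in the required set, one missing attestation stalls the packet.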
RD-F-154 green Default bytes32(0) acceptable as valid root NOT APPLICABLE. LayerZero OFT V2 does not use Merkle root verification for message validation. The Nomad bytes32(0) vulnerability class (default Merkle root accepted as valid) requires an architecture that validates messages against a stored root. LayerZero's DVN attestation model does not use Merkle roots. F154 does not apply to the LayerZero OFT stack.
RD-F-155 green Bridge validator-set rotation recency LayerZero DVN configuration was rotated in April 2026 (from 2-of-2 to 4-of-4) following the Kelp DAO incident — a deliberate security upgrade. Most recent rotation: April 2026 (less than 1 month ago). Prior configuration had been stable since OFT deployment in September 2025. The upgrade was reactive but executed promptly (within ~4 days of the Kelp incident, April 18-22, 2026).
Threat intelligence & recon Yellow 28 8 of 8
RD-F-161 red Protocol-impersonator domain registered (typosquat) Multiple documented Ethena-impersonating phishing sites active across 2025-2026. Feb 2026 instance ('ENA Rewards Scam') is within the 90-day window from assessment date (2026-04-28). Jul 2025 and Nov 2025 'Claim Ethena Scam' instances also documented. Sep 2024 confirmed domain registrar compromise of ethena.fi itself (most severe: social engineering changed the admin email, phishing site live for ~2 hours, remediated by migrating registrar). Additionally, an app-ethena.github.io impersonation site was observed in search results. The sustained campaign pattern (4+ documented instances across 18 months, including one compromise of the actual domain) warrants red classification.
RD-F-158 yellow Known-threat-actor cluster has touched protocol No confirmed direct on-chain interaction by Lazarus-attributed wallets with Ethena core contracts (EthenaMinting, USDe, sUSDe, Dev Multisig) as of 2026-04-28. Ecosystem adjacency is elevated: (1) Lazarus/TraderTraitor attributed to KelpDAO/LayerZero exploit Apr 2026; Ethena shares LayerZero OFT infrastructure and suspended its own bridge as a precaution; (2) Bybit Feb 2025 DPRK hack; Bybit holds Ethena short perp positions, potential wash venue proximity; (3) No specific Ethena-core-contract Lazarus wallet interaction in public Chainalysis reports. Yellow reflects elevated ecosystem proximity without confirmed direct touch. Definitive assessment requires Chainalysis/TRM private cluster feed.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols No direct reconnaissance activity detected against Ethena core contracts. For the synthetic-dollar / CEX-custody protocol class, the applicable threat model differs from standard on-chain DeFi reconnaissance: (1) USPD-style 78-day on-chain wallet reconnaissance is less applicable to Ethena's architecture (no exploitable on-chain mechanism without CEX/OES compromise); (2) The Drift Protocol precedent (Security Council threshold change 6 days before $285M DPRK exploit) is directly applicable; a Dev Multisig threshold reduction would be the equivalent pre-strike indicator for Ethena, and none was detected; (3) LayerZero infrastructure reconnaissance (as in the Kelp attack: RPC node compromise plus DDoS) could apply to Ethena's OFT bridges but is not observable via public on-chain methods. Yellow: protocol class is actively targeted, no direct signal detected, but off-chain reconnaissance vectors are not publicly observable.
RD-F-164 gray Leaked credential on paste/sentry site Manual curator-only check; not assessable via public OSINT within this assessment. Ethena does not publish a SIRT email or security contact (gap documented in profile §9). The Sep 2024 domain registrar attack was social engineering of registrar credentials (not a paste-site credential leak), but demonstrates that Ethena's infrastructure credentials are a target. Requires paste/credential-dump monitoring feed (e.g., Have I Been Pwned enterprise, SpyCloud); structural gray for static assessment.
RD-F-165 gray Protocol social channel has scam-coordinator flag Manual curator-only check; not assessable via public OSINT. Ethena Discord (discord.com/invite/ethena) is active. Multiple impersonation campaigns documented suggest community channel surveillance is warranted, but individual admin/moderator flagging requires a dedicated social watchlist partner. Structural gray for static assessment without social watchlist tool access.
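The RD-F-161 finding rests on impersonator domains that embed the brand, swap a TLD, or sit within a character or two of it (app-ethena.github.io is the embedded-brand case). A brand-monitoring feed would flag these with a lookalike classifier of the kind below. This is an added example, not Ethena's tooling: the brand table, homoglyph map and the sample domain list are constructed, and only app-ethena.github.io and ethena.fi come from the page itself; the other sample domains are invented to exercise each rule and are not claimed to exist.

```python
# Added example, not Ethena's code: a lookalike-domain classifier of the kind
# a brand-monitoring feed runs. Brand list, homoglyph map and most sample
# domains are constructed for the example (only ethena.fi and
# app-ethena.github.io come from the assessment text).
BRANDS = {"ethena.fi": "ethena"}   # legitimate domain -> brand token

# single-character look-alikes folded back to the letter they imitate
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a"})
# multi-character look-alikes ("rn" reads as "m", "vv" as "w")
MULTI = [("rn", "m"), ("vv", "w")]


def normalize(label: str) -> str:
    s = label.lower().translate(HOMOGLYPHS)
    for seq, repl in MULTI:
        s = s.replace(seq, repl)
    return s.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    d = domain.lower().rstrip(".")
    if d in BRANDS:
        return "legitimate"
    labels = d.split(".")[:-1]   # every label except the TLD
    for token in BRANDS.values():
        for label in labels:
            n = normalize(label)
            if n == token:
                return "lookalike: label normalizes to brand"
            if token in n:
                return "lookalike: brand embedded in label"
            if abs(len(n) - len(token)) <= 2 and levenshtein(n, token) <= 2:
                return "lookalike: within edit distance 2 of brand"
    return "unrelated"


def scan(domains) -> dict:
    return {d: classify(d) for d in domains}


# Constructed sample list; only the first two are taken from the assessment.
SAMPLE_DOMAINS = [
    "ethena.fi", "app-ethena.github.io",
    "ethena-rewards.com", "eth3na.fi", "ethenna.fi", "ethena.com",
    "github.com", "uniswap.org",
]

if __name__ == "__main__":
    for dom, verdict in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:26} {verdict}")
```

Edit distance alone over-flags short or common words, so the length guard and the TLD exclusion matter; a production feed would also pull newly registered domains from certificate transparency logs rather than a static list.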
RD-F-159 green Attacker wallet pre-strike probe (low-gas failing txs) No evidence of systematic low-gas failing transactions to EthenaMinting or sUSDe vault from known attacker wallets. EthenaMinting rejects non-whitelisted callers at the MINTER_ROLE gate — reconnaissance via failing transactions would yield minimal intelligence about internal state (calls simply revert with access control error). No public mempool analysis reports flagging Ethena-targeted probe transactions.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps Ethena uses OpenZeppelin Contracts (ERC-20, ERC-4626, AccessControl) and LayerZero OFT standard. No active GHSA or security advisory against the OZ versions in use (Solidity v0.8.19-0.8.20 era). No npm supply-chain advisories against ethena-labs packages detected in GitHub advisory feeds. LayerZero protocol itself is not subject to a malicious-release advisory (the KelpDAO exploit was an infrastructure/configuration compromise, not a malicious npm release).
RD-F-162 green Known-exploit-template selector deployed by any address No prior Ethena core-contract exploit exists from which to derive an exploit template. The delta-neutral OES custody architecture has no published flash-loan or selector-replay exploit template in known exploit databases. No contracts with function-selector patterns matching an Ethena-class exploit template have been reported as deployed. Code4rena contest repos for Ethena (2023-10-ethena, 2024-11-ethena-labs) have not generated post-contest exploit derivations.
Tooling / compiler / AI Green 0 5 of 5
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Not applicable by construction — Ethena is an original codebase with no audited-upstream to be similar to. No AI-copy risk pattern (high bytecode similarity to another protocol with behavior deviation) can apply. Code4rena and all 7 audit firms reviewed the code without flagging AI-copy patterns.
RD-F-170 green Solc version used (known-bug versions flagged) USDe: v0.8.19+commit.7dd6d404 (paris EVM, 20k optimizer runs). EthenaMinting V2: v0.8.20+commit.a1b79de6 (shanghai EVM, 20k optimizer runs). StakedUSDeV2: v0.8.19 (paris EVM). ENA: v0.8.20. Known bugs for 0.8.19/0.8.20: LostStorageArrayWriteOnSlotOverflow (Low, fixed 0.8.32), VerbatimInvalidDeduplication (Low, fixed 0.8.23), FullInlinerNonExpressionSplitArgumentEvaluationOrder (Low, fixed 0.8.21), MissingSideEffectsOnSelectorAccess (Low, fixed 0.8.21). High-severity TransientStorageClearingHelperCollision (affects 0.8.28-0.8.33 with viaIR) does NOT apply. All known bugs are Low severity and do not affect Ethena's usage patterns.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No public evidence of AI-tool co-authorship (Copilot, ChatGPT Code Interpreter) in commits to critical contract files in the code-423n4/2023-10-ethena or ethena-labs repositories. No 'Co-authored-by: GitHub Copilot' or similar markers observed in available repo content. Main ethena-labs org repos are operational (minting clients, SDK) rather than core smart contracts.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Ethena Labs (blog, X/Twitter, documentation) mentioning AI-generated Solidity in security-critical paths has been found. The protocol uses a formal multi-firm audit process inconsistent with AI-generated code practices.
RD-F-174 green Dependency tree uses EOL Solidity version All four core contracts use Solidity 0.8.19 or 0.8.20, both active/supported versions (not EOL). Foundry toolchain confirmed (foundry.toml present: optimizer=true, optimizer_runs=20000, evm_version=shanghai). forge-std is a development dependency, not a production dependency. No EOL Solidity version usage.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No protocol-level acknowledgment SLA is published in Ethena's own documentation or Immunefi program page. Immunefi provides its own platform-level SLA framework and requires Category 3: Approval Required for responsible publication of critical findings, but Ethena has not published a specific 72h acknowledgment or triage timeline commitment. Scored yellow: disclosure channel exists but no explicit published SLA from the protocol.
RD-F-175 green Disclosure channel exists Immunefi bug bounty program live since 2024-04-04 at https://immunefi.com/bug-bounty/ethena/. Constitutes a public security disclosure channel. 9 smart contracts in scope including USDe, EthenaMinting V2, StakedUSDe, StakedUSDeV2. Max payout $3M critical smart contract. Announced via official Ethena X/Twitter on 2024-04-04. No dedicated security@ethena.fi or SIRT page found (security_md_present: false per data cache), but Immunefi channel satisfies the disclosure channel criterion.
RD-F-177 green Prior known-ignored disclosure No evidence that Ethena has received a disclosed vulnerability report and ignored it prior to an exploit. No smart contract exploits have occurred, making this criterion not applicable by construction (no post-mortem exists that could document a prior-ignored disclosure). No public forum posts or researcher disclosures claiming an ignored report were found in available OSINT. The Apr 2026 bridge suspension was triggered by a third-party exploit (Kelp DAO) — not an Ethena-specific ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory has been issued against Ethena's core contracts. The Code4rena November 2024 invitational found 0 high, 2 medium, 12 low/NC findings — these are internal audit findings, not public advisories. No GHSA entries found for Ethena contract addresses in available OSINT.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol ethena