defirisk.co
rubric v1.7.0

Frax Finance

Multi-product DeFi umbrella: (1) frxUSD/FRAX stablecoin issued via Algorithmic Market Operations (AMOs) — post-v3 fully collateralized, backed partly by BlackRock BUIDL; (2) frxETH/sfrxETH liquid staking token; (3) Fraxlend isolated-pair lending; (4) Fraxswap TWAMM DEX; (5) Fraxtal OP Stack L2 (launched 2024-02-08); (6) FraxFerry + LayerZero OFT cross-chain infrastructure. Governance via frxGov dual-governor: FraxGovernorOmega (optimistic, day-to-day operative path) + FraxGovernorAlpha (high-quorum community veto), both backed by veFXS vote-escrow. Original protocol — not a fork. No third-party bug bounty platform; self-hosted program up to $10M. Combined-version-slug: one grade covers the whole Frax stack.

Sector evm_cdp_multi_product
TVL $298.6M
Reviewed May 17, 2026
Factors 184
Categories 13
Risk score 30.5
Deployments Fraxtal · $6.0M
01 Risk profile at a glance

0 red · 7 yellow · 6 green
02 Categories & evidence

184 factors · 13 categories
Code & audits Yellow 36 25 of 25
RD-F-006 red Audit-to-deploy gap frxUSD/sfrxUSD launched Jan 2025 (FIP-419) but first external audit coverage by Zellic is dated Jul 2025 — approximately 6 months (>180 days) of live deployment with user funds before audit. BAMM similarly appears to have been deployed before the Certora (Oct 2024) and ChainSecurity (Jul 2025) audits. Scoring on highest-risk product (frxUSD: deploy Jan 2025, first audit Jul 2025 = ~180 days gap = red threshold). This is the clearest score against the factor definition (>180 days = red).
RD-F-008 red Ignored bounty disclosure Researcher 'clarkcorrin' (DonnyOregon) credibly alleges: DoS vulnerability in FraxEtherRedemptionQueueV2 reported Dec 4-5, 2025; Frax responded 'no bug found'; the exact mitigation was subsequently implemented; team ceased communication when confronted. Corroborated by: (1) Medium/coinsbench detailed post with forensic analysis; (2) Frax governance forum post from the researcher. The CannotRedeemZero error is confirmed present in the deployed ABI as of assessment date. Frax denies any changes but the contradiction with on-chain behavioral evidence makes the denial implausible. No exploit occurred (DoS vector). But the pattern — report denied, silently patched, bounty withheld — satisfies the F008 definition.
RD-F-001 yellow Audit scope mismatch Dec-2025 stealth-patch allegation: researcher 'clarkcorrin' claims FraxEtherRedemptionQueueV2 (0xfDC69e6BE352BD5644C438302DE4E311AAD5565b) was silently patched to add a CannotRedeemZero check after Frax denied the reported DoS. Etherscan currently shows 'Exact Match' (solc 0.8.28, Cancun) and CannotRedeemZero is present in the ABI. No re-verification tx hash produced by either party. Two sources corroborate the allegation timeline (Medium + Frax gov post). Additionally: frxUSD/sfrxUSD launched Jan 2025 with first audit coverage (Zellic) only Jul 2025 — 6-month audit gap on live funds. BAMM was similarly deployed before audit. Combined: yellow (not green due to process failure evidence; not red without confirmed bytecode-hash diff).
RD-F-002 yellow Audit recency Heterogeneous audit recency across 6 products. Most recent: ChainSecurity + Zellic Jul 2025 (frxUSD/sfrxUSD/FXB), Frax Security Cartel Mar 2025 (Fraxtal North Star). Highest-TVL core Ethereum stablecoin/lending: Trail of Bits last covered core in Oct 2023 (~19 months). FraxlendPair V1 last covered Nov 2022 (~30 months). Scoring on highest-risk product (Fraxlend V1 ~30 months ago) = yellow (366-730 days) approaching red.
RD-F-003 yellow Resolved-without-proof findings CertiK 2020 audit: 3 Major unresolved, 7 Minor unresolved per Skynet data. Post-2022 audit findings resolution not independently verifiable in this pass (PDFs not accessible as text; Frax Security Cartel reports lack public resolution tracking). Code4rena frxETH 2022 H-02 (malicious validator frontrunning) acknowledged but resolution in deployed V2 not confirmed. Yellow for unresolved historic findings from CertiK; gap in tracking for newer audits.
RD-F-007 yellow Bug bounty presence & max payout Self-hosted bug bounty program active. Max payout: lower of 10% of exploit or $10M in FRAX+FXS. Scope covers all Frax-deployed smart contracts managing protocol/user value. Submission via private GitHub gist or social DM. No third-party platform (not on Immunefi). The $10M maximum payout meets the >=500K threshold for green on payout alone, but: (a) no third-party verification of payouts, (b) the Dec-2025 disclosure allegation suggests the team used discretionary denial to suppress a valid report, undermining the effective bounty. Yellow: nominally adequate payout, but process integrity concern.
RD-F-009 yellow Formal verification coverage Certora engaged for BAMM formal verification + audit (Oct-Dec 2024): both FV (Prover) and manual review confirmed via Certora SecurityReports portfolio ('2024/12_10_2024_Frax_Bamm-FV-MR.pdf'). No FV report found for frxUSD, sfrxUSD, Fraxlend, Fraxswap, frxETH, or frxGov. BAMM-only FV = partial coverage of the 6-product umbrella. Estimated <20% of TVL-bearing contract critical invariants covered by FV. Yellow: FV exists but covers only one product module.
RD-F-023 yellow Constructor calls _disableInitializers() _disableInitializers() not applicable to the majority of Frax contracts (non-upgradeable: sfrxETH, FraxEtherRedemptionQueueV2, FraxlendPairs, FraxGovernorAlpha/Omega). The one upgradeable implementation (FraxOFTMintableAdapterUpgradeable, 0x175e4B98...) was not confirmed to call _disableInitializers() in its constructor from Etherscan page content. Yellow: confirmed N/A for core non-upgradeable contracts; the upgradeable OFT impl not fully verified.
RD-F-024 yellow Code complexity vs audit coverage Large codebase (frax-solidity: 695 commits, 53% Solidity; plus frax-governance, frax-oft-upgradeable, frxETH-public repos). 20 total audit engagements across 7 firms. ToB engagements at Level 4 effort (highest tier). Code4rena scopes were small (frxETH 413 LOC, Fraxlend 2,110 LOC). AMO contracts (dozens by the protocol's own note) appear not to have dedicated external audit coverage — the protocol notes AMOs 'number in the dozens across the Frax balance sheet.' This breadth relative to available audit coverage warrants yellow.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Frax self-hosted bounty scope is broad ('all smart contracts deployed by Frax Deployer addresses including Fraxswap, Fraxlend, frxETH' and 'any chain managing Frax Protocol value/user deposited value'). No explicit exclusion of highest-TVL contracts found. However: the Dec-2025 allegation suggests the team used discretionary 'no bug found' denial to suppress a valid disclosure on FraxEtherRedemptionQueueV2 — effectively removing economic incentive for whitehats even on in-scope contracts. The self-hosted, third-party-unverified nature means scope enforcement depends entirely on team discretion. Yellow: nominally broad scope but effective coverage undermined by the disputed denial incident.
RD-F-010 gray Static-analyzer high-severity count No Slither/Mythril/Semgrep tool run available for current deployed Frax contracts. Source is Etherscan-verified for core contracts but no published automated analysis found for current deployed bytecode (frxUSD OFT adapter, FraxEtherRedemptionQueueV2, BAMM, fraxlend pairs V2+). Tool run required.
RD-F-011 gray SELFDESTRUCT reachable from non-admin path No Slither suicidal detector run available. Core non-upgradeable contracts (sfrxETH, FraxEtherRedemptionQueueV2, FraxlendPair) are simple ERC-4626/ERC-721/lending contracts unlikely to contain non-admin SELFDESTRUCT — no published finding in accessible audit summaries. Tool run required for definitive assessment.
RD-F-012 gray delegatecall with user-controlled target No Slither controlled-delegatecall detector run available. frxGov system (OZ Governor extension) audited by ToB Jul 2023 with no such finding cited. AMO contracts (Curve AMO, Convex) may involve delegatecall patterns — tool run required.
RD-F-013 gray Arbitrary call with user-controlled target No Slither arbitrary-send-eth detector run available. AMO contracts interact with Curve/Convex protocols via external calls — potential surface. Frax Security Cartel Curve AMO audit (May 2024) would have flagged this if present; report not accessible as text.
RD-F-014 gray Reentrancy guard on external-calling functions No Slither reentrancy detector run available. Code4rena frxETH 2022 (2H+10M) and Fraxlend 2022 (2H+13M) did not cite reentrancy as a primary finding. sfrxETH uses OZ ERC-4626 which follows the CEI pattern. Tool run required for current deployed contracts.
RD-F-015 gray ERC-777/1155/721 hook without reentrancy guard FraxEtherRedemptionQueueV2 is an ERC-721 system using _safeMint which triggers onERC721Received hooks. Potential reentrancy surface if minting happens before state update. Frax Security Cartel Mar 2024 (frxETH V2) would have covered this; report not accessible as text. Tool run required.
RD-F-016 gray Divide-before-multiply pattern No Slither divide-before-multiply detector run available. Code4rena Fraxlend 2022 M-04 cited interest calculation inaccuracies related to call frequency — potentially related but not confirmed as divide-before-multiply. Tool run required.
RD-F-017 gray Mixed-decimals math without explicit scaling Fraxlend pairs deal in multi-decimal token pairs (FRAX 18dec + various collateral). Pair design uses explicit share-conversion functions (toAssetAmount, toAssetShares) which should handle normalization. No published finding on mixed-decimals in accessible audit summaries. Tool run + source inspection required.
RD-F-018 gray Signed/unsigned arithmetic confusion No Slither or symbolic execution run available. No published finding on signed/unsigned arithmetic confusion in accessible Frax audit summaries.
RD-F-019 gray ecrecover zero-address return unchecked No Slither ecrecover-malleable detector run. frxGov extends OZ Governor (EIP-712 signed votes) — OZ Governor handles ecrecover correctly. Fraxlend permit-style signatures not independently verified. Tool run required.
RD-F-020 gray EIP-712 domain separator missing chainId frxGov extends OZ Governor, which implements EIP-712 with chainId in the domain separator by default. sfrxETH (ERC-4626) and Fraxlend permits not independently verified for domain separator chainId. Tool run required.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned The frxUSD OFT adapter (0x566a6442) is a TransparentUpgradeableProxy — uses ProxyAdmin for upgrades, NOT UUPS. All other core contracts (sfrxETH, FraxlendPairs, FraxEtherRedemptionQueueV2, FraxGovernorAlpha/Omega) are non-upgradeable contracts with constructors. The UUPS _authorizeUpgrade pattern is not used in the Frax deployment architecture reviewed.
RD-F-004 green Audit count 7 distinct audit firms with public reports: Trail of Bits (7 engagements 2021-2024), Certora (BAMM Oct/Dec 2024 FV+MR), ChainSecurity (BAMM + sfrxUSD/FXB Jul 2025), Zellic (frxUSD/FraxNet Jul/Sep 2025 + USD stablecoin Feb 2026), Code4rena (frxETH Sep 2022), CertiK (Nov 2020), Frax Security Cartel (5 engagements 2024-2025). Shipyard/Macro Apr 2022 has no public report. Strong multi-firm audit count.
RD-F-005 green Audit firm tier Tier-1 firms engaged: Trail of Bits (7 engagements, highest-tier Level 4 effort) and Certora (BAMM FV+audit). Tier-2: ChainSecurity, Zellic, Code4rena, CertiK. 'Frax Security Cartel' — independence not verifiable; no public member list found across multiple searches; reports hosted in protocol's own GitHub repo rather than an independent firm index. However, the presence of ToB (Tier-1) and Certora (Tier-1) for core contracts is sufficient for green on this factor. The Frax Security Cartel independence concern is flagged in issues.
RD-F-022 green Public initialize() without initializer modifier No unprotected public initialize() on any live implementation contract found. FraxlendPair V1: has initialize() with AlreadyInitialized guard (custom pattern, not OZ modifier — but non-upgradeable standalone contract so re-init risk is limited to a separate attack vector). frxUSD OFT adapter: TransparentUpgradeableProxy with 'Initialized' events in ABI suggesting OZ initializer pattern used on implementation. sfrxETH: non-upgradeable ERC-4626 with constructor. FraxEtherRedemptionQueueV2: non-upgradeable with constructor. FraxGovernorAlpha/Omega: non-upgradeable. No one-tx exploit surface identified.
Governance & admin Yellow 20 24 of 24
RD-F-028 yellow Low-threshold multisig vs TVL 3-of-5 at $298M TVL is at the lower bound of peer norm for this TVL tier (peers like Aave/Compound use 5-of-9 or 4-of-6). All 5 signers are reportedly core Frax team members — one organizational cluster with no demonstrated signer independence or hardware-wallet attestation. Signer identities: 0x6933BCC3, 0xcbc616D5, 0x17e06ce6, 0xc8dE9f45, 0x6e74053a.
RD-F-029 yellow Multisig signers co-hosted All 5 signers are core Frax team members with high probability of organizational co-location. No ASN/data-center lookup performed. No hardware-wallet diversity documentation found publicly.
RD-F-032 yellow Timelock duration on upgrades Alpha TimelockController (0x821794): min delay ~86,400s (~1 day). Omega path: effective delay = 2-day veto window only (no post-veto timelock). frxUSD: NO timelock on admin actions per LlamaRisk explicit confirmation. Operative path (Omega + frxUSD) has 48h effective delay at best, 0h for direct multisig executions on frxUSD. Falls short of the 48-72h best-practice tier for $298M TVL protocols.
RD-F-033 yellow Timelock on sensitive actions Alpha path: yes, 1-day OZ TimelockController gates high-impact changes. Omega path (day-to-day): 2-day veto window only — no mandatory post-veto timelock. frxUSD mint/pause/upgrade/addMinter: explicitly NO timelock per LlamaRisk. The operative day-to-day path and the stablecoin's sensitive actions lack timelock gating. Only Alpha-governed (rare) changes have a timelock.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader No dedicated guardian/pauser role separate from the Comptroller 3-of-5 multisig. The Omega rejection mechanism (veFXS veto) serves as a soft guardian but requires 4% quorum to activate. FraxCompatibilityFallbackHandler is a Safe handler, not a guardian. The same 3-of-5 multisig is both day-to-day executor and upgrade authority.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Omega cannot modify its own governance params (only Alpha can — partial role separation). However: upgrade authority for frxUSD = Comptroller 3-of-5; oracle config (legacy) = stale EOA-controlled timelock; minter management = frxUSD owner (Comptroller 3-of-5). The same multisig effectively holds upgrade + minter + pause + AMO-add roles. Partial separation exists at governor level but not at execution level.
RD-F-039 yellow delegatecall/call in proposal execution without allowlist FraxGovernorOmega has both a delegateCallAllowlist and safeAllowlist in its contract (confirmed from Etherscan source). Execute() calls safe.approveHash() on allowlisted Safes — not arbitrary targets. Alpha uses OZ standard call (not delegatecall) for proposal execution. Allowlist existence mitigates the risk. However, allowlist contents were not confirmed via direct on-chain read (JS-rendered tab inaccessible). Yellow not green due to unverified allowlist population.
RD-F-040 yellow Emergency-veto multisig present FraxGovernorOmega's rejectTransaction() allows any veFXS holder to veto proposals if 4% quorum is met and a majority votes against. The veFXS community collectively constitutes the veto mechanism. No dedicated standalone guardian address with pre-execution emergency veto exists. Veto power is collective/governance-based, not a single multisig guardian.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock frxUSD contracts have NO timelock on admin actions per LlamaRisk explicit statement. The Comptroller 3-of-5 Safe can call pause(), upgrade the proxy, addMinter(), removeMinter() on frxUSD without any mandatory delay. Omega-routed actions have a 2-day veto window, but direct Safe executions (not routed via Omega) have no delay. Emergency/rescue-equivalent functions executable by multisig in a single transaction. Not red because (a) requires 3-of-5 multisig coordination (not a single EOA), (b) frxETH/sfrxETH are immutable (largest historical TVL surface has no rescue functions), (c) Omega veto is an active community check for governance-routed actions.
RD-F-042 yellow Admin has mint() with unlimited max frxUSD includes minter_mint(address, uint256) callable by addresses added via addMinter(address). The contract owner (Comptroller 3-of-5) can call addMinter() to add any address, which can then mint arbitrary amounts. No hard on-chain supply cap enforced in the contract — caps are governance-set per custodian but the contract does not enforce a global hard ceiling. Architecture permits expanding minting authority to unlimited if the multisig chose to do so. Not currently unlimited, but the pathway exists.
RD-F-047 yellow Governance token concentration (Gini) veFXS distribution: core team reportedly holds a large veFXS block. No Gini coefficient calculation performed. Frax team concentration sufficient to potentially pass Omega short-circuit proposals (>51%) or influence quorum outcomes. Community veFXS is also significant. Concentration risk elevated relative to truly decentralized protocols.
RD-F-167 yellow Deprecated contract paused but pause reversible by live admin Legacy FXS Timelock (0x8412ebf45) has admin = EOA 0x510B35338c8e3b53F12aa109C38995Acd9127aE0 (confirmed EOA, not contract). Last active Sept 2022 (~3.5 years dormant). Holds 69 FRAX (~$68). One source states this timelock controls all configurations for all Frax Oracles on L1. If true, the stale EOA can modify Frax Oracle configs for legacy oracle contracts. The deprecated-surface admin extension pattern: a deprecated legacy timelock still potentially holding live oracle admin rights under an EOA that is dormant but not revoked.
RD-F-030 gray Hot-wallet signer flag Owner addresses not individually analyzed for hot-wallet patterns (gas usage, nonce frequency, signing method). No on-chain heuristic tool available in this assessment. Cannot confirm or deny hardware-wallet usage.
RD-F-031 gray Signer rotation recency No on-chain event scan for SignerAdded/SignerRemoved on the Comptroller Safe performed. Sam Kazemian reportedly moved to an advisory role late 2024 but whether this triggered a signer rotation is unconfirmed. No threshold-reduction event detected via search.
RD-F-044 gray Admin wallet interacts with flagged addresses Comptroller multisig owner addresses (0x6933BCC3, 0xcbc616D5, 0x17e06ce6, 0xc8dE9f45, 0x6e74053a) not screened against a Chainalysis-style watchlist. No on-chain cluster feed available in this assessment. Cannot assess flag status.
RD-F-045 gray Constructor args match governance proposal frxGov deployment was preceded by the FIP-332 governance forum proposal. Exact constructor arg verification (frxGov deployed params vs FIP-332 stated params) not performed — requires direct bytecode + proposal comparison. Trail of Bits frxGov audit provides indirect coverage. Curator review needed for formal verification.
RD-F-025 green Admin key custody type Frax uses the frxGov dual-governor (FraxGovernorAlpha + FraxGovernorOmega) backed by veFXS vote-escrow. Day-to-day execution via Omega (optimistic) controlling the 3-of-5 Comptroller Gnosis Safe. High-impact changes via Alpha (40% quorum, ~1-day timelock). Classified: multisig + partial-DAO governance — not a single EOA.
RD-F-026 green Upgrade multisig signer configuration (M/N) Frax Comptroller: 3-of-5 Gnosis Safe (threshold=3, owner_count=5 per data-cache). frxUSD proxy admin is the same 3-of-5 Safe. LlamaRisk confirms '3 out of 5 quorum required'. No lower-threshold sub-multisig found.
RD-F-027 green Single admin EOA No single EOA holds primary admin. Frax Comptroller is a 3-of-5 Gnosis Safe (0xB1748C79). frxUSD proxy admin = same 3-of-5 Safe. Legacy timelock admin is EOA 0x510B35... but that timelock is stale (Sept 2022) and controls minimal value.
RD-F-036 green Flash-loanable voting weight veFXS is non-transferable and requires locking FXS for up to 4 years. Voting power uses checkpoint-based historical tracking (veFXS.totalSupplyAt(block.number)). Flash loans cannot acquire or inflate veFXS within a single block. The Beanstalk-class governance flash-loan attack is structurally blocked by the lock mechanism.
RD-F-037 green Quorum achievable via single-entity flash loan Alpha quorum = 40% of total veFXS supply. veFXS is non-transferable and time-locked — cannot be flash-loan-acquired. Even Omega's 4% quorum is protected by the same checkpoint mechanism. Single-entity achieving 40% via flash loan is structurally impossible.
RD-F-038 green Proposal execution delay < 24h Alpha path: voting delay + voting period + 1-day timelock = multiple days total, well above 24h. Omega path: 2-day veto window minimum before execution — also above 24h. Both governance paths exceed the 24h threshold.
RD-F-043 green Admin = deployer EOA after 7 days Protocol is 65+ months old (launched Dec 2020). Primary deployer EOA 0xa448833bece66fd8803ac0c390936c79b5fd6edf transferred control long before any current assessment. frxGov launched 2023 with Comptroller multisig as admin. frxUSD launched Jan 2025 with Comptroller multisig as proxy admin from deployment. No active contract found with deployer EOA as current admin.
RD-F-046 green Contract unverified on Etherscan/Sourcify All primary contracts verified on Etherscan with Source Code Verified Exact Match: FraxGovernorAlpha 0xe8Ab863E, FraxGovernorOmega 0x953791D7, FraxGuard 0xed53eb15, frxUSD proxy 0xcacd6fd2, frxUSD impl 0x0000000048d2c8, sfrxETH 0xac3E0184, FraxEtherRedemptionQueueV2 0xfDC69e6BE (note: Dec 2025 bytecode discrepancy allegation exists but Etherscan shows Exact Match formally). Public ABIs exist for all contracts.
Oracle & external dependencies Yellow 22 17 of 17
RD-F-180 red Immutable oracle address [★ CANDIDATE — PD-017 HELD; compose.py counts as ★] Fraxlend pair oracle addresses (_oracleMultiply and _oracleDivide) are stored as immutable constructor arguments per pair deployment. No setOracle() or oracle-update admin function exists at the pair level. Confirmed by: (1) Code4rena 2022 Fraxlend audit describes _oracleMultiply/_oracleDivide as pair-deploy-time parameters; (2) Etherscan ABI for FRAX/FXS pair (0xDbe88DBAc39263c47629ebbA02b3eF4cf0752A72) shows oracleMultiply() and oracleDivide() as view functions with no corresponding setter; (3) Fraxlend factory creates new pairs with fixed oracles — existing pairs cannot update feeds. If a Chainlink feed used by an existing Fraxlend pair is deprecated, compromised, or the collateral depegs, the pair cannot be repriced — borrowers remain exposed at stale prices until liquidity migrates to a new pair. The FraxlendWhitelist controls new-pair oracle eligibility but has no effect on existing pairs. This is the exact USR/USDX/xUSD/USD0++
RD-F-050 yellow Dependency graph (protocols depended upon) Dependency graph partially mapped. frxUSD depends on BlackRock BUIDL (Securitize custodian), RedStone oracle, Circle CCTP; failure of any breaks frxUSD minting/redemption. Fraxlend depends on Chainlink feeds (all active pairs). AMO depends on Curve and Convex. Fraxtal depends on OP Stack infrastructure. Cross-chain depends on LayerZero. Yellow because the full AMO contract dependency list (dozens of contracts) was not enumerated from on-chain sources in this assessment — curator must verify the complete AMO dependency list.
RD-F-051 yellow Fallback behavior on oracle failure Fraxlend dual-oracle: if one feed is isBadData, borrowing halts — no soft fallback to last-known-price. BUIDL NAV (RedStone TSSO): single authoritative source by design (no fallback for regulated NAV data). USDC/USDT Chainlink feeds: no confirmed fallback if stale. AMO uses governance-approved reference rates as its fallback mechanism. Yellow because some oracle paths have no fallback (BUIDL TSSO, AMO stablecoin feeds) and the Fraxlend halt-on-bad-data design, while protective, means zero oracle = zero lending.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis per dependency: (1) Chainlink ETH/USD failure — Fraxlend ETH-collateral pairs halt new borrows and liquidations (HIGH). (2) RedStone BUIDL NAV oracle failure — frxUSD RWA collateral cannot be priced; minting/redemption freezes (HIGH). (3) Securitize BUIDL redemption pathway failure (regulatory/banking) — frxUSD peg defense loses off-chain rails; peg break risk under stress (HIGH). (4) Curve AMO failure — FRAX supply management disrupted; principal recoverable (MEDIUM). (5) LayerZero OFT failure — cross-chain frxUSD transfers halt (MEDIUM). (6) Convex failure — yield loss only (LOW). Yellow because multiple HIGH-impact breakage paths exist with limited mitigation, particularly the BUIDL off-chain redemption path which has no on-chain fallback.
RD-F-057 yellow Circuit breaker on price deviation Fraxlend implements a dual-oracle divergence halt: if the two oracle feeds diverge beyond a threshold, borrowing is halted — this is functionally a circuit breaker. However, the specific bps threshold is governance-controlled and not confirmed from on-chain reads. sfrxETH has a 30% bound (sfrxEth will never be overvalued by more than 30%). USDC/USDT feeds have no confirmed circuit breaker. Yellow because a circuit breaker exists for Fraxlend (the highest-risk path) but the specific threshold is unconfirmed and stablecoin feeds have no confirmed circuit breaker.
RD-F-059 yellow Oracle staleness check present Fraxlend staleness checks confirmed per documentation: prices considered bad/stale if Chainlink signals bad or 'price is too old'; uses latestRoundData() (not the deprecated latestAnswer()). The isBadData flag propagates from the dual-oracle comparison. However, the specific maxStaleness value in seconds is not confirmed from on-chain read. BUIDL RedStone TSSO has up to 24h staleness inherent in daily NAV updates — unclear whether Frax's staleness gate triggers on 24h-old BUIDL NAV. Yellow because staleness checks exist for Fraxlend but threshold values are unconfirmed; the BUIDL NAV path may have 24h staleness tolerance.
RD-F-054 n/a TWAP window duration Not applicable. Fraxlend and Frax Oracle use Chainlink aggregator feeds as primary oracle — not TWAP-based DEX oracles. TWAP window duration is irrelevant to Chainlink aggregator design. Frax Oracle uses a 24h update cycle with addRoundData for freshness, which is an attestation cycle, not a TWAP window.
RD-F-055 n/a Oracle pool depth (USD) Not applicable. Fraxlend's primary oracles are Chainlink aggregators, not DEX liquidity pools. DEX pool depth is irrelevant to Chainlink aggregator price formation (prices aggregated from multiple node operators, not from pool reserves).
RD-F-056 n/a Single-pool oracle (no medianization) Not applicable. No single-pool oracle is used. Fraxlend uses Chainlink aggregators (multi-node aggregate) and a dual-feed pessimistic design — medianization across venues is inherent in Chainlink aggregator architecture. The DEX-pool single-venue oracle pattern is not used.
RD-F-058 gray Max-deviation threshold (bps) The specific basis-point threshold for the Fraxlend dual-oracle circuit breaker was described qualitatively as 'small few percentage points' in search results but not confirmed from on-chain reads of contract state. Requires an on-chain call to the oracle/pair contract to read the configured deviation threshold. Cannot assess without on-chain read.
RD-F-060 gray Chainlink aggregator min/max bound misconfig Cannot assess without on-chain read of minAnswer/maxAnswer for each Chainlink aggregator feed used by Fraxlend. Data-cache oracle_feeds identifies the Chainlink addresses but does not capture min/max bound configuration. The dual-oracle design provides partial protection (an attacker must manipulate both feeds simultaneously), but bound misconfiguration remains possible on individual feeds. Requires an on-chain call to each aggregator's minAnswer()/maxAnswer() functions.
RD-F-048 green Oracle providers used Multiple Chainlink feeds confirmed from data-cache (ETH/USD 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419, USDC/USD 0x8fFfFfd4AfB6115b954Bd326cbe7B4BA576818f6, USDT/USD 0x3E7d1eAB13ad0104d2750B8863b489D65364e32D, BTC/USD 0xF4030086522a5bEEa4988F8cA5B36dbC97BeE88c, plus LINK, COMP, UNI, AVAX). Frax Oracle system (dual-oracle, Chainlink-compatible, audited ToB Oct 2023). RedStone Trusted Single Source Oracle for BUIDL NAV (frxUSD RWA collateral). sfrxETH rate is internal ERC-4626 math. Multiple distinct oracle providers across the product stack.
RD-F-049 green Oracle role per asset Roles per asset: ETH/USD and BTC/USD are primary lending collateral oracles in Fraxlend (dual-feed, pessimistic). USDC/USD and USDT/USD are primary AMO stablecoin collateral valuation. BUIDL NAV (RedStone TSSO) is primary for frxUSD RWA backing. sfrxETH rate is internal (no external oracle). IORB oracle is secondary reference rate for AMO. Each product's oracle role is distinct and documented.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] Fraxlend uses dual Chainlink feeds (_oracleMultiply / _oracleDivide) confirmed by Code4rena 2022 audit: 'The _updateExchangeRate function calls latestRoundData() on both the oracleMultiply and oracleDivide Chainlink oracles.' No spot DEX pool oracle in any product. frxUSD uses Chainlink and governance reference rates. sfrxETH rate is internal ERC-4626 math. Fraxswap is a DEX but does not use an external spot oracle for its own TWAMM pricing. No protocol in the Frax stack reads a raw spot DEX pool price without TWAP or fallback.
RD-F-061 green LP token balanceOf used for pricing No evidence of LP token balanceOf used in any oracle price path. Fraxlend uses Chainlink aggregators for collateral pricing. Frax Oracle uses dual Chainlink feeds. Curve AMO positions are managed via governance calls — LP token balances are used for position accounting, not for pricing collateral. No balanceOf-based price path identified across the Frax product stack.
RD-F-062 green External keeper/relayer not redundant Fraxlend core operations are permissionless — borrowers and liquidators can call functions without an external keeper. Chainlink Automation is not used for core pair functions. AMO operations are triggered by the governance Comptroller (not a single keeper). Frax Oracle price updates via addRoundData can be called by whitelisted parties (not a single required keeper). No single-keeper dependency identified for core protocol functionality.
RD-F-181 green Permissionless-pool lending oracle Fraxlend uses a FraxlendWhitelist contract that gates which oracle contracts can be used when creating new lending pairs. Only governance-whitelisted oracle addresses may be used at pair creation. This prevents permissionless-pool oracles from being accepted — any user who wants to create a Fraxlend pair must use a pre-approved oracle from the whitelist. The whitelist mechanism satisfies the venue-acceptance governance gate required by F181. Confidence: high based on Code4rena 2022 audit confirming the whitelist check at construction.
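As an added, constructed illustration of the oracle gates that RD-F-051, RD-F-057, RD-F-059 and RD-F-060 describe (a dual-feed pessimistic oracle that sets isBadData on staleness, min/max-bound clamping or divergence, and a pair that refuses new borrows while the flag is set), written for this review and not Fraxlend's code; the staleness, deviation and bound values are assumptions, since the page records the real ones as unconfirmed:

```python
# Constructed model of a dual-feed pessimistic oracle and a halt-on-bad-data
# lending pair. Not Fraxlend or Frax Oracle code; thresholds are assumptions.
from dataclasses import dataclass

MAX_STALENESS_SECONDS = 3600   # assumption: answers older than 1h are stale
MAX_DEVIATION_BPS = 300        # assumption: >3% divergence trips the circuit breaker


@dataclass
class RoundData:
    """Fields a Chainlink-style latestRoundData() returns."""
    round_id: int
    answer: int
    updated_at: int
    answered_in_round: int


@dataclass
class Feed:
    """A Chainlink-style aggregator plus its configured minAnswer/maxAnswer bounds."""
    latest: RoundData
    min_answer: int
    max_answer: int


def feed_is_bad(feed, now):
    """Checks the consumer must do itself: sign, completeness, staleness, bounds."""
    r = feed.latest
    if r.answer <= 0 or r.answered_in_round < r.round_id:
        return True
    if now - r.updated_at > MAX_STALENESS_SECONDS:
        return True
    # An aggregator pinned at its bound reports the bound, not the market price.
    if r.answer <= feed.min_answer or r.answer >= feed.max_answer:
        return True
    return False


def dual_oracle_price(feed_a, feed_b, now):
    """Return (is_bad_data, price): the lower of two healthy feeds, bad on divergence."""
    if feed_is_bad(feed_a, now) or feed_is_bad(feed_b, now):
        return True, 0
    a, b = feed_a.latest.answer, feed_b.latest.answer
    hi, lo = max(a, b), min(a, b)
    deviation_bps = (hi - lo) * 10_000 // hi
    if deviation_bps > MAX_DEVIATION_BPS:
        return True, lo
    return False, lo


class LendingPair:
    """Minimal pair: refreshes the rate on every borrow and halts while isBadData."""

    def __init__(self, feed_a, feed_b):
        self.feed_a, self.feed_b = feed_a, feed_b
        self.is_bad_data = False
        self.exchange_rate = 0

    def update_exchange_rate(self, now):
        self.is_bad_data, self.exchange_rate = dual_oracle_price(self.feed_a, self.feed_b, now)
        return self.is_bad_data

    def borrow(self, now, amount):
        if self.update_exchange_rate(now):
            raise RuntimeError("borrow halted: oracle isBadData")
        return amount


def borrow_halts(pair, now):
    """True when the pair refuses a borrow because the oracle reports isBadData."""
    try:
        pair.borrow(now, 1)
    except RuntimeError:
        return True
    return False


# Constructed sample feeds (not real Chainlink data): ETH/USD style, 8 decimals.
NOW = 1_700_000_000


def make_feed(answer, age_seconds, min_answer=1 * 10**8, max_answer=100_000 * 10**8):
    return Feed(RoundData(42, answer, NOW - age_seconds, 42), min_answer, max_answer)


def demo():
    fresh = make_feed(3_000 * 10**8, 60)
    close = make_feed(3_030 * 10**8, 120)        # ~1% apart: accepted, lower price used
    far = make_feed(3_200 * 10**8, 120)          # ~6.25% apart: divergence halt
    stale = make_feed(3_000 * 10**8, 2 * 3600)   # 2h old: staleness halt
    clamped = make_feed(100_000 * 10**8, 60)     # pinned at maxAnswer: bound halt
    return {
        "ok": dual_oracle_price(fresh, close, NOW),
        "divergent": dual_oracle_price(fresh, far, NOW),
        "stale": dual_oracle_price(fresh, stale, NOW),
        "clamped": dual_oracle_price(fresh, clamped, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: isBadData={result[0]} price={result[1]}")
```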
Economic risk Yellow 24 13 of 13
RD-F-063 yellow TVL (current + 30d trend) Current TVL $298.58M (DefiLlama 2026-05-16). 30d change -5.12%; 1d change -3.86%; 90d CoV 0.073 (mean $294.3M, std $21.5M). Down 88% from $2.483B ATH (2022-03-03) — managed design migration from fractional-algorithmic FRAX to fully-collateralized frxUSD, not an exploit. Continues above $100M coverage threshold. Yellow for ongoing downtrend and 88% ATH drawdown despite non-distress causation.
RD-F-065 yellow Liquidity depth per major asset frxUSD on-chain DEX liquidity: ~$10.7M total across Ethereum DEXs. Sell liquidity within 0.16% slippage: ~$5.5M; buy within 0.19% slippage: ~$3.25M (LlamaRisk Jul 2025). Thin for a $298M TVL protocol — a $10M+ frxUSD exit requires custodian redemption (1 business day latency). frxETH/sfrxETH: historically the Curve frxETH/ETH pool had deep liquidity; current depth not quantified here. Yellow for frxUSD: on-chain liquidity is thin relative to outstanding supply, creating off-chain redemption dependency.
RD-F-068 yellow Collateralization under stress frxUSD collateralization ratio: ~103.7% as of July 2025 (LlamaRisk). Target >=100% CR per FIP-188. The 3.7% surplus buffer is thin. Stress scenario: if BUIDL/USTB RWA redemptions cluster simultaneously with large on-chain frxUSD sell pressure, the custodian redemption latency (1 business day) could create a short-window net-asset-value gap. On-chain DEX liquidity ($10.7M) is insufficient to absorb large sells without the RWA pathway. Fraxlend pairs: 75% max LTV (immutable) provides 25pp collateral headroom — adequate at current utilization. Yellow for frxUSD: 3.7% surplus + 1-business-day RWA redemption latency creates stress-scenario collateral gap risk.
RD-F-069 yellow Algorithmic / under-collateralized stablecoin Scored on CURRENT frxUSD design (U2). frxUSD is fully collateralized: >=100% CR target (actual ~103.7%), backed by RWA T-bills (BUIDL/BlackRock, USTB/Superstate, USCC, AUSD, WTGXX, JTRSY). This is NOT an algorithmic stablecoin design in its current form. Historical context: FRAX v1/v2 (2020–2024) was fractional-algorithmic (partially FXS-backed via AMO); the March 2023 USDC/SVB contagion caused a brief FRAX depeg due to USDC collateral exposure. Migration to the fully-collateralized model (FIP-419, Jan 2025) is complete. Current risk: RWA off-chain dependency — Securitize BUIDL requires a qualified-purchaser whitelist ($5M min, 0.15% fee), no 24/7 redemption guarantee, settlement latency 1 business day. The frxUSD custodian pathway is fragmented. Yellow (not red): design is fully-collateralized, not algorithmic; but RWA off-chain redemption latency and whitelist restrictions are structural risks that distinguish this from a purely on-chain stablecoin.
RD-F-071 yellow Seed-deposit requirement for new market listing No documented minimum seed deposit requirement found for Fraxlend market creation. Docs describe Fraxlend as permissionless — 'anyone can create a market between a pair of ERC-20 tokens.' The FraxlendPairDeployer contract parameters (e.g., minimum initial supply before borrow-enable) were not read on-chain in this assessment. Absence of a documented seed-deposit requirement is a gap relative to best practice (a seed deposit prevents first-depositor inflation attacks). Yellow: no positive evidence of a seed-deposit guard; the ERC-4626 fToken architecture requires verification of share initialization behavior on first deposit.
RD-F-073 yellow Oracle-manipulation-proof borrow cap Fraxlend uses Chainlink price feeds per pair (ETH/USD, USDC/USD, BTC/USD, LINK/USD, COMP/USD, AVAX/USD, UNI/USD confirmed from profile §7). Max LTV of 75% is immutable per deployment — a borrow cap proxy. No documented oracle-manipulation-resistant borrow cap formula (e.g., cap <= oracle pool depth x manipulation-resistance multiplier). June 2024 Egorov/CRV event: CRV fell 24%+ in one day; Fraxlend isolated pairs handled liquidations without bad debt, suggesting the 75% LTV and the DDR mechanism were adequate for that stress. However, the liquidation bonus is 10% (fixed), and extremely rapid price declines could theoretically exhaust the 25pp collateral buffer before liquidators can clear. Yellow: no formal oracle-manipulation-proof cap formula documented; 75% LTV provides a meaningful buffer but is not calculated from oracle liquidity depth.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) sfrxETH (ERC-4626, address 0xac3E018457B222d93114458476f3E3416Abbe38F) is the highest-TVL ERC-4626 vault in the Frax stack. sfrxETH.sol imports from a custom xERC4626 base contract — NOT the OpenZeppelin >=4.9 ERC-4626 implementation that includes the virtual-share offset mechanism. The OZ virtual offset (introduced in OZ 4.9 to prevent share inflation attacks on first deposit) is not confirmed present. sfrxETH was launched in 2022, pre-dating the OZ 4.9 virtual offset. The Code4rena 2022-09 audit reviewed frxETH/sfrxETH — if a share inflation gap existed at that scope level it would likely have been flagged, but this is not confirmed without reading the full audit PDF. Fraxlend fTokens also use ERC-4626 without a documented virtual offset. Yellow: OZ virtual offset not confirmed; the custom xERC4626 base warrants curator inspection.
RD-F-075 yellow First-depositor / share-inflation guard No explicit first-depositor guard confirmed for sfrxETH or Fraxlend fTokens. sfrxETH: inherits the custom xERC4626 base (not the OZ >=4.9 virtual offset); no documented seed deposit or dead-shares mechanism. sfrxETH is not currently empty (3,915 holders, ~41,190 sfrxETH supply — Etherscan 2026-05-17), reducing live inflation attack feasibility. Fraxlend fTokens: ERC-4626 based; no minimum seed deposit documented in Fraxlend docs or README; new isolated pairs deployed with zero initial supply are theoretically vulnerable to first-depositor manipulation until liquidity is seeded. The Code4rena 2022-09 audit reviewed sfrxETH and is the best available review evidence; absence of a documented guard is a structural gap. Yellow: no confirmed guard mechanism; not empty in practice for sfrxETH, but new Fraxlend pairs may be exposed on first deposit.
RD-F-064 gray TVL concentration (top-10 wallet share) On-chain top-10 depositor wallet share not retrievable via free-tier API. Dune Analytics returns 403. Proxy data: frxUSD top-5% active addresses contributed >80% of on-chain transactions (LlamaRisk Jul 2025); FXS governance token: one wallet held 33.5% of supply (late 2024). Structural concentration is likely in both stablecoin usage and the governance token, but depositor TVL concentration cannot be quantified without Dune or an on-chain query.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Fraxlend is an original isolated-pair lending design, NOT a Compound V2 fork. The empty-cToken-market / donation-attack vector requires a Compound-style shared market with a zero-supply cToken pool. Fraxlend uses: (1) isolated pairs with independent accounting (no shared totalSupply across markets); (2) an ERC-4626-based fToken system, not cToken mechanics; (3) original architecture confirmed by profile §5 'not forked', the fraxlend GitHub README, and the Trail of Bits 2022-11 audit scope. The Compound-fork prerequisite for RD-F-070 ★ does not apply. Note: the broader ERC-4626 share-inflation class (F074/F075) IS assessed separately for sfrxETH and Fraxlend fTokens.
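To make the share-inflation class assessed in F074/F075 concrete, here is an added Python model that is not Frax code (sfrxETH's xERC4626 base is not reproduced) and not part of this assessment's tooling. It contrasts the pre-offset ERC-4626 conversion (1:1 on an empty vault, proportional afterwards) with the OpenZeppelin 4.9+ virtual-share formula, replaying the first-deposit-plus-donation sequence a curator would check for: a 1 wei seed deposit, a direct transfer of the underlying into the vault, then an ordinary depositor. All amounts are constructed; the point is what the second depositor can redeem under each formula.

```python
"""Model of ERC-4626 share accounting with and without OpenZeppelin's
virtual-share offset (OZ >= 4.9).  Added illustration for the F074/F075
assessment: NOT Frax's xERC4626 code, and every amount below is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Vault:
    """Minimal ERC-4626 accounting in integer wei, rounding down like mulDiv.
    decimals_offset=None selects the pre-offset formula; an int selects the
    OZ formula with 10**decimals_offset virtual shares and 1 virtual asset."""
    decimals_offset: Optional[int]
    total_assets: int = 0
    total_supply: int = 0

    def _virtual_shares(self) -> int:
        return 10 ** self.decimals_offset if self.decimals_offset is not None else 0

    def convert_to_shares(self, assets: int) -> int:
        if self.decimals_offset is None:
            # Pre-offset: 1:1 on an empty vault, otherwise assets * supply / totalAssets.
            if self.total_supply == 0:
                return assets
            return assets * self.total_supply // self.total_assets
        # OZ >= 4.9: shares = assets * (supply + 10**offset) / (totalAssets + 1)
        return assets * (self.total_supply + self._virtual_shares()) // (self.total_assets + 1)

    def convert_to_assets(self, shares: int) -> int:
        if self.decimals_offset is None:
            if self.total_supply == 0:
                return shares
            return shares * self.total_assets // self.total_supply
        # OZ >= 4.9: assets = shares * (totalAssets + 1) / (supply + 10**offset)
        return shares * (self.total_assets + 1) // (self.total_supply + self._virtual_shares())

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        """Direct ERC-20 transfer into the vault that bypasses deposit():
        raises totalAssets without minting shares."""
        self.total_assets += assets


def first_deposit_scenario(decimals_offset: Optional[int],
                           donation: int, second_deposit: int) -> Dict[str, int]:
    """Seed 1 wei, donate `donation`, then deposit `second_deposit`; report what
    each party can redeem.  Returned values are exact integers."""
    v = Vault(decimals_offset)
    seed_shares = v.deposit(1)
    v.donate(donation)
    second_shares = v.deposit(second_deposit)
    return {
        "second_shares": second_shares,
        "second_redeemable": v.convert_to_assets(second_shares),
        "seeder_in": 1 + donation,
        "seeder_redeemable": v.convert_to_assets(seed_shares),
    }


if __name__ == "__main__":
    one = 10 ** 22  # constructed: 10,000 tokens with 18 decimals
    for label, offset in (("pre-offset", None), ("OZ offset=3", 3)):
        r = first_deposit_scenario(offset, one, one)
        print(label, {k: v / 1e18 for k, v in r.items()})
```

Under the pre-offset formula the second depositor's shares round to zero and the seeder's single share redeems the whole vault; with a virtual offset of 3 the second depositor keeps all but a rounding sliver and the seeder's donation is unrecoverable, which is the loss profile that makes the guard effective. A non-empty vault such as sfrxETH today is outside this window; a freshly deployed zero-supply Fraxlend pair is not.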
RD-F-066 green Utilization rate (lending protocols) Aggregate Fraxlend utilization: $8.19M borrowed vs ~$31.86M Fraxlend-specific TVL = ~25.7% utilization (Fraxlend-specific). Data cache reports 2.74% at protocol level (denominator = all Frax TVL). Target utilization range 75-85% per docs; current aggregate well below. No high-utilization lock-up risk at current volumes. 34 active tracked pairs. Individual pair utilization may vary; no specific pairs confirmed to be at critical utilization. Green for aggregate utilization significantly below distress threshold.
RD-F-067 green Historical bad-debt events June 2024 Egorov/CRV liquidation cascade: Frax Finance stated 'zero bad debt on Fraxlend due to our partial liquidation, DDR, isolated lending design.' CRV fell 24%+ triggering liquidations across 5 venues (Inverse, UwU Lend, FraxLend, Aave, LlamaLend). Fraxlend isolated-pair design and Dynamic Debt Rebalancing (DDR) prevented socialized loss. LlamaLend (Curve) incurred $10M bad debt; Fraxlend did not. No other documented bad debt events in Fraxlend history. Green: no confirmed bad debt events with socialized lender loss.
RD-F-072 green Market-listing governance threshold Fraxlend market creation is permissionless for ERC-20 asset pairs. Docs: 'isolated market which allows anyone to create a market between a pair of ERC-20 tokens.' Each pair is independent and does not require DAO governance vote to list. Permissioned vs. permissionless pair distinction exists (Comptroller multisig approval for specific pair types), but the base architecture allows open market creation. Green: low governance barrier to new market listing — appropriate for isolated-pair model where new market creation does not expose existing liquidity.
Operational history Green 15 15 of 15
RD-F-089 red Insurance coverage active At $298.58M aggregate TVS, no meaningful protocol-level insurance exists. Nexus Mutual offers two limited covers: (1) Fraxlend Protocol Cover (added April 2024) for smart contract risk, oracle failure, and severe liquidation failure on Fraxlend specifically — cover capacity not specified in available sources, but Nexus covers are typically capped well below protocol TVL; (2) Frax frxUSD Depeg Cover (Product #318, added September 2, 2025) covering frxUSD depeg events ≥10% for 7+ consecutive days. Neither constitutes protocol-wide coverage at a scale meaningful relative to $298M TVS. No Immunefi-hosted or Sherlock cover program exists for the Frax stack. The protocol's own bug bounty ($10M theoretical max) is not insurance. Red: no active insurance coverage sufficient relative to TVS.
RD-F-088 yellow Re-deployed to new addresses in last year The Dec 2025 FraxEtherRedemptionQueueV2 allegation (gov.frax.finance thread #3818) suggests the contract at 0xfDC69e6BE352BD5644C438302DE4E311AAD5565b was behaviorally modified between Dec 5–16, 2025, without public announcement — consistent with a silent redeploy or upgrade. The North Star Upgrade (April 2025) involved system-level changes (FXS → FRAX rebrand, associated contract interactions) but not a formal address-set retirement+redeploy of core stablecoin contracts. Yellow: the RedemptionQueueV2 redeploy is alleged but unconfirmed by Frax; if code-security-analyst confirms the bytecode mismatch, this factor should be upgraded to red.
RD-F-166 yellow Deprecated contracts still holding value Multiple deprecated surfaces confirmed: (1) Frax V1 Pool contracts — explicitly marked 'deprecated in favor of FRAX V2 and later mechanisms' per docs.frax.finance/frax-v1-original/frax-pools; exact on-chain USD balance not confirmed within scope [?] but plausible residual user balances exist. (2) Legacy FXS Timelock (0x8412ebf45bAC1B340BbE8F318b928C466c4E39CA) — superseded by frxGov, admin = EOA; residual contract ownership unclear; governance-admin-analyst must verify. (3) Legacy FRAX stablecoin (now 'Legacy Frax Dollar') — NOT a paused/sunset contract but a co-existing legacy token with a migration path to frxUSD; not a deprecated contract holding trapped value in the hazardous sense. Yellow: confirmed deprecated contracts exist; exact residual value not confirmed from on-chain reads for V1 pools; no concentrated >$100K stuck exposure confirmed within scope.
RD-F-081 gray Post-exploit response score No on-chain contract exploit has occurred; there is no post-exploit response to score on the 1-5 curator scale. The DNS incident and X hack had prompt communications (Kazemian communicated within hours) but neither is a Cat 5 event. Gray is correct: the factor requires a prior exploit to assess.
RD-F-082 gray Post-mortem published within 30 days No contract exploit has occurred. No post-mortem was published for the DNS or X incidents. The governance forum thread #3818 for the Dec 2025 disclosure dispute was filed by the researcher, not Frax. Gray: factor requires a prior exploit.
RD-F-083 gray Auditor re-engaged after last exploit No prior contract exploit occurred; re-audit engagement after exploit cannot be assessed. Gray: factor requires a prior exploit.
RD-F-085 gray Incident response time (minutes) No Cat 5 contract incident exists for which on-chain response time can be measured. The DNS incident and X hack had prompt communications but are frontend/social events outside Cat 5 scope. The Dec 2025 disclosure denial was issued within hours — but this is a Cat 13 event, not a Cat 5 response.
RD-F-076 green Protocol age (days) Frax Finance stablecoin launched December 21, 2020 per profile §2 and DefiLlama daily series (first TVL entry 2020-12-17). Age at assessment: ~1,973 days (65 months). The protocol has operated through two bear markets, the Terra/LUNA collapse, the SVB/USDC crisis, and multiple DeFi exploit cycles without a contract-level exploit. Substantially exceeds any reasonable A-grade live-time threshold.
RD-F-077 green Prior exploit count Prior exploit count = 0. Proprietary hacks DB searched case-insensitively for frax, frxeth, frxusd, fraxlend, fraxswap, fraxtal — three file matches were all false positives (FRAX token received/held by attackers in TempleDAO and Fei-Rari exploits; not Frax protocol exploits). No rekt.news article describing a Frax contract exploit found. The three incidents in profile §10 (2023-11 DNS hijack, 2024-06 X account hack, 2025-12 RedemptionQueueV2 allegation) are frontend/social or disclosed-but-unconfirmed, none constituting an on-chain user-fund loss.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Exploit count = 0. Chronic flag (≥3 prior exploits) does not apply.
RD-F-079 green Same-root-cause repeat exploit No prior exploits; same-root-cause repeat pattern cannot apply. Exploit count = 0.
RD-F-080 green Days since last exploit No prior contract exploit; this factor cannot fire negatively. Protocol has never been exploited at contract level in 65 months of operation. Scored green: days since last exploit = infinity (no exploit).
RD-F-084 green TVL stability (CoV over 90d) 90-day CoV = 0.073 (7.3%) from data-cache (mean $294.3M, std $21.5M, window 2026-02-07 to 2026-05-12). A 7.3% CoV reflects moderate and predictable TVL variation driven by the ongoing FRAX-to-frxUSD migration contraction; it does not indicate crisis-level instability. CoV < 0.15 threshold for green is met.
RD-F-086 green Pause activations (trailing 12 months) No confirmed deliberate emergency pause of core Frax contracts found in the trailing 12 months (May 2025 – May 2026). The North Star Upgrade (April 30, 2025) was a planned governance-executed upgrade, not an emergency pause. No public governance forum posts or news reports document a pause event. Fraxlend isolated pair-level pauses are possible but no public record found.
RD-F-087 green Pause > 7 consecutive days No protocol-wide pause event > 7 consecutive days found in the last 12 months. Frax Finance core contracts (stablecoin AMO, frxETH, Fraxlend registry) have operated continuously with no recorded multi-day halt in public record. TVL data-cache shows continuous non-zero TVL with no stepwise drop consistent with a pause event.
Real-time signals Green 10 22 of 22
RD-F-105 yellow DNS/CDN/frontend hash drift T-09 phase-2 signal. Historical: Nov 2023 DNS hijack of frax.com and frax.finance via Name.com registrar-level compromise — resolved within ~24h, no funds lost. Post-incident domain security posture: no public confirmation of DNSSEC deployment, no certificate-transparency monitoring feed publicly documented, no hash-baseline for production JS bundles established. No current DNS/frontend drift detected via available public channels as of 2026-05-17. Yellow posture: prior exploited attack surface (registrar-level) confirmed; structural vulnerability persists without evidence of remediation. T-09 phase-2 signal (requires external monitoring stack for production). Current state: no-fire today per observable evidence, but the structural gap means the signal would not reliably alert if drift occurred.
RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation is an elevated threat surface for Frax Finance. Confirmed incidents: (1) 2024-06-01 X/Twitter @fraxfinance account hacked — CEO Sam Kazemian suspected insider involvement at X; account used to post content impersonating the team (account takeover, not DPRK). (2) Active fake GitHub Pages sites (financefrax.github.io, web-frax-finance.github.io) found in 2026-05-17 search results — confirmed active impersonation surfaces. (3) 2023-11 DNS hijack of frax.finance created a malicious clone site (frontend impersonation). Recurring impersonation pattern across multiple vectors (X, DNS, GitHub Pages). No acute spike event occurring in real-time today, but the confirmed historical pattern and active fake sites score yellow. This is a documented recurring threat surface.
RD-F-090 gray Mixer withdrawal → protocol interaction T-09 phase-2 signal requiring partner attribution feed (Chainalysis/TRM). FraxGovernorAlpha deployer (0x36bf2289) funded from slap.fraxdev.eth internal dev account with no Tornado Cash tags on Etherscan. Comptroller signer 0x6933BCC3 funded ~4 years ago from an exchange-pattern address, no mixer labels. No public attribution of recent mixer-funded wallets interacting with Frax core contracts found. Requires Chainalysis/TRM partner feed for definitive assessment.
RD-F-091 gray Partial-drain test transactions v2-deferred signal (not in T-09 v1 or phase-2 shortlist). TVL contraction (-5.12% over 30d) is gradual and consistent with organic FRAX supply migration to the fully-collateralized model, not a partial-drain test-transaction pattern. No small-value precursor drain events observed in publicly available data.
RD-F-092 gray Unusual mempool pattern from deployer wallet v2-deferred signal. FraxGovernorAlpha deployer (0x36bf2289) shows governance-related activity (FraxGovernor, FraxGuard, VeFxsVotingDelegation interactions) — no unusual mempool patterns detected in public data.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet v2-deferred signal. No flagged wallet with abnormal gas-price willingness targeting Frax protocol core contracts observed in publicly available data. Requires live mempool monitoring infrastructure.
RD-F-094 gray New contract with similar bytecode to exploit template v2-deferred signal. No new contract deployments with high bytecode similarity to known exploit templates targeting Frax core contracts reported in trailing 90d. Requires active on-chain new-deploy sweep infrastructure.
RD-F-095 gray Known-exploit function-selector replay v2-deferred signal. No known-exploit replay selectors targeting Frax contracts identified in public mempool/transaction data. Requires active mempool monitoring with selector-pattern matching against a known-exploit-template DB.
RD-F-096 gray New ERC-20 approval to unverified contract from whale v2-deferred signal (user-level scope, not protocol-level). Signal fires when a whale/top-TVL user grants approval to an unverified contract. Not assessed at protocol level — user-level monitoring not in scope for T-10 static assessment.
RD-F-097 gray Sybil surge of identical-pattern transactions v2-deferred signal. No sybil surge patterns on Frax core contracts identified in public data. Requires active on-chain clustering infrastructure.
RD-F-099 gray Oracle price deviation >X% from secondary T-09 phase-2 signal. Frax uses multiple Chainlink feeds (ETH/USD 0x5f4eC3Df, USDC/USD 0x8fFfFfd4, USDT/USD 0x3E7d1eAB, BTC/USD 0xF4030086, LINK/USD, COMP/USD, AVAX/USD, UNI/USD) and its own Frax Oracle system (Trail of Bits audit Oct 2023). No oracle deviation event publicly reported as of 2026-05-17. Real-time deviation comparison requires live feed infrastructure not available in T-10 static assessment.
RD-F-100 gray Flash loan >$10M targeting protocol tokens T-09 phase-2 signal. Applicable to Fraxlend isolated-pair markets, Fraxswap TWAMM pools, sfrxETH ERC-4626 vaults. No flash-loan-origination event targeting Frax protocol markets reported in publicly available data as of 2026-05-17. No corroboration with oracle deviation or governance proposal in the same block found. Requires per-block flash-loan scan infrastructure.
RD-F-102 gray Admin/upgrade transaction in mempool T-09 phase-2 signal. Frax Comptroller (0xB1748C79, 3/5 Safe) shows regular Exec Transaction operational activity routed through the declared governance path (Omega optimistic proposals or Alpha timelock 0x821794E6). OFT Adapter (0x566a6442) was upgraded Oct 2025 under normal protocol procedures. No unscheduled admin/upgrade mempool transaction detected outside governance flow. Requires mempool listener infrastructure for production monitoring.
RD-F-106 gray Cross-chain bridge unverified mint pattern v2-deferred signal. Applicable: frxUSD OFT Adapter, FraxFerry, Fraxtal OP Stack bridge all have active cross-chain surfaces. OFT Adapter shows 2,765 normal transactions consistent with standard cross-chain frxUSD transfers. Fraxtal OP Stack bridge uses a 7-day challenge period (L2→L1). No deposit-without-proof mint events found in public data trailing 90d. Requires cross-chain indexing infrastructure.
RD-F-107 gray Admin EOA signing from new geography/device v2-deferred signal. Off-chain signing telemetry (MPC/session-key geography fingerprinting) not publicly available. Cannot assess admin EOA geography/device fingerprint consistency without an off-chain data source.
RD-F-108 gray GitHub force-push to sensitive branch v2-deferred signal. FraxFinance GitHub org has 41 repos; frax-solidity last commit 2025-10-03. No public evidence of force-push on protected branches in trailing 30d. The Dec 2025 stealth-patch allegation involves deployed bytecode differing from Etherscan-verified source — a different pattern from a force-push on the repo (more relevant to Cat 9 RD-F-136/RD-F-138). Requires GitHub API monitoring with a per-protocol protected-branch list.
RD-F-110 gray Unusual pending/executed proposal ratio v2-deferred signal. Three most recent visible proposals (FIP-444, FIP-443, FIP-442) are routine strategy integrations from known delegates following standard governance cadence. No unusual ratio of pending vs. executed proposals detected from available forum data. Requires governance baseline monitoring infrastructure.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal. TVL $298.58M (2026-05-16). 30d baseline approximately $314.7M (implied from -5.12% change). 1d change -3.86%. No single-hour drop >30% from 30d baseline in available daily series. TVL CoV 0.073 over 90d indicates moderate volatility not spike pattern. Tier-A threshold (TVL_now / TVL_baseline_30d < 0.70 in 60-min window) not breached. TVL decline is gradual and consistent with FRAX supply contraction during fully-collateralized migration. Signal would not fire today.
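The two TVL checks in this section (the 90d CoV in F084 and the Tier-A intra-hour drop in F098) are simple enough to state as code. The block below is an added illustration, not defirisk.co tooling: the constants follow the rubric text (CoV < 0.15 for green; TVL_now / TVL_baseline_30d < 0.70 inside a 60-minute window), the reading of "in a 60-min window" as "the fall of at least 30% of baseline happened within the preceding hour, not as a slow bleed" is my interpretation, and every TVL series is constructed.

```python
"""Real-time TVL signal helpers for F084 (90d CoV) and F098 (Tier-A drop).
Added illustration, not defirisk.co tooling.  Thresholds follow the rubric
text; the interpretation of the 60-minute window and all sample series below
are constructed for this example."""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

COV_GREEN_MAX = 0.15      # F084: CoV below this scores green
DROP_RATIO = 0.70         # F098: TVL_now / TVL_baseline_30d below this can fire
DROP_WINDOW_MIN = 60      # F098: the fall must have happened inside this window

Sample = Tuple[int, float]  # (minutes since series start, TVL in $M)


def coefficient_of_variation(series: List[float]) -> float:
    """Population std-dev over mean (the form that gives 21.5 / 294.3 = 0.073)."""
    if len(series) < 2:
        raise ValueError("need at least two observations")
    m = mean(series)
    if m <= 0:
        raise ValueError("TVL mean must be positive")
    return pstdev(series) / m


def cov_is_green(series: List[float]) -> bool:
    return coefficient_of_variation(series) < COV_GREEN_MAX


def tvl_drop_signal(samples: List[Sample], baseline_30d: float) -> Optional[int]:
    """Return the timestamp (minutes) at which the Tier-A signal fires, else None.

    Fires at the first sample whose TVL/baseline ratio is below DROP_RATIO AND
    where some sample in the preceding DROP_WINDOW_MIN minutes was higher by at
    least (1 - DROP_RATIO) * baseline.  A gradual decline that crosses 0.70
    over days therefore does not fire; a >30%-of-baseline fall within an hour does.
    `samples` must be sorted by timestamp."""
    for i, (t, tvl) in enumerate(samples):
        if tvl / baseline_30d >= DROP_RATIO:
            continue
        window = [prev for (pt, prev) in samples[:i] if t - pt <= DROP_WINDOW_MIN]
        if any((prev - tvl) / baseline_30d >= 1 - DROP_RATIO for prev in window):
            return t
    return None


# Constructed series (values in $M).  BASELINE_30D mirrors the ~$314.7M implied
# by the page's -5.12% 30d change; the sample points themselves are invented.
BASELINE_30D = 314.7
DAILY_SERIES: List[Sample] = [(0, 310.0), (1440, 305.0), (2880, 298.58)]
CRASH_SERIES: List[Sample] = [(0, 300.0), (30, 295.0), (45, 190.0), (60, 185.0)]
SLOW_BLEED: List[Sample] = [(0, 230.0), (60, 225.0), (120, 220.0), (180, 215.0), (240, 210.0)]


if __name__ == "__main__":
    print("CoV of [290, 300, 310]:", round(coefficient_of_variation([290.0, 300.0, 310.0]), 4))
    for name, s in (("daily", DAILY_SERIES), ("crash", CRASH_SERIES), ("slow bleed", SLOW_BLEED)):
        print(name, "->", tvl_drop_signal(s, BASELINE_30D))
```

Note that SLOW_BLEED does cross the 0.70 ratio (220 / 314.7 is just under it) yet does not fire, which is the behaviour the rubric wants: the migration-driven contraction described in F063 should stay silent while an intra-hour drain is caught.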
RD-F-101 green Large governance proposal queued T-09 v1 launch signal. FraxGovernorAlpha (0xe8Ab863) and FraxGovernorOmega (0x953791D) are active on-chain governors. Most recent proposals (FIP-444 Apr 2026: sGHO/USCC strategies by nader.frax; FIP-443 Mar 2026: Aave v4/Morpho by nader.frax; FIP-442 Mar 2026: crvUSD exit by Mockingbird) are routine strategy integrations by established long-tenured delegates. No calldata with admin-role-change selectors, no new-wallet proposers (<30d old), no flash-loanable quorum achievable (veFXS is time-locked checkpoint-based, not spot-balance). Tier-B pattern-match not triggered. Signal would not fire today.
RD-F-103 green Bridge signer-set change proposed/executed T-09 v1 launch signal. has_bridge_surface=true: frxUSD LayerZero OFT Adapter (0x566a6442), FraxFerry, Fraxtal OP Stack bridge. OFT Adapter implementation upgraded Oct 2025 under apparent scheduled maintenance (ProxyAdmin 0x0990be6d controls upgrade path; 3+ prior upgrades). No unscheduled signer-set change events on FraxFerry or OFT Adapter found in publicly available data trailing 90d. FraxFerry Captain/Crewmember/First Officer model — no rotation announcement in recent governance proposals. Tier-A threshold (unscheduled change without governance pre-announcement) not observed. Signal would not fire today.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue T-09 v1 launch signal. frxUSD is protocol's own stablecoin (primary depeg surface); FRAX legacy also in scope. frxUSD launched Jan 2025, backed by BlackRock BUIDL at >100% CR per FIP-419. No public frxUSD depeg event found as of 2026-05-17. Legacy FRAX v1 supply winding down under v3 migration. No >2% deviation on ≥2 venues sustained ≥30 min reported. Tier-B threshold not breached. Signal would not fire today. Note: Frax IS a stablecoin issuer, so this signal is self-applicable — frxUSD depeg would be a Cat 6B fire for its own protocol.
RD-F-182 green Security-Council threshold reduction (RT) Batch-24 Cat 6B signal (T-09 v1.1 candidate). Applicable: FraxGovernorOmega (0x953791D) controls Frax Comptroller multisig (0xB1748C79, 3/5) via FraxGuard (0xed53eb15); FraxGovernorAlpha (0xe8Ab863) controls governance parameters. Architectural protection: FraxGuard design means Omega cannot change Safe configurations or its own governance parameters — only Alpha (high-quorum, long-delay governor) can do this. Comptroller current configuration: threshold 3, owner_count 5 (per data-cache safe_multisigs[0]). No ChangedThreshold, AddedOwner, or RemovedOwner events on the Comptroller Safe found in recent Etherscan data. No timelock removal or new-signer addition within 14 days of any threshold change detected. Drift Protocol-class SC threshold reduction pattern (3/5 to 2/5 + timelock removal) not observed. Signal would not fire today.
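The F182 check above (threshold reduction on the Comptroller Safe, escalated when coupled with a new-signer addition or timelock removal within 14 days) can be expressed as a replay over the Safe's owner-management events. The following Python is an added illustration, not defirisk.co tooling and not Frax code: ChangedThreshold, AddedOwner and RemovedOwner are the event names the Safe OwnerManager contract emits, while TimelockRemoved is a placeholder for a governance-level change that would have to come from a different log, and every log entry is constructed (the 3/5 starting configuration matches the page; the signer addresses are placeholders).

```python
"""Safe threshold-drift replay for the F182 signal.
Added illustration, not defirisk.co tooling.  ChangedThreshold/AddedOwner/
RemovedOwner are Safe OwnerManager event names; 'TimelockRemoved' is a
placeholder for a governance-level event; all log entries are constructed."""
from datetime import date, timedelta
from typing import Dict, List

COUPLING_WINDOW = timedelta(days=14)  # F182: coupled change within 14 days escalates


def audit_safe_events(threshold: int, owners: int, events: List[Dict]) -> List[Dict]:
    """Replay an ordered event log against a known starting configuration.

    A threshold reduction on its own is reported as WARN; a reduction within
    COUPLING_WINDOW of a new-signer addition or a timelock removal is CRITICAL
    (the Drift-Protocol-class pattern the rubric names).  Signer rotation with
    the threshold unchanged produces no finding."""
    reductions, couplings, findings = [], [], []
    for ev in events:
        day = date.fromisoformat(ev["date"])
        kind = ev["event"]
        if kind == "ChangedThreshold":
            new = ev["threshold"]
            if new < threshold:
                reductions.append((day, f"threshold {threshold}/{owners} -> {new}/{owners}"))
            threshold = new
        elif kind == "AddedOwner":
            owners += 1
            couplings.append((day, f"new signer {ev['owner']}"))
        elif kind == "RemovedOwner":
            owners -= 1
            if threshold > owners:  # Safe enforces threshold <= owners; flag inconsistent logs
                findings.append({"severity": "ERROR", "date": day.isoformat(),
                                 "detail": f"threshold {threshold} exceeds owner count {owners}"})
        elif kind == "TimelockRemoved":
            couplings.append((day, "timelock removed"))
        # ExecutionSuccess and other routine events carry no configuration change.
    for day, what in reductions:
        near = [c for c in couplings if abs(c[0] - day) <= COUPLING_WINDOW]
        severity = "CRITICAL" if near else "WARN"
        detail = what + (": coupled with " + "; ".join(c[1] for c in near) if near else "")
        findings.append({"severity": severity, "date": day.isoformat(), "detail": detail})
    return findings


# Constructed logs.  Starting state 3/5 mirrors the Comptroller configuration
# on the page; addresses are placeholders, not real signers.
ROUTINE_LOG = [
    {"date": "2026-04-02", "event": "ExecutionSuccess"},
    {"date": "2026-04-20", "event": "ExecutionSuccess"},
    {"date": "2026-05-01", "event": "RemovedOwner", "owner": "0xOLD_SIGNER_PLACEHOLDER"},
    {"date": "2026-05-01", "event": "AddedOwner", "owner": "0xNEW_SIGNER_PLACEHOLDER"},
]
DRIFT_LOG = [
    {"date": "2026-03-01", "event": "ChangedThreshold", "threshold": 2},
    {"date": "2026-03-05", "event": "TimelockRemoved"},
    {"date": "2026-03-06", "event": "ExecutionSuccess"},
]


if __name__ == "__main__":
    print("routine:", audit_safe_events(3, 5, ROUTINE_LOG))
    print("drift:  ", audit_safe_events(3, 5, DRIFT_LOG))
```

In production the event list would be the decoded logs of the Safe at 0xB1748C79 plus the governance-side timelock events, and the starting configuration would be read from the Safe rather than hard-coded.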
Dev identity & insider risk Green 5 16 of 16
RD-F-113 yellow Team other-protocol involvement history No prior rug or exit-scam affiliations. However, Sam Kazemian announced in Aug 2025 that he is joining Stable (Tether-backed L1) as CTO while remaining Frax CEO. This dual role creates a key-person divided-attention risk for Frax. Travis Moore and Jason Huan have transitioned to advisory roles with current operations led by Forselius/Vethanayagam/Rodriguez. Leadership transition from the founding team to newer operators is a mild risk signal, but no adverse protocol involvement history identified for any team member.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion STAR CRITICAL. Dec 2025 stealth-patch event on FraxEtherRedemptionQueueV2 (0xfDC69e6BE352BD5644C438302DE4E311AAD5565b): (1) External researcher reported DoS vulnerability Dec 5 2025; (2) Frax security team denied the bug same day; (3) Contract was patched with CannotRedeemZero() revert between Dec 5-16 with no GitHub issue, PR, governance post, or public discussion; (4) Frax team denied making changes even after the fix was live; (5) Reporter opened governance forum thread #3818 on Dec 17 - team-initiated discussion absent. This is a substantiated case of a deployed code change without any preceding public discussion, matching the F123 literal definition. Yellow rather than red because: the change was a security patch, not an ACL/admin-role change; no funds were drained; and the insider-implant threat model (the red-signal archetype) is absent - this is a transparency failure, not a compromised-insider ACL insertion.
RD-F-116 gray Contributor tenure at admin-permissioned PR GitHub org shows only 2 publicly visible members (@0xJM and @samkazemian). Individual contributor tenure for admin-permissioned code changes is not determinable via public GitHub data alone - private/team membership details not accessible. The frxGov Deployer has been operating since July 2023 (long-tenured). Last public commit on frax-solidity was 2025-10-03 per data cache, but individual commit-author data for admin-permissioned changes was not retrieved. Requires curator access to GitHub repo contributor history or team membership.
RD-F-184 gray Real-capital social-engineering persona No evidence of any team contributor or external integrator deploying real capital (>=1M USD) to build credibility ahead of a social-engineering attack on Frax Finance. The Jun 2024 X account hack was attributed by Kazemian to an insider at X Corp (not a DeFi social-engineer using capital credibility). No 6-month+ credibility-building campaign with large deployed positions found via OSINT. This is an M-only curator-flagged factor (P1) requiring verified attribution confidence beyond the on-chain trail. Drift Protocol comparator: F184 requires a documented UNC4736-class capital-build campaign - no analogous evidence found for Frax.
RD-F-111 green Team doxx status Core team is real-name doxxed. Sam Kazemian: Wikipedia entry, Forbes 30 Under 30 2023, UCLA public alumnus, multiple on-camera conference appearances, co-founder Everipedia. Travis Moore: LinkedIn, IQ.wiki profile, Italian citizenship public record, UCLA biochemistry/neuroscience graduate. Jason Huan: LinkedIn, UCLA Blockchain Organization co-founder. All three founders meet the real-name threshold. Current operating leadership (Forselius, Vethanayagam, Rodriguez) has less public depth but is publicly named in press releases.
RD-F-112 green Team public accountability surface Kazemian has 5+ verifiable public trails: Wikipedia, Forbes 30U30 2023, Bankless/Blockworks podcast appearances (video-on), Everipedia co-founder track record, UCLA alumni spotlight. Travis Moore has LinkedIn with history, IQ.wiki, conference presence, Everipedia tenure. Jason Huan has LinkedIn, UCLA Blockchain Organization documented co-founding. The founding team exceeds the threshold of 3 independent verifiable trails per member.
RD-F-114 green Deployer address prior on-chain history Deployer 1 (0xa448833bece66fd8803ac0c390936c79b5fd6edf) has extensive documented protocol contract deployment history spanning 2020 to present (FraxUnifiedFarm, staking contracts, etc.) fully consistent with normal-dev-history. frxGov Deployer (0x36bf2289deb0bab8382648fcae56ae66d5a1d3fe) deployed governance infrastructure in 2023. Deployer 6 (0x5180db0237291a6449dda9ed33ad90a38787621c, ENS: fraxcustodian.eth) deployed LST-related contracts. No linked-to-prior-rug history on any deployer address.
RD-F-115 green Prior rug/exit-scam affiliation Web search for 'Frax Finance exit scam rug pull fraud Sam Kazemian Travis Moore' returns zero credible results. Everipedia (prior project by the same founders) is a legitimately operating protocol (IQ.wiki still live). Kazemian's clarification on Iron Finance (2021) establishes that Iron Finance removed safety features he had implemented - this is not a Frax rug. No prior rug or exit-scam label attached to any team member via OSINT.
RD-F-117 green ENS/NameStone identity bound to deployer Multiple ENS identities bound to deployer-chain addresses. Deployer 6 (0x5180db02...): ENS fraxcustodian.eth. frxGov deployer funded by slap.fraxdev.eth (internal frax dev subdomain). Protocol Snapshot governance uses frax.eth. Multiple fraxdev.eth subdomains are used across the deployer infrastructure. No confirmed on-chain sam.eth -> Deployer 1 resolution found, but the fraxdev.eth subdomain infrastructure provides sufficient ENS identity binding across the deployer chain.
RD-F-118 green Handle reuse across failed/rugged projects No cross-project handle reuse found across failed or rugged projects. Sam Kazemian (@samkazemian on X/GitHub) has consistently used the same handles associated only with Frax Finance and Everipedia/IQ.wiki - both legitimate ongoing projects. Travis Moore similarly has consistent handle history. No evidence of handles previously associated with exit-scammed or rugged protocols under different aliases.
RD-F-119 green Commit timezone consistent with stated geography Team is publicly US-based (Los Angeles / California). Kazemian biography confirms Tehran-born, LA-raised, UCLA graduate, based in California. Travis Moore is from Thousand Oaks, CA. Jason Huan is UCLA-based. No commit-timezone anomaly flag found in public sources. Commit distribution not independently verified via GitHub API in this session (requires github API call), but no public reports of timezone inconsistency flag. Green by inference from stated geography alignment with extensive public record.
RD-F-120 green Video-off/voice-consistency flag Sam Kazemian has numerous on-camera interviews with video enabled - Bankless podcast, Blockworks conference appearances, Twitter Spaces with video. Face visible, voice consistent across multi-year appearances. No video-off patterns or voice/timezone inconsistency flags found in any public interview record. Travis Moore has also appeared in interviews. No curator flags of the type that triggered concern in DPRK-implant cases.
RD-F-121 green Contributor OSINT depth score Kazemian scores 5/5: Wikipedia, Forbes 30U30, multiple conference talks with video, LinkedIn verifiable career, prior employer (Everipedia) documented. Moore scores 4/5: LinkedIn with history, IQ.wiki, conference presence, Everipedia CTO documented. Huan scores 3/5: LinkedIn, UCLA org co-founder documented. Average across founding team approximately 4/5. Current leadership (Forselius) scores 2-3/5 - publicly named in multiple press releases and associated with Everipedia founding. Overall team OSINT depth is high for a DeFi protocol.
RD-F-122 green Contributor paid to DPRK-cluster wallet No DPRK/Lazarus cluster proximity found for any contributor payment wallet. Web search 'Frax Finance Lazarus cluster OFAC sanctions DPRK developer implant 2024 2025' returns no Frax-specific results. OFAC SDN list returns no Frax Finance or team member names. The protocol's deployer chain traces through internal fraxdev.eth domain addresses and established CEX-funded wallets, with no hop to any known sanctioned address.
RD-F-124 green Deployer wallet mixer-funded within 30 days STAR CRITICAL. No mixer funding within 30 days of any relevant deployment. Deployer 1 (0xa448833...) funded by abeetoken.eth approximately April 2020; FRAX/FXS tokens deployed December 2020 - gap of 8+ months, and no mixer label on abeetoken.eth in Etherscan public labels or web search. frxGov Deployer funded by slap.fraxdev.eth on 2023-07-31 (internal fraxdev.eth subdomain; not a mixer). Deployer 6 funded by internal Deployer 3 chain 5 years ago. FraxEtherRedemptionQueueV2 deployer (0x625e700...) funded by Deployer 6. No mixer interaction at any hop within the 30-day window for any deployment event.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus STAR CRITICAL. No DPRK/Lazarus cluster proximity within 3 hops for any deployer or signer wallet. Team is doxxed US-adjacent individuals (Kazemian: Iranian-American, UCLA, LA-based; Moore: Italian-American, LA-based; Huan: UCLA-based). Two parallel DPRK web searches ('Sam Kazemian Frax Finance DPRK OR Lazarus OR North Korea'; 'Frax Finance Lazarus cluster OFAC sanctions DPRK developer implant') returned zero protocol-specific results. No OFAC SDN entry for any team member or address. No RD-F-125 red trigger - no rubric discretionary downgrade to F applies.
Fork / dependency lineage Green 11 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions Data cache confirms OZ contracts version 5.0.1 is used. The frax-solidity foundry.toml (solc 0.8.19, viaIR=true, 100k runs) does not carry an OZ version string, and the .gitmodules file returned 404. Note that in a Foundry project the pinned commit of a lib/ submodule is recorded as a gitlink entry in the repository tree (visible with git ls-tree HEAD lib/), not in foundry.toml or .gitmodules, so the missing .gitmodules does not settle whether OZ 5.0.1 is pinned to a commit SHA (more secure) or tracked as a floating version tag. The frax-oft-upgradeable repo uses solc 0.8.22, 200 runs; OZ dependency pinning was not independently verified there either. Yellow: the version tag is specific (5.0.1) but commit-SHA pinning status is unconfirmed.
RD-F-126 n/a Is-a-fork-of Frax Finance is an original protocol. FRAX/frxUSD stablecoin, frxETH/sfrxETH LST, Fraxlend isolated-pair lending, Fraxswap TWAMM DEX, and Fraxtal OP Stack L2 are all independently designed. No upstream fork relationship. Trail of Bits 2021 audit treats it as original. GitHub history shows original development from 2020. Fraxswap is based on the Paradigm/Dave White TWAMM whitepaper but is an original implementation, not a fork of any upstream protocol codebase.
RD-F-127 n/a Upstream patch not merged No upstream fork protocol. Frax is an original codebase. Upstream patch propagation risk does not apply.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream protocol to disclose a vulnerability affecting this fork. Frax is an original design.
RD-F-129 n/a Code divergence from upstream (%) No upstream fork protocol to compare divergence against. The factor measures code divergence from an upstream; not applicable to original protocols.
RD-F-130 n/a Fork depth (generations from original audit) Fork depth = 0 (not a fork). Frax is an original protocol. This factor is structurally not applicable.
RD-F-131 n/a Fork retains upstream audit coverage No upstream audit coverage to retain or verify. Frax has its own substantial audit history (Cat 1). The fork-retains-upstream-audit pattern is structurally inapplicable.
RD-F-132 n/a Fork has different economic parameters than upstream Fraxlend's economic parameters (LTV, fees, interest models) are original Frax design choices, not deviations from an upstream forked audit. No upstream audit-gap scenario applies.
RD-F-134 green Dependency had malicious-release incident (last 90d) No known malicious release incident in trailing 90 days affecting OZ 5.x, LayerZero OApp standard, or other direct Frax dependencies. OpenZeppelin security center checked — no active advisory for OZ 5.0.1. No npm/PyPI malicious-release incident found for these packages.
RD-F-135 green Shared-library version with known-vuln status OZ contracts 5.0.1: no active CVE or GHSA advisory found. The Bytes.lastIndexOf OOB bug (Jul 2025, OZ 5.x new utility library) and the Base64 dirty-memory bug (Feb 2024, OZ 4.x) are not applicable to core Frax contract surfaces (stablecoin, lending, LST and governance do not use these specific library functions). LayerZero OApp standard: no known CVE found. Green, with the caveat that this rests on disclosed advisories only; an undisclosed vulnerability cannot be excluded.
Post-deploy hygiene & change mgmt Yellow 31 13 of 13
RD-F-139 red Post-audit code changes without re-audit CRITICAL: two post-audit changes without documented re-audit, one alleged and one confirmed. (1) FraxEtherRedemptionQueueV2 (0xfDC69e6BE), alleged: on Dec 5, 2025 a researcher reported the CannotRedeemZero DoS vector; the Frax team denied the bug; the researcher then observed the deployed contract rejecting zero-amount tickets, i.e. exhibiting the proposed fix, and claims the Etherscan-verified source at the time lacked that check. No governance announcement, no re-audit and no bounty followed. The source/bytecode discrepancy rests on the researcher's account and was not independently confirmed in this assessment (see F136, F145, F177). (2) frxUSD, confirmed: launched Jan 2025 with no frxUSD-targeted audit in the public audit list; the nearest applicable audit (Trail of Bits Oct 2023) covers FXB/sFRAX/frxETH Redemption Queue V1, not frxUSD. The April 2, 2026 frxUSD upgrade also lacks a confirmed re-audit.
RD-F-136 yellow Deployed bytecode matches signed release tag frxGov contracts were audited against their GitHub repo by Trail of Bits (2023-07 audit), so their bytecode likely matches the audited commit. FraxEtherRedemptionQueueV2 shows Source Code Verified, Exact Match on Etherscan, but the Dec 2025 stealth-patch allegation claims deployed behaviour differs from the verified source (zero-amount rejection present in bytecode, absent in source). No signed release-tag commit found for frxUSD. Partial coverage confirmed; discrepancy alleged for the frxETH redemption queue.
RD-F-137 yellow Upgrade frequency (per 90 days) frxUSD proxy upgraded April 2, 2026 (43 days before assessment date). Fraxtal North Star hardfork in 2025. OFT adapters across 25+ chains use ProxyAdmin; upgrade frequency unknown. At least one proxy upgrade in the last 90 days (frxUSD, April 2, 2026). frxGov contracts are immutable logic contracts (no upgrade events). Rate is non-zero and material.
RD-F-138 yellow Hot-patch deploys without timelock (last 30 days) frxUSD has no timelock on admin actions (LlamaRisk confirmed). The April 2, 2026 upgrade was executed without a mandatory timelock delay; a direct multisig execution path is available. Whether this specific upgrade was routed through Omega (2-day veto window) or executed directly by the multisig is unconfirmed. At minimum, no mandatory timelock delay exists on frxUSD upgrades.
RD-F-142 yellow Storage-layout collision risk across upgrades frxUSD uses TransparentUpgradeableProxy and was upgraded April 2, 2026. No OZ upgrades-plugin storage-layout collision check report found publicly. frx-OFT-upgradeable uses ProxyAdmin across 25+ chains; storage layout compatibility not confirmed. Storage layout collision risk present but unquantified.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) frxUSD implementation (0x0000000048d2c8baf31742f6765383278bada4d5): Etherscan source shows a bare constructor() {} with no _disableInitializers() call, so the implementation contract itself can be initialized directly, bypassing the proxy. Initializing the implementation does not touch proxy storage; the practical impact is bounded by what the implementation's own privileged functions allow to whoever initializes it (for example any delegatecall or selfdestruct path reachable as owner), which was not assessed here. sfrxETH 0xac3E0184 is immutable (not a proxy), so no reinit risk. FRAX token is immutable. frx-OFT-upgradeable implementations: _disableInitializers() status unconfirmed. Primary risk surface is the frxUSD implementation.
RD-F-145 yellow Deployed bytecode reproducibility Trail of Bits frxGov audit 2023-07 provided bytecode-level coverage for governance contracts. frxUSD: no public build artifact or reproducibility confirmation. FraxEtherRedemptionQueueV2: the Dec 2025 allegation raises a reproducibility concern; if deployed behaviour differs from the verified source, some change is not reproducible from the published source code.
RD-F-146 yellow New contract deploys in last 30 days frxUSD proxy upgrade on April 2, 2026 (43 days before assessment date, just outside the last 30 days). Fraxtal L2 and OFT adapters across 25+ chains have ongoing deployments. At least one new implementation deploy within the last 45 days. The Fraxtal L2 North Star hardfork in 2025 introduced new system contracts.
RD-F-168 yellow Stale-approval exposure on deprecated router Frax has deprecated the Fraxswap V1 Router (0x1c6ca5dee) and the Multihop V2 Router (0x25e9aca5). Legacy AMO contracts (dozens) may have user approvals outstanding from 2021-2023. No active allowance scan conducted. No documented user-approval revoke guidance for the migration from FRAX v1 to v3 was found publicly. Stale approvals to deprecated routers represent an ongoing hygiene risk.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant Fraxtal L2 is an OP Stack rollup: the sequencer has an emergency-stop capability controllable by the Frax team. The FraxFerry bridge has a permissioned operator-controlled pause. No per-window outflow rate-limiter is documented for the frxUSD LayerZero OFT adapter. Chain-pause exists for Fraxtal L2 but not for Ethereum mainnet frxUSD operations. Partial positive mitigant: bridge pause capability present, but no rate-limiter on the primary OFT surface.
RD-F-140 green Fix-merged-but-not-deployed gap No confirmed instance of a merged fix not deployed. The opposite direction is the concern (F139): deployed changes not in verified source. No public reports of a PR-merged-but-not-deployed-to-production gap found.
RD-F-141 green Test-mode parameters in deploy No evidence of test-mode parameters in production contracts. frxGov contracts use production parameters (verified by Trail of Bits frxGov audit 2023-07). veFXS and Comptroller multisig are production-configured. No test oracle, infinite allowance, or dev-flag found in verified source code.
RD-F-144 green CREATE2 factory permits same-address redeploy No evidence of CREATE2 factory deployment used by Frax governance contracts. FraxGovernorAlpha and Omega deployed via standard deployment. No CREATE2 redeploy pattern identified in protocol contracts.
Cross-chain & bridge Yellow 42 12 of 12
RD-F-148 red Bridge validator count (M) Applies to FraxFerry and the Fraxtal OP Stack bridge (non-LZ bridges; F179 covers LZ). Fraxtal: single whitelisted proposer (EOA); validator count effectively 1 per L2BEAT ('projects without a proper proof system fully rely on single entities to safely update the state'). FraxFerry: 3 named roles (Captain, Crew, First Officer) controlled by the Frax team, not an independent validator set. No evidence of ≥7 independent validators for either non-LZ bridge surface. Red based on the Fraxtal single proposer and the FraxFerry team-controlled role structure.
RD-F-149 red Bridge validator threshold (k-of-M) Fraxtal: single whitelisted proposer EOA, no k-of-M threshold (effectively 1-of-1). FraxFerry: veto-based model (any crew member can dispute the Captain's batch; not a signing threshold), so not a k-of-M signing scheme; security relies on at least one crew member being online and non-colluding. Neither bridge meets the green criterion (threshold >= ceil(M/2)+1) or yellow (threshold >= ceil(M/3)). Red for both non-LZ bridges due to effective 1-of-1 proposer control.
RD-F-156 red Bridge uses same key custody for >30% validators FraxFerry: all three bridge roles (Captain, Crew, First Officer) are Frax-team-controlled, i.e. 100% same custodian (far exceeding the >30% threshold). Fraxtal: single proposer EOA and single sequencer EOA, both controlled by the Frax team, same custodian. LayerZero OFT bridge: multiple independent DVN operators (Horizen, Blockdaemon-Animoca, Polyhedra, LZ Labs, Frax DVN), distributed custody. Scoring is against the highest-risk bridge surface (FraxFerry and Fraxtal both exceed the >30% single-custodian threshold), so red. The frxUSD LZ OFT path has better custody distribution but does not override the centralized control of FraxFerry and Fraxtal.
RD-F-150 yellow Bridge validator co-hosting Fraxtal: single proposer EOA and single sequencer EOA, both controlled by the Frax team (co-hosting trivially true for a single entity). FraxFerry: Captain/Crew/First Officer all controlled by the Frax team. LayerZero DVN: multiple independent operators (Horizen, Frax DVN, LZ Labs, Blockdaemon-Animoca, Polyhedra), not co-hosted per available information. Yellow because FraxFerry and Fraxtal have 100% single-entity control (effective co-hosting), while the LayerZero OFT path (which carries frxUSD) uses independent DVN operators.
RD-F-151 yellow Bridge ecrecover checks result ≠ address(0) [★ bridge] FraxFerry uses a batch-hash model: the Captain proposes a batch hash, the Crew validates, the First Officer executes. No per-message ecrecover signature is used in the FraxFerry path; transactions are validated by hash comparison, not individual ecrecover calls. The Fraxtal OP Stack bridge inherits standard OP Stack dispute-game mechanics (not ecrecover-based validator signatures). LayerZero OFT uses DVN attestation (not ecrecover per message). The ecrecover zero-address failure pattern is structurally not applicable to the primary bridge surfaces. Yellow rather than green because FraxFerry source and bytecode were not independently verified in this assessment (ToB 2022-11 audit PDF not extractable; batch-hash model confirmed only from docs).
RD-F-154 yellow Default bytes32(0) acceptable as valid root [★ bridge] FraxFerry uses transaction-hash batch validation, not a Merkle-root acceptance model, so the Nomad-class bytes32(0) zero-root acceptance pattern is structurally not applicable (no Merkle root). The Fraxtal OP Stack dispute game uses Merkle roots for state transitions; the standard OP Stack implementation explicitly rejects zero roots in the dispute-game resolution logic. LayerZero OFT uses DVN message packet hashes, not Merkle roots. No zero-root acceptance path identified across any of the three bridge surfaces. Yellow rather than green because Fraxtal has no working fraud-proof system (state roots are submitted by a single whitelisted proposer with no functioning challenge mechanism, per L2BEAT), so even a correctly rejecting zero-root check provides limited protection when the entire state-root validation is centralized.
RD-F-157 yellow Bridge TVL per validator ratio Fraxtal bridge: TVL ~$5.95M / 1 proposer = $5.95M per validator (below the $50M green threshold, but effectively unlimited risk because a single proposer can finalize any state root). FraxFerry: explicitly capped by contract liquidity (design safety per docs: 'risk is capped by token amounts in bridge contracts'). LayerZero OFT: ~$298M total TVL; 4+ independent DVN operators required = ~$75M per DVN (within the yellow $50M-$200M range). Scoring yellow for the highest-risk non-LZ surfaces: the Fraxtal single proposer means TVL per validator is $5.95M by ratio but functionally unlimited trust in one actor.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) LayerZero OFT adapter 0x566a6442A5A6e9895B9dCA97cC7879D632c6e4B0. The data-cache pipeline reported dvn_addresses:[] and dvn_threshold:null (pipeline present=false). Secondary evidence from Frax biweekly updates confirms the required DVNs include LayerZero Labs DVN, Blockdaemon-Animoca, Horizen Labs, and Polyhedra (4 required DVNs), with optionalDVNThreshold set to 0. This is a multi-DVN required configuration, not a 1/1 setup (KelpDAO-class risk does not apply). 4 independent required DVNs, all required for message delivery, satisfies the green structural criterion (>=3 independent DVNs, threshold>=2). Yellow rather than green because: (1) the on-chain DVN config was not directly verified via a getConfig() call (the pipeline returned empty); (2) the exact mainnet threshold versus testnet threshold is not confirmed; (3) the 'Frax DVN' operator's independence from the Frax Finance team is not confirmed (it may not be fully independent). Orchestrator should flag for on-chain verification before grade lock.
RD-F-155 gray Bridge validator-set rotation recency FraxFerry: Captain/Crew/First Officer roles are Frax-team-controlled; no public validator-set rotation event log accessible. Fraxtal: no distributed validator set, single EOA proposer, no rotation mechanism. LayerZero DVN: Frax DVN deployed for mainnet per biweekly updates, but DVN operator rotation events are not tracked in publicly accessible event logs. Cannot confirm rotation recency without an on-chain event query.
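F179 leaves the DVN configuration unread on-chain. The numbers the factor scores live in the UlnConfig struct that EndpointV2.getConfig(oapp, lib, eid, configType) returns ABI-encoded inside a bytes value, for the OApp's send library and the destination endpoint id. Below is an added Python example (not Frax's or LayerZero's code) that decodes that return value and applies the thresholds used above. The encoded blob, the DVN addresses and the operator labels are constructed for the example; in practice the blob comes from an eth_call with configType 2 (ULN). A config whose declared DVN count disagrees with its array length, which is what an empty dvn_addresses result would look like, is rejected rather than graded.

```python
"""Added example: decode the UlnConfig that EndpointV2.getConfig(oapp, lib, eid, 2)
returns as ABI-encoded bytes and grade it with the F179 thresholds.  Addresses,
operator labels and the encoded blob are constructed here.

struct UlnConfig { uint64 confirmations; uint8 requiredDVNCount; uint8 optionalDVNCount;
                   uint8 optionalDVNThreshold; address[] requiredDVNs; address[] optionalDVNs; }
"""
CONFIG_TYPE_ULN = 2
NIL_DVN_COUNT = 0xFF          # LayerZero sentinel: "no custom value, use the default"
MAX_DVNS = 64                 # sanity bound; a misaligned offset would otherwise read garbage


def _word(v: int) -> bytes:
    return v.to_bytes(32, "big")


def _u(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 32], "big")


def encode_getconfig_return(confirmations, required, optional, optional_threshold) -> bytes:
    """What eth_call returns: a `bytes` wrapper around abi.encode(UlnConfig).
    Used only to build the constructed sample."""
    def arr(addrs):
        return _word(len(addrs)) + b"".join(_word(int(a, 16)) for a in addrs)
    req, opt = arr(required), arr(optional)
    head = (_word(confirmations) + _word(len(required)) + _word(len(optional))
            + _word(optional_threshold) + _word(6 * 32) + _word(6 * 32 + len(req)))
    tup = _word(0x20) + head + req + opt          # dynamic tuple: offset word, then body
    return _word(0x20) + _word(len(tup)) + tup    # `bytes`: offset word, length, payload


def decode_uln_config(ret: bytes) -> dict:
    """Decode the getConfig return value into a dict; raises on malformed data."""
    payload_off = _u(ret, 0)
    payload = ret[payload_off + 32: payload_off + 32 + _u(ret, payload_off)]
    tup = payload[_u(payload, 0):]                # skip the tuple's own offset word

    def addrs(off):
        n = _u(tup, off)
        if n > MAX_DVNS:
            raise ValueError("implausible DVN array length %d: misaligned decode" % n)
        return ["0x%040x" % _u(tup, off + 32 + 32 * i) for i in range(n)]
    cfg = {
        "confirmations": _u(tup, 0),
        "requiredDVNCount": _u(tup, 32),
        "optionalDVNCount": _u(tup, 64),
        "optionalDVNThreshold": _u(tup, 96),
        "requiredDVNs": addrs(_u(tup, 128)),
        "optionalDVNs": addrs(_u(tup, 160)),
    }
    for count, key in (("requiredDVNCount", "requiredDVNs"), ("optionalDVNCount", "optionalDVNs")):
        if cfg[count] != NIL_DVN_COUNT and cfg[count] != len(cfg[key]):
            raise ValueError("%s disagrees with %s length: malformed or misaligned" % (count, key))
    return cfg


def grade_dvn_config(cfg: dict, operator_of: dict) -> dict:
    """F179 structural criteria.  Effective threshold = every required DVN plus
    optionalDVNThreshold of the optional set.  A DVN counts as independent only when
    its operator is known and is not the protocol's own (label 'protocol')."""
    dvns = [a.lower() for a in cfg["requiredDVNs"] + cfg["optionalDVNs"]]
    operators = [operator_of.get(a, "unknown") for a in dvns]
    independent = sorted({o for o in operators if o not in ("unknown", "protocol")})
    threshold = len(cfg["requiredDVNs"]) + cfg["optionalDVNThreshold"]
    if len(dvns) <= 1 or threshold <= 1:
        colour = "red"            # 1-of-1: one signer can forge any message (KelpDAO-class)
    elif len(independent) >= 3 and threshold >= 2:
        colour = "green"
    else:
        colour = "yellow"
    return {"colour": colour, "threshold": threshold, "total": len(dvns),
            "independent_operators": independent}


# Constructed sample: assumed addresses and operator labels, not Frax's real DVN set.
SAMPLE_OPERATORS = {
    "0x" + "11" * 20: "LayerZero Labs",
    "0x" + "22" * 20: "Blockdaemon-Animoca",
    "0x" + "33" * 20: "Horizen Labs",
    "0x" + "44" * 20: "protocol",             # the protocol's own DVN: not independent
}
SAMPLE_RET = encode_getconfig_return(15, list(SAMPLE_OPERATORS), [], 0)
SAMPLE_CFG = decode_uln_config(SAMPLE_RET)
SAMPLE_GRADE = grade_dvn_config(SAMPLE_CFG, SAMPLE_OPERATORS)
SINGLE_GRADE = grade_dvn_config(
    decode_uln_config(encode_getconfig_return(15, ["0x" + "11" * 20], [], 0)), SAMPLE_OPERATORS)
```

Unknown or protocol-operated DVNs are deliberately not counted as independent; that is the same reason the factor stays yellow until the Frax DVN operator is confirmed. The send-side and receive-side libraries each carry their own UlnConfig, so the call has to be repeated per pathway and per direction before a grade is locked.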
RD-F-147 green Protocol has bridge surface Frax Finance has three distinct bridge surfaces: (1) LayerZero OFT adapter for frxUSD (0x566a6442A5A6e9895B9dCA97cC7879D632c6e4B0 — TransparentUpgradeableProxy, confirmed by Etherscan showing LayerZero Endpoint V2 interactions); (2) FraxFerry permissioned bridge for FRAX/frxETH; (3) Fraxtal OP Stack native bridge (L1 Standard Bridge Proxy 0x34c0bd5877a5ee7099d0f5688d65f4bb9158bde2). Bridge surface = TRUE, Cat 10 fully populated per profile §7.
RD-F-152 green Bridge binds message to srcChainId FraxFerry: transaction hashes include source chain context (amounts, recipients, source chain implicit in deployment). Fraxtal OP Stack: L2-to-L1 messages are chain-ID bound per OP Stack standard (withdrawal transactions include chainId in the message hash). LayerZero OFT: LZ endpoint binds messages to srcEid (source endpoint ID = source chain ID); messages from chain A cannot be replayed as if from chain B. All three bridge surfaces include source chain binding in message validation.
RD-F-153 green Bridge tracks nonce-consumed mapping FraxFerry: batch-index model — each batch has a unique index; same batch hash consumed on execution prevents replay. The Captain cannot re-propose an already-executed batch. Fraxtal OP Stack: WithdrawalTransaction hash mapping prevents replay of the same L2-to-L1 message. LayerZero OFT: nonce tracking at the LZ endpoint level per pathway (srcEid + sender + dstEid) prevents message replay. All three surfaces have nonce/hash-consumed replay prevention.
Threat intelligence & recon Green 11 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Typosquat / impersonator domain assessment for frax.finance. A domain-monitoring feed was not available for a definitive 90d WHOIS registration check. However: (1) fake GitHub Pages sites (financefrax.github.io, web-frax-finance.github.io) were found active in 2026-05-17 search results, confirmed hosted impersonation surfaces; (2) the Nov 2023 DNS hijack created a temporary registrar-level domain impersonation. Registration delta for the typosquat check: 00-profile.md profiled 2026-05-17, this assessment 2026-05-17, delta = 0 days. A dedicated typosquat WHOIS registration within 90d cannot be confirmed or denied without a domain-monitoring feed. Yellow: fake GitHub Pages hosting is confirmed impersonation; recently registered typosquat domain status requires a feed for a definitive check.
RD-F-158 gray Known-threat-actor cluster has touched protocol T-09 phase-2 signal requiring a curated TI feed (Chainalysis/TRM Labs). No DPRK/Lazarus cluster wallets documented as interacting with Frax core contracts in any public TI report. Frax has not appeared in Chainalysis DPRK-tracking publications. Available Etherscan data on the deployer (0x36bf2289, funded from an internal dev account) and a sampled Comptroller signer (0x6933BCC3, funded from an exchange-pattern address ~4 years ago) show no OFAC-proximity flags. Requires a curated threat-actor wallet cluster list for a definitive assessment.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Requires live mempool monitoring overlaid with a threat-actor cluster feed. No public evidence of low-gas failing txs from threat-actor wallets on Frax contracts found in available public data. Not assessable without partner feed infrastructure.
RD-F-162 gray Known-exploit-template selector deployed by any address Requires an active on-chain deploy scan for exploit-template selector patterns targeting the Frax contract class (CDP, isolated lending, TWAMM, LST). No known-exploit-template contract deployments targeting Frax found in publicly available data as of 2026-05-17. The Dec 2025 RedemptionQueueV2 stealth-patch concerned a DoS (zero-ticket queue-blocking) vector, not a financial-drain exploit template of the selector-replay class this factor measures.
RD-F-164 gray Leaked credential on paste/sentry site Requires manual paste-site/credential-dump monitoring. No public evidence of Frax Finance infrastructure credentials appearing on paste sites, GitHub gist leaks, or Sentry-alt credential dumps as of 2026-05-17. The Dec 2025 RedemptionQueueV2 stealth-patch allegation is a process-level bug-report handling dispute, not a credential leak. Note: Frax's bug bounty uses GitHub gist / DM submission (no third-party platform), so there is no Immunefi-tracked submission log; this slightly raises the chance of a disclosure going unacknowledged (as arguably happened in the Dec 2025 case). Not assessable via public tooling.
RD-F-165 gray Protocol social channel has scam-coordinator flag Requires a curator social watchlist feed. No public reports of Frax Discord/Telegram admins flagged as scam-coordinators in the trailing 90d. The 2024-06 X account hack involved platform-level compromise of @fraxfinance (not a Discord/Telegram coordinator pattern). Frax's social threat surface is elevated (documented DNS hijack 2023 + X account hack 2024 + active fake GitHub Pages 2026), but the specific Discord/Telegram coordinator-watchlist pattern is not assessable without a curator feed.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No GitHub security advisory (GHSA) or equivalent flagging a malicious release in key Frax dependencies in trailing 90d. Key dependencies: OpenZeppelin v5.0.1, OP Stack (Optimism), LayerZero OApp standard, Foundry. No malicious npm/PyPI release in Frax dependency tree reported in public advisory feeds as of 2026-05-17. Note: if a malicious release were found in OZ v5.0.1, OP Stack, or LayerZero OApp within trailing 90d, this factor would flip to red.
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols Baseline reconnaissance time for Frax protocol class (CDP/stablecoin + LST + isolated lending + bridge): USPD-style patterns average 78 days (hack DB T-01). DNS/frontend-class (relevant to Frax's prior incidents): Curve DNS 2022 exploitation window 30 min–4h. Frax's 2023 DNS hijack was resolved in ~24h with no funds lost. The 2024-06 X account hack had no on-chain reconnaissance fingerprint. No active reconnaissance patterns against Frax core contracts identified in current posture as of 2026-05-17. At 65 months operational with no on-chain exploit, Frax is not currently on a known attacker's active on-chain reconnaissance trajectory per public evidence. Historical incidents were off-chain/social rather than on-chain pre-strike patterns.
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Main frax-solidity repo: solc 0.8.19 (foundry.toml confirmed), viaIR=true, 100k optimizer runs. Individual deployed contracts: sfrxETH and FraxlendPair V1 use solc 0.8.16; FraxGovernorAlpha uses 0.8.19; the frxUSD OFT adapter uses 0.8.22; FraxEtherRedemptionQueueV2 uses solc 0.8.28+Cancun. The TransientStorageClearingHelperCollision high-severity bug (Feb 2026 disclosure, affecting solc 0.8.28-0.8.33 with viaIR=true and delete on transient storage) potentially affects FraxEtherRedemptionQueueV2 if it (a) was compiled with viaIR=true AND (b) uses delete on transient state variables. The Etherscan verification for this contract shows 800 optimizer runs and Cancun EVM; the viaIR flag was not confirmed. It is recorded as settings.viaIR in the compiler metadata JSON behind the verified build (the same JSON whose hash solc appends to the bytecode), so fetching that metadata closes (a); (b) needs a full source inspection. All other contracts (0.8.16-0.8.22) are outside the 0.8.28-0.8.33 affected range. Yellow pending viaIR + transient-storage verification for FraxEtherRedemptionQueueV2.
RD-F-174 yellow Dependency tree uses EOL Solidity version Core Solidity contracts use 0.8.16-0.8.28, the modern 0.8.x series, not EOL. The frax-governance repo uses Vyper 0.2.12 (per README) for veFXS. Vyper 0.2.12 is an aged version (pre-dating the 0.3.x series). Vyper had a known reentrancy-lock bug in versions 0.2.15-0.3.0; 0.2.12 predates the affected range, so it is not in the known-vuln window. However, 0.2.12 is significantly aged (Vyper is now at 0.4.x), and the veFXS contract is governance-critical. Yellow: veFXS on aged Vyper 0.2.12 is not on a known-CVE version but is significantly behind current Vyper releases.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation Frax is an original protocol; no upstream audit to compare bytecode similarity against for AI-copy risk. The frax-oft-upgradeable implementation (FraxOFTMintableAdapterUpgradeable) has expected bytecode similarity to LayerZero's reference OFT standard — this is by design, not an AI-generated deviation. No evidence of behavior deviation from reference implementations found.
RD-F-172 green Repo shows AI-tool co-authorship in critical files Inspection of frax-solidity commit history (master branch, most recent commits Oct 2025, Aug 2025, Jun 2025): no 'Co-authored-by: copilot' or AI tool attribution tags visible. Primary contributor is 'FortisFortuna' (GitHub ID 33413876) with standard commit messages. The Microsoft VS Code Copilot silent-co-author injection episode (4M commits) is noted; no evidence of it affecting Frax Finance repos visible in commit history sample.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Frax Finance team of AI-generated Solidity in security-critical code paths found across governance forum, biweekly project updates, or other public channels searched.
Response & disclosure hygiene Yellow 25 4 of 4
RD-F-175 yellow Disclosure channel exists A public disclosure channel exists at docs.frax.finance/smart-contracts/bug-bounty: submission via a private GitHub gist shared through Twitter DM, Telegram, Discord, or Signal. The channel is publicly documented. However: (1) no dedicated security@ email; (2) no third-party platform (Immunefi) with formal program management; (3) the Dec 2025 RedemptionQueueV2 incident demonstrates inconsistent channel response: the channel was used but resulted in denial and cessation of contact. Yellow: the channel exists and is documented, but active-monitoring evidence is mixed given the Dec 2025 outcome.
RD-F-176 yellow Disclosure SLA public The Frax bug bounty page states 'a maximum turnaround time of 5 days due to timelock+mitigation', which is a published SLA. However: (1) it covers payment turnaround, not acknowledgment; (2) the Dec 2025 RedemptionQueueV2 case shows the SLA was not honored: the report was denied within hours (Dec 5), no bounty paid, no follow-up; (3) there is no separately published acknowledgment SLA (e.g. 'acknowledge within 24h'). Yellow: an SLA is stated but narrow (payment only, not acknowledgment), and the Dec 2025 case provides evidence the stated SLA was not followed.
RD-F-177 yellow Prior known-ignored disclosure The Dec 2025 FraxEtherRedemptionQueueV2 dispute is the central evidence item. Confirmed facts: (a) the researcher reported a DoS (a zero-amount ticket permanently blocks the FIFO redemption queue) in contract 0xfDC69e6BE352BD5644C438302DE4E311AAD5565b on Dec 4-5, 2025; (b) the Frax security team denied the finding ('no bug found') on Dec 5, 2025; (c) the researcher discovered a behavioral change circa Dec 16, consistent with a stealth patch between Dec 5 and Dec 16; (d) the Frax team denied making any contract changes and ceased communication; (e) no bounty paid; (f) governance forum thread #3818, posted Dec 17, 2025, documents the dispute. Allegation: the vulnerability was patched without credit or bounty, constituting a mishandled/ignored disclosure. Limitations: the primary source is the researcher's own Medium post and governance thread; Frax has not provided a counterstatement on record; the on-chain bytecode mismatch was not independently confirmed within this scope. Yellow rather than red: allegation is documented and credible (thr
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against Frax Finance or the FraxFinance GitHub organization. The Dec 2025 RedemptionQueueV2 vulnerability was not published as a formal CVE or GHSA advisory — the researcher used Medium and the governance forum, not GHSA/NVD. No public GHSA search result for FraxFinance org vulnerabilities. Green: no active formal advisory against the protocol.
rubric_version v1.7.0 graded_at 2026-05-17 11:40:22 factors 184 protocol frax