Ignored bounty disclosure

Frax Finance's assessment for RD-F-008 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Researcher 'clarkcorrin' (DonnyOregon) credibly alleges: DoS vulnerability in FraxEtherRedemptionQueueV2 reported Dec 4-5, 2025; Frax responded 'no bug found'; the exact mitigation was subsequently implemented; team ceased communication when confronted. Corroborated by: (1) Medium/coinsbench detailed post with forensic analysis; (2) Frax governance forum post from the researcher. The CannotRedeemZero error is confirmed present in deployed ABI as of assessment date. Frax denies any changes but the contradiction with on-chain behavioral evidence makes the denial implausible. No exploit occurred (DoS vector). But the pattern — report denied, silently patched, bounty withheld — satisfies the F008 definition.

Sources #

URL
FRAX FINANCE: The Stealth Patch & The Stolen BountyResearcher forensic analysis of the disclosure and patch timelineretrieved 2026-05-17
Governance
Attribution Dispute - RedemptionQueueV2 DoS VulnerabilityFrax governance attribution dispute post confirming researcher's claim timelineretrieved 2026-05-17

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-008 score red collected_at 2026-05-16 20:44:31