Leaked credential on paste/sentry site
Frax Finance's assessment for RD-F-164 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Requires manual paste-site/credential-dump monitoring. No public evidence of Frax Finance infrastructure credentials appearing on paste sites, GitHub gist leaks, or Sentry-alt credential dumps as of 2026-05-17. The Dec 2025 RedemptionQueueV2 stealth-patch allegation is a process-level bug-report handling dispute, not a credential leak. Note: Frax's bug bounty uses GitHub gist / DM submission (no third-party platform), which means there is no Immunefi-tracked submission log — this slightly elevates the chance of a disclosure going unacknowledged (as arguably happened in the Dec 2025 case). Not assessable via public tooling.
Sources
- Docs: Frax Finance bug bounty documentation. Frax bug bounty: submit via private GitHub gist or DM (no Immunefi/third-party platform); no submission tracking. Retrieved 2026-05-17.
- Frax governance — RedemptionQueueV2 attribution dispute thread. Dec 2025 attribution dispute: RedemptionQueueV2 DoS report rejected then patched without credit — process failure, not credential leak. Retrieved 2026-05-17.
Methodology
Determine whether a public paste site, Sentry-alt, or credential dump references protocol infrastructure endpoints or API keys.