defirisk.co
rubric v1.7.0

Prior known-ignored disclosure

Frax Finance's assessment for RD-F-177 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The Dec 2025 FraxEtherRedemptionQueueV2 dispute is the central evidence item.

Confirmed facts:
(a) A researcher reported a DoS (a zero-amount ticket permanently blocks the FIFO redemption queue) in contract 0xfDC69e6BE352BD5644C438302DE4E311AAD5565b on Dec 4-5, 2025.
(b) The Frax security team denied the finding ('no bug found') on Dec 5, 2025.
(c) The researcher discovered a behavioral change circa Dec 16, consistent with a stealth patch between Dec 5-16.
(d) The Frax team denied making any contract changes and ceased communication.
(e) No bounty was paid.
(f) Governance forum thread #3818, posted Dec 17, 2025, documents the dispute.

Allegation: the vulnerability was patched without credit or bounty, constituting mishandled/ignored disclosure.

Limitations: the primary source is the researcher's own Medium post and governance thread; Frax has not provided a counterstatement on record; the on-chain bytecode mismatch was not independently confirmed within this scope.

Yellow rather than red: allegation is documented and credible (thr

Sources

Methodology

Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.


rubric_version: v1.7.0
protocol: frax
factor: RD-F-177
score: yellow
collected_at: 2026-05-16 20:44:31