JustLend DAO

Compound v2-architecture money-market lending protocol deployed exclusively on TRON (TVM, non-EVM). Supports supply and borrow of TRX, USDT, USDC, BTC, ETH, and 30+ TRC-20 assets via jToken receipts. Sub-products include sTRX (liquid staked TRX) and Energy Rental. Governance via on-chain GovernorBravo + 48h Timelock using JST/WJST voting token. Launched December 2020 as TRON's first official lending protocol. JST buyback-and-burn program active since 2025. NOVEL SUBSTRATE: Tronscan (https://tronscan.org) is the canonical explorer; no Gnosis Safe, no EVM tooling.

Sector lending

TVL $3.6B

Reviewed May 17, 2026

Factors 184

Categories 13

Risk score 31.1

DeploymentsTron · —

Risk profile at a glance

2 red · 2 yellow · 8 green

25 24 17 13 15 22 16 10 13 12 8 5 4

Categories & evidence

184 factors · 13 categories

Code & audits Yellow 42 25 of 25

RD-F-008 green Ignored bounty disclosure No confirmed prior exploits on JustLend. No post-mortem exists documenting an ignored disclosure. Rekt parser returned 0 results. DefiLlama hacks field empty.

Governance & admin Green 13 24 of 24

RD-F-033 yellow Timelock on sensitive actions Most sensitive actions (oracle change, collateral factor, market listing, implementation upgrade) route through Timelock admin. However, _reduceReserves() on jTokens routes through reserveAdmin (separate role — identity unconfirmed, may not be Timelock-controlled). pauseGuardian can halt markets without Timelock delay. Partial timelock coverage. RD-F-034 yellow Guardian/pause-keeper distinct from upgrader pauseGuardian role exists in Comptroller (distinct from upgrader/admin). Comptroller _setPauseGuardian() sets it; _setMintPaused()/_setBorrowPaused() require pauseGuardian or admin. Role separation confirmed at contract level. However, identity of current pauseGuardian address not confirmed via direct Tronscan state read — confidence is medium on whether this is an EOA or the Timelock itself. RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Partial role separation: upgrade/oracle/collateral roles controlled by Timelock admin. reserveAdmin on jTokens is a separate role (identity unconfirmed). pauseGuardian is separate from admin. anchorAdmin on PriceOracle is separate (identity unconfirmed). Oracle and upgrade appear to share the same Timelock-admin path. Full separation cannot be confirmed without on-chain state reads. RD-F-039 yellow delegatecall/call in proposal execution without allowlist Timelock executes proposals via target.call() (not delegatecall). GovernorBravoDelegator fallback uses delegatecall internally for routing to implementation — this is the proxy mechanism, not proposal execution. No target allowlist exists: proposals can target any address. Standard Compound-Bravo posture. Risk is mitigated by 600M WJST quorum requirement but not eliminated. Scored yellow not red because call (not delegatecall) limits blast radius to value transfer / external call, not Timelock storage corruption. RD-F-040 yellow Emergency-veto multisig present No emergency-veto multisig on TRON. GovernorBravo has a whitelistGuardian role for whitelist management but this is not a full emergency veto. TronSpark article notes 'Removal of the guardian' as a GovernorBravo feature — suggesting prior guardian was removed when GovernorAlpha -> GovernorBravo migrated. No veto-capable multisig exists. RD-F-041 yellow Rescue/emergencyWithdraw without timelock _reduceReserves(uint reduceAmount) on CToken/JToken is callable by reserveAdmin (not admin/Timelock). SlowMist sTRX audit flagged: 'ReserveAdmin can call claimReserves and reservePayBadDebt functions at will.' Team response: 'ReserveAdmin would be transferred to governance and timelock.' On-chain confirmation not obtainable via available Tronscan API. Function transfers protocol interest reserves only (not user-deposited principal). No dedicated emergencyWithdraw/rescue/sweep function confirmed in Comptroller or jToken source. Yellow not red: (1) only reserves, not user principal; (2) committed transfer to Timelock per audit response; (3) no single-tx full-drain of user funds confirmed. RD-F-026 n/a Upgrade multisig signer configuration (M/N) No Gnosis Safe or equivalent multisig on TRON. Effective admin is GovernorBravo DAO governance (600M WJST quorum, 3-day vote, 48h timelock). M/N multisig threshold field is structurally inapplicable on TRON substrate where no Safe Transaction Service exists. RD-F-028 n/a Low-threshold multisig vs TVL TRON substrate — no Gnosis Safe, no multisig threshold. Effective governance is full DAO (600M WJST quorum, 200M proposal threshold, 3-day vote). The low-threshold-multisig factor is structurally inapplicable on this substrate. RD-F-029 n/a Multisig signers co-hosted No multisig exists on TRON substrate. Signer co-hosting factor structurally inapplicable. RD-F-030 n/a Hot-wallet signer flag No multisig exists on TRON substrate. Hot-wallet signer flag structurally inapplicable. RD-F-031 n/a Signer rotation recency No multisig signer set to rotate on TRON substrate. Signer rotation recency structurally inapplicable. RD-F-044 gray Admin wallet interacts with flagged addresses reserveAdmin identity not confirmed on-chain. Main admin is Timelock contract (not an EOA). No TRON equivalent of EVM-native Chainalysis clustering available. Cannot assess admin wallet interactions with flagged addresses without knowing reserveAdmin / pauseGuardian / anchorAdmin addresses. RD-F-045 gray Constructor args match governance proposal GovernorBravoDelegator constructor args (timelock_, wjst_, admin_, implementation_) visible in source. No governance proposal deploying these contracts found in forum (forum returns category-level data only). Specific JIP proposal text not accessible without forum authentication. Constructor arg matching cannot be verified without the original deployment proposal. RD-F-047 gray Governance token concentration (Gini) WJST token at TXk9LnTnLN7oH96H3sKxJayMxLxR9M4ZD6. No TRON-native Gini calculator or holder distribution tool accessible from this assessment. Justin Sun / TRON Foundation likely hold material share of JST given ecosystem role. Exact concentration cannot be determined without TRON archival node access.

RD-F-025 green Admin key custody type Full DAO+timelock custody. GovernorBravo + 48h Timelock is the admin path. CertiK 2022 audit confirmed ownership transfer: Unitroller/CEther/CErc20Delegator -> Timelock -> GovernorBravo. Protocol states 'no admin key, no rug vectors.' Tronscan API confirms GovernorBravoDelegator is_proxy=true with proxy_implementation TB5EbocVaTwYj6v8Vd3Vw5CRoDss8oNMP8 and Timelock TRWNvb15NmfNKNLhQpxefFz7cNjrYjEw7x has standard Compound Timelock method signatures.

RD-F-027 green Single admin EOA Not a single EOA. Admin path confirmed: deployer TV3Wg2zNUBzGJsJNCEUZ2W9YVsFK2AAcLB transferred ownership to Timelock TRWNvb15NmfNKNLhQpxefFz7cNjrYjEw7x (48h delay), which was then transferred to GovernorBravo TEqiF5JbhDPD77yjEfnEMncGRZNDt2uogD per CertiK 2022 audit. Protocol states 'no admin key, no rug vectors.' GovernorBravo migration confirmed September 2022 per TronSpark.

RD-F-032 green Timelock duration on upgrades 48-hour (172,800 second) Timelock delay confirmed. setDelay() callable only by address(this) — requires queued governance transaction to change. Governance docs and profile both confirm 48h delay. Well above minimum acceptable threshold.

RD-F-036 green Flash-loanable voting weight Not flash-loanable. GovernorBravoDelegate uses wjst.getPriorVotes(voter, proposal.startBlock) — checkpoint at past block, not live balance. WJST (Comp.sol) implements full Compound-style checkpoint with getPriorVotes() binary search over stored checkpoints. Flash loans in current block cannot affect prior-block snapshots. Beanstalk-class attack not possible.

RD-F-037 green Quorum achievable via single-entity flash loan Quorum is not achievable via flash loan because voting uses prior-block checkpoints (see RD-F-036). Any flash loan attempt would not affect the historical voting power snapshot at proposal.startBlock.

RD-F-038 green Proposal execution delay < 24h Proposal execution requires 3-day voting period + 48-hour Timelock delay = minimum ~5 days from proposal creation to execution. Well above the 24-hour threshold.

RD-F-042 green Admin has mint() with unlimited max JST governance token has a fixed maximum supply of 9.9 billion — no admin-callable mint with unlimited max. jToken mint() is the user-facing supply function (not admin-controlled, anyone can call). No unlimited-supply admin mint exists at protocol level.

RD-F-043 green Admin = deployer EOA after 7 days Admin was transferred to Timelock well before the 7-day window. CertiK April 2022 audit confirmed ownership transfer from deployer to Timelock to governance. GovernorBravo migration completed September 2022. Deployer TV3Wg2zNUBzGJsJNCEUZ2W9YVsFK2AAcLB no longer controls protocol. Protocol has been live since December 2020 with multiple admin path changes confirmed.

RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts verified on Tronscan (verification status 2 for Timelock, Unitroller, GovernorBravoDelegator). Source code open-sourced on GitHub since July 2022. Immunefi bug bounty scope lists 55 contracts in scope — all assume public ABI. No unverified core contracts identified.

RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated protocol surface identified holding material value. JustLend is a continuously operated live protocol. sTRX and Energy Rental are active sub-products. All 55 Immunefi-scope contracts are active. No deprecated contracts with paused-but-revertible state found.

Oracle & external dependencies Yellow 21 17 of 17

RD-F-049 yellow Oracle role per asset Single oracle system (Chainlink-via-poster) serves as Primary for all 30+ jToken markets. No per-asset secondary or fallback oracle is documented. PriceOracleProxy.sol maps cUSDC/cUSDT to a shared usdcOracleKey and cETH to a hardcoded 1e18 constant, but all other assets route through the same v1Oracle poster address. There is no documentation of a separate fallback oracle for any asset. RD-F-051 yellow Fallback behavior on oracle failure No fallback oracle is documented. If the poster stops submitting prices, the last stored price persists indefinitely in the prices mapping with no timeout or revert. SimplePriceOracle.sol stores prices as a simple mapping(address => uint) with no timestamp. PriceOracleProxy.sol has no secondary source. No documentation of halt-on-stale or last-known-price-with-timeout behavior. RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) Chainlink relay fails or poster halts: stale prices accepted indefinitely, enabling under-collateralized borrows — all $3.586B TVL at oracle-correctness risk. (2) Poster key compromised: attacker posts arbitrary prices for any market, enabling fake collateral borrows — catastrophic loss potential. (3) Governance-forced oracle swap via malicious _setPriceOracle() proposal: entire oracle stack replaced — full TVL at risk with 48h timelock window. (4) USDD stablecoin depeg: USDD market mispriced during oracle lag, triggering liquidation cascade on USDD borrowers. The single-poster architecture is the highest-severity single point of failure. RD-F-057 yellow Circuit breaker on price deviation No circuit breaker on price deviation is documented or visible in JustLend's oracle contracts. SimplePriceOracle.sol stores prices directly without any deviation check against a secondary reference. PriceOracleProxy.sol does not implement a deviation-based halt. The poster submits prices without on-chain validation against an anchor or secondary source. RD-F-059 yellow Oracle staleness check present No staleness check is visible in the oracle contracts. SimplePriceOracle.sol stores prices in a mapping(address => uint) without any timestamp or updatedAt field. PriceOracleProxy.sol reads prices without checking Chainlink's updatedAt return value. If the poster goes offline, stale prices persist indefinitely. The protocol documentation makes no mention of staleness validation. Confidence medium because Tronscan direct source read was blocked — GitHub source may not reflect TVM-deployed state exactly. RD-F-062 yellow External keeper/relayer not redundant The oracle price-update system relies on a single designated poster address. The docs describe poster() as returning 'Address of the current poster.' There is no documented redundancy (multiple posters, backup poster, or automatic Chainlink pull). If the poster key is lost, compromised, or the operator goes offline, price updates stop. No failover mechanism is documented. This is a single point of failure in the keeper/relayer layer. RD-F-180 yellow Immutable oracle address [★ CRITICAL-CANDIDATE per PD-017 — track for T-14 post-launch promotion. Current score YELLOW.] The Comptroller stores the oracle address as a mutable state variable that can be replaced by the admin via _setPriceOracle(). The admin path is GovernorBravo (TEqiF5JbhDPD77yjEfnEMncGRZNDt2uogD) + Timelock (TRWNvb15NmfNKNLhQpxefFz7cNjrYjEw7x, 48h delay) — governance-replaceable. However, PriceOracleProxy.sol stores v1PriceOracle as an immutable constructor parameter (no setter): changing the underlying Chainlink relay requires deploying a new PriceOracleProxy and then calling _setPriceOracle() on the Comptroller. Two-step replaceable — not immutable, but not a single-tx swap either. Score = yellow (replaceable via governance redeployment; 48h timelock delays but does not prevent emergency response). RD-F-054 n/a TWAP window duration Not applicable — JustLend does not use a DEX-TWAP oracle. The oracle is Chainlink Data Feeds (pushed by poster). TWAP window duration is not a relevant parameter for this oracle architecture. Chainlink uses deviation threshold + heartbeat updates, not a protocol-side TWAP window. RD-F-055 n/a Oracle pool depth (USD) Not applicable — oracle is not DEX-pool derived. Underlying oracle pool depth is not a relevant metric for Chainlink-sourced pushed prices. The relevant quality metric is Chainlink node operator quorum and feed redundancy, which is managed at the Chainlink protocol level, not the JustLend contract level. RD-F-056 n/a Single-pool oracle (no medianization) Not applicable — no single DEX pool is used. Chainlink Data Feeds aggregate from multiple independent data sources (not a single venue). The single-pool / medianization factor does not apply to Chainlink-tier oracle feeds. RD-F-058 gray Max-deviation threshold (bps) No circuit breaker exists (see RD-F-057), so there is no max-deviation threshold to verify. Gray because the absence of a threshold is structurally determined by the absence of a circuit breaker (F057=yellow), not by a data gap, but the specific threshold value cannot be read (because it does not exist). Cannot confirm absence via Tronscan direct read — API returned empty for oracle contracts. RD-F-060 gray Chainlink aggregator min/max bound misconfig Chainlink publishes minAnswer/maxAnswer bounds on aggregator contracts. However, JustLend's pushed-price oracle architecture bypasses the Chainlink aggregator min/max guard at the contract layer — prices are submitted directly to SimplePriceOracle mapping by the poster, not read directly from Chainlink's AggregatorV3Interface. Whether the poster's off-chain logic enforces min/max bounds is unknown. Tronscan API returned empty for both oracle contract addresses; Tronscan HTML returned 403. Cannot verify TRON-deployed Chainlink aggregator min/max configuration. RD-F-061 n/a LP token balanceOf used for pricing Not applicable — JustLend's oracle does not use LP token balanceOf for pricing. The oracle is Chainlink-sourced via a poster role. No balanceOf-based price derivation is used in SimplePriceOracle.sol or PriceOracleProxy.sol.

RD-F-048 green Oracle providers used JustLend uses Chainlink Data Feeds as its oracle provider via a designated poster role. Prices are pushed on-chain to SimplePriceOracle.sol (TMiNCmvD3zdsv6mk7niBU6NPBzVNjYMQTV). TRON DAO joined Chainlink Scale in October 2024 and officially adopted Chainlink Data Feeds as the exclusive oracle solution in May 2025, replacing WINkLink. Docs confirm: 'Chainlink Data Feeds are the key component of this process.' Chainlink uses AggregatorV3Interface-compatible contracts on TRON mainnet.

RD-F-050 green Dependency graph (protocols depended upon) Key external dependencies: (1) Chainlink Data Feeds on TRON (oracle — Chainlink Scale, adopted Oct 2024); (2) TRON blockchain consensus (substrate); (3) sTRX liquid staking module TU3kjFuhtEo42tsCBtfYUAZxoqQ4yuSLQ5 (sub-product, SlowMist audited); (4) USDD stablecoin market (issued by TRON DAO Reserve); (5) JST/WJST governance token. No bridge or cross-chain dependencies. Protocol is self-contained on TRON with no material external protocol composability risk beyond the oracle.

RD-F-053 green Oracle source = spot DEX pool (no TWAP) JustLend does NOT use a spot DEX pool as the oracle source. The oracle is a pushed-price model: a designated poster role reads Chainlink Data Feeds (aggregated multi-source, not a single DEX pool) and submits prices on-chain via setPrice(). Chainlink Data Feeds use AggregatorV3Interface on TRON mainnet (e.g. BTC/USD, ETH/USD) — these are not DEX spot prices. F053 critical check: green.

RD-F-181 green Permissionless-pool lending oracle JustLend is a curated-listing Compound-fork. New markets are listed only via GovernorBravo governance proposals (200M WJST threshold, 600M quorum, ~3-day vote, 48h Timelock). There is no permissionless pool creation — users cannot add arbitrary token pools or oracle sources. The permissionless-pool oracle attack vector (Rhea Finance NEAR class: fake pools created by users to manipulate collateral prices) does not apply to JustLend.

Economic risk Red 54 13 of 13

RD-F-070 red Empty cToken-style market (zero supply/borrow) [★ CRITICAL] JustLend is a confirmed Compound v2 fork. CToken.sol source confirms: (1) exchangeRateStoredInternal() returns initialExchangeRateMantissa when _totalSupply == 0 with no guard; (2) mintFresh() has no minimum totalSupply check; (3) initialize() mints no seed tokens. Comptroller _supportMarket() initializes collateralFactorMantissa = 0 with no seed deposit requirement. The 2022 CertiK audit found no critical empty-market finding; team stated intent to 'lock up a little bit of the underlying assets in each market' but no code-level implementation found. Hundred Finance (April 2023, ~$7.4M) and Sonne Finance (May 2024, ~$20M) exploited the identical cToken empty-market donation vector. Any JustLend jToken market reaching totalSupply == 0 is exploitable. Long-tail markets with thin activity are highest risk. RD-F-071 red Seed-deposit requirement for new market listing No seed-deposit requirement for new market listing found in source code or governance documentation. Comptroller _supportMarket() requires only admin authorization; initializes market with collateralFactorMantissa=0. No minimum deposit enforced before borrow-enable. This is the standard Compound v2 pattern with no modification. Combined with the empty-market vulnerability (RD-F-070), this represents a compounded risk: new markets can be listed and immediately exploited if they reach zero supply. RD-F-073 red Oracle-manipulation-proof borrow cap No borrow cap logic found in JustLend Comptroller source. Compound v2 original architecture did not include borrow caps; JustLend's source confirms this is unchanged. Without per-asset borrow caps, borrowing is limited only by collateral factor and account health. In an oracle manipulation scenario on a lower-liquidity TRON asset (e.g., JST, SUN, WBTT), an attacker could post inflated collateral and borrow uncapped amounts. This is a structural Compound v2 limitation and a material gap for oracle-manipulation-proof capital protection. RD-F-075 red First-depositor / share-inflation guard No first-depositor guard found. CToken.sol has no: (a) seed deposit on deploy/initialize, (b) virtual-share offset, (c) minimum totalSupply floor in mintFresh(). The only zero-supply handling is exchangeRateStoredInternal() returning initialExchangeRateMantissa — this is not a protection; it is the mechanism that enables exchange-rate manipulation. A malicious first depositor can mint 1 wei of jTokens, then donate underlying assets directly to inflate the exchange rate, causing the next depositor's minted shares to be 0 (or near-0) due to integer truncation. The 2022 CertiK audit acknowledged but did not resolve this. No post-2022 fix found in source code. RD-F-066 yellow Utilization rate (lending protocols) Overall utilization rate 4.97% ($178.2M borrowed against $3,586M supplied). This is anomalously low for a protocol of this TVL — standard Compound v2 forks on EVM run 40-70% utilization in active markets. Low utilization is consistent with TRON yield-farming dynamics (users supply primarily for JST/TRX incentives rather than to support borrowing demand). It also means individual market utilization varies widely. Very low utilization indicates potential yield-farming-dominated TVL inflating the supply figure relative to organic lending demand. Yellow because the anomalous rate warrants investigation but is not a direct safety failure. RD-F-064 gray TVL concentration (top-10 wallet share) Top-10 depositor concentration not obtainable. TRON lacks a Dune Analytics equivalent for depositor breakdown. Tronscan API returned 403 for contract reads. No third-party depositor concentration analysis found for JustLend. TRON ecosystem is characterized by fewer, larger institutional participants in USDT flows (>4.5M USDT txs/day), suggesting potential concentration risk, but no quantifiable primary data available. RD-F-065 n/a Liquidity depth per major asset JustLend does not operate AMM pools. Underlying collateral liquidity varies widely: USDT on TRON is highly liquid (TRON is the primary USDT transfer network, $2T+ USDT transfers Q1 2026). TRX has deep TRON-native DEX liquidity. However, long-tail TRON ecosystem collateral assets (JST, SUN, WBTT, BTT, NFT) have limited global exit liquidity and thin TRON-native DEX depth. Yellow because long-tail liquidation exit risk is material. Exact 2%/5% depth figures not obtainable (TRON DEX subgraph inaccessible). RD-F-068 gray Collateralization under stress Cannot construct per-market stress scenario. Comptroller collateral factors not publicly enumerated (docs provide only formula, not values). Tronscan `markets()` reads blocked. Key risk factors identified but not quantified: (1) USDD collateral is TRX-backed (~40% of USDD reserves) with depeg history (fell to $0.96 in 2022); (2) Long-tail TRON assets held as collateral have high volatility relative to estimated collateral factors; (3) Liquidation bonus 8% (confirmed), close factor 50% (confirmed). No stress test constructable without per-market getCash()/totalSupply() data. RD-F-069 n/a Algorithmic / under-collateralized stablecoin JustLend is a lending protocol, not a stablecoin issuer. It lists USDD as a borrowable/suppliable market but does not itself issue USDD. Per taxonomy Cat 4 PD-024: this factor applies only to algorithmic/under-collateralized stablecoin issuers. RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) JustLend jTokens are TRC-20 receipts using the Compound v2 cToken exchange-rate accounting model on TRON (TVM). ERC-4626 is an Ethereum standard; jTokens on TRON are not ERC-4626 vaults and the OZ ≥ 4.9 virtual-share offset mechanism is architecture-specific to ERC-4626 and not applicable here. The Compound v2 cToken exchange-rate model has its own first-depositor vulnerability path (assessed under RD-F-070 and RD-F-075).

RD-F-063 green TVL (current + 30d trend) TVL $3.586B as of 2026-05-17 (DefiLlama). 30-day change -1.28%. 90-day mean ~$3.381B (data cache). All-time peak ~$7.82B October 2025 (54% decline from peak). Single-chain TRON protocol. Data is current and well-sourced.

RD-F-067 green Historical bad-debt events No confirmed bad debt events found across all sources checked: Rekt parser = 0, DefiLlama hacks field = [] (data cache). Web search returned no JustLend-specific bad debt socialization events. Only user-reported issues were minor liquidation transaction failures (TRON DAO Forum, July 2025) attributed to race conditions. 5+ years of operation without a confirmed bad-debt event is positive operational signal.

RD-F-072 green Market-listing governance threshold New market listings require on-chain GovernorBravo proposal: 200M WJST proposal threshold, 600M vote quorum, ~3-day voting period, 48h timelock. High-threshold governance process — not permissionless. New assets require community approval (e.g., JIP-28 for wBTC as collateral). Classification: high-threshold DAO governance. The administrative path (Unitroller admin calling _supportMarket()) may still allow admin-bypass without governance in theory — governance-admin-analyst should confirm whether _supportMarket() is callable directly by admin or only via timelock.

Operational history Green 6 15 of 15

RD-F-089 yellow Insurance coverage active No active insurance coverage found for JustLend DAO on any major platform. Nexus Mutual is EVM-native and does not cover TRON-native protocols. Sherlock provides EVM-native coverage only. No TRON-native smart contract insurance platform offering coverage at $3.586B TVL scale was identified. Yellow rather than red: the absence is structurally driven by TRON substrate (no EVM insurance protocols cover TRON DeFi), not an explicit team opt-out from available coverage. JustLend risk docs acknowledge smart contract risk but disclose no insurance partnerships. RD-F-081 n/a Post-exploit response score No prior exploit has occurred; post-exploit response score cannot be assessed. RD-F-082 n/a Post-mortem published within 30 days No prior exploit; no post-mortem to evaluate for timeliness. RD-F-083 n/a Auditor re-engaged after last exploit No prior exploit; re-audit-after-exploit cannot be evaluated. RD-F-084 gray TVL stability (CoV over 90d) DefiLlama daily TVL series available in cache spanning Nov 2021 to May 2026. 30d change = -1.28%, 90d mean = $3.381B vs current $3.586B. Qualitative estimate: CoV appears low (stable band $3.2-3.7B over trailing 90d). Precise sigma/mu computation requires programmatic statistical analysis of the full daily series, not performed in this session. Honest gray rather than estimated green. RD-F-085 n/a Incident response time (minutes) No prior incident; incident response time cannot be measured. RD-F-086 gray Pause activations (trailing 12 months) No pause events found in news/incident databases. JustLend is TRON-native; pause-event enumeration requires Tronscan-based event log scanning not performed programmatically in this session. No reports of JustLend pausing operations found in web search. Honest gray: absence of news evidence is corroborating but not confirmatory. RD-F-087 gray Pause > 7 consecutive days No evidence of a sustained pause event (>7 consecutive days) found. TRON substrate requires on-chain event scanning not performed in this session. RD-F-088 gray Re-deployed to new addresses in last year No protocol-wide contract migration or re-deployment found in evidence. GitHub last commit 2026-03-24 with no migration announcement. No v2 re-deployment announcement found. However, full verification requires Tronscan deployment history not enumerated in this session. RD-F-166 n/a Deprecated contracts still holding value No formally deprecated JustLend contracts found holding >$100K in assets. Protocol has operated as a single continuous deployment since December 2020. Supply-cap governance adjustments are parameter-level market risk management within the existing Comptroller, not contract-level deprecations. Per instruction spec: 'parameter-level restriction (supply cap->0, market deprecated by governance) is NOT a contract-level deprecation.' TRON stale-approval scanning (Revoke.cash) is EVM-only and not applicable to TRON substrate. No TRON-native equivalent scan was performed but no evidence of a sunset migration with stuck TVL was found across all evidence sources.

RD-F-076 green Protocol age (days) JustLend SBM launched 2020-12-07 on TRON mainnet. Age at assessment: ~1,988 days (~65 months). Materially exceeds the 12-month A-grade eligibility threshold. Protocol has been live through multiple market cycles including the LUNA collapse (May 2022), FTX (Nov 2022), and the 2024-2025 bull market.

RD-F-077 green Prior exploit count Zero confirmed protocol-contract exploits. Hacksdatabase (311 entries), rekt.news, De.Fi REKT database, SlowMist Hacked, DefiLlama hacks array all return empty for JustLend. October 2022 BSC/JUST-ecosystem incident excluded per U22 (wrong chain — BSC not TRON; BNB not TRON assets; no confirmed JustLend contract involvement per primary source).

RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero confirmed exploits. Chronic flag (>=3 exploits) does not trigger.

RD-F-079 green Same-root-cause repeat exploit Zero incidents; same-root-cause repeat pattern cannot exist.

RD-F-080 green Days since last exploit No prior exploit on record; days-since-last-exploit field is effectively infinity / not applicable. Green per taxonomy intent for zero-exploit-count protocols.

Real-time signals Green 17 22 of 22

RD-F-101 yellow Large governance proposal queued Governance proposal queued — applicable; flagged-pattern posture yellow. GovernorBravoDelegator TEqiF5JbhDPD77yjEfnEMncGRZNDt2uogD is on-chain on TRON; ProposalCreated/ProposalQueued events exist. No queued proposals identified from public sources as of 2026-05-17 (last major governance action: JST buyback and burn approved Oct 2024). Flash-loan-quorum feasibility via pure TRON flash loan is low (no major TRON flash-loan providers) but whale coordination or large WJST accumulation could feasibly meet 600M quorum threshold — Justin Sun moved 300M JST to HTX in 2024. Governance concentration risk is real; active threat is not confirmed today. T-09 pipeline not monitoring TRON governor events. RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation scam-spike — applicable; posture yellow. Active impersonation infrastructure confirmed: (1) justlend-dao.com presents as 'JustLend DAO' phishing site; (2) multiple typedream/teachable wallet phishing pages confirmed via web search 2026-05-17; (3) TRON DAO X account (adjacent ecosystem) was compromised via social engineering May 2, 2025 — hacker solicited $45K from followers. TRON ecosystem is a documented social engineering target (SlowMist fake TronLink extension campaign May 2026). No confirmed JustLend-specific X account compromise found in this session. P2 signal; pipeline not wired. RD-F-090 gray Mixer withdrawal → protocol interaction Mixer withdrawal to protocol interaction signal — partially applicable on TRON substrate. Tornado Cash is EVM-only; TRON laundering by Lazarus Group is documented (Chainalysis 2024 report: laundering strategy shifted to TRON). No specific public evidence of mixer-funded wallet interacting with JustLend core contracts. Requires TRM Labs or Chainalysis TRON-native cluster analysis — not available in public-proxy form. TRON-native anonymization pathways exist (cross-chain hops from EVM mixer to TRON via bridges) but are not traced to JustLend specifically in any public source. RD-F-091 gray Partial-drain test transactions Partial-drain test transactions — T-09 phase-2 signal. JustLend has no known exploits (Rekt = 0, DefiLlama hacks = []). TRON block scanning for partial-drain patterns not in production pipeline. On-chain transaction pattern analysis is substrate-agnostic in principle but requires TRON-specific block scanner tooling not yet wired. RD-F-092 n/a Unusual mempool pattern from deployer wallet Unusual mempool pattern from deployer wallet — not applicable on TRON substrate. TRON has no EVM mempool; Flashbots/Blocknative/geth txpool listener does not operate on TRON. TRON uses Energy/Bandwidth model, not gas. EVM mempool monitoring tools are irrelevant on this substrate. RD-F-093 n/a Abnormal gas-price willingness from attacker wallet Abnormal gas-price willingness — not applicable on TRON substrate. TRON uses Energy/Bandwidth resource model, not gas. The priority-fee EMA baseline concept and gas-price willingness signal are EVM-specific and do not translate to TRON. RD-F-094 n/a New contract with similar bytecode to exploit template New contract deployment with similar bytecode — not applicable on TRON substrate. EVM bytecode similarity tools (4-byte sig DB, Etherscan similarity scoring) do not apply to TVM bytecode. No public equivalent TVM bytecode-similarity scanning service exists in the methodology toolchain. RD-F-095 gray Known-exploit function-selector replay Function-selector call-pattern (known-exploit replay) — T-09 phase-2 signal. TRON does use 4-byte function selectors per TVM ABI encoding, so the concept is applicable in principle. However, no TVM-specific known-exploit-template selector library exists in the methodology toolchain. Production pipeline not wired for TRON event monitoring. RD-F-096 n/a New ERC-20 approval to unverified contract from whale New ERC-20 approval to unverified contract — not applicable on TRON substrate. Signal specification references ERC-20 token approval mechanics (EVM). TRON uses TRC-20 standard. The signal as defined in the T-09 spec is EVM-centric (ERC-20 approval events, Etherscan unverified-contract detection). Substrate mismatch — signal would need a TRC-20 specific redesign. RD-F-097 gray Sybil surge of identical-pattern transactions Sybil surge of identical-pattern transactions — applicable in principle on TRON (substrate-agnostic concept). On-chain clustering of identical transaction patterns is possible via Tronscan. However, production monitoring pipeline is not wired for TRON sybil-clustering. T-09 phase-2 signal. No active sybil surge found in public data. RD-F-099 gray Oracle price deviation >X% from secondary Oracle price deviation vs secondary source — T-09 phase-2 signal. TRON DAO migrated from WINkLink to Chainlink Data Feeds (Chainlink Scale program, October 2024; confirmed operational May 2025). JustLend uses PriceOracleProxy TCKp2AzuhzV4B4Ahx1ej4mvQgHZ1kH7F7k with Chainlink TRON feeds. Secondary source mapping (TRON-native DEX TWAP or alternate Chainlink feed) not established for JustLend markets. T-09 secondary-oracle map not completed for TRON chain. Pipeline not wired. RD-F-100 n/a Flash loan >$10M targeting protocol tokens Flash loan origination targeting protocol — not applicable on TRON substrate. TRON lacks the EVM flash-loan provider ecosystem (no Aave V3, Balancer, Uniswap V3 flash, Morpho-native flash on TRON mainnet). The Compound v2 fork pattern commonly exploited via flash loans in EVM context does not have an equivalent TRON flash-loan infrastructure. T-09 signal specification references EVM flash-loan sources explicitly. RD-F-102 n/a Admin/upgrade transaction in mempool Admin/upgrade tx in mempool — not applicable on TRON substrate. TRON has no EVM mempool; Flashbots stream, Blocknative, and geth txpool listener do not operate on TRON. TRON transaction propagation uses a different networking model with no equivalent public mempool interface. RD-F-103 n/a Bridge signer-set change proposed/executed Bridge signer-set change — not applicable. JustLend has no bridge surface: data cache layerzero.present = false, has_bridge_surface = false (profile.meta.json). JustLend is TRON-only; no protocol-operated bridge, no LayerZero OApp, no cross-chain functionality. Cat 10 is N/A for this protocol. RD-F-105 gray DNS/CDN/frontend hash drift DNS/frontend hash drift — T-09 phase-2 signal; applicable (substrate-agnostic). No current drift detected on justlend.org. Active impersonation domains exist (justlend-dao.com confirmed phishing; multiple typedream/teachable wallet pages). These are separate impersonator domains, not drift of the legitimate justlend.org domain. Legitimate frontend hash baseline not established in pipeline; no change-management feed configured. RD-F-106 n/a Cross-chain bridge unverified mint pattern Cross-chain bridge tx pattern — not applicable. JustLend is TRON-only with no bridge surface. Data cache: layerzero.present = false, has_bridge_surface = false. No cross-chain functionality exists in the protocol. RD-F-107 n/a Admin EOA signing from new geography/device Admin EOA signing from new geography/device fingerprint — not applicable. This signal requires off-chain signing telemetry (MPC session data, device fingerprints) not available for any protocol publicly, and is EVM-centric in current tooling implementations. TRON admin signing patterns are not monitored by any public tool. Conceptually applicable but requires infrastructure that does not exist in the methodology scope. RD-F-108 gray GitHub force-push to sensitive branch GitHub force-push/sensitive-branch push — T-09 phase-2 signal; applicable (substrate-agnostic). JustLend has public GitHub org (github.com/justlend/justlend-protocol). Last commit 2026-03-24 (data cache). No public alert of force-push or sensitive-branch compromise. GitHub monitoring not in production pipeline. Security.md absent (data cache security_md_present = false). RD-F-110 gray Unusual pending/executed proposal ratio Unusual pending/executed proposal ratio — T-09 phase-2 signal; applicable in principle. TRON GovernorBravo governance exists. Public governance forum (forum.justlend.org) shows normal activity. No anomalous proposal spike visible from public data. TRON governor event monitoring not in production pipeline. RD-F-182 gray Security-Council threshold reduction (RT) Security-Council threshold reduction event (batch-24 RT signal, Cat 6B) — T-09 v1.1 candidate, not production-live. Applicable conditionally: JustLend has GovernorBravo + Timelock governance. The Drift Protocol precursor pattern (3/5→2/5 SC multisig threshold reduction + timelock removal, 6 days before DPRK exploit) is the signal's reference event. Whether JustLend has a Security Council-style multisig with an admin() role on Timelock TRWNvb15NmfNKNLhQpxefFz7cNjrYjEw7x or Unitroller TGjYzgCyPobsNS9n6WcbdLVR9dH7mWqFx7 is unresolved — data cache deployer.address = null, governance.type = 'unknown'. No threshold-reduction event detected from public governance forum or proposal history. Requires Tronscan curator read of admin() on both contracts before this signal can be calibrated. This is a T-09 v1.1 candidate signal not in the production v1 shortlist.

RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly signal — applicable and no anomaly currently. DefiLlama tracks JustLend TVL on TRON; signal is substrate-agnostic (TVL data, not EVM events). Current TVL $3.586B (2026-05-17); 30d change -1.28%; 1d change -0.13%. 30-day median approximately $3.381B (data cache). Current TVL is approximately 6.1% above the 30d median — well within normal range. T-09 tier-A signal (instant grade flip at >30% drop in 1h vs 30d median). Signal would fire if threshold crossed but is not firing today.

RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal — applicable; no depeg currently. JustLend markets include USDT-TRC20, USDC, and USDD (TRON-native stablecoin). USDT and USDC currently stable (no >2% depeg as of 2026-05-17). USDD has had historical peg stress (May 2022 depeg event, recovered). Current USDD status: approximately $1.00 per public data. Signal would fire if any of these stablecoins depegs >2% on ≥2 venues for ≥30 min and protocol's exposure ≥5% of TVL.

Dev identity & insider risk Green 17 16 of 16

RD-F-111 yellow Team doxx status Protocol-level developers are fully pseudonymous GitHub handles (huffstarrr81256, supersmartguy01, ghacct930) with zero OSINT trail, no LinkedIn, no conference presence. GitHub org has 0 public members. Justin Sun is a doxxed ecosystem figurehead (Wikipedia, LinkedIn, Forbes) but is not identified as a direct contract deployer or protocol developer. JUST Foundation describes team as coming from Alibaba/Tencent/IBM without naming individuals. CertiK KYC: 'Not verified'. DeFiSafety 2023 asserts at least two names are findable on LinkedIn, but those names were not surfaced via accessible sources in this assessment. RD-F-112 yellow Team public accountability surface Justin Sun has extensive public accountability surface (LinkedIn, Wikipedia, Forbes 411th richest, conference talks at Consensus HK 2025 and WebX 2025, WTO Ambassador role for Grenada). Protocol-level developers have near-zero verifiable accountability surface — GitHub handles only, no LinkedIn, no conference appearances. DeFiSafety 2023 claims at least two team names are on LinkedIn, but the specific names were not accessible in this assessment (DeFiSafety page returns 403). Blended accountability is low for actual code contributors. RD-F-116 yellow Contributor tenure at admin-permissioned PR Most recent admin-permissioned code change: PR#26 by ghacct930 (merged Mar 24, 2026 — 'security: remove dev private key from config'). GitHub account ghacct930 (user ID 227980261) has 0 public repositories, 0 followers, no bio, and appears to be a recently-created account. Pull Shark badge indicates some prior PR activity elsewhere, but no verifiable tenure as a JustLend contributor before this PR. Low tenure for the most recent privileged code-level change. RD-F-121 yellow Contributor OSINT depth score Justin Sun: 5/5 (LinkedIn, Wikipedia, Forbes, conference appearances, diplomatic role). huffstarrr81256: 1/5 (GitHub handle only). supersmartguy01: 1/5 (GitHub handle, two unrelated public repos). ghacct930: 1/5 (GitHub handle only). Blended score weighted to actual code contributors is 1-2/5. Ecosystem figurehead OSINT depth is high; developer OSINT depth is minimal. RD-F-123 yellow Sudden admin-rescue/ACL change without discussion No sudden admin-rescue or ACL change without preceding public discussion found in last 180 days. Governance forum shows proposal-first pattern: oracle upgrade discussed Dec 2024 before execution; USDDOLD market disable discussed Jul 2025; collateral factor changes discussed Aug 2024; parameter updates Aug 2023 — all have forum threads. GitHub PR history shows 4 closed PRs; PR#26 (Mar 2026, remove dev private key) is routine security hygiene, not an ACL change requiring governance discussion. GovernorBravo 48h timelock structurally constrains unilateral execution. On-chain admin event enumeration (all _setPendingAdmin / _acceptAdmin calls) is NOT exhaustively verified due to Tronscan tooling constraints — scored yellow for partial evidence rather than green. RD-F-125 yellow Deployer linked within 3 hops to DPRK/Lazarus No confirmed DPRK/Lazarus cluster proximity for either JustLend deployer address. TRON blockchain carries OFAC-designated DPRK wallets (Amnokgang Technology Development Company, March 2026, four TRON addresses designated), but no path from those addresses to JustLend deployers TV3Wg2... or TXp6YN... has been confirmed. Justin Sun's SEC civil action (filed March 2023) settled March 2026: Rainberry paid $10M, all personal claims against Sun dismissed with prejudice — NO OFAC component, NO DPRK nexus (per U15 framing). Full 3-hop trace blocked by Tronscan API constraints (401/403). No open-source, OFAC SDN, or Chainalysis public-report reference connects JustLend deployers to DPRK cluster. Score: yellow per U15 — civil/settled action without confirmed OFAC/DPRK nexus does not trigger red or the rubric-level F-grade discretionary override. RD-F-117 n/a ENS/NameStone identity bound to deployer TRON substrate has no ENS registry or NameStone equivalent. The factor measures ENS/NameStone identity binding to a deployer address, which is structurally inapplicable on TRON. Per U7: score not_applicable, no gap_reason. RD-F-119 gray Commit timezone consistent with stated geography GitHub commit history spans 2022-09-18 through 2026-03-24. Team has not publicly stated a geography. Small commit count prevents statistically meaningful tz-anomaly detection. Timezone analysis requires a stated-geography baseline to flag anomalies per factor definition. Cannot assess without curator-provided geography claim. RD-F-120 gray Video-off/voice-consistency flag No protocol-level developer (huffstarrr81256, supersmartguy01, ghacct930) identified as appearing in any public interview, video, or podcast. Absence of video appearances is not the same as video-off refusal per factor definition — the factor requires curator-observed inconsistency (declining video when expected, voice/tz inconsistency). Justin Sun participates in video extensively (no video-off flag). Factor requires curator observation to confirm or deny; automated assessment not possible. RD-F-122 gray Contributor paid to DPRK-cluster wallet No JustLend-to-contributor payment trail traceable to a DPRK cluster found. GitHub contributors are pseudonymous GitHub accounts without wallet linkage. On-chain payment tracing on TRON is blocked by Tronscan API constraints (401 on accountv2 for deployer addresses; 403 on HTML pages). Full 3-hop analysis of contributor payment wallets is not possible without paid blockchain intelligence tooling (Chainalysis, TRM Labs). No positive evidence of DPRK payment routing.

RD-F-113 green Team other-protocol involvement history Justin Sun: TRON founder (2017), HTX advisor/investor — no prior rug or exit-scam protocol affiliation confirmed. JUST Foundation launched JustSwap (now SunSwap) and JustStables — all live TRON protocols with no rug history. Protocol-level developers (huffstarrr81256, supersmartguy01, ghacct930): no prior DeFi protocol involvement traceable via OSINT. No contributor linked to prior rug, exit-scam, or failure-class event.

RD-F-114 green Deployer address prior on-chain history Unitroller deployer TV3Wg2zNUBzGJsJNCEUZ2W9YVsFK2AAcLB: Tronscan blue-tag 'JustLend DAO' on the Unitroller contract confirms protocol association. First visible Tronscan tx Sep 2021 (SCP token receipt); subsequent activity centers on JustLend governance/reward contracts. No prior rug- or exit-scam-labeled protocol found associated with this deployer. GovernorBravo deployer TXp6YNECv5BXtcHuBNku7QsCXCZBvAr5DU: Tronscan API returns sparse data; no DPRK or rug label present. No 'linked-to-prior-rug' classification applies.

RD-F-115 green Prior rug/exit-scam affiliation No team member linked to a prior rug or exit-scam protocol. Justin Sun, JUST Foundation, and the three identified GitHub contributors (huffstarrr81256, supersmartguy01, ghacct930) have no confirmed rug affiliation. The BETL scam incident (Dec 2024) where a Bulgarian crypto scammer deposited stolen funds into JustLend as jUSDT is a passive-venue event per U22/U4 — NOT a team affiliation with the scammer. REKT database: 0 JustLend entries (data cache). CertiK rug pull report does not list JustLend.

RD-F-118 green Handle reuse across failed/rugged projects GitHub handles huffstarrr81256, supersmartguy01, and ghacct930 not associated with any prior rugged or failed DeFi project via web search or GitHub profile inspection. supersmartguy01's two public repos (ChatGPT prompt fork, Cloudflare proxy) are unrelated to DeFi and show no rug-history. No handle reuse pattern across failed projects detected.

RD-F-124 green Deployer wallet mixer-funded within 30 days Unitroller deployer TV3Wg2zNUBzGJsJNCEUZ2W9YVsFK2AAcLB deployed 2020-12-05. No Tornado Cash (EVM-only, not deployed on TRON at time of deploy), Railgun (EVM-only), or TRON-native mixer interaction within 30 days pre-deploy observable. Tronscan API shows no mixer-type counterparty labels on this address. TRON had no functional on-chain mixer equivalent in December 2020. GovernorBravo deployer TXp6YNECv5BXtcHuBNku7QsCXCZBvAr5DU deployed 2022-09-12; Tronscan API returns empty for this address; no mixer label present. 30-day pre-deploy window is clear for both deployers.

RD-F-184 green Real-capital social-engineering persona No curator-flagged instance of a contributor or external integrator depositing ≥$1M of real capital to JustLend DAO or peer TRON protocols as a credibility-building precursor to social engineering. No Drift-style DPRK six-month conference infiltration pattern (UNC4736/AppleJeus) reported against JustLend. No security disclosure, public report, forum post, or law-enforcement filing describes such an event targeting JustLend. Web search for 'JustLend DPRK insider Drift Protocol style' and 'JustLend social engineering contributor attack' returns zero relevant hits. Note: M-only factor with low confidence given pseudonymous developer team — curator should re-evaluate if any contributor later identified with suspicious capital movements.

Fork / dependency lineage Green 17 10 of 10

RD-F-127 yellow Upstream patch not merged Key Compound v2 security patches post-2022 include empty-market/donation attack mitigation (exploited in Hundred Finance 2023, Sonne Finance 2024, Onyx 2023). JustLend GitHub shows no post-2022 commits addressing this specific vector (last substantive code commit: February 2023). Whether JustLend's TVM-adapted codebase has applied the empty-market mitigation is unconfirmed. Yellow rather than red: TVM-specific attack dynamics differ from EVM; no active exploit has occurred; mitigation status requires curator Tronscan verification. RD-F-129 yellow Code divergence from upstream (%) JustLend has substantial divergence from Compound v2 upstream: (1) Full TVM adaptation of all Solidity/EVM constructs; (2) GovernorBravo governance module (not in original Compound v2); (3) jToken naming; (4) TRON-native asset interfaces; (5) sTRX and Energy Rental sub-products (entirely novel). Git diff not computatable via WebFetch — requires local clone. Estimated 30–50% divergence based on qualitative assessment of TVM adaptation overhead plus novel product additions. RD-F-131 yellow Fork retains upstream audit coverage Classification: upstream-only with gap risk. CertiK April 2022 covers JustLend-specific TVM-adapted code partially. Upstream Compound v2 EVM audits (Trail of Bits) do not cover TVM execution environment. GovernorBravo module added November 2022 has no documented audit. ~30-50% code divergence means upstream audit coverage significantly diluted. Yellow: CertiK provides partial coverage but governance additions and TVM-specific code create uncovered gaps. RD-F-132 yellow Fork has different economic parameters than upstream JustLend economic parameters are TRON-specific and differ from Compound v2 upstream defaults. CertiK audit explicitly flagged admin privilege to set oracle addresses and parameter values without limits (6 major findings acknowledged-only). These parameters have not been re-audited since April 2022. Minor deviation: yellow (major deviation without audit = red; minor deviation = yellow per methodology). RD-F-133 yellow Dependency manifest uses unpinned versions package.json dependencies: dotenv ^16.0.1 (unpinned), ethers ^5.7.0 (unpinned), tronweb ^4.3.0 (unpinned). All three use ^ prefix allowing minor version bumps. OpenZeppelin is NOT a dependency. However, these are tooling packages (not deployed on-chain) — the smart contracts themselves have no npm dependencies deployed to TVM. Yellow rather than red because security-critical on-chain code (OZ equivalent) is not unpinned; the unpinned deps are tooling-only.

RD-F-126 green Is-a-fork-of JustLend is a confirmed fork of Compound v2. GitHub repository contains exact Compound v2 component names: CToken.sol, CErc20.sol, CErc20Delegator.sol, CEther.sol, Comptroller.sol, Unitroller.sol, GovernorAlpha.sol, JumpRateModel, WhitePaperInterestRateModel. jTokens are TVM equivalents of cTokens. DefiLlama Compound V2 forks list includes JustLend. Third-party analysis confirms the architecture relationship.

RD-F-128 green Upstream vulnerability disclosure (last 90d) No active Compound v2 upstream security disclosure in the last 90 days (as of May 2026) directly confirmed to affect JustLend's TVM-adapted codebase. The last significant Compound v2 fork exploit pattern was Sonne Finance (May 2024). No 2026 Compound v2 upstream advisory found.

RD-F-130 green Fork depth (generations from original audit) JustLend is a direct fork of Compound v2 (fork depth = 1). No evidence of JustLend being a fork-of-a-fork. Compound v2 is the originally-audited upstream protocol.

RD-F-134 green Dependency had malicious-release incident (last 90d) No known malicious-release advisory in trailing 90 days for dotenv, ethers, or tronweb packages. Smart contract code has no on-chain npm dependencies deployed to TVM. Only tooling packages at risk, and no active advisories found for those packages.

RD-F-135 green Shared-library version with known-vuln status JustLend does not use OpenZeppelin, Solady, or Solmate as smart contract dependencies. The three npm packages (dotenv, ethers, tronweb) are tooling-only and not deployed on-chain. No GHSA advisory found for dotenv 16.x, ethers 5.x, or tronweb 4.x affecting deployed contracts.

Post-deploy hygiene & change mgmt Green 19 13 of 13

RD-F-139 yellow Post-audit code changes without re-audit Post-audit changes deployed without identified re-audit of the changed components. The 2022 CertiK audit covers pre-GovernorBravo architecture. Post-audit significant changes: (1) GovernorBravo contracts added November 2022 — not covered by CertiK audit; (2) BUSD market addition February 2023; (3) March 2026 security config changes. SlowMist covers sTRX only; ChainSecurity 2024 covers stUSDT only. No audit identified covering the GovernorBravo governance infrastructure. Yellow not red: GovernorBravo follows standard Compound-Bravo (well-understood pattern); Timelock is minimal contract; no novel high-risk code detected in post-audit additions. RD-F-140 yellow Fix-merged-but-not-deployed gap CertiK audit: 6 major findings — 2 resolved, 2 mitigated, 1 acknowledged, 1 partially resolved. The acknowledged and partially resolved findings may represent fixes not fully deployed. Specific details not accessible (audit PDF 403 blocked). Cannot confirm no fix-merged-but-not-deployed gap without full audit artifact access. RD-F-143 yellow Reinitializable implementation (no _disableInitializers) CToken.sol has initialize() with manual guard require(accrualBlockNumber == 0 && borrowIndex == 0) — TVM substrate equivalent of re-initialization protection (OZ _disableInitializers() is EVM-specific and not applicable here). CErc20.sol analysis indicates initialize() may reset critical parameters if state variables can be zeroed. Partial mitigation via state-variable guard but not the OZ constructor-pattern lock. Yellow: TVM substrate makes OZ test structurally inapplicable; CToken guard provides partial protection; code-security-analyst must verify CErc20 path with full TVM bytecode analysis. RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant No protocol-level per-window outflow rate-limiter identified on the lending markets. JustLend is TRON-only with no bridge surface (F185 primarily designed for bridge protocols). Partial mitigant: Comptroller's pauseGuardian can halt market operations (mint/borrow/transfer/seize) as a circuit-breaker. TRON DPoS validators have coordination capabilities but no protocol-specific chain-pause documented. Scored yellow: partial operational circuit-breaker (pauseGuardian) exists but no rate-limiter in the formal F185 sense. RD-F-136 gray Deployed bytecode matches signed release tag TVM bytecode comparison against signed release-tag commits requires TRON archival node and TVM bytecode tooling not available in this assessment. No signed git tags confirmed in GitHub commit history. Source code is public but bytecode reproducibility unverifiable with available EVM tools. RD-F-137 gray Upgrade frequency (per 90 days) TRON implementation-change event history requires Tronscan block explorer event API not accessible in this assessment. No significant upgrade events identified through web search in the last 90 days. Cannot confirm upgrade frequency without TRON event indexing. RD-F-138 gray Hot-patch deploys without timelock (last 30 days) No evidence of hot-patch deploys outside the Timelock path in the last 30 days. March 2026 GitHub activity was a config change (removing dev private key), not a contract deployment. Cannot confirm absence of hot-patches without TRON event indexing for implementation changes. RD-F-142 n/a Storage-layout collision risk across upgrades TVM substrate and Compound-style proxy pattern (Unitroller _setPendingImplementation/_acceptImplementation) rather than EIP-1967 transparent proxy. OZ upgrades plugin and storage-layout collision checks are EVM-specific tools not applicable to TRON TVM. Compound-v2-style upgrades preserve storage layout by design via the _become() acceptance mechanism. RD-F-144 n/a CREATE2 factory permits same-address redeploy TRON TVM does not implement CREATE2 in the same manner as EVM. TRON contract deployment uses a different mechanism. CREATE2 redeploy risk is structurally inapplicable on TRON substrate. RD-F-145 gray Deployed bytecode reproducibility TRON TVM bytecode reproducibility requires TVM-specific build toolchain (tronbox/troncompiler equivalent) not accessible in this assessment. Source code is public on GitHub. Bytecode reproducibility from public source cannot be verified with available EVM tools.

RD-F-141 green Test-mode parameters in deploy No confirmed test-mode parameters in production. March 2026 config commit removed dev private key from config file (not from deployed contract). Admin is not the deployer EOA (confirmed by CertiK audit). Oracle is not a test oracle (Chainlink adapter per docs). No test-mode flags identified.

RD-F-146 green New contract deploys in last 30 days No new contract deploys identified in the last 30 days. March 2026 GitHub activity was a config change (private key removal), not a contract deployment. No new Immunefi scope changes or JustLend deployment announcements in 2026 Q1-Q2 found.

RD-F-168 green Stale-approval exposure on deprecated router No deprecated router contracts identified. All 55 Immunefi-scope contracts are active. TRON TVM lacks an ERC-20 allowance scanner equivalent accessible from this assessment. No deprecated router mentioned in docs, GitHub, or governance forum.

Cross-chain & bridge Gray 0 12 of 12

Threat intelligence & recon Red 100 8 of 8

RD-F-161 red Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain registered (typosquat) — red. Active, confirmed protocol-impersonator domain and phishing infrastructure targeting JustLend users. Official domain: justlend.org. Confirmed impersonators: (1) justlend-dao.com — URLScan first scan August 2023; presents as 'JustLend DAO — TRON's premier decentralized money market protocol' with $2.1B TVL claim; misattributes audits to CertiK, SlowMist, PeckShield; uses Cloudflare/PrivacyGuardian.org privacy protection; confirmed active phishing site. (2) web-jus-tlend-dao-wallet.typedream.app, web-justl-end-da-o-wallet.typedream.app, web-justl-endao-wal-let-cdn.typedream.app — multiple typedream-hosted phishing wallet pages. (3) auth-web-justlenddaowallet.teachable.com, web-just-len-dao-walle-t.teachable.com — teachable-hosted phishing pages. At least 6 confirmed phishing/impersonation surfaces identified in this session's web searches as of 2026-05-17. Users connecting wallets to these sites face direct fund loss risk. The 90 RD-F-158 gray Known-threat-actor cluster has touched protocol Known-threat-actor wallet cluster touching protocol — T-09 phase-2 signal; applicable for TRON substrate but requires proprietary feed. TRON is a documented Lazarus Group laundering destination (Chainalysis 2024). OFAC March 2026 designations for DPRK IT worker schemes included TRON-network cryptocurrency addresses. No public source confirms a designated TRON address interacting specifically with JustLend core contracts (Unitroller, GovernorBravo, PriceOracleProxy). Requires TRM Labs or Chainalysis TRON-native cluster analysis. OFAC public designation list was checked — no specific JustLend contract interaction confirmed. RD-F-159 n/a Attacker wallet pre-strike probe (low-gas failing txs) Mempool probe (attacker sending low-gas failing txs) — not applicable on TRON substrate. TRON has no EVM gas/mempool concept. Low-gas failing transaction pattern is an EVM-specific signal requiring EVM mempool monitoring. TRON transaction failures have different diagnostic signatures (bandwidth/energy insufficient) not equivalent to EVM low-gas failures. RD-F-160 gray GitHub malicious-dependency incident touching protocol deps GitHub-flagged malicious-dependency incident — applicable (substrate-agnostic via GitHub). JustLend has public GitHub repo (github.com/justlend/justlend-protocol); data cache package_json_present = true, security_md_present = false. No public GHSA or npm security advisory affecting justlend-protocol dependencies found in this session. Last commit 2026-03-24. P1 signal; GitHub advisory monitoring not in production pipeline. RD-F-162 gray Known-exploit-template selector deployed by any address Known-exploit-template selector-pattern deployed — P2 signal; applicable in principle for Compound v2 fork class (JustLend is a Compound v2 fork on TRON). However, TVM-specific exploit-template databases do not exist in public tooling. No TRON-native equivalent of the EVM 4-byte exploit-selector database. No public evidence of known-exploit-template contract deployed targeting JustLend markets on TRON in recent timeframe. RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Attacker wallet reconnaissance time before strike (similar class) — P2 static/contextual factor. For Compound v2-fork protocols, hack DB shows reconnaissance lead times ranging from near-zero (flash-loan governance: same-block) to 78+ days (USPD-style pre-funding). No known reconnaissance activity against JustLend specifically. For JustLend, the relevant reconnaissance axes would be: (a) WJST accumulation for governance attack; (b) oracle manipulation preparation (TRON Chainlink feed probing); (c) cross-chain bridging to fund TRON wallet. These would be observable on Tronscan but require active monitoring. Curated reconnaissance-time DB for TRON peer protocols not established. RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site — P2 signal; applicable in principle (JustLend GitHub org credentials, oracle poster API keys, domain DNS keys could leak). Data cache security_md_present = false — no formal credential-rotation or disclosure process documented. No public paste-site alert found in this session. Paste/credential monitoring not in production pipeline for JustLend. RD-F-165 gray Protocol social channel has scam-coordinator flag Telegram/Discord channel member flagged as scam-coordinator — P2 signal; applicable in principle. TRON ecosystem has documented social-engineering threat activity (TRON DAO X account compromise May 2025, $45K solicited; SlowMist fake TronLink extension campaign May 2026). JustLend's official Telegram/Discord channels not independently audited in this session — channel identities not confirmed in profile §9 (X account not confirmed either). Curator social watchlist monitoring not established for JustLend channels.

Tooling / compiler / AI Green 17 5 of 5

RD-F-170 yellow Solc version used (known-bug versions flagged) TronSolc 0.5.16 confirmed in tronbox.js. Standard solc 0.5.16 is not on high-severity known-bug list. However: (1) TronSolc is a DIVERGENT fork of solc compiling to TVM bytecode — bugs in TronSolc fork-specific code are not tracked in standard solc bugs.json; (2) solc 0.5.x is EOL without security updates from Solidity team; (3) TronSolc bug surface is unassessable from public advisory databases. Yellow: standard version not on known-high-bug list, but TronSolc fork divergence creates untracked risk. RD-F-174 yellow Dependency tree uses EOL Solidity version TronSolc 0.5.16 (EOL Solidity version) used for all deployed contracts. Standard Solidity 0.5.x EOL — no security updates from Solidity team since 0.5.17 (June 2020). TronSolc is the only practical compiler for existing TVM contracts given TVM's limited compatibility with newer Solidity versions. Yellow rather than red: this is a structural substrate constraint (TRON ecosystem) rather than a discretionary choice by the protocol team. RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Bytecode diff between JustLend TVM bytecode and Compound v2 EVM bytecode is structurally impossible — TVM and EVM are different instruction set architectures. No audited TVM upstream exists to compare against. Structural not_applicable for TVM substrate.

RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub repository has 13 commits from September 2022 to March 2026. Visual inspection of commit metadata reveals no 'Co-authored-by: GitHub Copilot' or similar AI-tool co-authorship trailers. Contributors: ghacct930, supersmartguy01, huffstarrr81256. Very sparse commit history with no AI co-authorship markers found.

RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure found in GitHub README, JustLend docs, Medium posts, or web search results that the team used AI-generated Solidity in production contracts. Protocol launched December 2020, open-sourced July 2022 — predating widespread AI code generation adoption for Solidity.

Response & disclosure hygiene Green 8 4 of 4

RD-F-176 yellow Disclosure SLA public No explicit acknowledgment-time SLA published by JustLend DAO. Immunefi listing shows 'Median 3 days' resolution time as a platform-level observed metric, not a formal commitment. No 'we acknowledge within X hours' SLA found on program page, in docs.justlend.org, or in GitHub repo. Immunefi embargo rule (no public disclosure of unpatched bugs) functions as an implicit disclosure window but a formal SLA is absent. Yellow: no public SLA, though disclosure channel exists.

RD-F-175 green Disclosure channel exists Active Immunefi bug bounty program live since 2022-08-31, covering 55 contracts across the JustLend protocol suite. Security contact email (support@justlend.org) available from GitHub README. The Immunefi program constitutes a structured public disclosure channel with triage and resolution tracking. Median resolution time 3 days per Immunefi platform data.

RD-F-177 green Prior known-ignored disclosure No prior incidents, therefore no post-mortem evidence of an ignored disclosure. CertiK Skynet continuous monitoring (since April 2022 audit) shows no security incidents. Immunefi ineligibility carve-out for bugs covered by CertiK audit is a scope limitation, not evidence of an ignored disclosure. No reports of a disclosed vulnerability being ignored pre-exploit found in any source.

RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found for JustLend DAO or the justlend-protocol repository. GitHub repository has no SECURITY.md and no visible Security tab advisories. Web search for 'JustLend CVE' and 'JustLend GHSA' returned no results. Green per taxonomy: no CVE/GHSA issued.

rubric_version v1.7.0 graded_at 2026-05-17 10:25:35 factors 184 protocol justlend