defirisk.co
rubric v1.7.0

Empty cToken-style market (zero supply/borrow)

JustLend DAO's assessment for RD-F-070 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] JustLend is a confirmed Compound v2 fork. CToken.sol source confirms: (1) exchangeRateStoredInternal() returns initialExchangeRateMantissa when _totalSupply == 0 with no guard; (2) mintFresh() has no minimum totalSupply check; (3) initialize() mints no seed tokens. Comptroller _supportMarket() initializes collateralFactorMantissa = 0 with no seed deposit requirement. The 2022 CertiK audit found no critical empty-market finding; team stated intent to 'lock up a little bit of the underlying assets in each market' but no code-level implementation found. Hundred Finance (April 2023, ~$7.4M) and Sonne Finance (May 2024, ~$20M) exploited the identical cToken empty-market donation vector. Any JustLend jToken market reaching totalSupply == 0 is exploitable. Long-tail markets with thin activity are highest risk.

Sources

  • GitHub
    JustLend Protocol — Comptroller.sol
    Comptroller.sol: _supportMarket() initializes collateralFactorMantissa=0 with no seed deposit enforcement; allMarkets[] populated via _addMarketInternal(); no borrow cap logic present
    retrieved 2026-05-17
  • GitHub
    JustLend Protocol — CToken.sol
    CToken.sol: exchangeRateStoredInternal() returns initialExchangeRateMantissa when _totalSupply == 0; mintFresh() has no floor check; initialize() does not mint seed tokens
    retrieved 2026-05-17
  • URL
    CertiK — Sonne Finance Incident Analysis
    Sonne Finance exploit (May 2024, ~$20M) — same Compound v2 empty-market precision-loss vector
    retrieved 2026-05-17
  • URL
    Compound Community Forum — Hundred Finance Exploit and Compound v2
    Hundred Finance Compound v2 empty market exploit (April 2023, ~$7.4M) — identical attack vector via empty cToken market + donation
    retrieved 2026-05-17
  • Audit
    CertiK Skynet — JustLend Security Assessment 2022
    CertiK Security Assessment JustLend April 8 2022 — 6 major findings (centralization/privilege); no critical empty-market specific finding; team stated intent to 'lock up a little bit of the underlying assets' as remediation per web-referenced audit summary
    retrieved 2026-05-17

Methodology

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation exploit.
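An off-chain version of this check, as an added example that is not defirisk.co's or JustLend's code: it classifies market snapshots by the zero-supply/zero-borrow precondition and mirrors the zero-supply branch of exchangeRateStoredInternal() cited in the evidence. The snapshot values, the symbols jAAA/jBBB/jCCC, the THIN watch tier and its thin_floor threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # Compound v2 fixed-point scale


@dataclass
class Market:
    symbol: str
    total_supply: int    # totalSupply(), cToken units
    total_borrows: int   # totalBorrows(), underlying units
    cash: int            # getCash(), underlying units
    total_reserves: int  # totalReserves(), underlying units
    initial_rate: int    # initialExchangeRateMantissa


def exchange_rate_stored(m: Market) -> int:
    """Mirror of exchangeRateStoredInternal(): zero supply returns the initial rate."""
    if m.total_supply == 0:
        return m.initial_rate
    return (m.cash + m.total_borrows - m.total_reserves) * MANTISSA // m.total_supply


def classify(m: Market, thin_floor: int) -> str:
    # EMPTY is the rubric's precondition: zero supply and zero borrow.
    if m.total_supply == 0 and m.total_borrows == 0:
        return "EMPTY"
    # THIN is an added watch tier (assumption): supply below thin_floor.
    if m.total_supply < thin_floor:
        return "THIN"
    return "OK"


def screen(markets, thin_floor=10**8):
    """Return {symbol: status}; default floor is one whole 8-decimal cToken (assumed)."""
    return {m.symbol: classify(m, thin_floor) for m in markets}


# Constructed snapshots (hypothetical symbols, 6-decimal underlying, 8-decimal cToken).
SAMPLE = [
    Market("jAAA", 5_000_000 * 10**8, 21_000 * 10**6, 80_000 * 10**6, 1_000 * 10**6, 2 * 10**14),
    Market("jBBB", 0, 0, 0, 0, 2 * 10**14),
    Market("jCCC", 50_000, 0, 10, 0, 2 * 10**14),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.symbol, screen([m])[m.symbol], exchange_rate_stored(m))
```

In practice the snapshot fields would be read from each entry of the Comptroller's allMarkets[] list; a market that returns EMPTY meets the methodology's precondition.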


rubric_version v1.7.0 protocol justlend factor RD-F-070 score red collected_at 2026-05-17 10:25:32