Liquity V1 + V2 (LUSD / BOLD)
Immutable-core CDP protocol: v1 (ETH-only collateral, LUSD, fully governance-free, 2021) + v2/BOLD (ETH+LST multi-collateral, user-set interest rates, minimal LQTY-staked governance for incentive direction only, 2025). Combined-version slug — score higher-risk version per factor (U9).
Deployments: Ethereum · $247.0M
01 Risk profile at a glance
0 red · 0 yellow · 12 green
02 Categories & evidence
184 factors · 13 categories
Code & audits Green 9 25 of 25
RD-F-001 yellow Audit scope mismatch v2 has 10 audit engagements with specific commit SHAs (Dedaub Aug-2024 @ 2a859733, Nov-2024 @ 96fa8431, Cantina-fixes May-2025 @ abe7cbfb). Mainnet deployment commits are e367755/b40fa9b (May 19, 2025). The fixes-review commit abe7cbfb is 6 days before deployment, and the deployment commit diff touches only address/broadcast files (not contract source), which strongly implies the deployed bytecode matches the fixes-review scope. Etherscan shows Exact Match verification for v2 TroveManager and BorrowerOperations. No audit PDF cites the deployed commit SHA, so the gap cannot be fully closed from public sources without compiling abe7cbfb and comparing the output against eth_getCode for each deployed address (the solc metadata hash and constructor-set immutable values must be normalised before that comparison, or an otherwise identical build will show as a mismatch).
RD-F-003 yellow Resolved-without-proof findings Dedaub Aug-2024 found 1 high (H1: CollateralRegistry setTroveManager access control) and 14 mediums, all marked resolved. Recon/Gallo found 2 highs (Batch Shares Math Rebase, Insufficient Flashloan Protection), both resolved in subsequent audit rounds. Cantina competition found 0 critical/high, 2 mediums acknowledged but not fixed, and 36 lows acknowledged. No high/critical finding was marked resolved without the fix being confirmed in a later audit round; the 2 unresolved Cantina mediums place this at yellow.
RD-F-007 yellow Bug bounty presence & max payout v2/BOLD has an active Cantina bounty (max 125,000 BOLD for critical, approx $125K at peg). The v1 bounty was discontinued after 4 years, post-v2 launch (team judgment: immutable, battle-tested). Payout denominated in BOLD rather than USD adds uncertainty; 125K BOLD sits at the low end of the $100K-$500K yellow/green band; the platform is Cantina, not Immunefi.
RD-F-010 yellow Static-analyzer high-severity count No published Slither/Mythril run against the deployed v2 bytecode is available. The Cantina competition (800 researchers, 5 weeks, Mar-Apr 2025) found 0 critical/high findings; Dedaub Nov-2024 and the Dedaub fixes review each found 0 critical/high. A multi-round competitive audit process is a strong proxy for a low high-severity static-finding count. No tool run was performed locally (T-10 constraint).
RD-F-014 yellow Reentrancy guard on external-calling functions StabilityPool source inspection confirms no explicit nonReentrant modifier on functions that make external token calls (boldToken.burn, collToken.safeTransfer). The collateral tokens (WETH, wstETH, rETH) are well-behaved ERC-20s with no transfer callbacks, so the practical risk is low, and neither the Cantina competition nor any other audit found a reentrancy path in core. The architecture partially mitigates the risk, but the absence of explicit guards is a yellow signal.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts v2/BOLD has an active Cantina bounty covering the liquity/bold and liquity/V2-gov repos (max 125,000 BOLD for critical); the scope tab could not be fully verified via WebFetch. v1 is unbountied (discontinued after v2 launch) but holds ~$174.6M TVL in immutable contracts. Per the factor's focus on highest-TVL contracts: v2 core contracts appear to be in Cantina scope; v1 core contracts, which hold the larger share of TVL, are unbountied. Yellow given (a) scope tab not fully confirmed and (b) the v1 unbountied-but-immutable posture. Platform is Cantina, not Immunefi.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Neither v1 nor v2 uses the UUPS proxy upgrade pattern. All contracts are direct, non-upgradeable implementations with constructor-based initialization; _authorizeUpgrade does not exist in any Liquity contract.
RD-F-023 n/a Constructor calls _disableInitializers() Neither v1 nor v2 uses an upgradeable proxy pattern, so _disableInitializers() has no role. All contracts use direct constructors; the OZ _disableInitializers() pattern is irrelevant for non-proxied contracts.
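The eth_getCode comparison RD-F-001 calls for, as an added example (not Liquity's code or tooling): it normalises two runtime bytecodes by stripping the solc CBOR metadata trailer and masking the immutable slots, then compares them and reports the immutable values actually embedded on chain. The bytecode, metadata hashes and immutable offsets below are constructed; in a real run `deployed` would come from web3.eth.get_code(address) and `compiled` plus `immutable_refs` from the solc standard-JSON output for commit abe7cbfb (evm.deployedBytecode.object and evm.deployedBytecode.immutableReferences).

```python
"""Runtime-bytecode comparison for an audit-scope check (added example).

Real inputs: deployed = web3.eth.get_code(addr); compiled and immutable_refs
from solc standard-JSON output for the audited commit
(evm.deployedBytecode.object / evm.deployedBytecode.immutableReferences).
Everything below is constructed sample data, not Liquity bytecode."""
from __future__ import annotations

from collections.abc import Sequence

ImmRefs = Sequence[tuple[int, int]]  # (byte offset, length) pairs


def strip_metadata(runtime: bytes) -> bytes:
    """Drop the CBOR metadata trailer solc appends to runtime code.

    Layout: <code> <CBOR map> <2-byte big-endian length of the CBOR map>.
    The map embeds a hash of the full source tree, so two builds of identical
    contract code can still differ here (paths, comments, compiler settings).
    """
    if len(runtime) < 3:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(runtime):
        return runtime
    trailer = runtime[-(meta_len + 2):-2]
    # Plausibility: a CBOR map (major type 5) carrying an ipfs/bzzr source hash.
    is_map = (trailer[0] & 0xE0) == 0xA0
    if not is_map or not any(key in trailer for key in (b"ipfs", b"bzzr")):
        return runtime
    return runtime[:-(meta_len + 2)]


def mask_immutables(code: bytes, refs: ImmRefs) -> bytes:
    """Zero the ranges solc reports in immutableReferences. The compiler leaves
    them as zeros; deployed code holds the constructor-set values, so both
    sides must be masked before comparing."""
    buf = bytearray(code)
    for start, length in refs:
        buf[start:start + length] = bytes(length)
    return bytes(buf)


def compare_runtime(deployed: bytes, compiled: bytes, immutable_refs: ImmRefs = ()) -> dict:
    """Exact match, match after metadata/immutable normalisation, and the
    immutable values embedded on chain (to check against expected addresses)."""
    d, c = strip_metadata(deployed), strip_metadata(compiled)
    return {
        "exact_match": deployed == compiled,
        "code_match": mask_immutables(d, immutable_refs) == mask_immutables(c, immutable_refs),
        "deployed_immutables": [d[s:s + n].hex() for s, n in immutable_refs],
    }


def cbor_metadata(ipfs_digest: bytes, solc_version: tuple[int, int, int]) -> bytes:
    """solc-style trailer: {"ipfs": <34-byte multihash>, "solc": <3 bytes>}."""
    assert len(ipfs_digest) == 32
    return (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43" + bytes(solc_version))


def build_runtime(immutable_value: bytes, ipfs_digest: bytes) -> tuple[bytes, list[tuple[int, int]]]:
    """Constructed runtime: standard solc prologue, PUSH20 <immutable>, STOP,
    then the metadata trailer. Returns the code and its immutableReferences."""
    prologue = bytes.fromhex("608060405234801561001057600080fd5b50")
    code = prologue + b"\x73" + immutable_value + b"\x00"
    meta = cbor_metadata(ipfs_digest, (0, 8, 24))
    return code + meta + len(meta).to_bytes(2, "big"), [(len(prologue) + 1, 20)]


def demo() -> dict:
    """Deployed code carries a real immutable (here the page's Chainlink ETH/USD
    address) and the deployer's metadata hash; the local build of the audited
    commit has a zeroed immutable and a different metadata hash."""
    oracle = bytes.fromhex("5f4ec3df9cbd43714fe2740f5e3616155c5b8419")
    deployed, refs = build_runtime(oracle, bytes([0x11]) * 32)
    compiled, _ = build_runtime(bytes(20), bytes([0x22]) * 32)
    return compare_runtime(deployed, compiled, refs)


if __name__ == "__main__":
    print(demo())
```

Exact match fails whenever the audited checkout and the deployer's checkout differ in file paths or compiler settings, because the metadata hash covers the whole source tree; the normalised comparison is the one that answers the scope question, and the extracted immutable values should then be checked against the published addresses file.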
RD-F-002 green Audit recency Dedaub Cantina-fixes review signed off May 13, 2025; Cantina competition ended Apr 27, 2025; ChainSecurity audited through May 2025. As of the assessment date (May 16, 2026) the most recent engagement is ~12 months old. Note that the May 13, 2025 Dedaub sign-off alone is 368 days old on that date, so the green under the 365-day threshold rests on the ChainSecurity engagement running later into May 2025; re-check at the next assessment.
RD-F-004 green Audit count v1: Trail of Bits (3 engagements) + Coinspect = 2 distinct firms. v2: Dedaub + ChainSecurity + Coinspect + Recon + Certora + Cantina (competition) = 6 distinct firms. Combined: 7 distinct audit firms across both versions. Well above the 2-firm green threshold.
RD-F-005 green Audit firm tier Trail of Bits and Certora qualify as Tier-1 under taxonomy definition. ChainSecurity is Tier-1 equivalent (Swiss firm with major protocol audit track record). Dedaub and Coinspect are Tier-2 established firms. At least two Tier-1 firms audited Liquity.
RD-F-006 green Audit-to-deploy gap Dedaub Cantina-fixes review: May 13, 2025 sign-off; deployment: May 19, 2025 = 6-day gap (well within 60-day green threshold). Cantina competition ended Apr 27, 2025; deploy May 19 = 22 days. v1: ToB Mar 2021 audit; deploy Apr 5, 2021 = ~26 days. All within green.
RD-F-008 green Ignored bounty disclosure No evidence of ignored bounty disclosure for either v1 or v2. The Feb 2025 Stability Pool vulnerability was discovered internally before mainnet launch and immediately actioned (full halt + redeployment). v1 has zero exploits in 5 years of immutable operation. Rekt database shows no incidents.
RD-F-009 green Formal verification coverage Certora formal verification for v2 (December 2024) covers batch delegation logic and interest rate management invariants — two of the most complex v2 subsystems. Certora report is publicly available. Additionally, Recon review documented extensive invariant specifications covering trove sorting, debt accounting consistency, batch PPFS monotonicity, and collateral surplus changes. This represents substantive FV coverage for an original protocol. v1 had no formal verification (Trail of Bits 2021 pre-dates widespread FV practice), but score is on the operative v2 version. Per profile §11 flag, this is a formal verification exemplar.
RD-F-011 green SELFDESTRUCT reachable from non-admin path v2 contracts (BorrowerOperations, TroveManager, StabilityPool) are non-upgradeable with constructor-based initialization. GitHub source inspection shows no selfdestruct in visible core contract code paths. v1 is 5-year battle-tested immutable with no exploit or selfdestruct finding from 3 ToB audits. No audit finding of SELFDESTRUCT in any engagement across either version.
RD-F-012 green delegatecall with user-controlled target v2 contracts do not use delegatecall to user-controlled targets. Contracts interact with fixed-address interfaces set at deployment via AddressesRegistry (ownership renounced post-setup). ToB v1 audits confirmed no user-controlled delegatecall. Cantina competition found no such vulnerability.
RD-F-013 green Arbitrary call with user-controlled target Core v2 contracts make external calls only to fixed-address contract references (boldToken, activePool, collToken) set at deployment and immutable thereafter. Recon found a flashloan callback issue in peripheral Zapper contracts (not core) which was resolved in subsequent audit rounds. No arbitrary user-controlled call target in core contracts.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard v2 collateral tokens are WETH, wstETH, and rETH — all standard ERC-20s with no ERC-777 tokensReceived or ERC-1155/ERC-721 onReceived callbacks. v1 uses native ETH only. No ERC-777/1155/721 hook integration risk in either version.
RD-F-016 green Divide-before-multiply pattern No published divide-before-multiply Slither finding for Liquity v1 or v2. LiquityMath.sol uses explicit WAD/decimal scaling throughout. Certora FV covered mathematical invariants (interest rate, batch logic). 10 audit engagements with no divide-before-multiply finding reported.
RD-F-017 green Mixed-decimals math without explicit scaling v2 uses WETH (18 dec), wstETH (18 dec), rETH (18 dec) — all same-decimal tokens; no cross-decimal arithmetic risk. v1 uses native ETH only. LiquityMath.sol uses explicit WAD normalization. Certora FV covered interest rate and batch math invariants. No audit finding of mixed-decimal arithmetic confusion.
RD-F-018 green Signed/unsigned arithmetic confusion No audit finding of signed/unsigned arithmetic confusion across 10 audit engagements. v2 uses Solidity 0.8.24 with built-in overflow/underflow checks. v1 uses 0.6.11 with explicit SafeMath-equivalent patterns. Three ToB v1 audits found no such issue.
RD-F-019 green ecrecover zero-address return unchecked v1 LUSDToken permit() uses ecrecover with standard guard (recoveredAddress != address(0)) confirmed from GitHub source. v2 BOLD token uses OZ ERC20Permit which internally handles ecrecover correctly. No audit finding of unchecked ecrecover return in either version.
RD-F-020 green EIP-712 domain separator missing chainId v1 LUSDToken EIP-712 domain separator includes chainId via _CACHED_CHAIN_ID + _buildDomainSeparator(). v2 BOLD uses OZ ERC20Permit which includes chainId in domain separator by design. Both versions are cross-chain replay protected.
RD-F-022 green Public initialize() without initializer modifier No initialize() function exists in v1 or v2 core contracts. v2 uses constructor-based immutable initialization; AddressesRegistry uses setAddresses() + _renounceOwnership(). v1 uses setAddresses() + _renounceOwnership(). No proxy pattern, no initializer risk.
RD-F-024 green Code complexity vs audit coverage 10 audit engagements including 5-week Cantina competition with 800+ researchers, Certora FV, Dedaub ×3, ChainSecurity ×2, Coinspect ×2, Recon ×1. Audit density is extremely high for codebase size. No finding suggesting audit scope was inadequate for code complexity.
Governance & admin Green 0 24 of 24
RD-F-026 n/a Upgrade multisig signer configuration (M/N) No upgrade multisig exists for any core protocol contract. The only Safe (0xf06016d822943c42e3cb7fc3a6a3b1889c1045f8) is a bounty-fund management Safe with no protocol-admin authority. No M/N applicable.
RD-F-027 n/a Single admin EOA No single admin EOA controls v1 or v2 core contracts; the protocol is immutable by design and no admin key exists. v2 Governance ownership is renounced via _renounceOwnership() after initial-initiative registration; v2 BoldToken ownership is renounced post-setup. The v1 deployer (0xa850535) has no ongoing authority over any v1 contract.
RD-F-028 n/a Low-threshold multisig vs TVL No multisig controls core protocol contracts. The only Safe (0xf06016) is a bounty-fund Safe with no protocol-admin authority, so there is no M/N threshold to evaluate against the TVL peer cohort.
RD-F-029 n/a Multisig signers co-hosted No protocol-admin multisig exists. The factor requires a multisig whose signers could be co-hosted; structurally inapplicable.
RD-F-030 n/a Hot-wallet signer flag No protocol-admin multisig signers exist to assess for hot-wallet behavior. Structurally inapplicable.
RD-F-031 n/a Signer rotation recency No protocol-admin multisig signer set exists to rotate. Structurally inapplicable for an immutable-core protocol.
RD-F-032 n/a Timelock duration on upgrades No timelock is correct-by-design for an immutable protocol: no upgrade operations exist that a timelock could gate. v2 Governance has no timelock on incentive-direction decisions, which are low-stakes (they redirect 25% of revenue to initiatives and cannot touch collateral). Timelock absence is not a red here; it is architecturally consistent with the immutable design.
RD-F-033 n/a Timelock on sensitive actions No sensitive admin actions (mint/pause/rescue/setOracle/upgrade) can be timelock-gated because none exist in core contracts. v1 is fully automated; v2 core is immutable. There is no admin-callable pause or rescue function.
RD-F-034 n/a Guardian/pause-keeper distinct from upgrader No guardian, pause-keeper, or upgrader role exists. Liquity v1 and v2 cannot be paused by any party; the protocol is censorship-resistant by design.
RD-F-035 n/a Role separation: upgrade ≠ fee ≠ oracle No admin roles for upgrade, fee, or oracle exist in v1 or v2 core contracts. Role separation is trivially satisfied because there are no roles to separate.
RD-F-041 n/a Rescue/emergencyWithdraw without timelock No rescue or emergencyWithdraw function exists in any v1 or v2 core contract, the immutable contracts cannot be upgraded to add one, and no admin key exists to call one. The factor presupposes an admin-callable drain function, which is structurally impossible in Liquity's design.
RD-F-043 n/a Admin = deployer EOA after 7 days No deployer EOA holds an admin key for any core contract post-setup. v1 deployer (0xa850535): setAddresses() was a one-time bootstrap that wired addresses and granted no ongoing admin power. v2 BoldToken ownership was renounced via _renounceOwnership(); v2 Governance ownership was renounced after registerInitialInitiatives(). No deployer-EOA admin key persists beyond the initial setup window.
RD-F-044 n/a Admin wallet interacts with flagged addresses No ongoing admin wallet exists for core protocol contracts, and the v1 deployer has no ongoing authority. The factor presupposes an admin wallet with persistent privileged access, which is structurally absent.
RD-F-047 gray Governance token concentration (Gini) LQTY holder distribution was not computed within the session budget. The time-weighted voting design (staking-age multiplier) reduces practical power concentration: even large LQTY holders start at 0 voting power until staking age accrues, so a Gini over raw balances overstates governance concentration and a Gini over accrued voting power is the more relevant measure. An exact coefficient requires an on-chain holder scan of the LQTY token (0x6DEA81). Curator should run a Dune Analytics query for the top-N holder distribution.
RD-F-167 n/a Deprecated contract paused but pause reversible by live admin v1 is in a legacy-immutable state: no admin role exists to retain any pause over deprecated surfaces, and v1 contracts cannot be paused by any party. The factor presupposes an admin with retained pause authority, which is structurally absent.
RD-F-025 green Admin key custody type Both v1 and v2 core contracts are fully immutable with no admin key. Docs explicitly confirm: 'Liquity has no admin key, and nobody can alter the rules of the system in any way.' v2 Governance owner renounced post-setup. Admin custody type = immutable (no admin) for all core contracts.
RD-F-036 green Flash-loanable voting weight v2 Governance uses time-weighted staked LQTY. New LQTY staked starts at voting power = 0. Voting power = LQTY amount x staking age (linear accrual). Flash loans cannot accumulate staking age within one block. Docs explicitly state: 'The new amount added starts off with a voting power of 0 (to prevent flash-loan-like abuses).' Epoch cutoff (final 24h upvoting-freeze) provides additional protection against last-minute manipulation.
RD-F-037 green Quorum achievable via single-entity flash loan Flash-loan quorum attack is structurally impossible. New staked LQTY = 0 voting power; flash-borrowed LQTY cannot participate in current or prior epoch snapshots. Dynamic voting threshold = 2% of prior epoch total votes, computed from prior-epoch snapshots that exclude same-block positions.
RD-F-038 green Proposal execution delay < 24h v2 Governance operates on weekly 7-day epochs. Phase 2 (final 24h): only veto increases or vote decreases permitted; upvoting is closed. Minimum effective delay from vote-lock to execution is ~24h within any epoch. No instant-execution path. Initiative rewards claimable only after epoch close.
RD-F-039 green delegatecall/call in proposal execution without allowlist v2 Governance calls initiatives via safeCallWithMinGas() with specific function selectors — not arbitrary delegatecall to proposal-supplied targets. multiDelegateCall() is an internal batching utility for user-facing batch operations (depositLQTY + allocateLQTY combinations), not an arbitrary proposal execution path with attacker-supplied targets. No target allowlist needed because call targets are registered initiative addresses, not proposal payloads.
RD-F-040 green Emergency-veto multisig present No emergency-veto multisig needed. v2 Governance has built-in epoch-cutoff anti-manipulation: final 24h allows only veto increases or vote decreases. Governance cannot drain collateral or modify core contracts — the stakes of governance manipulation are limited to incentive misallocation, not fund loss.
RD-F-042 green Admin has mint() with unlimited max BOLD token mint() is restricted to BorrowerOperations (BO) and ActivePool (AP) contract addresses — internal protocol contracts, not an admin EOA. Guard: _requireCallerIsBOorAP(). Owner cannot grant mint to arbitrary addresses. Ownership renounced post-setup via _renounceOwnership() called in setCollateralRegistry(). Minting structurally bounded by CDP collateral mechanics — no mint without corresponding collateral. LUSD (v1) similarly had no admin-callable mint.
RD-F-045 green Constructor args match governance proposal v1 and v2 are original protocols (not DAO-governed deploys). v2 was launched from a fully-documented deployer with addresses published in bold/contracts/addresses/1.json. The addresses file and the live contracts on Etherscan match. No governance proposal stated addresses that differ from deployed addresses.
RD-F-046 green Contract unverified on Etherscan/Sourcify All v1 and v2 core contracts are verified on Etherscan with exact-match source verification. v1 BorrowerOperations (0x24179C) verified Solidity 0.6.11. v2 BOLD token (0x6440f1) verified Solidity 0.8.24 exact match. v2 Governance (0x807def) verified. Protocol launched with all ABI publicly available.
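As an added example for RD-F-036/037 and RD-F-047 (not the V2-gov contract code): a model of the time-weighted voting power the page describes, power = staked amount x staking age with new stake entering at 0, plus a Gini coefficient computed over raw balances and over accrued power. The staker set is constructed; the top-up rule (move an amount-weighted average deposit timestamp toward the current time) is an assumption chosen so that a top-up adds no power at the moment it lands, which is the property the docs state.

```python
"""Time-weighted voting power and concentration (added example, not V2-gov code)."""
from __future__ import annotations

from dataclasses import dataclass

LQTY = 10**18   # token has 18 decimals
DAY = 86_400


@dataclass(frozen=True)
class Stake:
    amount: int         # staked LQTY in wei
    avg_timestamp: int  # amount-weighted average deposit time (unix seconds)


def deposit(stake: Stake | None, amount: int, now: int) -> Stake:
    """Add stake that enters with zero age (assumption: fold it into an
    amount-weighted average timestamp, so total power is unchanged at `now`)."""
    if stake is None or stake.amount == 0:
        return Stake(amount, now)
    total = stake.amount + amount
    avg = (stake.amount * stake.avg_timestamp + amount * now) // total
    return Stake(total, avg)


def voting_power(stake: Stake, now: int) -> int:
    """power = amount x staking age (linear accrual), as the page states."""
    return stake.amount * (now - stake.avg_timestamp)


def gini(values: list[int]) -> float:
    """Gini coefficient in [0, 1]; 0 means perfectly equal."""
    xs = sorted(v for v in values if v >= 0)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0
    weighted = sum((i + 1) * x for i, x in enumerate(xs))
    return (2 * weighted) / (n * total) - (n + 1) / n


def demo() -> dict:
    """Constructed staker set: four stakers with 10..30 days of age and a whale
    whose 1M LQTY arrives in the current block (flash-borrowed or not, the
    protocol cannot tell; either way it has zero age)."""
    t0 = 1_700_000_000
    now = t0 + 30 * DAY
    stakes = {
        "a": deposit(None, 1_000 * LQTY, t0),
        "b": deposit(None, 2_000 * LQTY, t0 + 10 * DAY),
        "c": deposit(None, 500 * LQTY, t0),
        "d": deposit(None, 1_500 * LQTY, t0 + 20 * DAY),
        "whale": deposit(None, 1_000_000 * LQTY, now),
    }
    powers = {name: voting_power(s, now) for name, s in stakes.items()}
    a_topped = deposit(stakes["a"], 5_000 * LQTY, now)  # top-up confers nothing yet
    return {
        "whale_power": powers["whale"],
        "whale_share_of_power": powers["whale"] / sum(powers.values()),
        "gini_balances": round(gini([s.amount for s in stakes.values()]), 3),
        "gini_power": round(gini(list(powers.values())), 3),
        "topup_keeps_power": voting_power(a_topped, now) == powers["a"],
        "whale_power_after_7d": voting_power(stakes["whale"], now + 7 * DAY),
    }


if __name__ == "__main__":
    print(demo())
```

The whale holds over 99% of staked balance but 0% of voting power in the block it arrives, which is why a balance-only Gini (0.796 here) overstates governance concentration relative to a power-based one (0.38); the same whale does accrue real power after a week, so the mechanism delays rather than prevents concentration.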
Oracle & external dependencies Green 15 17 of 17
RD-F-051 yellow Fallback behavior on oracle failure v1: 5-state Chainlink+Tellor machine; when both are untrusted it returns lastGoodPrice (stale-price risk during large ETH moves). v2: _shutDownAndSwitchToLastGoodPrice() calls shutdownFromOracleFailure() -- a permanent branch halt. LST branches have an intermediate fallback (ETH/USD x canonical rate) before full shutdown. The v2 fallback is a graceful terminal halt, not a live secondary oracle. Yellow: a fallback exists, but v2's secondary is lastGoodPrice at shutdown (a stale price used in wind-down), not a live replacement oracle.
RD-F-052 yellow Breakage analysis per dependency (1) Chainlink ETH/USD failure, v2: the WETH branch shuts down permanently. Because ETH/USD is also an input to the wstETH and rETH branches (RD-F-048, RD-F-050), an ETH/USD failure is not confined to the WETH branch; the isolation property holds for failures of LST-specific feeds and rate providers. (2) Chainlink ETH/USD failure, v1: Tellor fallback, then lastGoodPrice if both fail. (3) LST-specific Chainlink feed failure (stETH/USD or rETH/ETH): that branch shuts down. (4) Lido/Rocket Pool canonical-rate provider failure: that branch shuts down. No cross-branch contagion in v2 from (3) or (4); BOLD continues while at least one branch is live. Yellow: the analysis covers the major dependencies but is curator-derived, with no formal simulation.
RD-F-057 yellow Circuit breaker on price deviation v1: a >50% deviation between consecutive Chainlink rounds marks Chainlink untrusted and triggers the Tellor fallback (a functional circuit breaker). v2: no explicit bps deviation check between rounds, only the staleness check (answer > 0 and timestamp freshness). v2 branch shutdown is the ultimate circuit breaker but fires on staleness, not on price deviation; no configurable maxDeviationBps variable was found in the v2 PriceFeed contracts. Yellow: v1 has a partial circuit breaker; v2 lacks an explicit deviation guard, so a fresh round with an anomalous answer passes v2 validation.
RD-F-058 yellow Max-deviation threshold (bps) v1: ~50% deviation between consecutive Chainlink rounds, documented in PriceFeed.sol (value confirmed from source). v2: no bps deviation threshold is configured; the only shutdown trigger is staleness via the branch-shutdown mechanism, so there is no equivalent numeric threshold to report. Yellow: v1 has a configured threshold; v2 does not.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig The Chainlink ETH/USD feed (0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419) is one of Chainlink's most mature feeds (live since 2019; 0.5% deviation threshold and 3600s heartbeat per cache). The minAnswer/maxAnswer bounds live on the aggregator behind the proxy and require an on-chain read to verify; they were not obtainable via WebFetch. Yellow pending curator verification: read aggregator() on the proxy, then minAnswer()/maxAnswer() on that contract, and check whether the v2 PriceFeed would reject an answer pinned at either bound (the page documents only the answer > 0 and staleness checks). A high-quality feed lowers the probability of misconfiguration but does not substitute for verification.
RD-F-180 yellow Immutable oracle address [★ CANDIDATE per PD-017 -- flag for T-14] v2 oracle addresses are stored in an Oracle public struct (not a Solidity immutable), but the PriceFeed contracts are fully immutable: no proxy, no admin key, and no setter (no setOracle(), updateFeed(), or equivalent in WETHPriceFeed, MainnetPriceFeedBase, WSTETHPriceFeed, or RETHPriceFeed). No admin can change the oracle address post-deploy, which is functionally equivalent to immutability. v1 uses setAddresses() + immediate renounceOwnership() with the same outcome. The F180 risk is real: if Chainlink ETH/USD is deprecated there is no migration path short of users migrating to a new Liquity deployment. Mitigated by (1) per-branch isolation (one branch failure does not cascade), (2) the shutdown/lastGoodPrice graceful halt, (3) the maturity of the Chainlink ETH/USD feed (low deprecation risk), and (4) the Tellor fallback in v1. Yellow: risk present and partially mitigated; not green (migration impossible) and not red (strong mitigations).
RD-F-054 n/a TWAP window duration Neither v1 nor v2 uses DEX TWAP oracles. All oracles are push-model (Chainlink, Tellor); no OracleLibrary.consult() calls appear in any PriceFeed contract. Not applicable.
RD-F-055 n/a Oracle pool depth (USD) No DEX pool oracle feeds are used in either v1 or v2, only Chainlink push oracles. Not applicable.
RD-F-056 n/a Single-pool oracle (no medianization) Push oracles (Chainlink) are not pool-based; this factor applies to DEX-pool oracles. Chainlink aggregates multiple data providers internally. Not applicable to a push-oracle architecture.
RD-F-181 n/a Permissionless-pool lending oracle Liquity is a CDP with fixed collateral types (ETH in v1; ETH, wstETH, rETH in v2), hard-coded at deployment; no user can add collateral types or oracle venues. It is not a permissionless lending market. This factor applies to protocols like Euler/Morpho where users can create new markets that accept spot prices from DEX pools; Liquity has no such architecture.
RD-F-048 green Oracle providers used v1 LUSD: Chainlink ETH/USD (0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419) primary + Tellor fallback. v2 BOLD: Chainlink ETH/USD (WETH branch), Chainlink stETH/USD + ETH/USD (wstETH branch), Chainlink rETH/ETH + ETH/USD (rETH branch). No DEX TWAP oracles. Confirmed via Etherscan constructor arg decode for WETHPriceFeed (0xcc5f8102eb670c89a4a3c567c13851260303c24f): _ethUsdOracleAddress = 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419.
RD-F-049 green Oracle role per asset v2: each branch has one Chainlink feed as primary, LST rate provider as canonical-rate cross-check (secondary bound). On primary failure: branch shutdown (not live fallback to another push oracle). v1: Chainlink primary, Tellor secondary/fallback with documented 5-state machine. All assets have a defined fallback path.
RD-F-050 green Dependency graph (protocols depended upon) External dependencies: (1) Chainlink ETH/USD -- all branches; (2) Chainlink stETH/USD -- wstETH branch; (3) Chainlink rETH/ETH -- rETH branch; (4) Lido wstETH stEthPerToken() -- canonical rate; (5) Rocket Pool rETH exchangeRate() -- canonical rate; (6) Tellor (v1 only). No Aave, Uniswap, or Curve dependencies in core path. Liquidations are permissionless (no keeper dependency). Branch isolation prevents single-dependency failure from cascading to other branches.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] No spot DEX price usage in any v1 or v2 pricing path. v1 uses Chainlink ETH/USD push oracle (0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419) with Tellor fallback. v2 uses Chainlink push feeds. No slot0() or getReserves() calls found in any PriceFeed contract. Chainlink Data Feed is a push oracle aggregating multiple data sources, not a DEX pool. Green confirmed.
RD-F-059 green Oracle staleness check present v1: TIMEOUT = 14400 (4 hours), a hardcoded constant; Chainlink data older than 4h triggers the Tellor fallback. v2: the staleness threshold is set per oracle at construction. WETH branch: _ethUsdStalenessThreshold = 86400 (24h), confirmed from the Etherscan constructor-arg decode. _isValidChainlinkPrice checks block.timestamp - chainlinkResponse.timestamp < _stalenessThreshold AND answer > 0. The check is present and verified in source. Note: 86400s (24h) is well above the 3600s threshold the taxonomy marks green for volatile assets; curator should flag this as a borderline observation. The Chainlink ETH/USD heartbeat is 1h, so the branch would keep accepting a price up to 24h old (24 missed heartbeats) before shutting down. The feed's 0.5% deviation trigger only helps while the feed is still updating; once it has stopped, the staleness window is the only defense, which is why the window length matters. The value is still within industry norms for ETH/USD.
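A reduced model of the oracle acceptance rules RD-F-051/057/058/059 cite, as an added example (not Liquity's PriceFeed code, which has more states and paths than this): v1 accepts a Chainlink round only if it is younger than TIMEOUT, positive, and within 50% of the previous round, falling back to a fresh Tellor value and then to lastGoodPrice; v2 accepts any positive round younger than the branch's staleness threshold and otherwise shuts the branch down permanently on lastGoodPrice. The round data is constructed; applying the same TIMEOUT to Tellor and the exact deviation formula are assumptions.

```python
"""Reduced model of the v1 and v2 oracle acceptance rules (added example; not
Liquity's PriceFeed code, which has more states and paths than this)."""
from __future__ import annotations

from dataclasses import dataclass

WAD = 10**18
V1_TIMEOUT = 14_400                 # page: v1 TIMEOUT = 14400 (4h)
V1_MAX_DEVIATION = WAD // 2         # page: ~50% between consecutive Chainlink rounds
V2_WETH_STALENESS = 86_400          # page: _ethUsdStalenessThreshold = 86400 (24h)


@dataclass(frozen=True)
class Round:
    answer: int     # price in WAD (USD per ETH); <= 0 is treated as broken
    timestamp: int  # unix seconds of the round update


def is_fresh(r: Round, now: int, threshold: int) -> bool:
    """The page's validity rule: answer > 0 and age strictly below threshold."""
    return r.answer > 0 and (now - r.timestamp) < threshold


def deviation_too_large(current: Round, previous: Round) -> bool:
    """|cur - prev| / max(cur, prev) > 50%, in WAD arithmetic (assumed formula)."""
    hi = max(current.answer, previous.answer)
    lo = min(current.answer, previous.answer)
    if hi <= 0:
        return True
    return (hi - lo) * WAD // hi > V1_MAX_DEVIATION


def v1_fetch_price(chainlink: Round, chainlink_prev: Round, tellor: Round,
                   last_good_price: int, now: int) -> tuple[int, str]:
    """Prefer a fresh, non-deviating Chainlink round; else a fresh Tellor value
    (same TIMEOUT assumed); else the possibly stale lastGoodPrice."""
    chainlink_ok = (is_fresh(chainlink, now, V1_TIMEOUT)
                    and chainlink_prev.answer > 0
                    and not deviation_too_large(chainlink, chainlink_prev))
    if chainlink_ok:
        return chainlink.answer, "chainlinkWorking"
    if is_fresh(tellor, now, V1_TIMEOUT):
        return tellor.answer, "usingTellor"
    return last_good_price, "bothUntrusted:lastGoodPrice"


@dataclass
class Branch:
    last_good_price: int
    shutdown: bool = False


def v2_fetch_price(branch: Branch, chainlink: Round, now: int,
                   staleness: int = V2_WETH_STALENESS) -> tuple[int, str]:
    """WETH-branch rule: a stale or non-positive round shuts the branch down
    permanently and it serves lastGoodPrice from then on. No deviation check."""
    if branch.shutdown:
        return branch.last_good_price, "shutdown:lastGoodPrice"
    if is_fresh(chainlink, now, staleness):
        branch.last_good_price = chainlink.answer
        return chainlink.answer, "live"
    branch.shutdown = True
    return branch.last_good_price, "shutdown:lastGoodPrice"


def usd(x: int) -> int:
    return x * WAD


def demo() -> dict:
    """Constructed rounds covering: normal, a >50% drop between consecutive
    rounds, both v1 feeds stale, and v2 just inside / outside the 24h window."""
    now = 1_700_000_000
    out = {}
    out["v1_normal"] = v1_fetch_price(
        Round(usd(3000), now - 600), Round(usd(2990), now - 4200),
        Round(usd(3005), now - 900), usd(2900), now)
    out["v1_deviation"] = v1_fetch_price(          # 3000 -> 1400 in one round
        Round(usd(1400), now - 60), Round(usd(3000), now - 3660),
        Round(usd(1410), now - 300), usd(3000), now)
    out["v1_both_stale"] = v1_fetch_price(         # 5h and ~4.2h old feeds
        Round(usd(3000), now - 18_000), Round(usd(2990), now - 21_600),
        Round(usd(3005), now - 15_000), usd(3000), now)
    branch = Branch(last_good_price=usd(3000))
    out["v2_23h_old"] = v2_fetch_price(branch, Round(usd(3000), now - 23 * 3600), now)
    out["v2_25h_old"] = v2_fetch_price(branch, Round(usd(3000), now - 25 * 3600), now)
    # Feed healthy again: the branch stays down regardless.
    out["v2_after_feed_recovers"] = v2_fetch_price(branch, Round(usd(3100), now - 60), now)
    return out


if __name__ == "__main__":
    for name, (price, state) in demo().items():
        print(f"{name:24s} {price // WAD:>6d} USD  {state}")
```

The two stale cases are the ones that matter for the yellow ratings above: v1 with both feeds stale keeps pricing troves at lastGoodPrice however far the market has moved, and v2 treats a 23h-old round as live because only staleness is checked, while a single bad-but-fresh round would pass v2 unchallenged since the deviation guard exists only in v1.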
RD-F-061 green LP token balanceOf used for pricing No LP token balanceOf calls in any price calculation path. v1 and v2 pricing is purely from Chainlink feed responses (latestRoundData) and LST rate provider function calls (stEthPerToken, exchangeRate). Confirmed by source inspection of all PriceFeed contracts.
RD-F-062 green External keeper/relayer not redundant Liquidations in Liquity v1 and v2 are permissionless -- any Ethereum address can call liquidate() when a trove falls below minimum collateral ratio. No single keeper or relayer dependency. No Gelato, Chainlink Automation, or custom keeper in core liquidation path. Stability Pool is primary liquidation venue (automated contract-to-contract). Redistribution is secondary. Both are fully on-chain with no external keeper.
Economic risk Green 10 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) Wallet-level TVL concentration was not quantitatively measurable in session (Dune queries blocked; on-chain trove enumeration requires curator tooling). Conservative yellow: the Liquity v1 stress-test blog documents >300 troves liquidated in May 2021, indicating a distributed borrower base, and no single actor is known to dominate. Curator should enumerate the top troves by collateral for green confirmation.
RD-F-065 yellow Liquidity depth per major asset BOLD: Curve BOLD/USDC and Uniswap V4/V3 are the primary venues; 24h volume ~$5.3M vs $31.8M supply (~17% daily turnover); the PIL mechanism incentivizes ~10% of BOLD supply in AMM pools; BOLD at $1.00 peg. LUSD: Curve LUSD/3CRV; 24h volume ~$4,463 (thin, consistent with declining supply as v2 migration continues); LUSD at $1.00 peg. Full 2%/5% slippage depth was not quantifiable (GeckoTerminal pool page 404; Dune blocked). Conservative yellow; quantitative depth measurement deferred to curator.
RD-F-073 yellow Oracle-manipulation-proof borrow cap No explicit per-asset USD borrow cap was found in documentation or contract reads. v2 uses dynamic TCR-based limits (debt creation pauses below CCR; a branch can be shut down below SCR). v1 has no explicit borrow cap; minting is bounded by collateral supplied at MCR. Oracle-manipulation resistance comes from Chainlink with fallback (v1: Tellor; v2: composite per-branch) and oracle-staleness shutdown (e.g. 48h for the rETH feed). These mechanisms partially mitigate but are not equivalent to a static oracle-manipulation-proof borrow cap. Yellow: controls exist but are dynamic and implicit rather than explicit static caps.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Liquity is not a Compound V2 fork. The empty-cToken donation attack requires a fungible cToken-style market whose totalSupply()/totalBorrow() can be zeroed. Liquity uses a Trove model: each borrower holds an individual CDP, not a fungible share of a common pool. v1 uses ETH collateral in individual troves with Stability Pool + redistribution liquidation; v2 uses per-collateral-branch Stability Pools and individual troves. Neither has a shared cToken market that could be left at zero supply and exploited via donation. Profile confirms an original design (not forked from Compound or any Compound-fork lineage).
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Not applicable. Liquity v1 and v2 are original CDP designs using a Trove model, not ERC-4626 vaults; no ERC-4626 vault is involved in core borrowing, the Stability Pool, or redemptions, so the virtual-share inflation attack surface does not exist.
RD-F-075 n/a First-depositor / share-inflation guard Not applicable. Liquity does not use a share-based accounting model susceptible to first-depositor inflation: each Trove is an individual CDP with isolated accounting, the v1 Stability Pool uses an epoch+scale mechanism (not a simple share model) that is not manipulable by direct LUSD donation, and the v2 Stability Pools use an analogous design. The classic share-inflation attack (a donation to the vault dilutes or inflates the first depositor's share) does not apply.
RD-F-063 green TVL (current + 30d trend) Current TVL $247.0M combined (v1 ~$174.6M + v2 ~$81.1M). 30d change -13.74% overall; 90d CoV 7.5% (mean $262.4M, std $19.7M). Ethereum-only deployment (100%). At-threshold for coverage but 12-month peak well above $250M (estimated $400M+). Historical all-time peak ~$4.52B (May 2021). TVL decline is primarily v2 post-relaunch normalization.
RD-F-066 green Utilization rate (lending protocols) v1 utilization proxy: LUSD supply ~28.7M / v1 TVL ~$174.6M collateral = ~16.4% of collateral value issued as stablecoin (well below max LTV). v2 utilization proxy: BOLD supply ~31.8M / v2 TVL ~$81.1M = ~39.2% of collateral value issued as BOLD (below 83-91% max LTV per branch). Both ratios indicate conservative borrowing behavior relative to MCR limits. Cache borrow fields returned null (pipeline CDP detection gap), assessed via stablecoin supply proxy.
RD-F-067 green Historical bad-debt events v1: zero bad debt in 5 years (61 months) of live operation. May 2021 stress test (ETH $3,400→$1,800, ~300 troves liquidated): the Stability Pool absorbed all defaulted debt, no socialized losses. Q1 2022: 12,225 ETH and 147 troves liquidated, no bad debt, Recovery Mode never entered. Rekt leaderboard: empty for Liquity. v2: launched May 2025, no bad-debt events in ~12 months live. The pre-launch Feb 2025 vulnerability was zero-loss (discovered before any user funds were at risk).
RD-F-068 green Collateralization under stress v1: MCR 110%, Recovery Mode at TCR <150%. Q1 2022 drawdown: TCR never fell below 150%, so Recovery Mode was never triggered. v2: WETH MCR 110%/CCR 150%/SCR 110%; wstETH/rETH MCR 120%/CCR 160%/SCR 120%, the higher LST parameters pricing in LST/ETH depeg risk. Below SCR the shutdown mechanism halts new debt and enables urgent redemptions; oracle staleness (e.g. 48h for rETH) also triggers branch shutdown. v2 adds a second stress axis (LST depeg) and addresses it with the higher CCR/SCR thresholds. In 5 years v1 has never socialized a loss under stress.
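As an added example for RD-F-068/073 (not Liquity code): the MCR/CCR/SCR thresholds the page lists, applied to a constructed trove set at falling prices, to show which troves become liquidatable, when new debt creation pauses, and when the branch becomes eligible for shutdown. The rule set is reduced to the three comparisons the page states; real BorrowerOperations/TroveManager logic has more cases (interest accrual, urgent redemptions, operations that improve TCR below CCR).

```python
"""Per-branch MCR/CCR/SCR thresholds applied to a constructed trove set
(added example; not Liquity code, and a reduced rule set)."""
from __future__ import annotations

from dataclasses import dataclass

WAD = 10**18
PCT = WAD // 100
MAX_UINT = 2**256 - 1


@dataclass(frozen=True)
class BranchParams:
    name: str
    mcr: int  # a trove below this ratio is liquidatable
    ccr: int  # branch TCR below this: new debt creation pauses
    scr: int  # branch TCR below this: branch is eligible for shutdown


# Values from the page: WETH 110/150/110; wstETH and rETH 120/160/120.
WETH = BranchParams("WETH", 110 * PCT, 150 * PCT, 110 * PCT)
LST = BranchParams("LST", 120 * PCT, 160 * PCT, 120 * PCT)


@dataclass(frozen=True)
class Trove:
    owner: str
    coll: int  # collateral units, 18 decimals
    debt: int  # BOLD debt, 18 decimals


def ratio(coll: int, debt: int, price: int) -> int:
    """Collateral ratio in WAD; price is USD per collateral unit in WAD."""
    return MAX_UINT if debt == 0 else coll * price // debt


def branch_state(params: BranchParams, troves: list[Trove], price: int) -> dict:
    """Evaluate the three thresholds for one branch at one price."""
    tcr = ratio(sum(t.coll for t in troves), sum(t.debt for t in troves), price)
    return {
        "tcr_pct": tcr * 100 // WAD,
        "liquidatable": [t.owner for t in troves if ratio(t.coll, t.debt, price) < params.mcr],
        "new_debt_allowed": tcr >= params.ccr,
        "shutdown_triggerable": tcr < params.scr,
    }


def demo() -> dict:
    """Three constructed troves on the WETH branch at four ETH prices, plus the
    same troves judged under the stricter LST parameters at one price."""
    troves = [
        Trove("alice", 10 * WAD, 15_000 * WAD),
        Trove("bob", 5 * WAD, 12_000 * WAD),
        Trove("carol", 20 * WAD, 10_000 * WAD),
    ]
    out = {f"weth@{p}": branch_state(WETH, troves, p * WAD) for p in (3000, 2000, 1400, 1100)}
    out["lst@1400"] = branch_state(LST, troves, 1400 * WAD)
    return out


if __name__ == "__main__":
    for key, state in demo().items():
        print(key, state)
```

At $1400 the WETH branch sits at 132% TCR: two of three troves are liquidatable and new borrowing is paused, but the branch is still above SCR, so it is the $1100 step (104%) that first makes shutdown possible; the LST parameters pause borrowing at the same point but leave shutdown further away only because their SCR is 120%, which is the trade-off the higher LST thresholds encode.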
RD-F-069 green Algorithmic / under-collateralized stablecoin LUSD (v1): fully over-collateralized (min 110% ETH), hard $1 floor via ETH redemption at face value, Stability Pool + redistribution backstop, 0% interest, 0.5% one-time fee. Not algorithmic. LUSD maintained peg through May 2021 ETH crash, March 2022 drawdown, March 2023 USDC depeg crisis (LUSD briefly >$1.00 as flight-to-safety demand). At $1.00 peg as of 2026-05-16. BOLD (v2): same hard-collateral model, user-set interest rates (not algorithmic), redemption targets lowest-rate troves first, PCV mechanism. At $1.00 peg. Neither is algorithmic or under-collateralized. Best-in-class non-fiat stablecoin design.
RD-F-071 green Seed-deposit requirement for new market listing No new market listing is possible on either v1 or v2. v1 is fully immutable with ETH-only collateral, permanently fixed. v2 CollateralRegistry is non-upgradeable; the three collateral branches (WETH, wstETH, rETH) are fixed at deploy and cannot be changed or extended. There is no governance mechanism to list new markets — the v2 Governance contract controls only PIL incentive direction, not protocol parameters. Seed-deposit risk does not exist because no new markets can be added.
RD-F-072 green Market-listing governance threshold Market-listing governance threshold is effectively infinite by design — no new collateral markets can be listed on either v1 or v2 post-deploy. v1 is fully immutable; v2 core contracts are non-upgradeable and the governance contract cannot modify collateral configuration. This is the strongest possible protection against low-threshold or permissionless market addition attacks.
Operational history Green 6 15 of 15
RD-F-088 yellow Re-deployed to new addresses in last year Yes — Liquity v2 was redeployed to entirely new contract addresses on 2025-05-19 (within the last 12 months from assessment date 2026-05-16), following the February 2025 Stability Pool vulnerability discovery. The redeployment was orderly: pre-announced, preceded by 5-week Cantina competition + multiple firm re-audits, users given migration guidance, and zero loss during transition. Yellow because the redeployment flag fires factually (new addresses within 12 months) and users must be aware that old contracts are superseded, but the event was handled with high-quality operational management.
RD-F-089 yellow Insurance coverage active No active Nexus Mutual, Sherlock, or Unslashed cover found for Liquity v1 or v2 at $247M TVS. Web searches for insurance coverage returned no specific listing. Data cache confirms immunefi_slug: null and bug_bounty.platform: null (Immunefi pipeline found nothing). The immutable architecture reduces some insurable risk classes (no admin-key compromise risk, no post-upgrade bug risk), but remaining tail risks (oracle failure, undiscovered protocol logic bugs) are uninsured. Yellow rather than red given immutability meaningfully reduces the operational risk surface, though $247M uninsured TVS remains a material gap.
RD-F-081 gray Post-exploit response score No production exploit against mainnet users has occurred in either v1 (61 months) or v2 (12 months). Post-exploit response score requires a reference incident. The Feb 2025 pre-launch Stability Pool disclosure (zero user loss) provides favorable qualitative evidence: same-day disclosure, transparent multi-stage communication, full redeploy after extensive re-auditing — but is classified as pre-launch, not a production exploit per invocation brief U2.
RD-F-082 gray Post-mortem published within 30 days No production exploit has occurred; no post-mortem is required. The Tellor/ETHW blog (Sep 2022) was published promptly after the disclosure. The v2 redeployment blog series functioned as a transparent multi-stage incident report but is not a standard post-mortem for a production exploit.
RD-F-083 gray Auditor re-engaged after last exploit No production exploit requiring a post-exploit re-audit has occurred. Following the Feb 2025 pre-launch Stability Pool discovery (not a production exploit), Liquity voluntarily engaged: Cantina 5-week competition (800+ researchers, Mar-Apr 2025), Dedaub cantina-fixes review (May 13, 2025), and multiple additional audit rounds — exemplary behavior recorded as favorable narrative evidence.
RD-F-085 gray Incident response time (minutes) No production exploit has occurred; incident response time (minutes from exploit-first-tx to first official statement) is undefined. The Feb 2025 pre-launch disclosure was actioned same-day (within hours: Feb 12 notification, Feb 12-13 public advisory), but this is a pre-launch event, not a production exploit response.
RD-F-076 green Protocol age (days) v1 launched 2021-04-05 (1,867 days / ~61 months live as of 2026-05-16). v2 relaunched 2025-05-19 (362 days / ~12 months). Combined protocol age is 61 months. Even the operative v2 system at 12 months meets standard thresholds. Both versions are Ethereum mainnet with continuous live history.
RD-F-077 green Prior exploit count Zero production exploits on Ethereum mainnet in 61 months (v1) and 12 months (v2). Rekt leaderboard shows 0 incidents. Hacksdatabase grep for liquity/lusd/bold: 0 direct entries (PrismaFi found but is a Liquity fork, not Liquity itself). The Sep 2022 Tellor/ETHW event was non-mainnet (ETHW fork only) with $0 mainnet loss. The Feb 2025 Stability Pool discovery was a pre-exploit disclosure, not an exploit. DefiLlama hacks: [].
RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero production exploits on mainnet; chronic flag (>=3 incidents) cannot fire. Boolean: false.
RD-F-079 green Same-root-cause repeat exploit No production exploits; same-root-cause repeat pattern cannot be assessed or fired. Zero incidents across 61-month v1 history and 12-month v2 history.
RD-F-080 green Days since last exploit No production exploit has occurred. Display value: N/A (no exploit event to measure from). 1,867 days since mainnet launch with zero mainnet exploit events. Treated as maximally favorable given the definition asks for days since last exploit.
RD-F-084 green TVL stability (CoV over 90d) TVL CoV (coefficient of variation) over trailing 90 days = 0.0752 (std $19.7M / mean $262.4M). This is well below the 0.2 (20%) yellow threshold. The -13.74% 30-day trend is a moderate decline from a stable baseline but does not indicate TVL instability at the 90-day level.
RD-F-086 green Pause activations (trailing 12 months) Zero pause activations in trailing 12 months. v1 has no pause mechanism by design (fully immutable; no admin key). v2 core contracts also have no admin pause function — immutability is by architectural design, not omission. The protocol is designed to be unstoppable; zero pause activations reflects this design choice.
RD-F-087 green Pause > 7 consecutive days Zero pause activations in last 12 months; a >7-consecutive-day pause is structurally impossible given the immutable no-admin-key architecture of both v1 and v2 core contracts.
RD-F-166 green Deprecated contracts still holding value v1 is NOT deprecated — it is permanently live by design (immutable, cannot be shut down) and intentionally coexists with v2. Only the pre-May-2025 v2 contract set is a candidate deprecated surface. Users were advised to withdraw from Stability Pools in Feb 2025. DefiLlama TVL attribution routes active v2 TVL ($81.1M) to the post-May-2025 contract addresses listed in profile §3, not to the old set. No residual material TVL attributed to pre-redeploy v2 contracts in available data. Caveat: exact pre-redeploy v2 addresses are not catalogued in the profile; a curator on-chain balance read would confirm closure. Scored provisionally green based on available evidence of orderly migration.
Real-time signals Green 0 22 of 22
RD-F-090 gray Mixer withdrawal → protocol interaction Mixer-to-protocol interaction signal (T-09 phase-2 signal tier, tier-C advisory). Liquity is a permissionless protocol; any wallet can open a trove. No confirmed mixer-funded wallet interactions with Liquity contracts identified via public CTI sources. Live assessment requires Chainalysis or TRM Labs feed; public-proxy observation yields no red flag. Signal is advisory only and never flips letter grade solo.
RD-F-096 gray New ERC-20 approval to unverified contract from whale New ERC-20 approval to unverified contract from high-TVL user (T-09 phase-2 signal tier). User-level signal requiring live approval monitoring infrastructure. Not directly observable in static assessment. No current alerts from public sources. The signal monitors user-level behavior (whale approvals), not protocol-level state.
RD-F-102 n/a Admin/upgrade transaction in mempool Admin/upgrade tx in mempool signal (T-09 phase-2 signal tier). Not applicable: Liquity v1 and v2 core contracts are fully immutable with no admin key, no upgrade function, no pause function. No admin mempool tx can appear for these contracts. The Bounties Safe 0xf06016d822943c42e3cb7fc3a6a3b1889c1045f8 holds bounty funds only (not a protocol admin). Immutable protocol architecture eliminates this signal entirely for core contracts.
RD-F-103 n/a Bridge signer-set change proposed/executed Bridge signer-set change signal (T-09 v1 launch, tier-A). Not applicable: Liquity has no bridge surface. No cross-chain deployment. No LayerZero OApp confirmed (data cache layerzero.present: false). Ethereum-only protocol. No bridge signer set exists to monitor.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Cross-chain bridge tx pattern signal. Not applicable: Liquity has no bridge surface, no cross-chain deployment, no LayerZero OApp. Ethereum-only protocol. Immutable, no bridge.
RD-F-107 n/a Admin EOA signing from new geography/device Admin EOA signing from new geography/device fingerprint signal. Not applicable: no admin EOA exists for Liquity core contracts (v1 or v2). All core contracts are immutable with no admin key. Signal requires an admin EOA to monitor; none exists in this architecture.
RD-F-109 gray Social-media impersonation scam spike Social-media impersonation scam-spike signal (T-09 phase-2 signal tier). Applicable: yes — LUSD and BOLD are recognized DeFi brands with community following. Current posture: no confirmed social media impersonation spike for Liquity identified via public search. Recognized brand creates persistent background impersonation risk. Social-media monitoring pipeline required for live assessment; static assessment cannot confirm clean status definitively.
RD-F-182 n/a Security-Council threshold reduction (RT) Security-Council threshold reduction real-time signal (batch-24 addition, Cat 6B). Not applicable: Liquity has no Security Council, no multisig admin controlling core contracts, no timelock on core contracts. The v2 Governance contract 0x807def5e7d057df05c796f4bc75c3fe82bd6eee1 is a PIL-direction contract only with no upgrade or pause authority over core contracts. The Bounties Safe 0xf06016d822943c42e3cb7fc3a6a3b1889c1045f8 holds bounty funds only (not a protocol admin). No threshold-reduction event is possible in this immutable architecture.
RD-F-091 green Partial-drain test transactions Partial-drain test-transaction precursor signal (T-09 phase-2 signal tier, methodology scope). No partial-drain precursor patterns detected in Liquity TVL history. TVL 90-day CoV = 0.075 (smooth, not step-function drain). Liquity v1 has zero protocol-layer exploits in 61-month history (2021-04-05 to 2026-05-16). No pre-strike test transaction pattern identified in any public source or Rekt database (rekt.incidents: [] per data cache).
RD-F-092 green Unusual mempool pattern from deployer wallet Unusual deployer-wallet mempool pattern signal (T-09 phase-2 signal tier). Deployer address 0xa850535D3628CD4dFEB528dC85cfA93051Ff2984 is dormant — last activity approximately 2 years and 143 days ago per Etherscan (approximately November 2023). No unusual mempool activity possible from an inactive address. Signal does not apply to a dormant deployer.
RD-F-093 green Abnormal gas-price willingness from attacker wallet Abnormal gas-price willingness from attacker wallet signal (T-09 phase-2 signal tier). No attacker wallets identified as targeting Liquity. Rekt DB shows zero incidents. No public CTI source identified any attacker preparing to exploit Liquity. Gas-price racing pattern requires a prior attacker identification which is absent here.
RD-F-094 green New contract with similar bytecode to exploit template New contract deployment with similar bytecode to protocol target (T-09 phase-2 signal tier). No exploit-template contracts for Liquity's CDP and stability-pool architecture identified in any public source. Liquity v1 and v2 are original designs (not forks of Compound or Aave), reducing applicability of pre-existing exploit-template libraries that target common clone architectures.
RD-F-095 green Known-exploit function-selector replay Known-exploit selector-pattern replay signal (T-09 phase-2 signal tier). No known exploit replay pattern exists for Liquity's CDP/stability-pool architecture. Zero protocol-layer exploits in v1 history (2021-2026). Feb 2025 v2 Stability Pool vulnerability was discovered pre-launch by the team (zero user funds at risk, not a replay of a prior attack pattern).
RD-F-097 green Sybil surge of identical-pattern transactions Sybil surge of identical-pattern transactions (T-09 phase-2 signal tier). No sybil transaction patterns identified for Liquity via public sources. Protocol has operated since April 2021 with zero protocol-layer exploits. Sybil attacks target permissionless protocols but no such pattern is documented against Liquity's trove-opening architecture.
RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly severe-drop signal (T-09 v1 launch, tier-A, grade-eligible). Applicable: yes. Threshold: TVL drops >30% in 1 hour vs 30-day baseline. Current posture: TVL $246,984,776 (2026-05-16); 90-day CoV = 0.075 (low volatility); 90-day mean $262,355,285, std $19,730,354; 30-day change -13.74% is gradual over 30 days (not single-hour). Current TVL is within 1 standard deviation of 90-day mean. No single-hour spike visible in TVL history. Signal would NOT fire today.
RD-F-099 green Oracle price deviation >X% from secondary Oracle price deviation vs secondary source signal (T-09 phase-2 signal tier, tier-B). Applicable with limited actionability due to immutable PriceFeed contracts. Threshold: primary-vs-secondary deviation >1% sustained 4 blocks on a safety-critical feed. Current posture: Chainlink ETH/USD feed 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419 (3600s heartbeat, 0.5% deviation threshold) is active and healthy per cache oracle_feeds. No secondary-source deviation detected via public monitoring. Structural note: v2 PriceFeed contracts are immutable (no admin can replace the Chainlink address), limiting remediation path but not changing the current clean posture. Signal would NOT fire today.
RD-F-100 green Flash loan >$10M targeting protocol tokens Flash-loan origination targeting protocol tokens signal (T-09 phase-2 signal tier, tier-B). Applicable with limited governance attack surface. Threshold: flash loan >$10M interacting with protocol oracle, lending market, or governor. Current posture: v2 Governance uses LQTY staking-age-weighted votes (proportional to LQTY staked x staking age), making flash-loan governance manipulation structurally impractical — spot balance flash loans cannot replicate staked-age-weighted votes. No anomalous flash-loan patterns targeting Liquity contracts identified. Signal would NOT fire today.
RD-F-101 green Large governance proposal queued Large governance proposal execution queued malicious-pattern flagged signal (T-09 v1 launch, tier-B). Applicable with very limited scope. v2 Governance contract 0x807def5e7d057df05c796f4bc75c3fe82bd6eee1 handles PIL incentive direction only via initiative registration and vote allocation. Threshold fires on calldata targeting admin-role-change, upgradeTo, delegatecall, or flash-loanable-weight proposer. Current posture: no such calldata patterns are valid in Liquity's governance — core contracts are immutable (no upgrade selectors exist as valid targets); PIL proposals only route 25% of protocol revenue to initiatives, they cannot modify admin roles or upgrade contracts. Weekly epoch-based voting; no malicious-pattern proposals identified. Signal would NOT fire today.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg dependency-linked signal (T-09 v1 launch, tier-B). Applicable with specific directional note. Threshold: depeg >2% on >=2 venues, sustained >=30 min, with >=5% protocol TVL exposure. Current posture: LUSD (v1 output) and BOLD (v2 output) are the stablecoins produced by Liquity — not the collateral input. The protocol's collateral (ETH, wstETH, rETH) is not a stablecoin, so a stablecoin-depeg in external assets (USDC, DAI) does not directly trigger this signal for Liquity's collateral composition. LUSD has maintained peg through multiple market stress events historically. BOLD is operative (May 2025). Neither LUSD nor BOLD is currently depegged. Signal would NOT fire today.
RD-F-105 green DNS/CDN/frontend hash drift DNS/frontend hash drift signal (T-09 phase-2 signal tier, tier-A). Applicable: yes — liquity.org serves the primary interface. Threshold: hash change in DNS A/CNAME, TLS cert, or JS bundle vs baseline without change-management allowlist match. Current posture: no DNS change alerts, no TLS cert rotation alerts, no frontend compromise reports for Liquity identified. No historical frontend attack on Liquity documented. Static assessment cannot definitively confirm production hash baseline without live monitoring pipeline. Green posture on available evidence.
RD-F-108 green GitHub force-push to sensitive branch GitHub force-push/sensitive-branch push signal (T-09 phase-2 signal tier). Applicable: yes (GitHub org liquity/bold and liquity/dev). Current posture: no force-push alerts identified for Liquity repos. Cache shows last commit date 2026-05-16 indicating active, healthy development. The codebase passed a 5-week 800-researcher Cantina competition (March-April 2025) indicating mature branch protection practices. No anomalous push events identified.
RD-F-110 green Unusual pending/executed proposal ratio Unusual pending/executed governance proposal ratio signal (T-09 phase-2 signal tier). Applicable in limited scope to v2 PIL governance. Current posture: v2 governance runs deterministic weekly epochs (6-day voting phase + 1-day veto-only phase); initiative-based voting with predictable cadence. No unusual pending/executed ratio identified via public sources (voting.liquity.org Discourse forum). Epoch-based deterministic cadence eliminates the 'stuck proposal' anomaly pattern this signal targets.
Dev identity & insider risk Green 2 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer No ENS name found bound to v2 deployer (0x83cfa33a2ee969f8add9a2acdcdc0d7e556e5ed0) or v1 deployer (0xa850535D3628CD4dFEB528dC85cfA93051Ff2984) in Etherscan lookups. Etherscan labels (Liquity V2: Deployer 2; Liquity: Deployer) are platform-assigned exchange labels, not ENS-bound identities. ENS/NameStone identity is absent. Yellow rather than red because the team is extensively doxxed via other mechanisms (real names, corporate entity, LinkedIn, conference appearances) making ENS absence a formatting gap, not an identity gap.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Liquity AG is a Swiss corporation with traditional employment contracts; individual team member personal wallets receiving payroll are not publicly disclosed on-chain. Factor requires tracing protocol payments to contributor wallets through on-chain hops to DPRK cluster — not assessable for off-chain-payroll teams beyond the deployer level. Deployer wallets (both v1 and v2) have been assessed under F125 with no DPRK routing found. F122 extension to personal employee wallets would require curator-level on-chain archaeology of undisclosed personal addresses.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged evidence of any Liquity team contributor or external integrator persona deploying 1M USD or more of real capital to build credibility ahead of a social-engineering attack. Liquity's Drift Protocol comparator (UNC4736 six-month conference/in-person build-up with large capital deposits) has no Liquity analogue in surface OSINT. Liquity AG is a well-established Swiss entity with 5+ years of public presence and multiple named, doxxed team members. F184 is M-only (curator-only), P1, and requires on-chain capital flow attribution plus cross-source verification to score non-gray. No red precursors found in surface OSINT to trigger deeper curator investigation. Scored gray pending curator on-chain archaeology of any suspicious large-capital integrator positions.
RD-F-111 green Team doxx status Liquity AG is a Swiss corporate entity (Baar, Switzerland). Founders Robert Lauko (PhD Law, University of Zurich; ex-DFINITY researcher 2yr) and Rick Pardoe (Physics/Economics degrees) are fully doxxed with real names, LinkedIn profiles, conference appearances, and extensive public professional histories. CEO Michael Svoboda, Head of Dev Bingen Eguzkitza (prior Aragon), and Software Engineer Daniel Attila Simon all named and publicly documented on liquity.org/team. Categorical classification: real-name doxxed with verifiable track record.
RD-F-112 green Team public accountability surface Robert Lauko: PhD Law (Univ. Zurich), ex-DFINITY Research Associate (2yr, consensus algorithms), Swisspreneur podcast EP240, YouTube video interview, X @robert_lauko, Crunchbase entry, IQ.wiki profile. Rick Pardoe: LinkedIn profile, X @rick_liquity, Physics/Economics degrees, GitHub RickGriff (306 commits to bold repo), CypherHunter profile. Bingen Eguzkitza: prior Aragon core contributor (publicly documented), 701 commits. Daniel Simon: 10+ yr senior developer background (prior Cognex), 750 commits. At least 4 team members have deep verifiable public trails meeting green threshold.
RD-F-113 green Team other-protocol involvement history Robert Lauko's prior role was DFINITY Research Associate (no rug or failure association; DFINITY is a reputable blockchain R&D org). Rick Pardoe has no documented prior protocol involvement before Liquity. Bingen Eguzkitza was an Aragon core contributor (Aragon is a legitimate governance framework, no rug association). No team member found linked to a prior failed or rugged protocol across OSINT review.
RD-F-114 green Deployer address prior on-chain history V2 deployer (0x83cfa33a2ee969f8add9a2acdcdc0d7e556e5ed0, labeled Liquity V2: Deployer 2): first active May 2024, transactions exclusively Liquity v2 protocol deployments (CollateralRegistry, TroveManagers, StabilityPools) and Create2Factory interactions. A UniV4MerklRewards contract was deployed Dec 2025. Normal developer history pattern with no rug-linked pattern. V1 deployer (0xa850535D3628CD4dFEB528dC85cfA93051Ff2984, labeled Liquity: Deployer): 104 lifetime transactions, all Liquity v1 lockup contracts and system deployments from 2021-2024. Both addresses: categorical classification = normal-dev-history.
RD-F-115 green Prior rug/exit-scam affiliation OSINT search for Liquity rug exit scam team fraud returned zero credible allegations. Isthiscoinascam.com rates Liquity legitimate. Protocol immutability (no admin key) structurally precludes team-exit-scam via contract manipulation. No team member linked to a prior rug event in any public database or news source reviewed.
RD-F-116 green Contributor tenure at admin-permissioned PR The liquity/bold repo uses PR-based merges. PR #1199 (redemption-shield feature, merged 2026-05-16) was merged by danielattilasimon (750 commits, multi-year tenure). PR #1197 and #1196 also merged by danielattilasimon. All merging contributors have multi-year protocol tenure and extensive commit histories. No recently-onboarded short-tenure contributor has been granted merge access on the bold or V2-gov repos. Factor is green: admin-permissioned PR authors have substantial tenure.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of any Liquity team member social handle being reused from a prior failed or rugged project. Active handles (@robert_lauko on X, @rick_liquity on X, GitHub RickGriff, bingen, danielattilasimon) trace directly and consistently to Liquity and legitimate prior associations (DFINITY, Aragon). OSINT review found no alias reuse pattern.
RD-F-119 green Commit timezone consistent with stated geography Commit time analysis of liquity/bold repository (Nov 2025 to May 2026 sample): danielattilasimon clusters at 04:09-07:47 UTC (CET/CEST 06:09-09:47 local — consistent with Central European timezone from Budapest/Zurich). Cyril shows 09:54-20:12 UTC (broadly European). RickGriff at 15:04 UTC (European afternoon). No commits at DPRK-indicator hours (KST is UTC+9, so DPRK developers characteristically commit at 00:00-08:00 UTC, especially 01:00-06:00 UTC). All observed commit hours are consistent with the protocol's stated European/Swiss geography. Some pre-dawn UTC commits by danielattilasimon may indicate a slightly eastern European timezone (Budapest, UTC+2 — 06:09 local is normal start-of-day) rather than Zürich (07:09 local). No anomaly.
RD-F-120 green Video-off/voice-consistency flag Robert Lauko has appeared on camera in multiple formats: YouTube video interview Meet the Nation (youtube.com/watch?v=NjwS1hmtqAQ), Swisspreneur podcast EP240 (audio with verifiable identity), and various DeFi conference contexts. Rick Pardoe is active on X with voice-consistent public presence. No curator-recorded flag of video refusal or voice/timezone inconsistency for any Liquity team member. This is an above-average on-camera presence for a DeFi team.
RD-F-121 green Contributor OSINT depth score Curator OSINT depth scores: Robert Lauko 5/5 (PhD, DFINITY career, Swiss corporate entity, multiple video/podcast interview formats, IQ.wiki, Crunchbase, X). Rick Pardoe 4/5 (LinkedIn, GitHub RickGriff, X, CypherHunter, degrees cited on team page). Bingen Eguzkitza 4/5 (Aragon track record publicly documented, 701 commits). Daniel Simon 3/5 (named on team page, 750 commits, prior Cognex employment documented). Aggregate OSINT depth is high for a DeFi protocol, comfortably above green threshold.
RD-F-123 green Sudden admin-rescue/ACL change without discussion GREEN by construction: Liquity v1 and v2 core contracts are fully immutable with no admin key, no proxy, no upgrade path, no pause function, and no rescue function. There is no on-chain mechanism for an admin-rescue or ACL change on any core borrowing, liquidation, or stability pool contract. The v2 Governance contract (0x807def5e7d057df05c796f4bc75c3fe82bd6eee1) controls PIL incentive direction only (25% of protocol revenue to external liquidity initiatives) via LQTY staking; all changes are public, epoch-based, and visible at voting.liquity.org. Review of GitHub liquity/bold and liquity/V2-gov confirms no undiscussed emergency admin-key changes in the past 180 days. ChainSecurity governance audit (January 2025) verified governance module scope is strictly limited to PIL direction. Zero admin-change surface exists by architectural construction.
RD-F-124 green Deployer wallet mixer-funded within 30 days OPERATIVE (v2 per U9): V2 deployer 0x83cfa33a2ee969f8add9a2acdcdc0d7e556e5ed0 (Etherscan label: Liquity V2: Deployer 2) was funded from Binance 15 (CEX Etherscan label confirmed). First ETH received approximately May 2024, approximately one year before the first v2 contract deployment on 2025-05-19. The 30-day pre-deploy window (April 19 to May 19, 2025) contains zero Tornado Cash, Railgun, or other mixer interactions. A minor ETH top-up from 0x6070815C...380c78704 was observed in September 2025 (post-deploy) — this is operationally irrelevant to the 30-day pre-deploy window. V1 asymmetry note: V1 deployer (0xa850535D3628CD4dFEB528dC85cfA93051Ff2984) was funded by Liquity: Bounties safe (0xf06016d...) in April 2021 — an internal Liquity-controlled address, not a mixer. Both deployers pass F124 cleanly.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus V2 deployer funded from Binance 15 (major KYC-gated CEX). V1 deployer funded from internal Liquity Bounties safe. Both deployer transaction graphs show interactions exclusively with Liquity core protocol contracts and major DeFi infrastructure (Create2Factory). No OFAC SDN list entries exist for any Liquity address. Comprehensive OSINT search for Liquity Robert Lauko Rick Pardoe DPRK Lazarus North Korea returned zero relevant results — only general Lazarus Group Wikipedia/FBI/DOJ reference material returned, no Liquity connection. No published Chainalysis, Nansen, or Arkham threat intelligence report links any Liquity-affiliated address to the DPRK/Lazarus cluster. U4 rule applied: if Lazarus Group uses LUSD or BOLD as a settlement token post-exploit on another protocol, that finding routes to Cat 11 of the affected protocol, NOT to Liquity Cat 7. Full Chainalysis-grade paid graph traversal not available; high confidence from available evidence (CEX funding, clean tx graph, zero advers
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of Liquity v1 (2021) and v2/BOLD (2025) are original designs by Liquity AG. GitHub repos liquity/dev and liquity/bold are original repositories, not forks. Protocol introduces novel stability-pool CDP mechanism with no upstream parent protocol.
RD-F-127 n/a Upstream patch not merged No upstream protocol exists. Factor not applicable for original designs.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream protocol exists. Factor not applicable for original designs.
RD-F-129 n/a Code divergence from upstream (%) No upstream to measure divergence against. Factor not applicable for original designs.
RD-F-130 n/a Fork depth (generations from original audit) Original protocol; fork depth = 0 (not a fork at all). Factor not applicable.
RD-F-131 n/a Fork retains upstream audit coverage Original protocol; no upstream audit to retain. 10 fresh independent audit engagements cover the deployed code. Factor framing (upstream audit + delta) does not apply.
RD-F-132 n/a Fork has different economic parameters than upstream Original protocol; no upstream audited defaults to compare economic parameters against. Factor not applicable.
RD-F-133 green Dependency manifest uses unpinned versions v2 (liquity/bold) uses git submodules for all dependencies: Solady @ commit 362b2efd, openzeppelin-contracts @ commit bd325d56 (= OZ v4.9.5), V2-gov @ commit b880481d, forge-std @ commit 726a6ee5. Git submodule pinning records exact commit SHAs in the superproject's tree — equivalent to exact version pinning, not semver ranges. No unpinned semver dependencies detected.
RD-F-134 green Dependency had malicious-release incident (last 90d) v2 dependencies are git submodules pinned to specific commits (Solady, OZ v4.9.5, forge-std). No GitHub Security Advisory flagging malicious releases in any of these pinned library commits. OZ v4.9.5 (Dec 2023) has no known malicious-release history. Solady and forge-std have no known malicious-release history.
RD-F-135 green Shared-library version with known-vuln status OZ contracts pinned at commit bd325d56 = v4.9.5 (December 8, 2023). GitHub advisory search for OZ 4.9.x returned 0 active high/critical advisories. Solady @ commit 362b2efd: no known high/critical advisory. forge-std is a testing framework not used in production. All shared libraries on versions with no active high/critical GHSA advisory.
Post-deploy hygiene & change mgmt Green 3 13 of 13
RD-F-168 yellow Stale-approval exposure on deprecated router v1 is the legacy-immutable surface. Users who approved v1 contracts (BorrowerOperations 0x24179C, TroveManager 0xA39739 etc.) when v1 was active retain those approvals. The Liquity team cannot publish an admin-triggered revoke or pause notice — no admin key exists. v1 contracts cannot be wound down or drained by the team. The hygiene gap is real but low-severity: stale approvals to v1 contracts are not exploitable by the team (no admin power) and the contracts themselves are correct-as-designed and immutable. Risk limited to users accidentally re-interacting with v1 vs. v2.
RD-F-142 n/a Storage-layout collision risk across upgrades No upgradeable proxy pattern used in v1 or v2. No storage-layout versioning needed. OZ upgrades plugin storage-collision check is structurally not applicable.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) Neither v1 nor v2 uses upgradeable proxy patterns. No OZ Initializable, no _disableInitializers() required. v2 Governance.sol is not an upgradeable proxy (confirmed Etherscan source). BoldToken.sol is not a proxy. Reinitializer attack vector requires proxy architecture that Liquity explicitly does not use — structurally inapplicable.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Liquity is an Ethereum-native non-bridge protocol. F185 (bridge rate-limiter / chain-pause as positive mitigant) is structurally not applicable — there are no cross-chain routes to rate-limit and no bridge chain-pause capability is needed. The positive-mitigant spirit of F185 (protection against large outflow events) is served in Liquity's case by the absence of admin keys (no admin can be compromised to execute a rapid drain) rather than by a rate-limiter.
RD-F-136 green Deployed bytecode matches signed release tag v2 launched 2025-05-19 from audited codebase. Dedaub cantina-fixes review (May 13 2025) covered post-contest remediation; launch followed within 6 days. v2 addresses/1.json provides ground-truth deployment addresses matching GitHub main branch. Immutable post-deploy — no bytecode divergence possible.
RD-F-137 green Upgrade frequency (per 90 days) Zero upgrades in any trailing 90-day window. Both v1 (since 2021) and v2 (since May 2025) are immutable — no proxy, no Upgraded events emissible, no upgrade mechanism. v2 launched as a complete fresh deployment; no upgrades since.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) Zero hot-patch deploys in trailing 30 days. Immutable contracts cannot be hot-patched by design. No admin key, no proxy, no upgrade path.
RD-F-139 green Post-audit code changes without re-audit The February 2025 v2 Stability Pool vulnerability triggered a complete re-audit before the May 2025 relaunch. Patched code audited by: Dedaub (Nov 2024, cantina-fixes May 2025), ChainSecurity (core through May 2025, governance Jan 2025), Coinspect v2 core (Dec 2024), Coinspect governance (Jan 2025), Certora FV (Dec 2024), Cantina 5-week competition (Mar-Apr 2025 with 800+ researchers). All changes before the May 2025 relaunch are covered by at least one audit. Post-relaunch: immutable contracts; no further changes deployable.
RD-F-140 green Fix-merged-but-not-deployed gap No fix-merged-but-not-deployed gap. v2 launched from fully-audited codebase. Immutable post-launch — no fixes can be merged-but-not-deployed into an immutable contract. v1 has been immutable since 2021 with no known unfixed vulnerabilities in deployed code.
RD-F-141 green Test-mode parameters in deploy v1 deployed in production state since 2021 with no admin key. v2 launched May 2025 after multi-round audits covering configuration and initialization. No admin = no way to set or change test-mode parameters post-deploy. Audit coverage (Dedaub, ChainSecurity) specifically reviewed initialization.
RD-F-144 green CREATE2 factory permits same-address redeploy v2 UserProxyFactory uses CREATE2 for per-user proxy deployment (UserProxy per user). These are user-level contracts, not protocol-level contracts. Core protocol contracts (BorrowerOperations, TroveManager, StabilityPool etc.) are deployed directly, not via CREATE2 factory. No risk of protocol-level CREATE2 redeploy attack on core contracts.
RD-F-145 green Deployed bytecode reproducibility v2 codebase is open-source (GitHub liquity/bold), Foundry-based with deterministic builds. addresses/1.json provides ground-truth deployment addresses. All core contracts verified on Etherscan with exact-match. No closed-source components in core borrowing/liquidation/stability pool contracts.
RD-F-146 green New contract deploys in last 30 days No new core protocol contract deployments in last 30 days. v2 fully deployed May 2025; no additional core deployments since. Per-user UserProxy contracts are created by users (not protocol-owned attack surface). Assessment date: 2026-05-16, so 30-day window is April 16 to May 16 2026.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Ethereum-only protocol. No bridge surface. Not applicable.
RD-F-148 n/a Bridge validator count (M) Ethereum-only protocol. No bridge surface. Not applicable.
RD-F-149 n/a Bridge validator threshold (k-of-M) Ethereum-only protocol. No bridge surface. Not applicable.
RD-F-150 n/a Bridge validator co-hosting Ethereum-only protocol. No bridge surface. Not applicable.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) Ethereum-only protocol. No bridge surface. RD-F-151 (bridge ecrecover check) is not applicable. Not a bridge.
RD-F-152 n/a Bridge binds message to srcChainId Liquity v1 and v2 are Ethereum-only protocols with no bridge surface (profile meta has_bridge_surface: false, is_a_bridge: false; data cache layerzero.present: false). Cat 10 not_applicable.
RD-F-153 n/a Bridge tracks nonce-consumed mapping Liquity v1 and v2 are Ethereum-only protocols with no bridge surface (profile meta has_bridge_surface: false, is_a_bridge: false; data cache layerzero.present: false). Cat 10 not_applicable.
RD-F-154 n/a Default bytes32(0) acceptable as valid root Ethereum-only protocol. No bridge surface. RD-F-154 (default-value bridge root) is not applicable. Not a bridge.
RD-F-155 n/a Bridge validator-set rotation recency Liquity v1 and v2 are Ethereum-only protocols with no bridge surface (profile meta has_bridge_surface: false, is_a_bridge: false; data cache layerzero.present: false). Cat 10 not_applicable.
RD-F-156 n/a Bridge uses same key custody for >30% validators Liquity v1 and v2 are Ethereum-only protocols with no bridge surface (profile meta has_bridge_surface: false, is_a_bridge: false; data cache layerzero.present: false). Cat 10 not_applicable.
RD-F-157 n/a Bridge TVL per validator ratio Liquity v1 and v2 are Ethereum-only protocols with no bridge surface (profile meta has_bridge_surface: false, is_a_bridge: false; data cache layerzero.present: false). Cat 10 not_applicable.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Ethereum-only protocol. No LayerZero OApp (data cache: layerzero.present: false). RD-F-179 (LayerZero DVN configuration) is not applicable.
Threat intelligence & recon Green 7 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain registered (typosquat) signal. Applicable: yes — Liquity is a recognized DeFi brand; LUSD and BOLD are known stablecoin names. Official domain: liquity.org. Registration-to-assessment-date delta: Liquity protocol launched April 2021 — the brand has been live 61 months as of 2026-05-16. 90-day monitoring window for new typosquats: 2026-02-15 to 2026-05-16. Current posture: no confirmed typosquat domain registration for Liquity, LUSD, or BOLD identified in public search. Recognized DeFi brand creates elevated ongoing typosquat risk. WHOIS/DomainTools monitoring not available in static assessment. Score is yellow because the brand recognition creates persistent elevated risk even without a confirmed active typosquat — the absence of evidence in public search does not constitute a confirmed clean status for this factor.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool probe: attacker wallet sending low-gas failing transactions signal. Applicable: yes. Current posture: no mempool probe patterns identified for Liquity via public sources. Requires live mempool monitoring with threat-actor cluster list (Chainalysis/TRM Labs). Public-proxy observation yields no red flag. Rekt DB clean. Green posture on available evidence, but signal tier requires partner feed for definitive assessment.
RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site matching protocol infrastructure. Applicable: yes. Current posture: no leaked credentials for Liquity infrastructure identified via public search. Liquity's immutable architecture significantly reduces the impact of a credential leak — even if frontend credentials were leaked, the core protocol cannot be administratively drained (no admin keys exist on core contracts). Production credential-monitoring pipeline (paste site + sentry monitoring) required for definitive assessment. Green posture on available evidence, gray on confidence.
RD-F-165 gray Protocol social channel has scam-coordinator flag Telegram/Discord channel member flagged as scam-coordinator. Applicable: yes in principle. Current posture: no Discord found for Liquity as of 2026-05-16 (profile section 9: 'Discord: Not found as of 2026-05-16'); no Telegram channel identified. Primary social surface is the voting.liquity.org Discourse-based governance forum and X (Twitter). Cannot assess scam-coordinator presence on channels that are not publicly identifiable.
RD-F-158 green Known-threat-actor cluster has touched protocol Known-threat-actor wallet cluster has touched protocol signal (T-09 phase-2 signal tier, tier-C advisory). Applicable: yes — permissionless protocol. Current posture: no known-threat-actor wallet interactions with Liquity contracts identified via public CTI sources. Rekt DB shows zero incidents (rekt.incidents: [] per cache). Liquity AG is a Swiss registered corporation (Zug canton) with publicly known co-founders Robert Lauko and Rick Pardoe; well-doxxed institutional team. Series A backed by Pantera Capital, Alameda Research, and Greenfield.one (March 2021). No DPRK or Lazarus Group attribution identified in any public source for Liquity wallets or team.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps GitHub-flagged malicious-dependency incident touching protocol dependencies. Applicable: yes (bold repo has package.json present per cache; Node.js tooling). Current posture: no current GHSA or npm advisory flagged against Liquity's dependency tree via public search. Cache github.package_json_present: true. Active development (last commit 2026-05-16). No supply-chain dependency incident reported for Liquity.
RD-F-162 green Known-exploit-template selector deployed by any address Known-exploit-template selector-pattern deployed by any address. Applicable: yes. Current posture: no exploit-template deployments targeting Liquity's CDP/stability-pool architecture identified. Liquity's original (non-fork) design means the Compound V2 exploit template family and Aave-fork exploit templates do not apply. No reported clone-exploit attempts against Liquity's unique architecture in any public source.
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols Attacker wallet reconnaissance time before strike (days, for similar class) — reference/analytic signal. For CDP protocols similar to Liquity: USPD-class reconnaissance is typically 30-78 days per T-01 methodology. Current posture: no reconnaissance pattern indicators identified for Liquity. Zero protocol-layer attacks in 61-month v1 history. No wallets identified as conducting reconnaissance-style pre-strike activity against Liquity contracts. Immutable architecture means even successful reconnaissance would not identify admin-key-abuse vectors.
Tooling / compiler / AI Green 0 5 of 5
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Liquity is an original design with no audited upstream to compare against. The factor (bytecode similarity to audited upstream with behavioral deviation — AI-copy risk) is structurally inapplicable for original protocols.
RD-F-170 green Solc version used (known-bug versions flagged) v2 contracts: solc 0.8.24+commit.e11b9ed9 confirmed from Etherscan (TroveManager, BorrowerOperations, Exact Match). TransientStorageClearingHelperCollision introduced 0.8.28 — does not affect 0.8.24. StorageWriteRemovalBeforeConditionalTermination fixed 0.8.17 — does not affect 0.8.24. No high-severity bugs in 0.8.24. v1 contracts: solc 0.6.11+commit.5ef660b1 confirmed from Etherscan (BorrowerOperations, LUSD token). All known high-severity Solidity bugs pre-date 0.6.x and were fixed before 0.6.11. Both versions clean.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI co-authorship metadata (GitHub Copilot co-authored-by trailers) detected in liquity/bold commit history. Deployment commit e367755 and surrounding commits show conventional human-authored commits from contributors bingen, cyril-dfi, bpierre. No public reporting of AI-tool co-authorship in security-critical files.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Liquity AG, Robert Lauko, Rick Pardoe, or any team member of AI-generated Solidity in security-critical contract paths. Audit blog post discusses traditional security review methodology. No such disclosure on protocol blog, docs, or public channels.
RD-F-174 green Dependency tree uses EOL Solidity version v2 (operative system): foundry.toml specifies evm_version = 'cancun'; Etherscan confirms solc 0.8.24 — current, actively supported version, not EOL. v1: solc 0.6.11 is EOL from official Solidity support but v1 contracts are fully deployed and immutable — no re-compilation or deployment will occur. Operative v2 system uses supported version; v1 EOL concern is academic for immutable deployed code.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No explicit acknowledgment-time SLA is published. The Cantina bounty page instructs researchers to report within 24 hours of discovery (researcher obligation) but states no team response commitment (e.g., 72h ack, 5-day triage window, 30-day remediation window). The security docs page (docs.liquity.org/v2-documentation/security) confirms security@liquity.org but includes no SLA language. In practice, the Feb 2025 pre-launch disclosure was actioned same-day — faster than most published SLAs — demonstrating strong response culture without a formal commitment.
RD-F-175 green Disclosure channel exists Disclosure channel exists: (1) security@liquity.org — confirmed in v1 bug bounty docs and v2 security docs page; (2) Active Cantina bug bounty for v2 (https://cantina.xyz/bounties/7aa23a2b-7e8b-4b88-a9bb-713dc102a11a), live since July 1, 2025, with 277 findings submitted. Both a human contact and a structured bug bounty submission channel are present.
RD-F-177 green Prior known-ignored disclosure No evidence of any disclosure being received and ignored before an exploit. The Sep 2022 Tellor disclosure (reported by @paco0x via Twitter) was actioned — Tellor implemented a 15-minute delay fix. The Feb 2025 Stability Pool discovery was actioned same-day. Hacksdatabase: 0 Liquity incident entries. No post-mortem exists referencing an ignored prior disclosure. REKT DB: 0 entries.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory has been issued against Liquity. The Sep 2022 Tellor vulnerability was disclosed via the Liquity blog but not assigned a CVE or GHSA number. No GitHub Security Advisory exists in the liquity/dev or liquity/bold repos. The Feb 2025 Stability Pool issue was disclosed via the Liquity blog without formal advisory database assignment. Under the factor definition, no CVE/GHSA = no public advisory issued = favorable (advisory issuance signals a known exploitable vulnerability that has been formally catalogued).
rubric_version v1.7.0 graded_at 2026-05-16 10:35:52 factors 184 protocol liquity