Lista DAO
DeploymentsBNB Chain · —
01
Risk profile at a glance
0 red · 7 yellow · 6 green 02
Categories & evidence
184 factors · 13 categoriesCode & audits Green 15 25 of 25
RD-F-009 red Formal verification coverage No Certora, Halmos, Kani, or Echidna formal verification evidence found in the GitHub repo or any audit PDF summary. The protocol has 21 audits using traditional manual + automated analysis only. No /certora or /specs directory exists. Formal verification is absent. RD-F-001 yellow Audit scope mismatch Most recent cluster audit is BlockSec/Bailsec Nov 27 2024 (release v5.1 commit bc21c3f). Post-Nov 2024 commits (~Aug 2025) add xSolvBTC PriceFeed, PufETH PriceFeed, clisBNB renaming, and EVM version CI fix — these oracle contracts are unaudited. No audit PDF commit SHA matched to current deployed bytecode. Interaction proxy (0xB6..) compiled with solc 0.8.2; implementation (0xCe..) compiled with solc 0.8.10, confirming staged upgrade history. Lista Lending (~April 2025, ~$189.5M borrowed) has no audit PDF in /audits/ directory. RD-F-002 yellow Audit recency Most recent audit sign-off: Nov 27, 2024 (BlockSec slisBNB Provider + Bailsec slisBNB Provider). Days since: ~166 days as of 2026-05-12 — within 365-day green window. However significant unaudited commits exist post-audit (new price feed contracts for xSolvBTC, PufETH). Scored yellow due to material post-audit code drift despite recency. RD-F-005 yellow Audit firm tier No Tier-1 firm (Trail of Bits, OpenZeppelin, ConsenSys Diligence, Certora, Sigma Prime, Spearbit, Zellic) has audited this protocol. Best firms are BlockSec, PeckShield, SlowMist — all established Tier-2 firms. Certik is Tier-2 with contested reputation. Tier-2 only coverage. RD-F-017 yellow Mixed-decimals math without explicit scaling ResilientOracle provides normalized price data. Interaction.sol uses WAD/RAY fixed-point from MakerDAO core. However, with 20+ collateral types (BTCB, wstETH, ezETH, USDT, slisBNB, etc.) across various decimal configurations, full decimal-normalization verification requires static analysis tool run not conducted here. RD-F-019 yellow ecrecover zero-address return unchecked OZ 4.6.0 is in the affected range of GHSA-4h98-2769-gh6h (ECDSA signature malleability, HIGH severity, affected >=4.1.0 <4.7.3). hay.sol and LisUSD.sol implement EIP-712 permit signatures. If OZ ECDSA library is used for signature verification, the HIGH advisory may apply. Marked yellow as exploitability depends on whether signatures (vs nonces) are used as replay protection. RD-F-023 yellow Constructor calls _disableInitializers() PSM.sol and DynamicDutyCalculator.sol correctly call _disableInitializers() in their constructors. However, older core contracts — Interaction.sol, vat.sol, jug.sol, hay.sol, flash.sol — do NOT have a constructor calling _disableInitializers(). These are the highest-TVL contracts (CDP vault state). Implementation contracts are directly re-initializable if not protected by access control on the initialize function. New 2024-era contracts have correct protection; 2022-era CDP core does not. RD-F-024 yellow Code complexity vs audit coverage 21 audits across 8 firms cover different modules (OFT, AMO, PSM, Emission Voting, slisBNB Provider, Oracle). CDP core (vat/jug/spot/dog/clip/Interaction) has NOT been re-audited since 2022. Lista Lending (~April 2025, ~$189.5M borrowed) has NO audit PDF in /audits/. The codebase has grown substantially (20+ collateral types, new modules) with fragmented rather than comprehensive audit coverage. RD-F-003 gray Resolved-without-proof findings Audit PDFs are binary and not readable via WebFetch. Cannot verify resolved-vs-unresolved findings without PDF reader or tool run. No secondary source documents an unresolved finding. Gray per grounding discipline. RD-F-010 gray Static-analyzer high-severity count No published Slither/Mythril/Semgrep output found. Contracts are source-verified on BscScan enabling tool runs, but none have been conducted in this assessment. Needs tool run. RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Protocol uses TransparentUpgradeableProxy pattern, not UUPS. BscScan confirms Interaction contract (0xB6..) is a TransparentUpgradeableProxy (contract name confirmed on BscScan). Upgrade is controlled via ProxyAdmin, not _authorizeUpgrade(). F021 tests UUPS-specific risk which does not apply here.
RD-F-004 green Audit count 8 distinct audit firms confirmed: SlowMist, PeckShield, Certik, Veridise, BlockSec, Salus, Bailsec, Supremacy across 20 engagements on main repo plus 1 BlockSec engagement on synclub-contracts. Significantly exceeds the >=2-firm threshold.
RD-F-006 green Audit-to-deploy gap Nov 2024 audits deployed within 4 days of audit sign-off (release v5.0 Nov 26, v5.1 Nov 26, audit dates Nov 22-27). 2022 audits deployed ~81-101 days after sign-off (May audit -> Aug 2022 launch). Recent cadence is excellent; historical cadence acceptable.
RD-F-007 green Bug bounty presence & max payout Immunefi program active since June 16, 2022, last updated April 24, 2026. Max payout: $1,000,000 (Critical = 10% of affected funds, capped at $1M, floor $100K). 134 assets in scope on BSC. Program clearly active and well-resourced.
RD-F-008 green Ignored bounty disclosure No evidence found that the Dec 2022 Ankr/Helio incident was preceded by an unactioned bounty disclosure. The incident was an external cascade (Ankr deployer key compromise causing aBNBc price collapse) that exploited Helio oracle latency. Halborn post-mortem confirms mechanics as cascade rather than pre-disclosed bug. No other ignored-disclosure incidents found.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT opcode found in reviewed contracts (Interaction, vat, jug, hay, flash, LisUSD, PSM, DynamicDutyCalculator, AuctionProxy). MakerDAO-derived core does not use SELFDESTRUCT. Full codebase not exhaustively reviewed — confidence medium.
RD-F-012 green delegatecall with user-controlled target Review of Interaction.sol, vat.sol, hay.sol, flash.sol, PSM.sol showed no delegatecall with user-controlled target. External calls use predefined interface references (VatLike, DogLike, etc.) with admin-set contract addresses. No Slither run available.
RD-F-013 green Arbitrary call with user-controlled target No fully user-controlled call target found in reviewed contracts. FlashBuy performs DEX routing via audited paths. Core CDP contracts use struct-based state mutation. No arbitrary-send-eth pattern identified in reviewed scope.
RD-F-014 green Reentrancy guard on external-calling functions Interaction.sol implements custom nonReentrant modifier (boolean flag _entered, lines 116-121) applied to deposit(), borrow(), payback(), withdraw(). Functionally equivalent to OZ ReentrancyGuard for these core functions. PSM.sol uses OZ pause-based protection. No missing reentrancy guards found in core functions.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard No ERC-777 integration found in reviewed contracts. Collateral tokens are ERC-20 (BNB derivatives, wstETH, BTCB, slisBNB). No tokensReceived or onReceived callback patterns in the CDP or stablecoin contracts.
RD-F-016 green Divide-before-multiply pattern MakerDAO-derived arithmetic uses RAY (10^27) fixed-point math. Reviewed contracts (vat.sol, jug.sol) use rdiv/rmul helper patterns that multiply before dividing, consistent with MakerDAO's safe arithmetic patterns. No divide-before-multiply identified in reviewed scope.
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.x built-in overflow/underflow protection active. MakerDAO-derived math uses unchecked blocks in vat.sol for performance (explicit in source). No signed/unsigned confusion identified in reviewed contracts. Cannot fully confirm without Slither run.
RD-F-020 green EIP-712 domain separator missing chainId hay.sol initializes with chainId_ parameter in initialize(uint256 chainId_, string memory symbol_, uint256 supplyCap_). LisUSD.sol uses OZ upgradeable EIP-712 pattern with chainId in domain separator. Both stablecoin contracts correctly include chainId in domain separator.
RD-F-022 green Public initialize() without initializer modifier All reviewed implementation contracts expose initialize() with the OZ initializer modifier: Interaction.sol (public initializer), vat.sol (public initializer), jug.sol (external initializer), hay.sol (external initializer), flash.sol (external initializer), LisUSD.sol (initializer ~line 106), PSM.sol (initializer), DynamicDutyCalculator.sol (external initializer). No unprotected initialize() found in any reviewed contract.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Immunefi program (last updated April 24, 2026) has 134 assets in scope covering DeFi protocols, lending, stablecoins (lisUSD), and yield aggregators on BSC. No highest-TVL contract is explicitly excluded. The program excludes prior-audit-documented vulnerabilities (reasonable exclusion, not a scope gap). Bounty scope appears to cover core CDP and lending contracts.
Governance & admin Yellow 26 24 of 24
RD-F-034 red Guardian/pause-keeper distinct from upgrader No distinct PAUSER_ROLE found. Interaction.sol uses removeCollateralType() (sets live=2 STOPPED) controlled by wards — same as upgrader role. No guardian/pause-keeper separate from admin. Single admin path for both pause and upgrade actions. RD-F-037 red Quorum achievable via single-entity flash loan No on-chain Governor contract; Snapshot voting is off-chain with no quorum enforcement. Emergency vote window is 1 hour (confirmed from LIP-022 November 2025). No formal quorum protecting against coordinated low-participation manipulation. Off-chain governance with no quorum floor. RD-F-028 yellow Low-threshold multisig vs TVL 3-of-6 multisig at $1.19B TVS. Peer norm for this TVL band ($1B+) is 4-of-7 or higher (Aave Guardian 5-of-10, Morpho higher). One threshold below peer norm. Not critically low but borderline for this TVL tier. RD-F-032 yellow Timelock duration on upgrades Timelock minDelay = 86400 seconds = 24 hours exactly. Methodology threshold: >=48h green; 24-47h yellow; <24h red. 24h is the yellow lower bound. RD-F-033 yellow Timelock on sensitive actions Timelock gates lending cluster operations (upgrades go through it). CDP Interaction.sol admin functions (rely/deny, removeCollateralType, parameter changes) use wards-based direct access WITHOUT routing through the Timelock. setSupplyCap on lisUSD is not timelocked. Partial coverage: 2-3 of 5 action types timelocked. RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Interaction.sol uses unified wards mapping for all admin operations including oracle config, fee rates, and upgrade — roles not separated at CDP level. At Timelock level: multisig holds PROPOSER+EXECUTOR; deployer EOA holds DEFAULT_ADMIN_ROLE. Partial separation exists at Timelock layer only. RD-F-036 yellow Flash-loanable voting weight veLISTA uses a time-lock mechanism (up to 52-week lock, Curve veToken model, launched July 2024). Voting weight from locked position — cannot be flash-loaned in same transaction since tokens must be locked in a prior epoch. Flash-loan resistance is structural. However Snapshot voting strategy type (erc20-votes checkpoint vs erc20-balance-of(veLISTA)) not confirmed via GraphQL endpoint which returned loading state. RD-F-038 yellow Proposal execution delay < 24h Execution path: Snapshot vote (typically 3-7 days off-chain) + 24h Timelock delay before execution. The Timelock delay component is 24h (yellow threshold). Total pipeline exceeds 24h when Snapshot voting is included, but the protocol-controlled delay is exactly 24h at the yellow boundary. RD-F-040 yellow Emergency-veto multisig present CANCELLER_ROLE on Timelock held by deployer EOA 0xd7e38800. This is an EOA, not a separate multisig. Cancel power exists but is held by a single EOA, not a distinct guardian multisig. No emergency veto multisig separate from the proposer multisig. RD-F-041 yellow Rescue/emergencyWithdraw without timelock GitHub search for rescue/emergencyWithdraw returned zero results in lista-dao-contracts. Interaction.sol has no named rescue function. However, rely()/deny() in Interaction.sol allows admin to arbitrarily grant/revoke permissions without timelock — functional admin escalation path without a named rescue function. No single-call full-drain path confirmed. RD-F-042 yellow Admin has mint() with unlimited max lisUSD (hay.sol) enforces a supplyCap in mint(). Cap exists and is enforced. However, setSupplyCap() is callable by MANAGER role (auth modifier) without timelock — admin can raise cap atomically then mint. Cap management not timelocked; functional cap is mutable instantly by authorized role. RD-F-045 yellow Constructor args match governance proposal Timelock constructor args match expected parameters (delay=86400, proposers=[multisig], executors=[multisig]). Role changes April 8, 2025 (2 GrantRole + 1 RevokeRole executed by deployer EOA) not linked to a public Snapshot proposal. Minor governance action without documented public justification. RD-F-047 yellow Governance token concentration (Gini) LISTA token has 142,100 holders on BSCScan. Distribution: Community 40%, Investors+Advisors 19%, Binance Megadrop 10%, Airdrop 10%, Team 3.5%, DAO Treasury 8%, Ecosystem 9%. Only ~28% of 1B total supply circulating at assessment. Large team/investor vesting tranches suggest non-trivial concentration. Gini not calculable from available data (holder list JS-rendered). RD-F-029 gray Multisig signers co-hosted Six signer addresses known. No co-hosting evidence determinable from available on-chain patterns or accessible OSINT in this pass. Insufficient data to assess ASN/custodian diversity. RD-F-030 gray Hot-wallet signer flag Individual signer EOA behavior not assessed. Multisig execTxs submitted by relay addresses 0x535EC9c0 and 0xd1EcB316 which obscure individual signer signing patterns. Insufficient data for hot-wallet classification.
RD-F-025 green Admin key custody type Admin/owner of key contracts is multisig+timelock combination. 3-of-6 Gnosis Safe 0x8d388136 holds PROPOSER+EXECUTOR roles on 24h OZ TimelockController 0x2e2807F8. CDP Interaction.sol uses wards mapping where multisig holds ward permissions.
RD-F-026 green Upgrade multisig signer configuration (M/N) 3-of-6 multisig. Safe API confirmed threshold=3, owners_count=6, nonce=2211. Six signer addresses listed in profile. M/N = 3/6.
RD-F-027 green Single admin EOA Admin is 3-of-6 multisig, not an EOA. Deployer EOA 0xd7e38800 holds only CANCELLER_ROLE and DEFAULT_ADMIN_ROLE on Timelock — not PROPOSER/EXECUTOR. No single EOA can execute privileged operations without multisig co-signers.
RD-F-031 green Signer rotation recency No AddedOwner/RemovedOwner/ChangedThreshold events detected on the multisig in last 90 days. April 8, 2025 Timelock role events were Timelock-level role grants (not multisig signer changes). Consistent with no recent signer rotation.
RD-F-039 green delegatecall/call in proposal execution without allowlist No on-chain Governor. Execution via OZ TimelockController which uses standard call() to target contracts, not unconstrained delegatecall. PROPOSER role is the multisig — no arbitrary governance proposers. No proposal-payload delegatecall pattern.
RD-F-043 green Admin = deployer EOA after 7 days PROPOSER+EXECUTOR on Timelock held by multisig 0x8d388136, not deployer EOA. CDP Interaction.sol wards include multisig as primary admin. Deployer EOA 0xd7e38800 retains CANCELLER_ROLE only. Transfer to multisig confirmed by Safe nonce=2211 showing active governance history.
RD-F-044 green Admin wallet interacts with flagged addresses Multisig recent transactions: routine execTxs with negligible BNB amounts. Deployer EOA transactions: role grants, contract deployments, whitelist updates — no OFAC-listed or known-rug address interactions visible from BSCScan review.
RD-F-046 green Contract unverified on Etherscan/Sourcify Core contracts all verified on BscScan: Interaction proxy 0xB68443Ee (impl 0xCe338985 verified), lisUSD proxy 0x0782b6d8 (impl 0xF5bd9b19 verified), Timelock 0x2e2807F8 (verified directly), Governance Multisig 0x8d388136 (Gnosis Safe standard verified).
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated-and-paused contracts with live admin capable of unpausing identified. HAY→lisUSD migration: lisUSD proxy (0x0782b6d8) has single upgrade since near-launch. No evidence of old Helio contracts holding significant value under paused state with reversible admin.
Oracle & external dependencies Yellow 21 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) CDP depends on ResilientOracle (Chainlink, Pyth, API3), spot.sol poke() keeper architecture, and LayerZero OFT for slisBNB cross-chain. Lista Lending depends on market-creator-specified oracles with no enforced whitelist. HelioOracle legacy manual-price path adds a centralized dependency. Dependency graph is diffuse due to permissionless Lista Lending oracle selection. RD-F-051 yellow Fallback behavior on oracle failure ResilientOracle has explicit try-catch cascade: Main fails → fallback vs pivot. All fail → revert. Individual adapter level (SlisBnbOracle, BnbOracle) has NO staleness check — delegates entirely to ResilientOracle. Lista Lending markets have no protocol-level fallback; market oracle failure halts that market. Yellow because adapter-level staleness absent and Lista Lending fallback is none. RD-F-052 yellow Breakage analysis per dependency CDP ResilientOracle requires all 3 sources to fail simultaneously before reverting — strong redundancy. Key gap: if timeDeltaTolerance is not set conservatively, stale prices could be accepted silently. Lista Lending: single immutable oracle per market; market oracle failure halts that market with no protocol intervention. AVAX/USD and COMP/USD: 86,400s heartbeat (24h price freeze window). RD-F-055 yellow Oracle pool depth (USD) Chainlink off-chain aggregated feeds — not DEX-pool-depth-dependent for major assets (BNB, ETH, BTC, USDT, USDC). AVAX/USD and COMP/USD have 86,400s heartbeat on BSC — these feeds may have lower node-count on BSC vs mainnet. BSC Chainlink feed quality for low-volume assets warrants curator review. No direct DEX pool depth risk for primary assets. RD-F-057 yellow Circuit breaker on price deviation BoundValidator.sol implements ratio-bound deviation check: if reported price deviates from anchor (PIVOT) beyond upperBoundAnchorRatio or below lowerBoundAnchorRatio, price is treated as invalid. Mechanism is present. Yellow because bounds are admin-updatable without confirmed timelock (owner can call setValidateConfig() to change bounds). RD-F-059 yellow Oracle staleness check present ResilientOracle has timeDeltaTolerance staleness check (returns INVALID_PRICE if block.timestamp - updatedAt > tolerance). Confirmed at aggregator level. However: PythOracle.sol uses getPriceUnsafe() with no staleness check at adapter level. BnbOracle.sol and SlisBnbOracle.sol have no adapter-level staleness check. AVAX/USD and COMP/USD have 86,400s (24h) Chainlink heartbeat — stale window very wide. Yellow: staleness present at aggregator but absent at several adapter and feed levels. RD-F-060 yellow Chainlink aggregator min/max bound misconfig Chainlink V3 AggregatorV3Interface used for major feeds (BNB, ETH, BTC — 60s heartbeat); V3 feeds on BSC are less likely to have dangerous MinAnswer/MaxAnswer circuit-breaker misconfiguration than V1/V2. BoundValidator provides compensating control. Yellow for AVAX/USD and COMP/USD (86,400s feeds) which may use older feed formats with MinAnswer/MaxAnswer risks; curator should verify. RD-F-062 yellow External keeper/relayer not redundant CDP spot.sol poke() must be called periodically to update collateral prices (MakerDAO architecture) — keeper-dependent. If keepers stop calling poke(), collateral prices go stale in spot.sol even if oracle feeds are fresh. Lista Lending: pull-based oracle reads at borrow time, not keeper-dependent. 45 months of operation suggests active keeper network but no formal keeper redundancy documentation found. RD-F-180 yellow Immutable oracle address YELLOW — F180 critical-CANDIDATE held per T-12 PD-017; flag for T-14 post-launch promotion tracking. ResilientOracle proxy itself is upgradeable (oracle addresses mutable via setOracle() — GREEN). However: (1) BnbOracle.sol and SlisBnbOracle.sol hardcode `address constant public RESILIENT_ORACLE_ADDR = 0xf3afD82A4071f272F403dC176916141f44E6c750` — immutable at adapter level; (2) PythOracle.sol: `IPyth immutable public pyth`; (3) API3Oracle.sol: `public immutable api3Proxy`; (4) Lista Lending markets: per documentation 'Once a market is deployed, its oracle address cannot be modified' — per-market oracle lock-in. Yellow: ResilientOracle wrapper is replaceable but individual adapters and all Lista Lending market oracles are hardcoded/immutable. RD-F-181 yellow Permissionless-pool lending oracle Lista Lending markets are permissionless — any curator can deploy a market specifying any oracle address with no whitelist enforcement. No TWAP requirement, no liquidity floor, no token-age minimum enforced. Once deployed, oracle is immutable per market. Matches F181 pattern. Yellow not red: Morpho-style market isolation prevents cross-market contagion; each market's risk is bounded to that market's collateral pool. RD-F-058 gray Max-deviation threshold (bps) BoundValidator uses percentage ratios rather than fixed bps values. Default bound values not confirmed from available evidence (would require direct on-chain call to validateConfigs mapping). Structural mechanism confirmed but actual configured thresholds not assessable without on-chain RPC reads.
RD-F-048 green Oracle providers used ResilientOracle aggregator (BSC 0xf3afD82A4071f272F403dC176916141f44E6c750) uses three oracle layers: Chainlink as MAIN (14 confirmed BSC feed pairs), Pyth Network as PIVOT, and API3 dAPI as FALLBACK. HelioOracle (legacy owner-set) and Lista Lending market-specific oracles also present. Multi-provider confirmed.
RD-F-049 green Oracle role per asset ResilientOracle implements explicit MAIN/PIVOT/FALLBACK roles via OracleRole enum. TokenConfig struct maps three oracle roles per asset. Chainlink = MAIN, API3 = PIVOT/FALLBACK, Pyth = FALLBACK. Lista Lending has single immutable oracle per market (curator-specified).
RD-F-053 green Oracle source = spot DEX pool (no TWAP) NOT a spot DEX pool oracle. ResilientOracle uses Chainlink off-chain aggregated feeds as MAIN (not a spot DEX pool) with Pyth/API3 as PIVOT/FALLBACK. Dec 2024 migration from Redstone to Chainlink for BNB/USD confirmed. IUniswapV2Pair interface exists in codebase but is not the primary price mechanism. Lista Lending markets can theoretically specify spot DEX oracles but this is curator-level risk per isolated market.
RD-F-054 green TWAP window duration ResilientOracle does not use TWAP — it uses Chainlink off-chain aggregated spot prices, Pyth network prices, and API3 dAPI prices. No DEX TWAP in the primary oracle stack. TWAP window factor is not applicable because the oracle source is off-chain aggregated, not DEX-based.
RD-F-056 green Single-pool oracle (no medianization) ResilientOracle explicitly performs cross-source validation: MAIN price validated against PIVOT using BoundValidator ratio-bounds. FALLBACK validated against PIVOT. Not a single-pool or single-source design. Multi-source medianization via cascading validation confirmed.
RD-F-061 green LP token balanceOf used for pricing ResilientOracle is NOT based on LP token balanceOf. LST price adapters (slisBNB, wstETH) use exchange-rate calculations combined with underlying asset Chainlink feeds — not raw balanceOf. IUniswapV2Pair interface exists in codebase but no confirmed balanceOf-based pricing path for major collateral.
Economic risk Yellow 37 13 of 13
RD-F-072 red Market-listing governance threshold Lista Lending market creation is explicitly permissionless — confirmed by multiple independent sources: 'Anyone can create a market, without needing governance approval.' Any actor can create a market with any collateral, loan asset, LLTV, oracle, and interest rate model. This is intentional Morpho Blue-style design philosophy. Risk: malicious or misconfigured markets can attract TVL from vault depositors if curators are not vigilant. No governance threshold or minimum TVL requirement gates market creation. RD-F-075 red First-depositor / share-inflation guard MasterVault.sol custom vault: no virtual share offset, no explicit first-depositor seed deposit found in source, no floor-check on shares/assets ratio. Share calculation is `shares = _assessFee(amount, depositFee)` — a fixed fee deduction, not a ratio-based conversion tied to totalAssets. No _decimalsOffset override. No seed deposit evident in constructor or initializer. Under a scenario where all strategy funds are temporarily drained and a new depositor is first, share-inflation manipulation may be possible. Red: no first-depositor guard mechanism identifiable in source code. RD-F-065 yellow Liquidity depth per major asset slisBNB/WBNB pool on BSC (THENA) shows $589.69M depth — adequate for primary LST collateral liquidations. BNB/USD natively deep on BSC via PancakeSwap and Binance. BTCB adequate as primary BSC BTC token. Emerging collateral types (PT-clisBNB, solvBTC, LP tokens) have unknown/thinner depth. Yellow for long-tail collateral uncertainty. RD-F-067 yellow Historical bad-debt events One documented bad-debt event: Dec 2022 Helio Protocol (predecessor) ~$15M HAY bad debt from Ankr aBNBc oracle-latency cascade. Users were fully compensated (Ankr deployed $15M). Team and operational continuity confirmed through rebrand to Lista DAO. No post-rebrand bad-debt events identified. Yellow: one event with full compensation. RD-F-068 yellow Collateralization under stress lisUSD CDP collateral estimated ~70-75% BNB-family assets (slisBNB, wBETH, native BNB) with minimum CR ~150% (66% LTV). Under a 50% BNB/slisBNB price shock, simultaneous undercollateralization of most CDP positions would occur. The Dec 2022 Helio incident (aBNBc = slisBNB predecessor collapse → $15M bad debt) is the direct structural precedent. PSM/AMO provide peg stability tools but cannot absorb correlated collateral cascade. Stress simulation not executable without RPC; structural analysis confirms yellow-class risk. The 34% buffer above LTV is insufficient for a 50% price drop on correlated assets. RD-F-073 yellow Oracle-manipulation-proof borrow cap First-party Lista Lending vaults use multi-oracle aggregation (Chainlink + Binance Oracle + Redstone + API3), providing meaningful manipulation resistance for established markets. CDP component uses Chainlink + HelioOracle aggregation. However, permissionless third-party market creation allows any oracle specification — a malicious market could use a thin DEX TWAP oracle with a borrow cap set near oracle pool depth. Per-asset borrow caps not enumerable without RPC. Yellow: first-party markets likely safe; permissionless market oracle risk unverifiable. RD-F-064 gray TVL concentration (top-10 wallet share) TVL depositor concentration not enumerable — Dune Analytics returns 403 (universal gap per process-learnings), no subgraph query available. Protocol has 12M+ BNB staked across many users per end-2025 reporting, suggesting broad distribution, but top-10 wallet share cannot be computed without on-chain RPC access. RD-F-070 gray Empty cToken-style market (zero supply/borrow) NOT APPLICABLE — Lista Lending is Morpho Blue-inspired permissionless isolated-market architecture, NOT a Compound V2 cToken/Comptroller fork. Confirmed by: (1) profile.meta.json fork_lineage lending_component 'Morpho-inspired (NOT Compound)'; (2) GitHub contracts directory shows no Comptroller/cToken files, uses MakerDAO vat/jug/spot/dog/clip for CDP; (3) multiple independent sources (BSC News, AccessNewswire, docs) confirm permissionless isolated market pairs, not pooled cToken markets; (4) MasterVault.sol does not use cToken share accounting. The donation-exploit precondition (empty cToken market totalSupply=0) does not exist in this architecture. RD-F-071 gray Seed-deposit requirement for new market listing NOT APPLICABLE — seed-deposit requirement for Compound V2-style cToken new market listing. Lista Lending uses Morpho Blue-inspired isolated market pair architecture, not cToken pools. No cToken totalSupply seed requirement concept exists in this design. Share-inflation at the vault/meta-vault level is captured by F075 (first-depositor guard). The factor's measurement target (cToken-style seed deposit before borrow-enable) does not apply to permissionless isolated pair markets. RD-F-074 gray ERC-4626 virtual-share offset (OZ ≥4.9) NOT APPLICABLE — MasterVault.sol is NOT an ERC-4626 vault. It inherits OwnableUpgradeable + PausableUpgradeable + ReentrancyGuardUpgradeable but not ERC4626Upgradeable (source confirms a commented-out ERC4626 import). Custom fee-deduction share model only. OZ version in package.json is 4.6.0 (pre-4.9) but irrelevant since ERC-4626 is not implemented. No _decimalsOffset present. Lista Lending vaults use permissionless isolated market architecture, not standard ERC-4626.
RD-F-063 green TVL (current + 30d trend) TVL $1.188B as of 2026-05-12 (DefiLlama API). 30-day trend +8.03% (recovering). 90-day CoV 0.088 (mean $1.228B, std $108M) — moderate volatility, well above $100M green threshold. Chain split 99.06% BSC / 0.94% Ethereum.
RD-F-066 green Utilization rate (lending protocols) Aggregate utilization rate 15.95% (total borrowed $189.459M / total supplied $1.188B). Well below 80% yellow threshold. No market-level withdrawal freeze risk at aggregate level. Individual market utilization not enumerable without RPC but overall picture strongly green.
RD-F-069 green Algorithmic / under-collateralized stablecoin lisUSD is over-collateralized CDP stablecoin modelled after MakerDAO. Minimum collateralization ratio ~150% confirmed by multiple sources. Fully backed by exogenous crypto collateral (BNB, slisBNB, BTCB, wBETH, stablecoins). Not algorithmic — no unbacked minting mechanism. PSM provides peg stability via asset swaps. Clearly over-collateralized design.
Operational history Green 19 15 of 15
RD-F-089 red Insurance coverage active No active insurance coverage found for Lista DAO on Nexus Mutual, Sherlock, or Unslashed. TVL $1.19B; green threshold requires ≥5% TVL coverage ($59.5M minimum). BSC-native protocol; Nexus Mutual coverage historically concentrated on Ethereum mainnet protocols. No Sherlock coverage listing found. Per process-learnings, F089 is near-default red for large BSC protocols without confirmed DeFi insurance. Red: no active coverage confirmed. RD-F-077 yellow Prior exploit count One incident in combined Helio/Lista lineage: 2022-12-02 Ankr/Helio cascade. Ankr deployer-key compromise allowed malicious aBNBc infinite-mint; aBNBc price collapsed; Helio oracle lag allowed attacker to borrow ~$15M HAY against worthless aBNBc collateral. Recovery: Ankr deployed $15M to cover Helio bad debt + Helio team executed ~6.8M HAY buyback; HAY re-pegged; users made whole. Yellow per methodology (1 prior exploit with full recovery via cross-protocol agreement). Post-rebrand Lista DAO (Feb 2024 onward): zero direct exploits found. Hack DB cross-reference: confirmed in hacksdatabase/hacks/ankr-helio-rekt.md (BNB Chain, 2022-12-02, ~$15M HAY bad debt). Rekt DB under current slug: empty (sources.rekt.incidents=[]). RD-F-081 yellow Post-exploit response score Curator score ~3.25/5 across four sub-dimensions: (1) Compensation completeness 4/5 — users made whole via Ankr $15M + Helio ~6.8M HAY buyback, HAY re-pegged. (2) Transparency 3/5 — first public Medium post 14 days after exploit (2022-12-16), deferred detailed root-cause analysis to a promised follow-up. (3) Root-cause analysis depth 2/5 — best technical analysis by Halborn (third party), not the protocol team. Team language limited to 'oracle price lag' without specifying design changes. (4) Operational recovery speed 4/5 — protocol paused same day; collateral replacement (aBNBc → ankrBNB) committed to immediately. Composite ~3.25 → yellow (green requires ≥4). RD-F-082 yellow Post-mortem published within 30 days Helio team published Medium update on 2022-12-16 (14 days after exploit) — within the 30-day window. However, this was a response/status update, not a comprehensive technical post-mortem. A follow-up post-mortem with root-cause depth was promised but not confirmed published within 30 days. The most complete technical analysis was Halborn's third-party blog (also within 30 days). Yellow: a public team statement published within 30 days but lacking root-cause depth expected of green. RD-F-085 yellow Incident response time (minutes) Dec-2022 exploit occurred 2022-12-02. Protocol paused same day (confirmed by team statement). First official public team statement: Medium post 2022-12-16 (14 days later). On-chain pause timestamp on BSC not verified to minute-level precision. Green threshold: ≤60 min to first official team statement. Yellow: on-chain response (pause) within hours same day; first public communication 14 days later, well exceeding the 60-minute green threshold for external communication. RD-F-088 yellow Re-deployed to new addresses in last year Major Helio→Lista migration events (HAY→lisUSD, SnBNB→slisBNB) occurred in 2023–2024, outside the trailing 12-month window. Within the May 2025 – May 2026 window: Lista Lending launched ~April 2025 introducing a new Morpho-inspired contract cluster. This is an additive launch (not retirement of existing contracts) but constitutes new contract deployment within the window. Documentation: CoinTelegraph press release confirms launch. Yellow: new product deployment with documented announcement, no unexplained contract retirement. RD-F-166 gray Deprecated contracts still holding value Helio-era contracts (HAY CDP system, aBNBc collateral adapters) were superseded by Lista rebrand and collateral migration. Collateral replacement from aBNBc to ankrBNB confirmed post-exploit. Specific deprecated contract addresses not enumerated in profiler output; on-chain balance verification not performed. Cannot confirm or deny whether pre-rebrand contracts hold >$100K. Gray: deprecated contract identification requires curator enumeration of specific pre-rebrand contract addresses and on-chain balance checks.
RD-F-076 green Protocol age (days) Helio Protocol (predecessor entity, same team) launched on BSC 2022-08-19. Age as of 2026-05-12: ~1,361 days (~45 months). Green threshold is ≥365 days. TVL first data point 2022-08-30 at $17.2M per DefiLlama data cache.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Incident count from F077: 1. Green threshold is <3 incidents. PD-022 CHRONIC flag requires ≥3 same-root-cause exploits in 24 months — not met. No chronic flag.
RD-F-079 green Same-root-cause repeat exploit Only one incident in the combined lineage (Dec 2022). No repeat root cause is possible with a single incident. Green threshold: no repeat root cause.
RD-F-080 green Days since last exploit Last (and only) incident: 2022-12-02. Days since 2026-05-12: ~1,257 days (~41 months). Green threshold: >365 days since last incident. Exceeds by 3× margin.
RD-F-083 green Auditor re-engaged after last exploit Multiple post-incident audits conducted in 2024. Oracle-specific audits directly address the design flaw: PeckShield slisBNB Oracle (2024-04-18), PeckShield Multi-Oracles (2024-04-30). Additional 2024 audits: BlockSec OFT (2024-06-19), AMO (2024-08-06), Emission Voting (2024-10-21), PSM (2024-11-22), slisBNB Provider (2024-11-27); Salus AMO/Emission/PSM/slisBNB (2024); Bailsec slisBNB Provider (2024-11-27). Tier-2 firms engaged. Green threshold: Tier-1/2 re-audit post-incident.
RD-F-084 green TVL stability (CoV over 90d) 90-day CoV from data cache: 0.088296 (mean $1.228B, std $108M, trailing 90 days ending 2026-05-12). Green threshold: CoV <0.15. Current CoV 0.088 well within green. Note: TVL was ~$1.5B in Feb 2026, declining to ~$1.19B by May 2026 but remaining stable in absolute terms.
RD-F-086 green Pause activations (trailing 12 months) No pause activations identified in trailing 12 months (May 2025 – May 2026). Data cache contains no structured pause event data. OSINT search found no pause events for Lista DAO in 2025–2026. Green threshold: 0 pauses.
RD-F-087 green Pause > 7 consecutive days No pause events in last 12 months identified. Green threshold: no pause >7 consecutive days in last 12 months. Condition trivially satisfied by zero pause activations.
Real-time signals Green 4 22 of 22
RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation: no confirmed coordinated campaign (5+ accounts or verified drain reports) found in public OSINT as of 2026-05-12. However, the legacy Telegram channel t.me/helio_money remains active as the official Lista DAO community channel under the Helio Protocol brand name, creating a persistent brand-confusion and impersonation surface. This is a structural yellow — ambient risk present even without an active campaign. RD-F-090 gray Mixer withdrawal → protocol interaction Mixer-to-protocol interaction signal not configured (CTI feed absent). Public OSINT proxy shows no confirmed mixer-funded wallets actively interacting with lista-dao core contracts on BSCScan as of 2026-05-12. BNB Chain ecosystem has general mixer-exposure risk but no lista-dao-specific finding. RD-F-091 gray Partial-drain test transactions Partial-drain test transaction pattern matcher not deployed. TVL trend flat-to-down -8% over 90 days with CoV 0.088 — consistent with market conditions, not a pre-drain probe pattern. No unusual small-value outflows from fresh wallets observed in public record. RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer wallet 0xd7e38800201d6a42c408bf79d8723740c4e7f631 shows Grant Role, Revoke Role, Update Whitelist function calls consistent with admin role management. No unusual deployment burst observed. Baseline behavioral model not deployed for continuous monitoring. RD-F-093 gray Abnormal gas-price willingness from attacker wallet Mempool monitoring not configured for lista-dao. No public MEV-race or abnormal gas-price signal observed for the protocol's contracts. Gas-price monitoring requires continuous mempool stream subscription. RD-F-094 gray New contract with similar bytecode to exploit template Bytecode similarity index not maintained for lista-dao or its MakerDAO-derived CDP class. No new contracts with obvious Lista CDP exploit-template signatures found in public record as of 2026-05-12. RD-F-095 gray Known-exploit function-selector replay Selector pattern index not maintained for lista-dao or MakerDAO-CDP class exploit templates. Dec 2022 oracle-cascade exploit has known selector patterns but no replay detected in public record. RD-F-096 gray New ERC-20 approval to unverified contract from whale Whale list and approval-event monitoring not configured for lista-dao. Signal requires whale depositor address list and real-time Approval event stream. RD-F-097 gray Sybil surge of identical-pattern transactions Sybil clustering algorithm not deployed for lista-dao. Snapshot governance uses off-chain veLISTA votes; on-chain sybil pattern less applicable for Snapshot model. No unusual identical-tx spike observed in public record. RD-F-103 gray Bridge signer-set change proposed/executed Bridge signer-set change signal applicable (slisBNB LayerZero OFT active BSC ↔ Ethereum per U6 override) but gray because LayerZero OFT DVN addresses not confirmed for lista-dao. Pipeline false-negative: layerzero.present=false in data cache despite OFT confirmed operational. No public announcement of DVN/signer-set change found. Bridge event monitoring not deployed. Signal is T-09 v1 launch scope; gap flagged for oracle-dependency-analyst to resolve OFT addresses. RD-F-106 gray Cross-chain bridge unverified mint pattern Cross-chain bridge unverified mint signal applicable (LayerZero OFT for slisBNB) but bridge event indexer not configured. OFT audited by BlockSec and PeckShield (June 2024). No unverified mint event reported in public record. OFT DVN addresses not confirmed — limits monitoring configurability. RD-F-107 gray Admin EOA signing from new geography/device Admin EOA geography/device signing signal requires off-chain telemetry with team opt-in. No team integration available. Practically always gray per methodology template. No off-chain signing anomaly reported. RD-F-108 gray GitHub force-push to sensitive branch GitHub force-push signal not configured (GitHub webhook monitoring not deployed for lista-dao). Active repo with last commit 2026-05-07. No unauthorized push publicly reported. Signal requires GitHub API webhook subscription. RD-F-110 gray Unusual pending/executed proposal ratio Unusual proposal-ratio signal not applicable for on-chain Governor monitoring (no on-chain Governor exists; governance is Snapshot off-chain + manual multisig execution). No on-chain subgraph for proposal-ratio monitoring. Snapshot-only governance means this signal cannot fire via the defined detection method.
RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly signal not firing. 90-day CoV = 0.088 (mean $1.228B, std $108M). Current TVL $1.19B on 2026-05-12 with 1-day change -1.92%. No drop approaching the 30% threshold over any 1-hour window. Signal is in T-09 v1 launch scope and applicable.
RD-F-099 green Oracle price deviation >X% from secondary Oracle price deviation signal not firing. 14 Chainlink feeds on BSC confirmed operational; multi-oracle (Chainlink + Binance Oracle + Redstone) for Lista Lending. No deviation detected on observable public feeds. T-09 v1 phase-2 signal; secondary-oracle mapping not yet configured for production.
RD-F-100 green Flash loan >$10M targeting protocol tokens Flash-loan targeting signal not firing. No flash-loan event detected targeting lista-dao contracts as of 2026-05-12. Lista Lending and CDP are flash-loan-accessible surfaces but no exploit event recorded in data cache (rekt.incidents: []) or public OSINT.
RD-F-101 green Large governance proposal queued Governance proposal queued signal not firing. No malicious-pattern proposal detected in Snapshot listavote.eth. No on-chain Governor exists (Snapshot off-chain + timelock 0x2e2807F88c381cb0cc55c808a751fc1e3fccbb85). No suspicious timelock queue observed. T-09 v1 launch signal.
RD-F-102 green Admin/upgrade transaction in mempool Admin/upgrade tx in mempool signal not firing. 24h timelock on Lista Lending admin path. No suspicious pending admin/upgrade transaction observed in public BSCScan record as of 2026-05-12. T-09 v1 phase-2 signal; mempool listener not deployed for production.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal not firing. lisUSD (protocol's own stablecoin) not depegged as of 2026-05-12. USDT and USDC both at peg on Chainlink feeds. No active depeg on any collateral stablecoin. T-09 v1 launch signal.
RD-F-105 green DNS/CDN/frontend hash drift DNS/frontend hash drift signal not firing. lista.org is the official frontend domain, registered 2010 under Amazon Registrar (stable, established registrar), last updated 2026-05-05. No DNS change detected. T-09 v1 phase-2 signal; frontend monitoring not deployed for production.
RD-F-182 green Security-Council threshold reduction (RT) Security-Council threshold reduction signal not firing. 3-of-6 multisig 0x8d388136d578dCD791D081c6042284CED6d9B0c6 threshold remains unchanged at 3-of-6 in public BSCScan record. No ChangedThreshold, AddedOwner, or RemovedOwner event detected within a 14-day window in available record. Safe/Gnosis monitoring not deployed for continuous RT coverage.
Dev identity & insider risk Green 10 16 of 16
RD-F-111 yellow Team doxx status CEO named as 'Toru/Tetsu Watanabe' across multiple secondary sources (TechNode, Bitget, Gate.com) in context of the Binance Labs $10M investment announcement. COO named as 'Tai Rui Huang' / 'Terry Huang' with Binance Labs background. LinkedIn company page lists 14 employees including Terry Huang, Tyler Tsai, Grigoriy Gorvat, Ni Ka. GitHub contributors use real-name-adjacent handles (jing.xin@lista.org). No official team page with full bios confirmed. Category: consistent-pseudonym with partial real-name disclosure. Combined-slug note (U9): team continuity confirmed Helio to Lista era — same operators. Yellow for partial-doxx without a primary-source team page. RD-F-112 yellow Team public accountability surface CEO Tetsu/Toru Watanabe: named in Binance Labs press context across 3+ independent secondary sources; no standalone confirmed LinkedIn profile linking to this protocol found. COO Tai Rui Huang: Binance Labs experience described; LinkedIn profile visible as 'Terry Huang' on company page. GitHub primary developer 'rick' (jing.xin@lista.org) provides real-name anchor. No conference talk bibliography, no prior-employer history independently confirmed for CEO. Accountability surface is low relative to $1.19B TVL. Yellow: partial accountability surface with institutional-investor attestation as the key anchoring signal. RD-F-121 yellow Contributor OSINT depth score Curator-scored 2/5. CEO Tetsu/Toru Watanabe: partial real-name confirmed across 3+ secondary sources; no standalone LinkedIn profile linked to this protocol confirmed; no conference talk or prior-employer history independently verified. COO Tai Rui Huang / Terry Huang: Binance Labs experience described across multiple sources; visible on LinkedIn company page. Developer 'rick' (jing.xin@lista.org): real email anchor, consistent GitHub activity. Positive signals: Binance Labs institutional backing provides some accountability anchor; 14 LinkedIn employees visible. Negative signals: no primary-source team page; CEO LinkedIn unconfirmed; multisig signers fully pseudonymous. Score 2/5 = yellow. RD-F-123 yellow Sudden admin-rescue/ACL change without discussion [★ CRITICAL FACTOR] Profile §11 identifies 3 transactions on April 8, 2025 on the Lending TimeLock: two GRANT_ROLE and one REVOKE_ROLE from creator address 0xd7e38800.... GitHub issues list for lista-dao-contracts returned empty (no issues at all, not selective absence). No Snapshot proposal or public community discussion corresponding to these April 8, 2025 role grants was located. Scoring yellow (not red) because: (a) the transactions appear to be TimeLock initialization/setup (granting PROPOSER_ROLE + EXECUTOR_ROLE to multisig, revoking deployer's admin role), not an emergency admin-rescue of live-TVL contracts; (b) the protocol's apparent practice of zero GitHub issues means absence of discussion is structural, not targeted suppression; (c) the change is consistent with normal TimeLock deployment pattern. If any subsequent post-deploy ACL change on live-TVL contracts occurs without Snapshot or public discussion, this factor should flip to red. RD-F-117 gray ENS/NameStone identity bound to deployer BSC EVM substrate. ENS is Ethereum-native. BNS (Binance Name Service / .bnb names via Web3 Name Service) is the BSC analog. No BNS name or ENS-equivalent binding found on deployer 0xd7e38800... or multisig 0x8d388136... per BSCScan fetch. U7 pre-mark applied: substrate is BSC; no ENS-equivalent found. Scoring gray with gap_reason 'not_applicable_substrate' — BSC name services have minimal adoption vs ENS; absence of binding is the expected state for most BSC protocols. RD-F-120 gray Video-off/voice-consistency flag No curator-recorded evidence of video-off or voice inconsistency. No public interview footage of Lista DAO / Helio Protocol team identified in OSINT. BLS Tokyo 2025 search returned no Lista DAO speaker appearances. Insufficient OSINT data to make a positive or negative finding. Scoring gray (data unavailable).
RD-F-113 green Team other-protocol involvement history Helio Protocol (predecessor, same team) — no prior rug or exit-scam affiliation. Web search for 'Lista DAO OR Helio Money' + 'rug OR exit scam OR team dump OR fraud' returned zero protocol-specific hits; only generic rug-pull educational content. The Dec 2022 Ankr-Helio cascade was an oracle-latency cascade caused by Ankr's external key compromise — not a rug by the Helio/Lista team. Ankr deployed $15M to cover bad debt; team response was constructive. Synclub merger (Feb 2024) adds LST history with no adverse findings. No disqualifying prior-involvement history identified.
RD-F-114 green Deployer address prior on-chain history Operative-version (Lista era, U9) deployer 0xd7e38800201d6a42c408bf79d8723740c4e7f631: BSCScan shows this address created the Lending TimeLock in April 2025. Funded ~January 2025 from 0x89e68b97...867f358Ae (no entity label, no mixer label). Activity appears limited to Lista DAO protocol operations. No prior rug-linked contract deployments identified. No Chainalysis or Nansen entity label. Category: normal-dev-history (limited but clean). Note: the Helio 2022-era deployer is a different address and was not assessed per U9 (operative-version assessment applies).
RD-F-115 green Prior rug/exit-scam affiliation No evidence of any team member linked to a prior rug or exit-scam-labeled protocol. OSINT search 'Lista DAO OR Helio Money rug OR exit scam' returned zero protocol-specific hits. The Dec 2022 Ankr-Helio cascade was caused by Ankr's external deployer key compromise, not a team rug. Helio team responded constructively (Ankr compensation, oracle redesign). No known rugged projects in the Helio/Lista/Synclub lineage.
RD-F-116 green Contributor tenure at admin-permissioned PR GitHub public members API returned empty array. Commit log analysis (10 most recent commits): primary contributors 'rick' (jing.xin@lista.org), 'razww', 'ricklista', 'qingyang-lista' show activity from Dec 2025 through Apr 2026. Oldest visible commit in 10-commit window is Dec 23, 2025. No short-tenure anomaly (< 30 day contributor making admin-permissioned changes). Confidence is low due to limited window (10 commits visible); inferred tenure of ≥4 months for primary contributors based on observable activity. No insider-implant signal detected.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of handle reuse across failed or rugged projects. @lista_dao Twitter handle was previously the Helio Protocol account — same team, rebrand, not a prior rug under different alias. t.me/helio_money Telegram channel remains active under the rebranded name. GitHub org 'lista-dao' (previously 'helio-money') — same organizational lineage. No OSINT evidence of any named team member or GitHub contributor handle being associated with a prior failed project under different aliases.
RD-F-119 green Commit timezone consistent with stated geography GitHub commit API analysis of 10 most recent commits: all timestamps have UTC+8 offset (China Standard Time / Singapore Standard Time). Commit local times: 05:10, 04:15, 09:50, 03:39, 09:45, 06:04, 05:43, 02:00, 06:37, 03:17 (UTC+8). These are normal business-hours and early-morning commits consistent with Asia-Pacific operations (Singapore, Hong Kong, mainland China). Team geography: BSC-native, Binance Labs-backed (Binance HQ Singapore). UTC+8 is expected. No DPRK timezone anomaly (DPRK = UTC+9, and Lazarus implant patterns typically show anomalous overnight commits or inconsistent timezone claims). Pattern is consistent with stated BNB Chain / Binance ecosystem geography.
RD-F-122 green Contributor paid to DPRK-cluster wallet No on-chain or OSINT evidence of any protocol payment wallet routing to DPRK/Lazarus cluster within 3 hops. BSCScan shows no OFAC/Lazarus labels on deployer or multisig. Web search for Lista DAO + DPRK/Lazarus/North Korea returned zero protocol-specific hits. No Chainalysis published report links Lista DAO contributors to DPRK cluster. OFAC SDN: no Lista DAO entities listed (confirmed by absence across DPRK-context searches). U4 pre-mark applied: the April 2026 Kelp DAO exploit involving slisBNB as a passive laundering venue does not constitute contributor wallet contamination under F122.
RD-F-124 green Deployer wallet mixer-funded within 30 days [★ CRITICAL FACTOR] Operative-version deployer 0xd7e38800201d6a42c408bf79d8723740c4e7f631 (U9 applied). BSCScan shows this address was funded approximately 1 year and 117 days before profile date (2026-05-12), i.e., approximately 2025-01-15 (mid-January 2025). The Lending TimeLock was created ~April 2025 (approximately 1 year 34 days before profile date = approximately 2025-04-08). Funding preceded deploy by approximately 75 days — well outside the 30-day critical window. Funding source: 0x89e68b97...867f358Ae — no Tornado Cash, Railgun, or mixer label on BSCScan. No warning tags on deployer or funder. Clean result on all dimensions of F124.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus [★ CRITICAL FACTOR] No on-chain path ≤ 3 hops from deployer or any multisig signer to DPRK/Lazarus cluster identified. Web search for 'Lista DAO OR Helio Protocol' + 'DPRK OR Lazarus OR North Korea' returned zero protocol-specific hits. All DPRK-related results concern the April 2026 Kelp DAO LayerZero DVN exploit (separate protocol, separate attack vector). BSCScan fetches of deployer and admin multisig show no OFAC/Lazarus labels. OFAC SDN: no Lista DAO entities. Chainalysis public proxy: no published report linking Lista DAO to DPRK cluster. U4 pre-mark strictly applied: if slisBNB appeared in any DPRK money-laundering flow as a passive intermediate venue (per Kelp DAO exploit context), this constitutes a Cat 11 (F158) signal only — it does not trigger F125 deployer-proximity finding. NO escalation to orchestrator required.
RD-F-184 green Real-capital social-engineering persona No evidence of any 'team contributor' or 'external integrator' persona deploying ≥$1M real capital to Lista DAO or peer protocols as part of a social-engineering build-up. The F184 reference case is the Drift Protocol UNC4736 pattern (Lazarus persona deployed >$1M over 6 months, in-person conferences, Solana durable-nonce pre-signing). No analogous pattern identified for Lista DAO personnel. The Binance Labs $10M investment (Aug 2023) is an institutional arm's-length venture investment from a named firm, not a persona-based capital deployment for credibility building. GitHub contributors and named team members show no social-engineering persona signals. Note: this factor is M-only, P1, and confidence is inherently low in the absence of active OSINT investigation; the green reflects absence of evidence rather than confirmed absence.
Fork / dependency lineage Yellow 27 10 of 10
RD-F-129 red Code divergence from upstream (%) Lista's CDP fork has materially diverged from MakerDAO upstream: (1) Solidity 0.5.x -> 0.8.x; (2) Immutable -> upgradeable proxy pattern (OZ OwnableUpgradeable, initializer); (3) Removed LibNote; (4) Added entirely custom modules (CerosRouter, CeVault, HelioProvider, HelioRewards, HelioOracle, AMO, PSM, FlashBuy, EmissionVoting, DynamicDutyCalculator, ResilientOracle, slisBNB/LisBNB staking, LayerZero OFT); (5) Modified access control model; (6) BNB-specific collateral types. Estimated >50% LOC divergence from MakerDAO upstream. Original upstream audit coverage no longer applies to the materially modified codebase. RD-F-127 yellow Upstream patch not merged MakerDAO core (vat/jug) uses Solidity 0.5.x immutable contracts with no active patching cadence. No critical security patch from MakerDAO upstream identified as unmerged. However, the architectural divergence (upgradeable proxies, OZ Ownable, removed LibNote) means upstream patches may not apply cleanly and cannot be cleanly evaluated. Scored yellow due to architectural incompatibility making upstream patch applicability indeterminate. RD-F-131 yellow Fork retains upstream audit coverage 2022 audits (SlowMist, PeckShield, Certik, Veridise) covered initial fork but predate the oracle vulnerability that enabled the Dec 2022 incident. 2024 module-specific audits cover AMO, PSM, OFT, slisBNB Provider, Oracle. CDP core (vat/jug/Interaction) has no post-2022 audit. Lista Lending (April 2025) has NO audit. Classification: upstream-only for CDP core (gap risk) + partial delta audits for newer modules. No single comprehensive fresh audit of current codebase. RD-F-132 yellow Fork has different economic parameters than upstream Lista's fork differs significantly from MakerDAO original: (1) Dynamic stability fee (DynamicDutyCalculator vs MakerDAO's static fee); (2) AMO module for peg maintenance; (3) PSM adapted for BSC; (4) BNB-native and LST collateral types; (5) Upgradeable pattern vs immutable MakerDAO. AMO and PSM have 2024 BlockSec/Salus audits covering these parameter deviations. Oracle changes have 2024 PeckShield coverage. Core economic model changes are partially audited. RD-F-133 yellow Dependency manifest uses unpinned versions package.json: @openzeppelin/contracts pinned at 4.6.0 (locked — good), @openzeppelin/contracts-upgradeable pinned at 4.6.0 (locked — good), @chainlink/contracts uses ^0.4.1 (not pinned — will resolve to latest compatible minor). .gitmodules: forge-std submodule has NO pinned commit SHA. OZ (security-critical) is pinned; forge-std (development tooling) and Chainlink are not fully pinned. RD-F-135 yellow Shared-library version with known-vuln status @openzeppelin/contracts 4.6.0 is affected by GHSA-4h98-2769-gh6h (ECDSA signature malleability, HIGH severity, affected >=4.1.0 <4.7.3, patched 4.7.3). Lista's package.json pins OZ exactly at 4.6.0 — squarely in the affected range. hay.sol and LisUSD.sol implement EIP-712 permit. Exploitability depends on whether signatures themselves (vs nonces) are used as replay protection. Marked yellow pending verification of permit implementation.
RD-F-126 green Is-a-fork-of CDP component: direct fork of MakerDAO confirmed via AGPL-3.0-or-later copyright to Rain <rainbreak@riseup.net> in vat.sol/jug.sol and explicit FIXME: altered from production version comment. README declares MakerDAO integration. Lending: Morpho-inspired (declared via press release). LST: original development. Fork clearly declared.
RD-F-128 green Upstream vulnerability disclosure (last 90d) No public MakerDAO/DAI CDP vulnerability disclosure in the last 90 days identified. MakerDAO active development focuses on Sky/Endgame rebranding; no CDP core vat/jug security advisories found in the 90-day window (Feb–May 2026).
RD-F-130 green Fork depth (generations from original audit) CDP component is a direct fork (depth 1) of MakerDAO DSS, which has multiple independent audits (Trail of Bits, Runtime Verification, etc.). Lending is Morpho-inspired concept (depth 1) but not a direct code fork. LST is original (depth 0). Primary value-bearing CDP component: depth 1.
RD-F-134 green Dependency had malicious-release incident (last 90d) No known malicious-release advisory for @openzeppelin/contracts 4.6.0, @chainlink/contracts ^0.4.1, or forge-std in the trailing 90 days (Feb–May 2026). GitHub Security Advisories search returned no active malicious-release incidents for these packages.
Post-deploy hygiene & change mgmt Yellow 33 12 of 13
RD-F-139 red Post-audit code changes without re-audit Last publicly listed audit: November 27, 2024 (BlockSec + Bailsec for slisBNB Provider + VotingIncentive). GitHub lista-dao-contracts commits from August 7, 2025 include xSolvBTC PriceFeed/Oracle additions and CI evm_version fixes. Data cache last_commit_date: 2026-05-07 confirms ongoing post-audit development. No 2025 audit reports in /audits/ directory (listing confirmed: latest files dated 241127). Material post-audit code changes deployed without confirmed re-audit coverage. RD-F-143 red Reinitializable implementation (no _disableInitializers) LisUSD/hay.sol implementation does NOT call _disableInitializers() in constructor — confirmed from GitHub hay.sol and BscScan implementation 0xF5bd9b19. Interaction.sol also confirmed missing _disableInitializers(). Both use initialize() with OZ initializer modifier protecting proxy instances but not the raw implementation contracts. Any address can call initialize() directly on the implementation, potentially granting themselves ADMIN role. RD-F-185 red Bridge rate-limiter / chain-pause as positive mitigant slisBNB LayerZero OFT bridge has no per-window outflow rate-limiter (not standard in OFT v1). No protocol-level chain pause mechanism for the bridge. BSC has validator-level governance but no protocol-controlled emergency pause for the OFT contract. RD-F-136 yellow Deployed bytecode matches signed release tag No GPG-signed release tags found for lista-dao-contracts. Repository has commits but no signed releases visible from commits page. Unsigned development commits exist (xSolvBTC, AMO, PSM modules). Bytecode cannot be matched to a signed tag. RD-F-145 yellow Deployed bytecode reproducibility No build instructions or deterministic build toolchain documentation found in lista-dao-contracts main repo. lista-new-contracts uses Foundry but is a separate repo. Cannot confirm independent bytecode reproducibility without a local build attempt. RD-F-146 yellow New contract deploys in last 30 days Deployer EOA 0xd7e38800 has been actively deploying new contracts (SlisBNBProvider, HelioProviderV2, MoolahVaultFactory per BSCScan review). Active deployment cadence confirmed. Estimated 3-5 new deploys in recent period based on BSCScan activity.
RD-F-137 green Upgrade frequency (per 90 days) lisUSD proxy (core stablecoin): last Upgraded event September 2022 — no recent upgrades. Stake Manager proxy: deployed ~2 years 317 days ago, no recent Upgraded events visible. Core contracts show very low upgrade frequency, well within 0-2 in 90 days threshold.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No Upgraded events on core contracts in last 30 days. Timelock activity in last 30 days: no CallExecuted events visible (only April 2025 role grants). No hot-patch pattern detected.
RD-F-140 green Fix-merged-but-not-deployed gap No known specific vulnerability PR with merged-but-not-deployed fix identified. Post-Dec 2022 Ankr/Helio incident, oracle fix (switch to ankrBNB collateral) was deployed. No current open fix-merged-not-deployed gap identified from available evidence.
RD-F-141 green Test-mode parameters in deploy Timelock initialized with production addresses (multisig as proposer/executor, delay=86400). lisUSD proxy constructor: deployer=Lista DAO Deployer 1 (0x311b9e2e), not a test address. No test-oracle addresses or infinite allowances visible.
RD-F-142 green Storage-layout collision risk across upgrades lisUSD: only one Upgraded event found (Sept 2022). Single upgrade means minimal storage-layout collision risk. No OZ upgrades plugin output available for remote assessment. Low risk for CDP component.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory pattern identified in reviewed contracts. CDP uses standard TransparentUpgradeableProxy. No selfdestruct + redeploy vector found in core contracts.
Cross-chain & bridge Green 10 12 of 12
RD-F-157 yellow Bridge TVL per validator ratio Ethereum bridge TVL: ~$11.1M (0.94% of total TVL). If single DVN: $11.1M / 1 = $11.1M per validator — high concentration. Transfer limiter in ListaOFT contract caps daily exposure per address and per chain. Yellow: $11M TVL at risk if single DVN compromised; transfer limiter is partial but not full mitigation. RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) DVN configuration NOT CONFIRMED via available tooling — pipeline returned dvn_addresses: [] and dvn_threshold: null (false negative confirmed). Direct on-chain getConfig() call to EndpointV2 required. OFT deployed July 2024 — prior to Kelp DAO (Apr 2026) public awareness of 1/1 DVN risk. Audits (BlockSec + PeckShield, June 2024) pre-date heightened 1/1 DVN scrutiny. setEnforcedOptions() function confirmed in ABI suggests customization was likely applied but DVN count not readable. 47% of LZ OApps post-Kelp analysis use 1/1 DVN. Transfer limiter (daily cap per-address, per-chain) provides partial exposure control. Yellow: real but unconfirmed 1/1 risk; transfer limiter partially mitigates. F179 is NOT a critical factor; not counted in 19 star critical total. RD-F-148 gray Bridge validator count (M) LayerZero V2 DVN-based verification. DVN count not confirmed via on-chain reads — pipeline returned empty dvn_addresses: [] and dvn_threshold: null (false negative). On-chain getConfig() call to EndpointV2 required to confirm RequiredDVNCount. See F179 for LZ-specific DVN assessment. RD-F-149 gray Bridge validator threshold (k-of-M) DVN threshold not confirmed. Pipeline false negative. Transfer limiter in ListaOFT contract (daily cap per-address, per-chain) provides partial exposure mitigation regardless of DVN threshold. On-chain getConfig() call required for definitive assessment. See F179. RD-F-150 gray Bridge validator co-hosting DVN operators not confirmed. If LayerZero Labs is the sole required DVN (1/1 default pattern), effectively 100% of validation is from one custodian. Without DVN identity confirmation, co-hosting assessment is not possible. RD-F-155 gray Bridge validator-set rotation recency DVN set rotation not assessable without knowing configured DVNs. If LayerZero Labs only, no public rotation events documented. Cannot assess rotation recency without DVN identity confirmation. RD-F-156 gray Bridge uses same key custody for >30% validators DVN operators not confirmed. If single LayerZero Labs DVN: effectively 100% from one custodian but that is structural to 1/1 DVN (captured in F179). If multi-DVN: custody diversity not assessable. Cannot assess without DVN identity confirmation.
RD-F-147 green Protocol has bridge surface YES — slisBNB is bridged BSC to Ethereum via LayerZero OFT. ListaOFTAdapter (0x82f5bcD1473BDa5794239D01073797093a413f02 on BSC) locks slisBNB on BSC; ListaOFT (0x44388Ef3bc730BDE8670a3b4831281dd7E89C584 on Ethereum) mints slisBNB on Ethereum. Both source-verified. Pipeline layerzero.present: false is a confirmed false negative (U6 pattern).
RD-F-151 green Bridge ecrecover checks result ≠ address(0) LayerZero V2 OFT architecture does not use raw ecrecover in the OFT or OFTAdapter contracts. Verification is handled at the LayerZero EndpointV2 / DVN layer using MessageLib abstraction. ListaOFT and ListaOFTAdapter source-verified on both chains — no custom signature verification logic found. Wormhole-class ecrecover vulnerability pattern does not apply to LZ V2 OFT design.
RD-F-152 green Bridge binds message to srcChainId LayerZero V2 EndpointV2 enforces origin chain ID (Origin.srcEid) in all message delivery. Each packet includes endpoint IDs (srcEid, dstEid). OFT validates peer addresses per chain via peers[dstEid]. Chain binding enforced at the protocol layer. setPeer() and peers() functions confirmed in ListaOFTAdapter ABI.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero V2 EndpointV2 tracks message nonces per-pathway via nextNonce() and in-flight nonce enforcement. Each message has a monotonically increasing nonce; double-delivery is prevented at the EndpointV2 level. OFT contracts rely on EndpointV2 replay protection.
RD-F-154 green Default bytes32(0) acceptable as valid root LayerZero V2 does not use Merkle roots for message validation — it uses DVN packet hash attestation, not a stored root-mapping. Nomad bytes32(0) default root pattern does not apply to LZ V2 architecture. No bytes32 root storage or root-acceptance logic in OFT contracts.
Threat intelligence & recon Yellow 33 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Typosquat domain analysis: lista.org is official domain (registered 2010-06-28, Amazon Registrar, 16-year-old stable domain). listadao.org registered 2025-09-06 via Dynadot (Dynadot, privacy-shielded) — slug-exact-match registration post-TGE (approx 8 months before assessment), no official Lista DAO ownership claim found. lista.fi WHOIS unavailable. lista.finance registered (IP 18.165.98.66 Amazon CloudFront) but creation date unknown. listadao.org is the highest-confidence typosquat candidate; 90-day bright-line registration threshold not met (8 months old) but within the curator-flagged zone for post-prominence slug registrations. RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Peer-class reconnaissance time assessment for CDP + lending protocol class. Oracle-manipulation attacks (which constitute the primary risk class for lista-dao given Dec 2022 incident history) are typically same-block to hours — near-instant, <7 days. Key-compromise-dependent attacks (e.g., Bybit-style, Ronin-style) involve 14–78 days of reconnaissance. Lista-dao is exposed to both classes. Mixed-class peer-group average: estimated 7–29 days (yellow threshold). Insufficient hack DB sample specific to BSC CDP protocols to compute precise mean. RD-F-165 yellow Protocol social channel has scam-coordinator flag Protocol social channel scam-coordinator flag: no confirmed flagged admin found in t.me/helio_money or @lista_dao X account as of 2026-05-12. However, legacy Telegram channel t.me/helio_money remains branded as Helio Protocol despite Lista DAO rebrand — persistent brand-confusion surface that reduces the effort required for scam coordinators to impersonate official channels. Yellow reflects the structural gap and channel hygiene risk rather than a confirmed threat. RD-F-158 gray Known-threat-actor cluster has touched protocol Known-threat-actor cluster signal not configured (CTI feed absent). Public OSINT: Bybit hack Feb 2025 Lazarus laundering used BNB Smart Chain broadly (PancakeSwap $263M of $400M laundered); no public report names lisUSD or slisBNB contracts as specific laundering venues. U4 applies — passive ecosystem venue use does not constitute a direct lista-dao touch. CTI feed required for production confidence. RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Attacker wallet pre-strike probe signal not configured. No pre-strike probe pattern (low-gas failing transactions from CTI-flagged addresses) detected on lista-dao contracts in public record. CTI feed and mempool monitoring required for production. RD-F-160 gray GitHub malicious-dependency incident touching protocol deps GitHub malicious-dependency incident signal not assessed at depth for this agent. No active GHSA advisory for a malicious release in lista-dao's dependency set found in public search. GitHub security_md_present=false (no SECURITY.md). Detailed dependency manifest analysis required by code-security-analyst. Flagged as gap. RD-F-162 gray Known-exploit-template selector deployed by any address Exploit-template selector deployment signal not configured. Selector-pattern index not maintained for lista-dao or MakerDAO-CDP class. No new contracts matching oracle-flash-loan or CDP exploit templates reported in public record as of 2026-05-12. RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site signal not configured. No active credential leak (API keys, infrastructure endpoints) for lista-dao found in public search. GitHub security_md_present=false and changelog_present=false indicate limited operational security documentation but no confirmed credential exposure found.
Tooling / compiler / AI Green 17 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Main repo (foundry.toml): Solidity 0.8.10. Known bugs affecting 0.8.10 not yet fixed in that version: (1) AbiReencodingHeadOverflowWithStaticArrayCleanup — medium, fixed 0.8.16; (2) StorageWriteRemovalBeforeConditionalTermination — medium, fixed 0.8.17; (3) DataLocationChangeInInternalOverride — very low, fixed 0.8.14. Medium-severity bugs require specific language constructs to trigger. EVM version set to 'shanghai' in foundry.toml (unusual for BSC but affects compilation target only). synclub-contracts uses 0.8.4 (older, carries more known bugs). No high/critical bugs in 0.8.10 specifically identified. RD-F-174 yellow Dependency tree uses EOL Solidity version Main repo (lista-dao-contracts): Solidity 0.8.10 — not EOL, in 0.8.x supported line. synclub-contracts: Solidity 0.8.4 — older but still in 0.8.x supported line. Neither is EOL. However, 0.8.4 (Apr 2021, synclub-contracts) is significantly older and carries more known bugs than 0.8.10. Marked yellow because 0.8.4 is a much older version in a security-relevant repo (BNB staking with real TVL). RD-F-171 gray Bytecode similarity to audited upstream with behavior deviation CDP contracts have structural similarity to MakerDAO (direct fork) with material changes: upgradeable proxy pattern vs MakerDAO immutable, removed LibNote, pending custom events. Full bytecode comparison requires local clone of both repos. Cannot assess behavioral deviation without tool run.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI co-authorship metadata found in commit history. Contributors (lawson-ccy, ricklista, raz-w-20230331) show typical developer commit patterns. No 'Co-authored-by: GitHub Copilot' or ChatGPT Code Interpreter trailers visible in the recent commit log reviewed.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure of AI-generated Solidity found on Medium blog, X (@lista_dao), or docs.bsc.lista.org. Team blog posts focus on product updates and protocol mechanics without mentioning AI code generation.
Response & disclosure hygiene Yellow 25 4 of 4
RD-F-176 red Disclosure SLA public No publicly stated acknowledgment-time SLA found on Immunefi program page or protocol documentation. No SECURITY.md in GitHub repository (security_md_present=false per data cache). No security@ contact email found in docs or website. Immunefi standard terms govern implicitly but no explicit Lista-specific SLA published. Red threshold: no SLA published.
RD-F-175 green Disclosure channel exists Immunefi bug bounty program active at https://immunefi.com/bug-bounty/listadao/. Max payout $1,000,000 (Critical: 10% of funds, $100K min / $1M max; High: up to $10K; Medium: up to $5K). Active since June 16, 2022. 134 assets in scope covering lista-dao-contracts, synclub-contracts, lista-token repos. Last updated May 27, 2025 per Immunefi. Payout in USDT/USDC/lisUSD. Green threshold: public disclosure channel exists and actively monitored.
RD-F-177 green Prior known-ignored disclosure No evidence found that a disclosed vulnerability was reported to Helio/Lista team and ignored prior to exploitation. Dec-2022 incident caused by Ankr external deployer-key compromise and Helio oracle latency — not a previously-reported code vulnerability. Halborn post-mortem and Helio team statements do not reference any prior responsible-disclosure that was not actioned. Hack DB field 'Exploited code in scope? No — deployer key compromise is an operational security failure, not a code vulnerability.' Green: no evidence of ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found for lista-dao/lista-dao-contracts, lista-dao/synclub-contracts, or lista-dao/lista-token repositories. OSINT search and GHSA advisory database returned no results for Helio Protocol or Lista DAO as advisory subject. Dec-2022 incident was off-chain key compromise (Ankr), not a code vulnerability in Helio contracts — no advisory expected. Green: no advisory found.
rubric_version v1.7.0 graded_at 2026-05-12 19:23:53 factors 184 protocol lista-dao