defirisk.co
rubric v1.7.0

Midas

EU RWA tokenization platform issuing regulatory-compliant onchain investment products (mTBILL, mBASIS, mBTC, mEDGE, mMEV, mRE7, mFONE) backed by institutional-grade assets.

Sector rwa
TVL $161.4M
Reviewed May 16, 2026
Factors 184
Categories 13
Risk score 39.3
Deployments Ethereum · $103.0M
01

Risk profile at a glance

0 red · 6 yellow · 6 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 14 25 of 25
RD-F-009 red Formal verification coverage No formal verification (Certora Prover, Kani, Halmos, or equivalent) found in any Sherlock or Hacken audit documentation. Neither Sherlock 2024-05 nor 2024-08 README references formal proofs as part of prior security reviews. Hacken audit does not reference FV. 0% formal verification coverage of declared critical invariants.
RD-F-001 yellow Audit scope mismatch Four audit engagements exist with public commit SHAs: Hacken Dec-2023 (commit d84b0ed), Sherlock 2024-05 (commit 0b1644f519876cadc1d6ca0e02fdfe8a32cefa12), a second Hacken engagement (scope/date unconfirmed), and Sherlock 2024-08 (commit 4abcc5b26cb80a725132c6b21f4d03228d804a59). Two post-audit implementation upgrades confirmed on Etherscan: mTBILL impl (0xD4998Cc1ba435298c521f250b81856b1f25c8455) upgraded 2024-09-04, and Issuance Vault impl (0xC8AF8477f3caa89f60fe9d1f48eee5433c55982b) upgraded 2025-12-11 via tx 0x78c25177e211f66359969323ed065761d7aa875ee60c3f012d5dda198c431b5f. Both post-audit upgrades are on the private RedDuck-Software/midas-contracts repo with no confirmed covering re-audit. Bytecode diff between Sherlock audit commits and current deployed impls is structurally unverifiable from public sources. Yellow (not red) because Midas IS audited with multi-firm coverage — the gap is post-audit drift on two implementations, not absent audits across the board.
RD-F-002 yellow Audit recency Most recent Sherlock audit contest (2024-08) archived 2025-03-02; sign-off approximately August 2024. Current date 2026-05-16 is approximately 21 months from sign-off, exceeding the 12-month green threshold but within the 24-month yellow band. No re-audit of the December 2025 Issuance Vault upgrade has been identified.
RD-F-005 yellow Audit firm tier Hacken is a Tier-2 firm (established, named firm with public track record). Sherlock is a crowd-audit platform classified Tier-2 for this assessment. No Tier-1 audit firm (Trail of Bits, OpenZeppelin, ConsenSys Diligence, Certora, Sigma Prime, Spearbit, Zellic) is confirmed for Midas deployed code. Yellow by firm tier threshold.
RD-F-010 yellow Static-analyzer high-severity count No published Slither/Mythril/Semgrep output from any third party. Sherlock 2024-08 competitive audit (10+ auditors) identified 6 medium findings including M-4 (Corruptible Upgradability — missing storage gaps), all fixed. Sherlock 2024-05 identified H-1 (blacklist bypass, acknowledged) and M-1 (storage gap, fixed). No unresolved high/critical static-analysis findings visible in published audit results. Cannot run tools locally on private main repo. Confidence low due to absence of direct tool output; yellow rather than gray because competitive audits serve as a proxy for static analysis coverage.
RD-F-017 yellow Mixed-decimals math without explicit scaling Hacken Dec-2023 High finding F-2023-0292 'USD Tokens With Custom Decimals Are Not Handled Properly' was Accepted (not Fixed). This represents a live acknowledged decimal handling gap. DecimalsCorrectionLibrary.sol exists for normalization but the High finding was not remediated. Sherlock 2024-08 expanded token coverage (WBTC, USDC with different decimals) which may partially address the risk, but without full Hacken report content the residual gap is unverifiable. Yellow as an acknowledged high-severity decimal handling risk remains live.
RD-F-024 yellow Code complexity vs audit coverage Four audit engagements covering the full contract suite (24 contracts in Sherlock 2024-08 scope). Test coverage 100% per Sherlock 2024-05 README (109/109 statements). Audit breadth appears adequate for the contract count. However, the private main repo prevents independent LOC/complexity assessment via Slither metrics, and the second Hacken engagement has unconfirmed date/scope. Yellow as a conservative assessment given private repo opacity on current HEAD complexity versus audited commit complexity.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard Midas mTokens are ERC-20 standard tokens. No ERC-777/1155/721 callback integration documented in any audit scope. Sherlock 2024-08 scope explicitly lists standard ERC-20 implementations. ERC-777/1155/721 hook vulnerability is architecturally moot for this contract set.
RD-F-019 n/a ecrecover zero-address return unchecked No ecrecover usage in the core mToken/vault architecture — the deposit/redemption flow uses role-based access control, not signature verification. No audit finding references ecrecover. Architecturally not applicable to this protocol type.
RD-F-020 n/a EIP-712 domain separator missing chainId No EIP-712 domain separator usage documented in the core mToken/vault scope per Sherlock 2024-08 README. No permit() or meta-transaction flow in scope. EIP-712 domain separator check is architecturally not applicable to this protocol's current deployed scope.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Midas uses TransparentUpgradeableProxy (EIP-1967) pattern, NOT UUPS. Upgrades are controlled by the ProxyAdmin, not by _authorizeUpgrade on the implementation contract. The UUPS _authorizeUpgrade factor is architecturally not applicable to the Transparent Proxy pattern.
RD-F-003 green Resolved-without-proof findings All findings marked 'Fixed' in Sherlock 2024-08 (M-1 through M-6) have corresponding PR references (#64–#69) in the judging repo. Sherlock 2024-05 M-1 (storage gap) fixed with PR. Hacken Dec-2023 findings marked 'Fixed' have evidence of resolution; findings marked 'Accepted' are correctly categorized as accepted risks (not marked as resolved). No finding appears in the state of 'Resolved' without verifiable on-chain or commit-level proof.
RD-F-004 green Audit count Two distinct audit firms: Hacken (2 engagements) and Sherlock (2 contests). Total 4 distinct engagements. Meets the green threshold of ≥2 distinct firms with deployed-code coverage.
RD-F-006 green Audit-to-deploy gap Hacken audit (sign-off 2024-01-11) covered the initial December 2023 deployment — negligible gap. Sherlock 2024-08 (sign-off approximately August 2024) covered the minter/redeemer contracts; the Issuance Vault proxy was deployed 2024-09-24 per Etherscan — approximately 50–60 days after audit sign-off, within the green ≤60-day threshold.
RD-F-007 green Bug bounty presence & max payout Active bug bounty via Sherlock (audits.sherlock.xyz/bug-bounties/122) and Cantina (cantina.xyz/code/d77405e5-99ce-4ba5-846c-885820b030e1/overview) since 2026-03-24. Maximum payout $500,000 USDC. Scope explicitly covers mToken contracts, access control, deposit/redemption vaults, DataFeed, LayerZero OFT, Axelar vault. Meets green threshold (≥$500K active program).
RD-F-008 green Ignored bounty disclosure Midas RWA has no prior protocol exploits (profile §10 confirmed — Midas Capital incidents are a separate unrelated protocol). No post-mortem exists that could document an ignored disclosure. No evidence of any disclosure-before-exploit pattern exists.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No published analysis flags SELFDESTRUCT in Midas contracts. The contract architecture (ERC-20 token + vault + access control) has no typical reason to include SELFDESTRUCT. Sherlock competitive audits with 10+ auditors found no SELFDESTRUCT finding across 24 contracts in scope.
RD-F-012 green delegatecall with user-controlled target No published audit finding references user-controlled delegatecall. Midas contract architecture (token + vault + AC roles) does not implement governance executor patterns. No Sherlock or Hacken finding flags this pattern across 4 audit engagements.
RD-F-013 green Arbitrary call with user-controlled target No published audit finding references arbitrary external call with user-controlled target. The deposit/redemption vault architecture does not expose generic call proxying. Six medium findings in Sherlock 2024-08 do not include this pattern.
RD-F-014 green Reentrancy guard on external-calling functions No reentrancy finding in Sherlock 2024-05 or 2024-08. Contracts use SafeERC20 for token transfers (confirmed via Etherscan bytecode metadata referencing _callOptionalReturn). Competitive audit with multiple researchers found no reentrancy vulnerability across vault and token contracts.
RD-F-016 green Divide-before-multiply pattern No divide-before-multiply finding in Sherlock 2024-05 or 2024-08. DecimalsCorrectionLibrary.sol handles decimal normalization and was reviewed without this finding. Hacken audit did not flag divide-before-multiply.
RD-F-018 green Signed/unsigned arithmetic confusion No signed/unsigned arithmetic confusion finding in Sherlock 2024-05 or 2024-08. No symbolic execution outputs published. No Hacken finding flags this. Negative finding from competitive audit coverage.
RD-F-022 green Public initialize() without initializer modifier Midas uses a MidasInitializable base contract that calls _disableInitializers() in the constructor, preventing re-initialization of the implementation. All initialize() functions use the OZ initializer modifier — confirmed: mBASIS ABI shows 'function initialize(address _accessControl) public initializer'; mTBILL shows initialize(address) and initializeV2() patterns consistent with OZ upgradeable. Sherlock 2024-08 M-4 (Corruptible Upgradability via missing storage gaps in non-pure parent contracts) is a different vulnerability class from missing initializer protection — M-4 was fixed. No missing initializer modifier finding in any of the 4 audit engagements.
RD-F-023 green Constructor calls _disableInitializers() MidasInitializable base contract calls _disableInitializers() in its constructor per search evidence. Confirmed by the contract pattern: mTBILL, mBASIS, mBTC all expose only initialize() functions (not constructors) in their ABIs on Etherscan, consistent with the OZ Initializable + _disableInitializers pattern. No audit finding flags missing _disableInitializers.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Active bug bounty via Sherlock + Cantina since 2026-03-24, $500K max payout. LinkedIn announcement confirms scope: 'all mToken contracts, access control, deposit vaults, redemption vaults, data feeds, Layer Zero OFT, Axelar vault.' Highest-TVL contracts (mTBILL token, mBASIS token, DepositVault, RedemptionVault) are explicitly in scope. No known high-TVL contract exclusions identified. Cantina program page requires authentication but scope alignment confirmed via the LinkedIn announcement which references full contract suite coverage.
Governance & admin Yellow 47 24 of 24
RD-F-026 red Upgrade multisig signer configuration (M/N) Gnosis Safe 0xB60842E9: threshold=1, total owners=3 (1-of-3). Owners: 0x8003544D (EOA), 0x82B30194 (itself a Safe 1.4.1 proxy), 0xC50BD843 (EOA). Any single signer can unilaterally execute upgrades routed through the Safe. ProxyAdmin owner EOA is effectively 1/1. Red: 1-of-3 is below peer-cohort norm for $161M TVL.
RD-F-027 red Single admin EOA ProxyAdmin 0xbf25b58c is owned by EOA 0x875c06A295C41c27840b9C9dfDA7f3d819d8bC6A (confirmed: no bytecode, compiler=0). This EOA directly executed the Sep-4-2024 mTBILL upgrade (tx 0xf04945...) and Apr-23-2025 unknown proxy upgrade (tx 0x36f1cca4...) without passing through the Safe or Timelock. Operational role-grant admin 0xd4195CF4 is also an EOA (funded by Old Deployer, active grant/revoke calls within 9 hours of assessment). Single EOA effectively holds upgrade authority on the core mTBILL/vault contract set. [★ CRITICAL]
RD-F-028 red Low-threshold multisig vs TVL Safe 0xB60842E9 is configured 1-of-3 for a protocol with $161M TVL. Peer norm for this TVL band is ≥4-of-7 (superstate uses 4-of-7; spiko uses 3-of-5). A single signer can unilaterally propose and execute via the Safe-mediated upgrade path (TimelockController requires Safe-signed calls but any one of the 3 owners can sign). Abnormally low threshold vs TVL. [★ CRITICAL]
RD-F-033 red Timelock on sensitive actions Mapping of sensitive actions to timelock status: (1) Upgrade: only Dec-2025 used timelock; Sep-2024 and Apr-2025 bypassed. (2) Mint (M_TBILL_MINT_OPERATOR_ROLE): no timelock. (3) Rescue/withdrawToken (onlyVaultAdmin): no timelock. (4) Pause (M_TBILL_PAUSE_OPERATOR_ROLE): no timelock. (5) Oracle/DataFeed swap: no timelock confirmed. At most 1 of 5 sensitive action types has been timelocked (and inconsistently at that). Red: ≤2 timelocked.
RD-F-041 red Rescue/emergencyWithdraw without timelock ManageableVault.withdrawToken(address token, uint256 amount, address withdrawTo) is present and callable by any address with vaultRole() (DEPOSIT_VAULT_ADMIN_ROLE for DepositVault, REDEMPTION_VAULT_ADMIN_ROLE for RedemptionVault). No timelock on this function. A compromised vault-admin role-holder can drain vault assets in one transaction without any delay. No timelock guard confirmed in ManageableVault inheritance chain (Sherlock 2024-05 and 2024-08 source both confirm). [★ CRITICAL]
RD-F-025 yellow Admin key custody type ProxyAdmin (0xbf25b58c) is owned by EOA 0x875c06A2 (no bytecode; executed Sep-2024 and Apr-2025 upgrades directly). A Gnosis Safe 0xB60842E9 (1-of-3) is proposer/executor on TimelockController 0xe3eee3e0 (48h delay) for the Dec-2025 upgrade path only. Operational role admin is EOA 0xd4195CF4 making active grant/revoke calls. Architecture is multisig-without-full-timelock on the safe path, and direct-EOA on the ProxyAdmin path. Yellow: multisig exists but the critical ProxyAdmin ownership remains with an EOA.
RD-F-030 yellow Hot-wallet signer flag EOA 0x8003544D (primary signer, executes Safe transactions) has 166 txs with varied gas patterns; last active 14 days ago. No hardware-wallet-consistent behavioral signature evident (consistent nonce velocity, varied gas). EOA 0x875c06A2 (ProxyAdmin owner) has 74 txs, last active 345 days ago — lower velocity suggesting less-hot behavior. Neither shows confirmed cold-storage signing pattern. Yellow: ambiguous, defaulting to hot-wallet-possible assessment.
RD-F-032 yellow Timelock duration on upgrades TimelockController 0xe3eee3e0 has minDelay=172800s (48h) — meets green threshold per methodology. However: (1) Only one of three post-launch upgrades used this timelock (Dec-2025 Issuance Vault); (2) Sep-2024 mTBILL upgrade and Apr-2025 upgrade bypassed via direct ProxyAdmin EOA; (3) The timelock was only deployed ~249 days ago. Yellow: timelock exists and meets duration criteria, but enforcement is inconsistent — prior upgrades bypassed it.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader Pauser role (M_TBILL_PAUSE_OPERATOR_ROLE) and upgrade role (ProxyAdmin owner EOA 0x875c06A2) are architecturally distinct roles. Roles are assigned separately via MidasAccessControl. However, DEFAULT_ADMIN_ROLE holder can grant any role including pause and upgrade, so effective separation depends on whether the same address holds DEFAULT_ADMIN_ROLE and both roles. Specific pause-role holder address not confirmed from public data. Yellow: roles architecturally distinct but collapsible via DEFAULT_ADMIN_ROLE.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Three roles assessed: (1) Upgrade role: ProxyAdmin owner EOA 0x875c06A2 (or Safe 0xB60842E9 for Dec-2025 path). (2) Fee admin: DEPOSIT_VAULT_ADMIN_ROLE / REDEMPTION_VAULT_ADMIN_ROLE holders (distinct from upgrader). (3) Oracle/DataFeed config: separate role per ManageableVault. Roles are architecturally separate but all grantable by DEFAULT_ADMIN_ROLE holder who can collapse them. Two of three roles are demonstrably distinct from upgrader. Yellow: 2-of-3 distinctness confirmed.
RD-F-042 yellow Admin has mint() with unlimited max mTBILL.mint() requires M_TBILL_MINT_OPERATOR_ROLE. No token-level supply cap (Hacken Dec-2023: 'total supply of mTBILL is not limited'). The Dec-2025 Issuance Vault upgrade (0xC8AF8477) introduces maxSupplyCap at the vault level with a setMaxSupplyCap() setter and revert on 'MV: max supply cap exceeded', partially constraining new issuance through the vault. However the underlying mTBILL.mint() at the token level remains uncapped — a role-holder could mint directly. Yellow: vault-level cap mitigates the most obvious path; token-level mint is still role-only uncapped.
RD-F-029 gray Multisig signers co-hosted Three Safe signers identified: 0x8003544D (EOA), 0x82B30194 (Safe proxy), 0xC50BD843 (EOA). No public ASN/custodian data available for these addresses. Cannot confirm or deny co-hosting. Insufficient evidence for a binary determination.
RD-F-036 n/a Flash-loanable voting weight No on-chain governance exists. Midas is a corporate-governed RWA issuer (Midas Software GmbH, Berlin) with no governance token, no Snapshot space, no on-chain governor contract. Flash-loan voting attack surface does not exist. PD-042 RWA factor-flip: this factor measures DAO-governance norms inapplicable to corporate RWA issuers.
RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain governance. No governance token. No quorum threshold. PD-042 RWA factor-flip applies. Same rationale as F036.
RD-F-038 n/a Proposal execution delay < 24h No on-chain governance proposal mechanism. No governor contract, no voting period, no execution delay applicable. PD-042 RWA factor-flip applies.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No governance proposal executor exists. No on-chain governor or timelock-proposal-executor with arbitrary target execution. TimelockController 0xe3eee3e0 executes only Safe-signed calls — no proposal payload delegation from token holders. PD-042 RWA factor-flip applies.
RD-F-040 n/a Emergency-veto multisig present No on-chain governance with cancellable proposals. Emergency control exists only via the PAUSE_OPERATOR_ROLE. No veto or cancel mechanism for governance proposals because there are no governance proposals. PD-042 RWA factor-flip applies.
RD-F-044 gray Admin wallet interacts with flagged addresses EOA 0x875c06A2 (ProxyAdmin owner) and 0xd4195CF4 (operational admin) have no public Chainalysis/TRM cluster attribution available for independent verification. No OFAC/mixer interaction label visible on Etherscan. 0xd4195CF4 is labeled 'Funded By: Midas RWA: Old Deployer'. No evidence of flagged address interaction found in web search or Etherscan labels, but absence of evidence is not evidence of absence without a TRM feed.
RD-F-047 n/a Governance token concentration (Gini) No governance token exists. mTBILL, mBASIS, mBTC are yield-bearing investment tokens, not governance tokens. Midas uses role-based access control (MidasAccessControl), not token-weighted governance. Gini coefficient measurement is inapplicable.
RD-F-167 n/a Deprecated contract paused but pause reversible by live admin No deprecated contracts identified for Midas RWA. Protocol launched December 2023 with a single in-place upgradeable contract set; upgrades use proxy pattern (no contract retirement/deprecation). Old Deployer EOA (0xa0819ae4) holds no production admin roles. No deprecated production contracts with assets found.
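The upgrade-path and threshold reasoning in RD-F-026/027/028/032/033 can be made mechanical. The following is an added Python check, not Midas tooling and not from the audits: it classifies each ProxyAdmin upgrade by the address that executed it, reports how many went through a delayed path, and computes the minimum number of EOA keys that suffice to push an upgrade, costing nested Safes recursively. All addresses, transaction hashes and the sample upgrade history are constructed placeholders; it assumes `caller` is the msg.sender that invoked ProxyAdmin.upgrade().

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed placeholders standing in for the roles the report names.
PROXY_ADMIN_OWNER_EOA = "0xEOA_PROXYADMIN_OWNER"   # direct ProxyAdmin path
SAFE = "0xSAFE_1_OF_3"                            # proposer/executor on the timelock
NESTED_SAFE = "0xSAFE_OWNER_THAT_IS_A_SAFE"       # the Safe-proxy owner of SAFE
TIMELOCK = "0xTIMELOCK_48H"                       # TimelockController, minDelay 48h
TIMELOCK_DELAY = 172_800


@dataclass(frozen=True)
class SafeConfig:
    threshold: int
    owners: Tuple[str, ...]


@dataclass(frozen=True)
class UpgradePath:
    name: str
    executor: str       # address that is allowed to call ProxyAdmin.upgrade()
    delay_seconds: int  # enforced delay before execution; 0 means none


@dataclass(frozen=True)
class UpgradeCall:
    tx_hash: str
    proxy: str
    new_impl: str
    caller: str         # msg.sender seen by ProxyAdmin for this upgrade


def min_keys_to_execute(signer: str, safes: Dict[str, SafeConfig]) -> int:
    """Fewest distinct EOA keys whose compromise lets `signer` act.
    An EOA costs 1. A Safe costs the sum of its `threshold` cheapest owners,
    where an owner that is itself a Safe is costed by the same rule."""
    cfg = safes.get(signer)
    if cfg is None:
        return 1
    costs = sorted(min_keys_to_execute(owner, safes) for owner in cfg.owners)
    return sum(costs[: cfg.threshold])


def classify_upgrade(call: UpgradeCall, paths: List[UpgradePath]) -> str:
    """Name the authorised path an upgrade used, or flag an unknown caller."""
    for path in paths:
        if call.caller == path.executor:
            return path.name
    return "unknown caller"


def timelocked_fraction(calls: List[UpgradeCall], paths: List[UpgradePath]) -> Tuple[int, int]:
    """(upgrades executed through a delayed path, total upgrades)."""
    delayed = {p.executor for p in paths if p.delay_seconds > 0}
    return sum(1 for c in calls if c.caller in delayed), len(calls)


def effective_keys_to_upgrade(paths: List[UpgradePath], safes: Dict[str, SafeConfig],
                              signer_behind: Dict[str, str]) -> int:
    """Minimum keys over all authorised paths; a timelock path is only as strong
    as the signer that may queue on it (signer_behind maps executor -> signer)."""
    return min(min_keys_to_execute(signer_behind.get(p.executor, p.executor), safes)
               for p in paths)


# Constructed sample mirroring the report's three post-launch upgrades.
SAFES = {
    SAFE: SafeConfig(threshold=1, owners=("0xEOA_A", NESTED_SAFE, "0xEOA_B")),
    NESTED_SAFE: SafeConfig(threshold=2, owners=("0xEOA_C", "0xEOA_D")),
}
PATHS = [
    UpgradePath("ProxyAdmin owner EOA (no delay)", PROXY_ADMIN_OWNER_EOA, 0),
    UpgradePath("Safe via TimelockController (48h)", TIMELOCK, TIMELOCK_DELAY),
]
SIGNER_BEHIND = {TIMELOCK: SAFE}
CALLS = [
    UpgradeCall("0xTX_SEP_2024", "0xPROXY_MTBILL", "0xIMPL_V2", PROXY_ADMIN_OWNER_EOA),
    UpgradeCall("0xTX_APR_2025", "0xPROXY_UNKNOWN", "0xIMPL_X", PROXY_ADMIN_OWNER_EOA),
    UpgradeCall("0xTX_DEC_2025", "0xPROXY_VAULT", "0xIMPL_V3", TIMELOCK),
]

if __name__ == "__main__":
    for call in CALLS:
        print(call.tx_hash, "->", classify_upgrade(call, PATHS))
    print("timelocked:", timelocked_fraction(CALLS, PATHS))
    print("keys sufficient to upgrade:", effective_keys_to_upgrade(PATHS, SAFES, SIGNER_BEHIND))
```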
RD-F-031 green Signer rotation recency Safe 0xB60842E9 created approximately 1 year and 10 days ago. No AddedOwner, RemovedOwner, or ChangedThreshold events visible in transaction history; nonce=145 indicating active use without signer-set changes. No threshold reduction in recent history. Signer set appears stable.
RD-F-043 green Admin = deployer EOA after 7 days ProxyAdmin (0xbf25b58c) ownership was transferred from Old Deployer (0xa0819ae4) to 0x875c06A2 on 2024-02-08 block 19183949 — same block as ProxyAdmin contract creation. Deployer EOA no longer holds ProxyAdmin or admin role. Admin was transferred within 1 day of deploy. Current admin 0x875c06A2 is not the original deployer. [★ CRITICAL — green]
RD-F-045 green Constructor args match governance proposal No on-chain governance proposals for Midas (corporate-governed). Mainnet.json deployment manifest from Sherlock 2024-05 repo lists ProxyAdmin 0xbf25b58c and mTBILL proxy 0xDD629E52 — matching live Etherscan addresses. No evidence of deviation between declared deployment addresses and live contracts. All constructor args are decodable and match production configuration (USDC payment token, production mTBILL address).
RD-F-046 green Contract unverified on Etherscan/Sourcify All core Midas contracts on Ethereum are source-verified on Etherscan: mTBILL proxy (0xDD629E52), mTBILL impl (0xD4998Cc1), mBASIS (0x2a8c22E3), mBTC (0x007115416), Issuance Vault (0x99361435), Issuance Vault impl Dec-2025 (0xC8AF8477), MidasAccessControl proxy (0x0312A9D1), ProxyAdmin (0xbf25b58c). Sherlock audit repos provide public audited code at commit SHAs. [★ CRITICAL — green]
Oracle & external dependencies Yellow 28 17 of 17
RD-F-049 yellow Oracle role per asset mTBILL NAV: MTBillCustomAggregatorFeed (primary, sole — no secondary or fallback). mBASIS NAV: MBasisCustomAggregatorFeed (primary, sole). Payment tokens (USDC, WBTC): per-token DataFeed.sol wrapped Chainlink feed (primary, sole per tokensConfig mapping in DepositVault). No secondary or fallback oracle identified for any asset. Single-oracle-per-asset design increases operational risk on oracle admin failure or Chainlink IB01/USD halt.
RD-F-050 yellow Dependency graph (protocols depended upon) External dependencies: (1) Midas oracle admin key (M_TBILL_CUSTOM_AGGREGATOR_FEED_ADMIN_ROLE, approx 0xEc581705...50BF64792) for continuous NAV price updates; (2) Chainlink IB01/USD aggregator for underlying T-bill price; (3) USDC/Circle for payment token; (4) off-chain custodians: Maerki Baumann & Co. AG (Switzerland) and Fordefi/Fortuna Custody; (5) BlackRock Treasury Bond fund (mTBILL underlying); (6) LayerZero OFT infrastructure (DVNs, executor) for cross-chain delivery; (7) Axelar ITS for additional cross-chain routes. Multi-layer dependency cascade: off-chain custodian failure → NAV attestation breaks → mToken backing compromised even if smart contracts intact.
RD-F-051 yellow Fallback behavior on oracle failure No fallback oracle identified for any mToken or payment token. If MTBillCustomAggregatorFeed stops receiving price updates, the vault functions continue calling getDataInBase18() which returns the last stored round data without reversion — CustomAggregatorFeed lacks a staleness check (confirmed by Sherlock 2024-08 review: 'The contract lacks timestamp validation'). DataFeed.sol has a 3-day HEALTHY_DIFF staleness guard for the Chainlink IB01/USD wrapper, but this does not apply to the mToken NAV oracle (CustomAggregatorFeed). Hacken Dec-2023 finding F-2023-0288 ('Missing oracle refresh checks') was marked Fixed, but the fix appears to have targeted DataFeed.sol's HEALTHY_DIFF, not CustomAggregatorFeed's missing staleness.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) Oracle admin key loss/compromise → silent stale prices, mint/redeem at wrong NAV (no staleness check in CustomAggregatorFeed). (2) Chainlink IB01/USD halt > 3 days → DataFeed.sol reverts, blocking vault operations. (3) USDC depeg/Circle pause → deposit/redemption halt. (4) Custodian failure (Maerki Baumann) → off-chain backing inaccessible; on-chain contracts intact but mTokens unbacked. (5) LayerZero OFT DVN compromise → unbacked mToken mint on destination chains (DVN config unknown — see F179). (6) Axelar validator compromise → forged cross-chain messages enabling unbacked mints.
RD-F-057 yellow Circuit breaker on price deviation Partial circuit breaker exists: setRoundDataSafe() validates that a new price submission falls within maxAnswerDeviation before accepting. This is an input-side guard (prevents extreme price updates by admin), not a protocol-level circuit breaker that halts deposits/redemptions on large price moves. No evidence of protocol-level pause triggered by oracle price deviation. Vault operations do not automatically halt on oracle price anomaly.
RD-F-058 yellow Max-deviation threshold (bps) maxAnswerDeviation parameter exists in CustomAggregatorV3CompatibleFeed initialize(). The parameter is set at deployment and controls the deviation tolerance for setRoundDataSafe(). Specific deployed value on the live MTBillCustomAggregatorFeed (0x056339C044055819E8Db84E71f5f2E1F536b2E5b) was not retrieved — would require on-chain read call. The parameter exists structurally but its configured value is unknown without direct RPC.
RD-F-059 yellow Oracle staleness check present Mixed — DataFeed.sol (wrapping Chainlink IB01/USD) has a staleness check (_HEALTHY_DIFF = 3 days), but Sherlock judging 2024-05 issue #110 flagged this as too long vs. actual Chainlink heartbeat (Sponsor Confirmed, Will Fix). MTBillCustomAggregatorFeed (the primary mToken NAV oracle at 0x056339C044055819E8Db84E71f5f2E1F536b2E5b) was found to have NO staleness mechanism per Sherlock 2024-08 review ('The contract lacks timestamp validation. It simply returns the updatedAt value from stored round data without checking freshness'). Hacken Dec-2023 F-2023-0288 (missing oracle refresh checks, Fixed) appears to have targeted DataFeed.sol only. Net: primary mToken NAV oracle lacks staleness check.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig Sherlock judging 2024-05 issue #110 confirmed absence of minAnswer/maxAnswer circuit-breaker validation in DataFeed.sol (Chainlink IB01/USD wrapper). If the IB01/USD feed hits its Chainlink-configured min/max bounds, DataFeed.sol returns the artificial bound value as the market price. The fix was Sponsor Confirmed but deployed status is unknown without bytecode comparison. MTBillCustomAggregatorFeed initializes with minAnswer/maxAnswer params but their specific deployed values are unknown.
RD-F-062 yellow External keeper/relayer not redundant Midas standard redemption process involves off-chain operational agents for T-bill sales and USDC return. The oracle NAV price update (setRoundData) relies on a single admin role (M_TBILL_CUSTOM_AGGREGATOR_FEED_ADMIN_ROLE) with no confirmed redundancy or fallback keeper. If the oracle admin fails to update prices, the CustomAggregatorFeed returns stale data indefinitely (no staleness reversion). Instant redemption vaults are on-chain but rely on oracle freshness.
RD-F-180 yellow Immutable oracle address [★ CRITICAL-CANDIDATE per T-12 PD-017 — FLAG for orchestrator] Oracle addresses are NOT immutable — F180 does not fire red. (1) MTBillCustomAggregatorFeed is a TransparentUpgradeableProxy — proxy admin can upgrade implementation, changing oracle logic. (2) DataFeed.sol exposes changeAggregator() callable by DEFAULT_ADMIN_ROLE, allowing the underlying Chainlink feed address to be replaced. (3) ManageableVault.sol sets mTokenDataFeed at initialization with no explicit setter, but the vault is also an upgradeable proxy — the mTokenDataFeed address can change via proxy upgrade. No timelock on oracle changes. Oracle swappability prevents the immutability lock-in scenario (USR/USDX/xUSD pattern) but creates admin-key-as-oracle-control risk. Score yellow: admin-swappable without timelock.
RD-F-054 n/a TWAP window duration Midas uses an issuer-push oracle (setRoundData), not a TWAP-based DEX oracle. TWAP window duration is not applicable to this oracle design.
RD-F-055 n/a Oracle pool depth (USD) No DEX pool underlies the mToken oracle. Pricing is issuer-attested. Chainlink IB01/USD is an aggregator-based feed, not a liquidity pool. Pool depth assessment is not applicable.
RD-F-056 n/a Single-pool oracle (no medianization) No pool-based oracle. MTBillCustomAggregatorFeed is admin-push (no pool); DataFeed.sol wraps a Chainlink multi-node aggregator (16 operators). Single-pool medianization risk is not applicable.
RD-F-061 n/a LP token balanceOf used for pricing Midas does not use LP token balanceOf for NAV pricing. mToken NAV is issuer-attested via admin-push oracle (setRoundData). No LP token pricing surface exists.
RD-F-181 n/a Permissionless-pool lending oracle Midas is an RWA tokenized-asset issuer, not a lending protocol. mToken pricing is issuer-attested (admin-push), not derived from permissionless DEX pool spot prices. The permissionless-pool-lending-oracle failure pattern (Rhea Finance NEAR $18.4M) has no surface in this architecture.
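The three oracle guards discussed in RD-F-051/057/059/060 (a HEALTHY_DIFF staleness window, min/max bound detection, and a setRoundDataSafe-style deviation limit on admin pushes) are modelled below in an added Python example that is neither Midas code nor taken from the audits; it also shows, for contrast, the unchecked read path that returns stored round data as-is. The 3-day window is the value the page attributes to DataFeed.sol; the 8-decimal feed, the 100 bps deviation limit, the min/max bounds and the sample rounds are constructed placeholders, since the deployed maxAnswerDeviation and bounds are not known from the page.

```python
from dataclasses import dataclass
from typing import List

# Staleness window the review attributes to DataFeed.sol (3 days). Sherlock
# issue #110 considered this too long against the real Chainlink heartbeat,
# so a production consumer would tune it per feed.
HEALTHY_DIFF = 3 * 24 * 60 * 60
BPS = 10_000


@dataclass(frozen=True)
class Round:
    """The tuple shape returned by AggregatorV3Interface.latestRoundData()."""
    round_id: int
    answer: int            # price in the feed's own decimals
    updated_at: int        # unix seconds of the last update
    answered_in_round: int


@dataclass(frozen=True)
class FeedConfig:
    decimals: int
    min_answer: int        # aggregator circuit-breaker bounds (constructed values)
    max_answer: int
    max_deviation_bps: int # assumption: deviation tolerance expressed in bps


def to_base18(answer: int, decimals: int) -> int:
    """Normalise a feed answer to 18 decimals, DecimalsCorrection-style."""
    if decimals <= 18:
        return answer * 10 ** (18 - decimals)
    return answer // 10 ** (decimals - 18)


def get_data_in_base18_unchecked(rnd: Round, cfg: FeedConfig) -> int:
    """The pattern the review flags on CustomAggregatorFeed: whatever is stored
    is returned, however old it is and wherever it sits relative to the bounds."""
    return to_base18(rnd.answer, cfg.decimals)


def round_problems(rnd: Round, cfg: FeedConfig, now: int) -> List[str]:
    """Consumer-side validation a hardened getDataInBase18() would enforce."""
    problems = []
    if rnd.answer <= 0:
        problems.append("non-positive answer")
    if rnd.answered_in_round < rnd.round_id:
        problems.append("round not yet answered")
    if now - rnd.updated_at > HEALTHY_DIFF:
        problems.append("stale: last update older than HEALTHY_DIFF")
    # At its min/max bound an aggregator reports the bound rather than the
    # market price, so touching either bound is treated as a failure.
    if rnd.answer <= cfg.min_answer or rnd.answer >= cfg.max_answer:
        problems.append("answer pinned at aggregator min/max bound")
    return problems


def get_data_in_base18_safe(rnd: Round, cfg: FeedConfig, now: int) -> int:
    """Revert-equivalent: refuse to price anything off a questionable round."""
    problems = round_problems(rnd, cfg, now)
    if problems:
        raise ValueError("; ".join(problems))
    return to_base18(rnd.answer, cfg.decimals)


def deviation_bps(prev_answer: int, new_answer: int) -> int:
    """Absolute move of a new push relative to the previous answer, in bps."""
    return abs(new_answer - prev_answer) * BPS // prev_answer


def set_round_data_safe(prev: Round, new_answer: int, cfg: FeedConfig, now: int) -> Round:
    """Input-side guard modelled on setRoundDataSafe(): reject a single admin
    push that moves more than max_deviation_bps. This bounds one update; it
    does not pause vault operations, which is the gap RD-F-057 describes."""
    if prev.answer <= 0 or new_answer <= 0:
        raise ValueError("answers must be positive")
    moved = deviation_bps(prev.answer, new_answer)
    if moved > cfg.max_deviation_bps:
        raise ValueError(f"deviation {moved} bps exceeds {cfg.max_deviation_bps} bps")
    return Round(prev.round_id + 1, new_answer, now, prev.round_id + 1)


# Constructed sample: an 8-decimal NAV feed whose last push (1.06) is 4 days old.
NOW = 1_800_000_000
CFG = FeedConfig(decimals=8, min_answer=1 * 10**8, max_answer=2 * 10**8, max_deviation_bps=100)
STALE_ROUND = Round(round_id=7, answer=106_000_000, updated_at=NOW - 4 * 86_400, answered_in_round=7)
FRESH_ROUND = Round(round_id=8, answer=106_000_000, updated_at=NOW - 3_600, answered_in_round=8)

if __name__ == "__main__":
    print("unchecked read of stale round:", get_data_in_base18_unchecked(STALE_ROUND, CFG))
    print("problems with stale round:", round_problems(STALE_ROUND, CFG, NOW))
    print("checked read of fresh round:", get_data_in_base18_safe(FRESH_ROUND, CFG, NOW))
```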
RD-F-048 green Oracle providers used Midas uses a proprietary issuer-push oracle (MTBillCustomAggregatorFeed at proxy 0x056339C044055819E8Db84E71f5f2E1F536b2E5b, impl 0x0d84eC93e9a734184c7f59f61342f432444efc1b) for mToken NAV pricing. The CustomAggregatorV3CompatibleFeed implements Chainlink's AggregatorV3 interface but receives prices via admin-push (setRoundData), not from an external feed. DataFeed.sol (Sherlock 2024-05 scope) wraps Chainlink IB01/USD aggregator (0x32d1463EB53b73C095625719Afa544D5426354cB, 16 oracle nodes, 2% deviation threshold) for the underlying T-bill reference price. Pipeline cache's 18 Chainlink feeds are advisory false-positives and do not reflect Midas's actual oracle architecture.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] mToken NAV pricing uses MTBillCustomAggregatorFeed, an issuer-push oracle where prices are submitted by a permissioned admin role (M_TBILL_CUSTOM_AGGREGATOR_FEED_ADMIN_ROLE) via setRoundData(). No DEX spot price manipulation surface exists. The underlying IB01/USD Chainlink feed uses 16 oracle nodes with 2% deviation threshold — not a DEX pool. The 244-transaction history on the oracle proxy (Set Round Data pattern) confirms the push-model operation. F053 does not fire: oracle source is not a spot DEX pool, TWAP is not needed in this architecture.
Economic risk Yellow 33 13 of 13
RD-F-063 yellow TVL (current + 30d trend) TVL current $161.42M (above $100M green threshold). 30-day trend is -23.44%, exceeding the 20% decline threshold for yellow. Protocol is in sustained TVL decline from its confirmed ~$274.6M peak (Jan/Feb 2026), representing a ~41% drawdown. Context is RWA sector capital rotation, not a protocol-specific adverse event. 90-day CoV = 0.171 (mean $221.3M, std $37.9M). Yellow: TVL above $100M but 30-day decline >20%.
RD-F-065 yellow Liquidity depth per major asset mTokens have thin secondary-market liquidity relative to TVL. mTBILL on Ethereum: ~$1.1M monthly trading volume, 49.4M tokens in circulation at NAV $1.06 per RWA.xyz; secondary depth is well below 2% of $52.6M circulating value (approximately 2% monthly turnover, not instantaneous depth). mTBILL on Base: ~$19.2K monthly volume, negligible. Other mTokens (mMEV, mEDGE, mBASIS, mBTC, mRE7YIELD) have no publicly available secondary-market depth data. Primary redemption is functional (instant, 0% fee via RedemptionVault) but KYC-gated, restricted to whitelisted non-US investors, and contingent on issuer operational continuity. Yellow: secondary-market depth at 2% impact is below 2% of TVL for major mTokens; primary redemption is the functional exit but is not permissionless.
RD-F-064 gray TVL concentration (top-10 wallet share) mToken issuance is KYC-gated and permissioned (greenlist). Top-10 holder share is not computable from public deposit-event logs or standard subgraph queries: the DepositVault tracks per-user deposits internally but no public subgraph or Dune Analytics query enumerates top-holder concentration across all mTokens and 28+ chains. On-chain holder count for mTBILL is approximately 280 addresses on Ethereum (Etherscan holders tab), suggesting institutional-level concentration is plausible but the exact share is not derivable. Cannot grade.
RD-F-066 n/a Utilization rate (lending protocols) Midas is an RWA tokenized-asset issuer, not a lending protocol. No borrow markets exist. Data cache borrow.present: false. PD-024 non-lending protocol factor-flip applies.
RD-F-067 n/a Historical bad-debt events Not applicable as a lending-protocol bad-debt factor. Midas has no pool-level socialized-loss mechanism: mTokens are fully-backed RWA; NAV decline is borne by token holders individually, not socialized. No bad-debt events in Midas RWA history. Midas Capital incidents (2023, ~$1.26M total) belong to a separate unrelated protocol (Compound V2 fork) confirmed by profile §10 and hacksdatabase disambiguation. PD-024 non-lending factor-flip applies.
RD-F-068 n/a Collateralization under stress Not applicable. Midas has no on-chain collateral pool subject to the 50%-drop stress simulation. mToken backing is off-chain: T-bills held by Maerki Baumann & Co. AG (Switzerland), BTC/ETH by Fortuna Custody, CEX positions for mBASIS. No Compound/Aave-style on-chain collateral pool. PD-024 non-lending factor-flip applies.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Not applicable. mTokens are not stablecoins and are not algorithmically stabilized. mTBILL is fully backed by U.S. Treasury bills (BlackRock fund via Maerki Baumann custodian); mBASIS is backed by strategy assets (basis trade, fully allocated); mBTC is backed by BTC. NAV-attested by issuer daily. No algorithmic stability mechanism or fractional backing. PD-024 + PD-042 RWA issuer factor-flip applies.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Not applicable. Midas is an original RWA tokenized-asset issuer, not a Compound V2-style lending fork. No cToken architecture, no markets() call, no totalSupply/totalBorrow pairing in the Compound sense. The Issuance Vault (DepositVault impl 0xC8AF8477f3caa89f60fe9d1f48eee5433c55982b) is confirmed as a bespoke permissioned request-queue contract exposing depositInstant, depositRequest, approveRequest functions; it is not ERC-4626 and not a cToken. The Midas Capital incidents in the hacksdatabase (2023-01 ~$660K; 2023-06 ~$600K) involve a Compound V2 fork empty-market attack on a DIFFERENT protocol (Midas Capital), not Midas RWA. The donation/empty-market vector requires a share-based vault architecture that does not exist in the Midas RWA codebase. PD-024 + PD-042 non-lending/RWA factor-flip applies.
RD-F-071 n/a Seed-deposit requirement for new market listing Not applicable. Midas does not operate a Compound-style market-listing mechanism. mTokens are launched as new products by the corporate issuer (Midas Software GmbH); no permissioned-or-permissionless market-listing process with seed deposits exists. PD-024 non-lending factor-flip.
RD-F-072 n/a Market-listing governance threshold Not applicable. No Compound-style market listing exists in the Midas architecture. New mToken products are launched by the corporate issuer as business decisions, not through on-chain governance proposals. PD-024 non-lending factor-flip.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Not applicable. Midas has no borrowing function and no DEX-TWAP oracle for borrow-cap calculation. Midas uses an issuer-attested NAV DataFeed for minting/redemption pricing, not a DEX spot oracle subject to borrow-cap manipulation. Data cache borrow.present: false. PD-024 non-lending factor-flip.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Not applicable. Midas DepositVault (Issuance Vault) is a bespoke permissioned contract, confirmed not to be an ERC-4626 vault. Etherscan read of impl 0xC8AF8477f3caa89f60fe9d1f48eee5433c55982b shows functions depositInstant, depositRequest, approveRequest; there is no ERC-4626 deposit/mint/withdraw/redeem interface. mTokens (mTBILL, mBASIS, mBTC) are plain ERC-20 tokens minted by the issuer via MINTER_ROLE, not ERC-4626 shares with a totalAssets/totalSupply ratio subject to first-depositor inflation. The virtual-share offset mitigation is inapplicable by architecture.
RD-F-075 n/a First-depositor / share-inflation guard Not applicable, for the same architectural reason as F074. DepositVault is not a share-based vault; mTokens are issuer-minted ERC-20 tokens with no totalAssets/totalSupply ratio subject to first-depositor share-inflation. The MINTER_ROLE (granted to the issuer's operational key) directly mints mTokens; there is no share-calculation path that an attacker could manipulate via a first-deposit donation. Bespoke DepositVault confirmed by Etherscan read and Sherlock 2024-08 audit scope (minter/redeemer role architecture).
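RD-F-070, RD-F-074 and RD-F-075 are marked inapplicable because mTokens are issuer-minted rather than share-priced. To make concrete what those factors screen for on a protocol that does use share pricing, the following added example (not Midas code, not defirisk.co pipeline code) models a generic share-based vault in Python: the legacy assets * totalShares / totalAssets formula beside the OpenZeppelin >= 4.9 virtual-share offset, run through the 1-wei-deposit-plus-donation sequence that empties a victim's deposit. Amounts, the attacker/victim ordering and the decimals offset values are constructed.

```python
"""Share-inflation arithmetic for an ERC-4626-style vault, modelled in Python.

Added example, not Midas code. A legacy vault prices shares as
assets * totalShares / totalAssets (first depositor gets shares == assets);
OpenZeppelin >= 4.9 prices them as assets * (totalShares + 10**offset) / (totalAssets + 1).
totalAssets mirrors balanceOf(vault), so a direct transfer ("donation") moves the
share price without minting shares. Amounts below are constructed."""


class ShareVault:
    def __init__(self, legacy: bool, decimals_offset: int = 0):
        self.legacy = legacy
        self.virtual_shares = 10 ** decimals_offset  # OZ _decimalsOffset(); 1 means +1 virtual share
        self.total_assets = 0  # mirrors balanceOf(vault), so donations count
        self.total_shares = 0
        self.balances = {}

    def convert_to_shares(self, assets: int) -> int:
        if self.legacy:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + self.virtual_shares) // (self.total_assets + 1)

    def convert_to_assets(self, shares: int) -> int:
        if self.legacy:
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + self.virtual_shares)

    def deposit(self, who: str, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        """Direct ERC-20 transfer to the vault: raises totalAssets, mints nothing."""
        self.total_assets += assets

    def redeem(self, who: str) -> int:
        shares = self.balances.pop(who, 0)
        assets = self.convert_to_assets(shares) if shares else 0
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


def run_attack(vault: ShareVault, victim_deposit: int = 10_000 * 10**18) -> dict:
    """Attacker deposits 1 wei, donates victim_deposit, then the victim deposits.
    The attacker exits first (worst case for the victim), then the victim."""
    vault.deposit("attacker", 1)
    vault.donate(victim_deposit)
    attacker_spent = 1 + victim_deposit
    victim_shares = vault.deposit("victim", victim_deposit)
    attacker_back = vault.redeem("attacker")
    victim_back = vault.redeem("victim")
    return {
        "victim_shares": victim_shares,
        "victim_loss": victim_deposit - victim_back,
        "attacker_profit": attacker_back - attacker_spent,
    }


if __name__ == "__main__":
    print("legacy     ", run_attack(ShareVault(legacy=True)))
    print("OZ offset 0", run_attack(ShareVault(legacy=False, decimals_offset=0)))
    print("OZ offset 6", run_attack(ShareVault(legacy=False, decimals_offset=6)))
```

With the legacy formula the victim receives zero shares and the attacker withdraws the entire pool. With the OZ offset of 0 the victim still loses a third of the deposit, but the attacker loses as much, which is what removes the incentive; with a decimals offset of 6 the victim's loss collapses to a rounding-level amount while the attacker forfeits most of the donation. This is the arithmetic the factors look for in share-based vaults, and it has no analogue when a MINTER_ROLE mints tokens at an attested NAV.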
Operational history Green 18 15 of 15
RD-F-089 red Insurance coverage active No active DeFi protocol insurance coverage found for Midas RWA on Nexus Mutual, Unslashed, or Sherlock Shield (the protocol coverage product, distinct from Sherlock's audit/bounty business). Sherlock operates the Midas bug bounty program (audits.sherlock.xyz/bug-bounties/122) but no Sherlock Shield smart-contract coverage was found for Midas RWA contracts. No Nexus Mutual cover listed for midas-rwa. This is a structural gap common to RWA tokenized-asset issuers: off-chain collateral (T-bills, basis trades held at regulated custodians) is not coverable by on-chain DeFi insurance products. TVL at assessment = $161.42M; 0% coverage.
RD-F-084 yellow TVL stability (CoV over 90d) 90-day TVL CoV = 0.171 per data cache (fetched 2026-05-16). Mean ~$221.3M, std ~$37.9M over 2026-02-14 to 2026-05-16. This falls in the yellow band (0.15–0.35). The TVL decline from ~$274M peak (Jan/Feb 2026) to $161M current (~41% drawdown) reflects RWA sector capital rotation, not a protocol-specific adverse event. No exploit or governance incident contributed to the volatility.
RD-F-086 yellow Pause activations (trailing 12 months) One documented service pause in the trailing 12 months: Midas suspended its LayerZero OFT cross-chain service in April 2026 in response to the KelpDAO rsETH exploit of 2026-04-18, resuming on 2026-04-19 with gradual restoration of all mToken minting and redemption services. The pause had a documented reason (mitigate cross-chain risk from a partner-infrastructure incident) and was publicly announced. One pause with a documented reason falls in the yellow band (1–2 pauses with documented reason). No additional pauses found.
RD-F-087 yellow Pause > 7 consecutive days The April 2026 LayerZero OFT service pause has a confirmed resumption date of 2026-04-19 per the Phemex News article. The exact suspension start date is not publicly disclosed in available sources. The article describes the pause as a protective measure tied to the rsETH incident timeline and implies gradual resumption 'by end of day' April 19. The balance of evidence suggests a short operational pause (days, not weeks), but the start date is unconfirmed, so a pause of more than 7 consecutive days can be neither confirmed nor excluded. Scored yellow given the uncertainty; if the curator confirms a start date on or before 2026-04-11 (more than 7 days before resumption), the score shifts to red.
RD-F-081 gray Post-exploit response score No prior exploits for Midas RWA. Post-exploit response score is not applicable: there is no incident to score against.
RD-F-082 gray Post-mortem published within 30 days No prior exploits for Midas RWA. Post-mortem timeline is not applicable: there is no incident requiring a post-mortem.
RD-F-083 gray Auditor re-engaged after last exploit No prior exploits for Midas RWA. Re-audit after exploit is not applicable: there is no incident that would trigger a post-incident re-audit requirement.
RD-F-085 gray Incident response time (minutes) No prior exploits for Midas RWA. Incident response time is not applicable: there is no incident with a first-tx timestamp to measure against.
RD-F-076 green Protocol age (days) Midas RWA first mainnet deployment December 2023 per RWA.xyz inception data and Hacken audit timeline (sign-off 2024-01-11 for the Dec 2023 deployment); the first protocol deploy transaction is dated 2023-12-01 (see RD-F-124). Age at 2026-05-16, counted from 2023-12-01, is 897 days (~29.5 months), well above the 365-day green threshold.
RD-F-077 green Prior exploit count Zero protocol-level exploits for Midas RWA. The hacksdatabase entries midas-capital-rekt.md and midas-rekt2.md belong to Midas Capital (Fuse/Compound V2-fork lending protocol on Polygon/BSC, 2023-01-15 ~$660K and 2023-06-17 ~$600K) — an entirely separate defunct protocol. DefiLlama confirms 'Hacks: None recorded' for Midas RWA. Protocol data cache rekt.incidents confirmed as Midas Capital only.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero incidents for Midas RWA. Chronic flag threshold is >=3 incidents. 0 < 3, so flag does not apply.
RD-F-079 green Same-root-cause repeat exploit Zero incidents for Midas RWA. Same-root-cause repeat requires at least two incidents with the same root-cause cluster. No incidents exist, so no repeat root cause is possible.
RD-F-080 green Days since last exploit No prior exploits for Midas RWA. Per methodology: green = >365 days or no incidents. 0-incident history qualifies as green.
RD-F-088 green Re-deployed to new addresses in last year No full redeployment to new addresses in the last 12 months. The mTBILL token implementation was upgraded via the proxy implementation slot (2024-09-04) and the Issuance Vault implementation was replaced (2025-12-11, current impl 0xC8AF8477f3caa89f60fe9d1f48eee5433c55982b); both are proxy upgrades, not protocol-level redeployments requiring user migration. Core proxy addresses (0xDD629E5241CbC5919847783e6C96B2De4754e438 for mTBILL, 0x99361435420711723aF805F08187c9E6bF796683 for Issuance Vault) remain unchanged. No deprecation announcements found.
RD-F-166 green Deprecated contracts still holding value No deprecated contracts identified for Midas RWA. The protocol is approximately 29 months old (first deploy 2023-12-01). The upgrade pattern is TransparentUpgradeableProxy: old implementations are superseded at the proxy level but the proxy contracts themselves remain live and are not 'deprecated.' No protocol-issued deprecation announcement was found in docs, GitHub, or public communications. The Issuance Vault implementation upgrade (2025-12-11) replaced the implementation slot but left the proxy contract active and in use, which is not a deprecation.
Real-time signals Green 17 22 of 22
RD-F-103 yellow Bridge signer-set change proposed/executed Bridge signer-set change signal. T-09 v1 launch / Tier A (instant grade flip). Applicable: Midas has confirmed LayerZero OFT and Axelar vault bridge surface per bug bounty scope (2026-03-24) which explicitly lists 'Layer Zero OFT, Axelar vault' as in-scope contracts. Confirmed active usage: Midas paused its LayerZero OFT service in April 2026 and resumed it on 2026-04-19 in response to the KelpDAO rsETH exploit ($292M, Lazarus Group attack on LayerZero 1/1 DVN). Current posture: pipeline config has layerzero_oapp_address: null; specific OFT adapter addresses are not registered, so the signal cannot fire. For Axelar: uses a DPoS validator set (top-75 by AXL stake), not a static k-of-N signer multisig; validator elections use a different event structure requiring separate monitoring logic. No bridge contract events monitored. Yellow because: this is a T-09 v1 Tier-A grade-flipping signal for a confirmed active bridge surface, but the pipeline is not wired due to missing contract address registration. The monitoring ga
RD-F-106 yellow Cross-chain bridge unverified mint pattern Cross-chain bridge unverified mint pattern. Not in T-09 v1 shortlist; T-09 §3.3 defers this to v2 pending bridge-coverage becoming first-class. Applicable: Midas has confirmed LayerZero OFT surface; unverified mint on a destination chain is the exact attack vector used in the KelpDAO rsETH exploit ($292M, 2026-04-18), which uses the same bridge infrastructure class. Midas paused OFT service after that exploit and resumed it on 2026-04-19, confirming active usage. DVN configuration for Midas's specific OFT adapters is unassessed; adapter addresses not located in pipeline config (layerzero_oapp_address: null). Post-resume DVN configuration not publicly confirmed; 47% of LayerZero OApps used 1/1 DVN at time of Dune Analytics analysis (post-KelpDAO, Apr 2026). Yellow because: signal architecture is directly exposed to this attack class with material uncertainty about current DVN config; OFT surface confirmed active; monitoring not wired; adapter addresses unknown.
RD-F-090 gray Mixer withdrawal → protocol interaction Mixer-withdrawal-to-protocol-interaction signal. EVM protocol; mixer-funded wallets could in principle acquire mTokens. Midas requires KYC greenlist approval (MidasAccessControl.greenlistedUsers) before any DepositVault interaction, structurally blocking anonymous mixer-funded deposits. No CTI feed configured. No public evidence of mixer-funded wallet interactions with Midas contracts. Deployer funded via MoonPay fiat on-ramp (clean). Production pipeline not implemented; monitoring infrastructure for this signal class (CTI feed + interaction indexer) is not deployed for this protocol.
RD-F-091 gray Partial-drain test transactions Partial-drain test-transaction pattern. EVM; on-chain RedemptionVault transactions are the applicable surface. No pattern-matcher deployed. No historical pre-drain pattern known (Midas RWA has zero prior exploits). Production pipeline not implemented; on-chain pattern-matching infrastructure for this signal class is not deployed for this protocol.
RD-F-092 gray Unusual mempool pattern from deployer wallet Unusual mempool pattern from deployer wallet. Deployer 0xa0819ae43115420beb161193b8d8ba64c9f9facc is active (630+ transactions per Etherscan label 'Midas RWA: Old Deployer'). No mempool baseline behavioral model deployed. Production pipeline not implemented; the mempool stream and baseline behavioral model for deployer wallets are not configured for this protocol.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Abnormal gas-price willingness from attacker wallet. EVM protocol; mempool-based gas-price anomaly detection is applicable. No mempool EMA baseline configured. Production pipeline not implemented; the mempool stream and gas-price EMA baseline are not deployed for this protocol.
RD-F-094 gray New contract with similar bytecode to exploit template New contract with bytecode similarity to exploit template. TransparentUpgradeableProxy pattern in use; DepositVault/RedemptionVault architecture is the applicable surface. No bytecode similarity index maintained for the RWA-issuer class. Production pipeline not implemented; on-chain new-deploy sweep and bytecode similarity index are not deployed for this protocol.
RD-F-095 gray Known-exploit function-selector replay Known-exploit function-selector replay signal. EVM protocol applicable. No selector pattern index maintained for the RWA-issuer class. Production pipeline not implemented; selector pattern index infrastructure is not deployed for this protocol class.
RD-F-096 gray New ERC-20 approval to unverified contract from whale New ERC-20 approval to unverified contract from whale. mToken holders can grant ERC-20 approvals; TVL whales exist. No whale list or approval monitor configured. Production pipeline not implemented; whale list and mempool approval-event monitoring are not deployed for this protocol.
RD-F-097 gray Sybil surge of identical-pattern transactions Sybil surge signal. Applicability structurally limited for Midas: mToken deposits require KYC greenlist approval (MidasAccessControl), blocking permissionless sybil activity at the DepositVault layer. No clustering algorithm deployed. Production pipeline not implemented; on-chain tx clustering infrastructure is not deployed for this protocol.
RD-F-099 gray Oracle price deviation >X% from secondary Oracle price deviation signal. T-09 phase-2. Applicable: Midas DataFeed publishes daily NAV attestations per mToken; a secondary cross-check against RWA.xyz or DeFiLlama RWA prices is feasible but not configured. NAV is issuer-attested at daily cadence, not per-block AMM spot price; this changes the deviation signal's character (daily staleness vs per-block manipulation). No secondary oracle reference feed mapped in pipeline. Production pipeline not implemented; per-asset secondary-source map and per-protocol oracle-usage map are prerequisites per T-09 §3.2 gating work.
RD-F-100 gray Flash loan >$10M targeting protocol tokens Flash loan >$10M targeting protocol tokens. T-09 phase-2. Applicability structurally limited for Midas: mTokens are non-rebasing ERC-20 yield tokens; the NAV oracle is issuer-attested daily (not DEX spot), so flash loans cannot manipulate the oracle within a single transaction. No lending/borrowing protocol creates a flash-loan arbitrage surface. The KYC greenlist requirement also limits flash-loan-funded attack paths through DepositVault. No flash-loan monitor configured. Production pipeline not implemented; protocol-token map and flash-loan-source allowlist are prerequisites per T-09 §3.2 gating work.
RD-F-101 n/a Large governance proposal queued Large governance proposal queued signal. Midas is corporate-governed (Midas Software GmbH) with no on-chain governor contract, no Snapshot space, no governance token, and no proposal queue mechanism. Signal is architecturally inapplicable: no governance infrastructure exists to produce or queue proposals.
RD-F-102 gray Admin/upgrade transaction in mempool Admin/upgrade tx in mempool signal. T-09 phase-2. Applicable: Midas contracts use the TransparentUpgradeableProxy pattern (confirmed for mTBILL, mBASIS, mBTC, Issuance Vault on Etherscan). ProxyAdmin holds upgrade rights. Known upgrades: Issuance Vault 2025-12-11; mTBILL impl 2024-09-04. Both would have triggered this signal had the pipeline been live. No current pending upgrades publicly known. Mempool listener not configured. Production pipeline not implemented; mempool listener stack and admin/keeper allowlist per protocol are prerequisites per T-09 §3.2 gating work.
RD-F-105 gray DNS/CDN/frontend hash drift DNS/CDN/frontend hash drift signal. T-09 phase-2. Applicable: midas.app is an active frontend. No frontend JS hash monitor or DNS monitoring (CertStream/PhishFort) configured for this protocol. Production pipeline not implemented; external monitoring stack and change-management allowlist are prerequisites per T-09 §3.2 gating work.
RD-F-107 gray Admin EOA signing from new geography/device Admin EOA signing from new geography/device. Requires off-chain signing telemetry integration that is not available without team opt-in. Per methodology template note: 'Practically ungatherable without team opt-in. Default gray.' Production pipeline not implemented; this signal requires team integration that is not available in a static T-10 assessment.
RD-F-108 gray GitHub force-push to sensitive branch GitHub force-push to sensitive branch. Main repo RedDuck-Software/midas-contracts is private (github_private: true per data cache). GitHub webhook monitoring is not feasible without a repo access grant. Signal requires GitHub API webhook access to protected branches; the private repo prevents this. Production pipeline not implemented.
RD-F-109 gray Social-media impersonation scam spike Social-media impersonation scam spike. Applicable: Midas is a $50M Series-A brand with @MidasRWA on X, Telegram @midasrwa, and an active social presence. No social monitoring feed (Bolster/PhishFort/Chainabuse) configured for this protocol. Web search for active phishing campaigns targeting Midas returned no specific evidence. Production pipeline not implemented; social-media monitoring feed and keyword pattern-matching are not deployed for this protocol.
RD-F-110 n/a Unusual pending/executed proposal ratio Unusual pending/executed proposal ratio. Midas has no on-chain governor, no Snapshot space, and no governance token. Signal is architecturally inapplicable: no proposal infrastructure exists to produce a pending/executed ratio.
RD-F-182 gray Security-Council threshold reduction (RT) Security-Council threshold-reduction RT signal (batch-24, v1.1 candidate). Applicable in principle: Midas has an admin Safe controlling upgrade and admin operations. A threshold reduction on that Safe within 14 days of a timelock removal or new-signer addition would be the Drift-Protocol-class DPRK-precursor pattern. Architectural reason for gray: the admin Safe address is not publicly disclosed and not registered in the pipeline config (safe_addresses: [] in data cache). Without the Safe contract address, governance contract event subscription (ChangedThreshold, RemovedOwner, AddedOwner events) is impossible. No recent governance-weakening events identified in public data. Signal is applicable to this protocol class; the specific pipeline gap is that the admin Safe address must first be traced via MidasAccessControl RoleGranted events (governance-admin-analyst task) before this signal can be wired.
RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly (severe drop) signal. T-09 v1 launch / Tier A. TVL as of 2026-05-16: $161.42M (DeFiLlama). 1-day change: -0.06%. 30-day change: -23.44% (sustained capital-rotation decline from ~$211M 30-day mean baseline). Signal threshold per T-09 §4.1: TVL_now / TVL_baseline_30d < 0.70 evaluated over 60-minute trailing window. Observed: $161.42M / ~$211M baseline = 76.5% ratio, which is above the 70% threshold; moreover the decline is over 30 days, not 60 minutes. No single-hour drop approaching 30% detected. Signal not firing. DeFiLlama real-time TVL endpoint is applicable source for wiring.
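The TVL factors in this section (RD-F-063, RD-F-084 and RD-F-098) reduce to three computations: a 30-day percentage change against the $100M/20% rule, a 90-day coefficient of variation against the 0.15–0.35 yellow band, and the T-09 §4.1 ratio TVL_now / TVL_baseline_30d < 0.70 on a 60-minute trailing window. The following added example (not defirisk.co pipeline code) implements them in Python over constructed series. Two readings are assumptions of this block and are marked as such in the code: that the severe-drop signal fires only when the 0.70 breach happens inside the trailing hour, so a slow 30-day rotation does not trigger it, and that TVL below $100M scores red.

```python
"""TVL-derived factors: 30-day change and the $100M/20% rule (RD-F-063), 90-day
coefficient of variation (RD-F-084) and the T-09 §4.1 severe-drop signal on a
trailing 60-minute window (RD-F-098).

Added example, not defirisk.co pipeline code. TVL series are constructed."""
from statistics import mean, pstdev


def coefficient_of_variation(daily_tvl):
    """Population std / mean over the daily series (the CoV quoted in RD-F-084)."""
    return pstdev(daily_tvl) / mean(daily_tvl)


def cov_band(cov: float) -> str:
    # The 0.15–0.35 yellow band is stated in RD-F-084; green below and red above are assumed.
    if cov < 0.15:
        return "green"
    return "yellow" if cov <= 0.35 else "red"


def pct_change(now: float, then: float) -> float:
    return (now - then) / then * 100.0


def tvl_grade(tvl_usd: float, change_30d_pct: float) -> str:
    """RD-F-063: green needs TVL >= $100M and no 30-day decline beyond 20%."""
    if tvl_usd < 100e6:
        return "red"  # assumption: the page states only the $100M green threshold
    return "yellow" if change_30d_pct < -20.0 else "green"


def severe_drop_fired(points, baseline_30d: float, window_min: int = 60, ratio: float = 0.70) -> bool:
    """points: (unix_ts, tvl_usd) ascending. Fires when the latest TVL is below
    ratio * baseline AND the oldest point still inside the trailing window was
    not, i.e. the breach happened within the last window_min minutes (assumed reading)."""
    if not points:
        return False
    now_ts, now_tvl = points[-1]
    window = [p for p in points if now_ts - p[0] <= window_min * 60]
    start_tvl = window[0][1]
    floor = ratio * baseline_30d
    return now_tvl < floor and start_tvl >= floor


# Constructed scenarios (USD). The ~$211M baseline is the 30-day mean quoted in RD-F-098.
BASELINE_30D = 211e6
ROTATION = [(0, 162.0e6), (1800, 161.7e6), (3600, 161.42e6)]       # constructed hour ending at the observed $161.42M
DRAIN = [(0, 211e6), (1200, 205e6), (2400, 140e6), (3600, 135e6)]  # hypothetical hour-scale drain
ALREADY_LOW = [(0, 145e6), (3600, 140e6)]                          # below 0.70 all hour: no fresh breach


if __name__ == "__main__":
    print("CoV", round(coefficient_of_variation([180, 220, 260, 220]), 4))
    print("grade", tvl_grade(161.42e6, -23.44))
    print("rotation fires:", severe_drop_fired(ROTATION, BASELINE_30D))
    print("drain fires:", severe_drop_fired(DRAIN, BASELINE_30D))
```

The ROTATION series reproduces the non-firing case on the page (161.42 / 211 is 0.765, above 0.70, and nothing moved within the hour); DRAIN shows the kind of move the Tier-A signal exists for; ALREADY_LOW shows why the window check matters, since a ratio-only test would keep re-firing every hour once TVL had drifted under the line.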
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal. T-09 v1 launch / Tier B. USDC is the primary payment token for mToken deposits/redemptions. No active depeg event as of 2026-05-16; USDC and USDT at peg. Midas mTokens are backed by Treasuries, not stablecoins — a USDC depeg would affect deposit/redemption flow mechanics but not mToken NAV directly. Protocol exposure to stablecoins is operational (flow), not collateral. Signal not firing.
Dev identity & insider risk Green 14 16 of 16
RD-F-117 red ENS/NameStone identity bound to deployer Deployer 0xa0819ae43115420beb161193b8d8ba64c9f9facc has no ENS reverse record. Etherscan public name tag 'Midas RWA: Old Deployer' is a public label applied by the Etherscan community, not an ENS/NameStone reverse resolution. No NameStone binding found. For an institutional deployer this is typical and not a safety concern, but the factor definition scores red when no ENS/NameStone binding exists.
RD-F-120 yellow Video-off/voice-consistency flag Fabrice Grinda has extensive documented personal identity (active blog at fabricegrinda.com with personal photo and multi-decade public record; Forbes #1 angel 2018; named in media). Dennis Dinkelmeyer appears in named press quotes across multiple Series A articles. No video-off pattern or voice inconsistency flagged. Specific on-camera video interview URLs with Dinkelmeyer or Bourgois not retrieved within assessment budget. Yellow rather than green due to absence of a confirmed on-camera appearance URL for all named co-founders.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Two post-audit implementation upgrades confirmed on-chain: (1) mTBILL impl 0xD4998Cc1ba435298c521f250b81856b1f25c8455 deployed by 'Midas RWA: Old Deployer' approximately September 2024; (2) Issuance Vault impl updated at block 23990751 approximately December 2025 (155 days before assessment date). No public governance discussion, engineering changelog, or blog post identified for either upgrade. Midas operates as a corporate issuer with no DAO forum. However: corporate RWA issuers (circle-usyc / spiko / superstate precedent per PD-042) routinely upgrade without DAO discussion; no emergency/rescue nature or concealment signal observed. Yellow per corporate RWA norm; not red absent a concealment signal.
RD-F-116 gray Contributor tenure at admin-permissioned PR Main repository RedDuck-Software/midas-contracts is private (github_private:true per data cache). GitHub PR history for admin-permissioned code changes is not publicly accessible. The two post-audit upgrades (mTBILL impl 2024-09, Issuance Vault 2025-12) are on-chain events without linked public PRs. Cannot enumerate PR author tenure.
RD-F-119 gray Commit timezone consistent with stated geography Main repo RedDuck-Software/midas-contracts is private; commit timestamp distribution is not enumerable. RedDuck Software GitHub org lists Ukraine as location (UTC+2/+3); Midas Software GmbH is Berlin/Germany (UTC+1/+2). These timezones are geographically consistent with stated geography and inconsistent with the DPRK UTC+9 pattern. However, formal commit-hour analysis cannot be performed on a private repo. Sherlock audit repos (public read-only forks) contain insufficient commit metadata for timezone distribution analysis.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Admin wallet addresses not publicly disclosed (config safe_addresses:[], cache safe_multisigs:[] per data cache; governance-admin-analyst must trace RoleGranted events). Contributor payment wallet addresses unknown. No DPRK cluster proximity found for deployer or its 1-hop funding wallet in public CTI. Cannot assess contributor payment routing without wallet identities. Paid Chainalysis/TRM CTI feed not available.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged 'team contributor' or 'external integrator' persona with $1M+ real-capital deposits identified for Midas. Drift Protocol comparator (UNC4736/DPRK Apr 2026, $285M) involved a nation-state implant using conference credentialing; no analogous signal found for Midas. Midas team is fully doxxed (EU RWA startup) with verifiable TradFi/DeFi credentials. Attacker-venue-use is not team contamination (U4 pre-mark). Factor requires a cross-source verification framework not yet available.
RD-F-111 green Team doxx status CEO Dennis Dinkelmeyer (real name; Goldman Sachs + Capital Group prior employment), CPO Romain Bourgois (real name; ex-Ondo Finance Head of Product, Criteo), Executive Chairman Fabrice Grinda (real name; FJ Labs founder, Forbes #1 angel 2018). All three co-founders are fully doxxed with verifiable prior professional histories across multiple independent sources including CoinDesk Series A coverage, LinkedIn profiles, and founder blog posts.
RD-F-112 green Team public accountability surface Dennis Dinkelmeyer: Goldman Sachs + Capital Group prior employment (named in press), Twitter @DDinkelmeyer, quoted in Series A. Fabrice Grinda: FJ Labs founder, Forbes #1 angel 2018, decade-long public blog, extensive investor portfolio. Romain Bourgois: LinkedIn with Criteo (9 yrs) + Ondo Finance, RootData profile. Each core member has 3+ independent verifiable public trails. Average accountability surface score well above threshold.
RD-F-113 green Team other-protocol involvement history Romain Bourgois: ex-Ondo Finance Head of Product (OUSG, USDY, Flux Finance — legitimate RWA protocol, currently active). Fabrice Grinda: FJ Labs marketplace angel portfolio (no rug-affiliated protocol identified). Dennis Dinkelmeyer: TradFi background (Goldman Sachs / Capital Group), no prior DeFi protocol involvement. No rug or exit-scam affiliations found for any named team member.
RD-F-114 green Deployer address prior on-chain history Deployer 0xa0819ae43115420beb161193b8d8ba64c9f9facc has 734 total transactions. Activity is protocol-deployment-focused from first tx ~October 2022 through last tx ~182 days before assessment (ownership transfer). Etherscan labels address 'Midas RWA: Old Deployer'. No prior rug-deployer labels from Etherscan public name tags or any public CTI source found. Deployer appears purpose-built for Midas RWA protocol operations with clean normal-dev-history classification.
RD-F-115 green Prior rug/exit-scam affiliation No team member linked to prior rug or exit-scam-labeled protocol. Romain Bourgois prior role at Ondo Finance (legitimate, ongoing protocol). Fabrice Grinda FJ Labs portfolio contains no known rug protocols in any public record. Dennis Dinkelmeyer: TradFi-only prior background (Goldman Sachs / Capital Group), no DeFi rug history. No adverse finding from rekt.news, OSINT, or press search.
RD-F-118 green Handle reuse across failed/rugged projects X/Twitter @MidasRWA and @DDinkelmeyer checked. No prior association with rugged or failed DeFi protocols under different aliases found. Midas branding is distinct from Midas Capital (defunct Fuse/Compound-fork — confirmed different entity per profile ANOMALY 1). No handle reuse detected across any named team member or official protocol handle.
RD-F-121 green Contributor OSINT depth score Dennis Dinkelmeyer: Goldman Sachs + Capital Group employment history, Twitter presence, named in major media — OSINT depth score 4. Fabrice Grinda: FJ Labs founder, Forbes #1 angel, decade-plus of public blog posts, extensive portfolio documentation — OSINT depth score 5. Romain Bourgois: LinkedIn with Criteo (9 yrs product leadership) + Ondo Finance (Head of Product), RootData profile — OSINT depth score 4. Average score ~4.3, above the green threshold of 4.
RD-F-124 green Deployer wallet mixer-funded within 30 days Full Etherscan transaction history examined for deployer 0xa0819ae43115420beb161193b8d8ba64c9f9facc (734 txs, first ~October 2022, last ~182 days before assessment). First protocol deploy December 1, 2023 (tx 0xcc3bc394e97390cdf4817cae06c82afb4e620dcb2cefcceaa3c14d46c3a0f987). No Tornado Cash withdrawal, Railgun interaction, or mixer-cluster label found in any transaction. 30-day window before 2023-12-01 shows clean deployment activity only. Funding source (0x77E75c2a92061c9c61282d04495766ca6f98784e) is a retail DeFi wallet funded via MoonPay (regulated fiat on-ramp) — not a mixer.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus Deployer 0xa0819ae43... funded by 0x77E75c2a... (MoonPay-sourced retail wallet; 36 txs; no DPRK/OFAC label). RedDuck Software (Ukraine-based blockchain consultancy, github.com/RedDuck-Software) confirmed as development firm — no DPRK attribution in any public CTI report or OFAC SDN list. Web searches for deployer address + DPRK/Lazarus/North Korea returned no hits. OFAC SDN list does not contain deployer address or funding wallet. Honest null: full paid Chainalysis/TRM 3-hop graph not available; finding is 'no evidence of DPRK proximity' via public sources, consistent with green per evidence available.
Fork / dependency lineage Gray 0 10 of 10
RD-F-126 n/a Is-a-fork-of Midas is an original codebase developed by RedDuck Software. Confirmed by Hacken Dec-2023 audit (covers bespoke role-based access-control + DepositVault/RedemptionVault architecture), Sherlock 2024-05 README (describes original deposit/redemption system for mTBILL), and profile §5. No upstream protocol identified. Not a fork.
RD-F-127 n/a Upstream patch not merged No upstream exists; Midas is an original issuer codebase. Upstream patch tracking is architecturally not applicable.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream exists; Midas is an original issuer codebase. Upstream vulnerability disclosure tracking is architecturally not applicable.
RD-F-129 n/a Code divergence from upstream (%) No upstream exists; code divergence from upstream is architecturally not applicable for an original issuer.
RD-F-130 n/a Fork depth (generations from original audit) Fork depth is architecturally not applicable; Midas is an original issuer (depth = 0 by definition; no fork chain exists).
RD-F-131 n/a Fork retains upstream audit coverage Fork audit coverage retention is architecturally not applicable; Midas has independent fresh audits (Hacken + Sherlock), not upstream audit inheritance. The factor's premise (fork relying on upstream audit) does not apply.
RD-F-132 n/a Fork has different economic parameters than upstream Fork economic parameter deviation is architecturally not applicable; Midas has no upstream whose parameters to deviate from. Original issuer.
RD-F-133 n/a Dependency manifest uses unpinned versions This factor measures fork-lineage dependency manifest pinning. As an original issuer with no upstream lineage to track, this factor is not applicable. Additionally the main repo is private (U6 safe_api_gap), preventing independent manifest inspection.
RD-F-134 n/a Dependency had malicious-release incident (last 90d) This factor measures fork-lineage dependency malicious-release incidents. As an original issuer with no upstream lineage, and with a private repo preventing dependency list inspection, this factor is not applicable per the original-issuer architecture.
RD-F-135 n/a Shared-library version with known-vuln status This factor measures shared-library vulnerability status in the fork-lineage context. As an original issuer, the fork-lineage framing is not applicable. OZ upgradeable contracts are used (confirmed from Etherscan ABI), but the specific OZ version string is not determinable from public sources (private repo). The Cat 12 (F170) compiler version assessment covers the solc-level risk.
Post-deploy hygiene & change mgmt Yellow 30 13 of 13
RD-F-139 red Post-audit code changes without re-audit Three post-audit upgrades with no confirmed covering re-audit: (1) Sep-4-2024: mTBILL impl upgraded 0xefED40D1 → 0xD4998Cc1, executed by direct EOA, 27 days after Sherlock 2024-08 contest (commit 4abcc5b, closed ~Aug-2024). (2) Apr-23-2025: unknown proxy 0x9b2c5e30 upgraded to impl 0xd0BdEf8 via direct EOA — no public audit covering this. (3) Dec-11-2025: Issuance Vault 0x99361435 upgraded to 0xC8AF8477 via Safe+Timelock — no confirmed public covering audit found. Private repo prevents diff quantification. Additionally, Hacken Dec-2023 finding F-2023-0292 (decimal handling, High severity, Accepted/not fixed) remains active in deployed contracts. Material post-audit drift without audit coverage confirmed. [★ CRITICAL]
RD-F-185 red Bridge rate-limiter / chain-pause as positive mitigant Bridge surface confirmed: LayerZero OFT + Axelar Vault per bug bounty scope 2026-03-24. No rate-limiter contract or chain-level pause mechanism found in Midas public documentation or Sherlock audit repos. Specific LayerZero OFT adapter addresses not found (pipeline false-negative: layerzero_oapp_address=null). No mitigant (neither rate-limiter nor chain-pause) confirmed. Low-confidence red (absence of evidence for mitigant, given bridge surface exists at $161M TVL across 28+ chains).
RD-F-142 yellow Storage-layout collision risk across upgrades Sherlock 2024-08 finding M-4: 'Corruptible Upgradability Pattern — Pausable, Greenlistable, Blacklistable, WithSanctionsList, CustomAggregatorV3CompatibleFeed lack __gap storage slots.' Status: Fixed (PR #64). Dec-2025 Issuance Vault (0xC8AF8477) was deployed after this fix, providing moderate assurance. However, the private repo prevents independent verification that all gap slots were added correctly across the full inheritance chain. Minor residual uncertainty.
RD-F-145 yellow Deployed bytecode reproducibility Private main repo and no published reproducible build instructions for post-audit implementations. Compiler is Solidity 0.8.9 (visible in Etherscan source metadata). Sherlock audit commits (0b1644f, 4abcc5b) provide reference bytecode for the audited versions, but post-audit deployed implementations (Sep-2024, Apr-2025, Dec-2025) come from private repo commits with no public build reproducibility declaration.
RD-F-136 gray Deployed bytecode matches signed release tag Main repo RedDuck-Software/midas-contracts is private — no public release tags accessible to verify signed-tag-to-bytecode correspondence. Sherlock audit repos cover commits 0b1644f (Sherlock 2024-05) and 4abcc5b (Sherlock 2024-08), but the Sep-2024 mTBILL upgrade (impl 0xD4998Cc1) and Dec-2025 vault upgrade (impl 0xC8AF8477) are post-audit deployments from private commits with no matching public release tag.
RD-F-140 gray Fix-merged-but-not-deployed gap Private main repo prevents verification of merged PRs vs deployed bytecode. Sherlock 2024-08 judging README confirms all 6 findings were Fixed (PRs #64–#69), but whether the Dec-2025 impl (0xC8AF8477) includes all fixes is unverifiable without repo access. Cannot determine fix-merged-but-not-deployed status.
RD-F-144 n/a CREATE2 factory permits same-address redeploy No CREATE2 factory deployment pattern identified. Contracts deployed via standard OpenZeppelin TransparentUpgradeableProxy pattern. No selfdestruct + CREATE2 redeploy path in codebase.
RD-F-168 n/a Stale-approval exposure on deprecated router No deprecated routers or vault contracts identified. Midas launched December 2023 with a single proxy-upgradeable contract set that has been upgraded in-place (no contract retirements). No prior routing contract that users would have approved exists.
RD-F-137 green Upgrade frequency (per 90 days) ProxyAdmin has 3 upgrade transactions over the entire protocol lifespan (Sep-2024 x2, Apr-2025 x1). Issuance Vault had 1 upgrade Dec-2025. Across any 90-day window, upgrade count is 0–2 (routine maintenance cadence). No high-churn upgrade pattern detected.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No upgrades in the 30-day window ending 2026-05-16. Last upgrade was Dec-11-2025 (155 days ago). No hot-patches detected in last 30 days.
RD-F-141 green Test-mode parameters in deploy Constructor args decoded on Etherscan for all core contracts show production USDC/mTBILL addresses and production MidasAccessControl address. No test oracle or admin=deployer config in production. Admin transferred from deployer on same day as deployment (F043 finding). Mainnet.json deployment manifest from Sherlock 2024-05 repo confirms production addresses match live contracts.
RD-F-143 green Reinitializable implementation (no _disableInitializers) MidasInitializable (abstract base inherited by all core contracts) calls _disableInitializers() in its constructor, confirmed by Hacken Dec-2023 audit ('MidasInitializable implements constructor() that calls _disableInitializers()') and Sherlock 2024-05 repo (abstract/MidasInitializable.sol). mTBILL implementation 0xD4998Cc1 inherits MidasInitializable (confirmed via Etherscan source file tree). Implementation contracts are protected from unauthorized re-initialization. [★ CRITICAL — green]
RD-F-146 green New contract deploys in last 30 days No new contract deploys from known Midas deployer addresses in the 30-day window ending 2026-05-16. Old Deployer 0xa0819ae4 last active 182 days ago. ProxyAdmin EOA 0x875c06A2 last active 345 days ago (May-2025 ownership transfer). Last upgrade was Dec-11-2025 (155 days ago).
Cross-chain & bridge Green 17 12 of 12
RD-F-148 yellow Bridge validator count (M) Two distinct bridge mechanisms: (1) LayerZero OFT: messages authenticated via DVN (Decentralized Verifier Network) attestation on the OFT adapter — DVNs attest to packet hashes; executor delivers. DVN count/composition unknown (OFT adapter address not identified). (2) Axelar ITS: messages authenticated via Axelar's proof-of-stake validator set (~75 validators) through the Axelar gateway's approveMessages() function. The mTBILL token (OZ ERC-20, no LZ inheritance) uses a separate OFT adapter for cross-chain locking/minting. No custom signature verification outside these frameworks confirmed.
RD-F-149 yellow Bridge validator threshold (k-of-M) LayerZero: DVN count and composition unknown — OFT adapter address not located on any chain. Axelar: approximately 75 active validators in proof-of-stake set (publicly verifiable on Axelar network). Axelar's validator set is materially larger and more distributed than typical multisig bridge setups. LayerZero DVN count is the primary unknown. Yellow given unknown LayerZero DVN size — if 1-of-1, would be red.
RD-F-157 yellow Bridge TVL per validator ratio Midas cross-chain TVL: $161M total. Non-Ethereum TVL estimated at approximately $56M (Base 11%, Plasma 11%, Monad 8%, Arbitrum 5%, others per DefiLlama chain distribution). Axelar validators: approximately 75 active. Axelar-bridged TVL ratio: approximately $750K per validator — within normal range for PoS bridge security. LayerZero ratio: cannot compute (DVN count unknown). Yellow due to LayerZero DVN count unknown — if 1-of-1 DVN, the effective ratio is $56M per single DVN, which is extremely high.
RD-F-150 n/a Bridge validator co-hosting Not assessable. LayerZero DVN addresses are unknown (OFT adapter address not identified). Axelar validator co-hosting analysis would require dedicated OSINT (ASN/datacenter mapping) beyond this assessment scope.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] Not assessed due to protocol opacity. LayerZero OFT adapter contract addresses for mTBILL/mBASIS are not publicly available. Cannot inspect the lzReceive() implementation or DVN verification logic for Midas's specific OFT deployment to check for ecrecover return-zero validation. Axelar ITS uses a fundamentally different authentication pattern (PoS validator signatures via approveMessages(), not raw ecrecover on arbitrary payloads) — the Wormhole-class ecrecover zero-address vulnerability is architecturally less directly applicable to Axelar's gateway, which uses PoS-based multisig validation. The LayerZero surface remains the primary gap. Evidence gap: protocol_opacity (OFT adapter address not disclosed).
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL] Not assessed for LayerZero OFT surface (OFT adapter address unknown; cannot inspect lzReceive implementation). For Axelar ITS: Axelar does not use a Merkle root acceptance pattern in the Nomad sense. Axelar's approveMessages() receives signed message batches from the validator set — there is no bytes32 root default-value vulnerability in this architecture. The F154 Nomad pattern (accepting bytes32(0) as valid root) is architecturally absent from Axelar ITS. For LayerZero V2: DVN attestation is also not root-based in the Nomad sense (DVNs attest to packet hashes, not Merkle roots). The Nomad-specific vulnerability class is less directly applicable to both LayerZero V2 and Axelar ITS architectures. Not_assessed conservatively for the full OFT adapter implementation — cannot confirm without source inspection.
RD-F-155 n/a Bridge validator-set rotation recency Axelar validator set rotates dynamically via staking (not assessed in detail). LayerZero: DVN 'rotation' equates to DVN address changes in OApp pathway config (admin action). Midas-specific configuration and rotation recency unknown — OFT adapter address not identified.
RD-F-156 n/a Bridge uses same key custody for >30% validators Axelar validators use independent key setups with no identified shared custodian concentration. LayerZero DVN key custody unknown (DVN addresses not identified for Midas's OFT adapter). Assessment not complete for either mechanism without full DVN enumeration.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) LayerZero OFT DVN configuration cannot be assessed — OFT adapter contract addresses for mTBILL/mBASIS are not publicly available (pipeline: layerzero_oapp_address: null; docs.midas.app: 403; Etherscan: no labeled Midas OFT adapter found). Without the OFT adapter address, the DVN configuration (required DVN count, optional DVN threshold, operator diversity) cannot be read from the LayerZero endpoint. This is the primary Cat 10 evidence gap. Context: post-Kelp DAO ($292M, April 2026), 1-of-1 DVN configurations are the key scrutiny point (Blockaid DVN audit gist confirms requiredDVNCount + optionalDVNThreshold <= 1 = catastrophic exposure). Midas's DVN config is material given approximately $56M estimated cross-chain TVL. If 1-of-1 DVN, this factor would be red.
RD-F-147 green Protocol has bridge surface Confirmed. mTokens are delivered cross-chain via LayerZero OFT adapters and Axelar ITS vault. Bug-bounty scope (2026-03-24) explicitly lists 'Layer Zero OFT' and 'Axelar vault' as in-scope contracts. Axelar blog confirms mXRP (Midas product) delivered via Axelar ITS with ITS contract addresses (ITS: 0xB5FB4BE02232B1bBA4dC8f81dc24C26980dE9e3C). DefiLlama shows mTokens on 28+ chains. Protocol is bridge-touching, not a bridge itself.
RD-F-152 green Bridge binds message to srcChainId LayerZero V2 OFT: the protocol enforces per-pathway configuration using Endpoint IDs (EID) — each pathway is {srcEid, dstEid}; packets are structurally bound to source chain EID. This is a structural property of LayerZero V2, not adapter-specific config. Axelar ITS: Axelar messages include source chain ID in the Axelar message struct by design. Both mechanisms bind messages to source chain. Midas-specific configuration cannot be verified without OFT adapter address, but the underlying frameworks enforce srcChainId binding.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero V2: the LayerZero endpoint tracks nonce/packet ordering — packets are ordered per pathway and cannot be re-submitted (nonce-consumed tracking at endpoint level). This is a structural property of the LayerZero V2 protocol. Axelar gateway: command IDs on the Axelar gateway are tracked via an executed mapping and cannot be re-executed (replay protection at gateway contract level). Both mechanisms provide replay protection at the infrastructure layer.
Threat intelligence & recon Yellow 33 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol Known-threat-actor cluster has touched protocol. T-09 phase-2 / Tier C. No CTI feed configured; no direct attribution of Lazarus/DPRK wallets interacting with Midas contracts. Rationale for yellow: the KelpDAO rsETH exploit (2026-04-18) was attributed to North Korea's Lazarus Group (Chainalysis) and exploited LayerZero infrastructure — the same cross-chain bridge class that Midas actively uses for mToken transfers. Midas paused its LayerZero OFT service on 2026-04-19 in direct response, confirming shared infrastructure dependency. Per assessment instruction: DPRK venue-use (same infrastructure class) routes to F158 yellow, not team contamination. The signal would have been advisory-yellow during 2026-04-18/19 for sector-level Lazarus activity on shared infrastructure. As of 2026-05-16 (27 days post-incident), no active Lazarus wallet interaction with Midas contracts is confirmed. Assessment: yellow for sector-level DPRK proximity through shared LayerZero infrastructure; no direct Midas
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Average attacker reconnaissance time for peer-class protocols. T-01 hack database has thin sample data for the RWA-issuer attack class specifically (tokenized treasury issuers have not been the primary DeFi exploit target historically; fewer than 3 confirmed in-sample exploits in this specific class). Qualitative analogues: DPRK/Lazarus social-engineering attacks against institutional DeFi — Drift Protocol Apr 2026: 6-month persona build before $285M exploit; KelpDAO Apr 2026: infrastructure reconnaissance preceded attack. Taxonomy threshold: green ≥30 days average, yellow 7–29 days, red <7 days average for the class. RWA-issuer class reconnaissance is qualitatively expected to be ≥30 days (DPRK social-engineering pattern), but formal measurement is not possible with current DB sample. Yellow assigned for thin sample rather than confident green assignment.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Attacker wallet pre-strike probe signal. No CTI feed or mempool monitor configured. No public evidence of pre-strike probing of Midas contracts. KYC greenlist requirement (MidasAccessControl) structurally limits ability of unknown attacker wallets to interact with DepositVault/RedemptionVault without prior whitelisting. Production pipeline not implemented; CTI feed and mempool monitoring infrastructure not deployed for this protocol.
RD-F-160 gray GitHub malicious-dependency incident touching protocol deps GitHub malicious-dependency incident. Protocol uses OpenZeppelin contracts and foundry/npm dependencies. Main repo RedDuck-Software/midas-contracts is private (github_private: true) — dependency manifest not accessible via public API. No GitHub Security Advisory (GHSA) feed configured against Midas dependencies. Sherlock audit repos (2024-05, 2024-08) reference OpenZeppelin upgradeable contracts (Solidity v0.8.x) — no known active GHSA advisory against these versions as of 2026-05-16. Production pipeline not implemented; dependency manifest not accessible from private repo.
RD-F-161 gray Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain registered (typosquat). Applicable: Midas is a $50M Series-A RWA brand with midas.app as primary domain; high-value target for typosquatters. WHOIS lookup for midas.app returned no data (registry does not expose WHOIS for .app TLD). Web search for likely typosquat domains (midasrwa.com, midas-rwa.com, midasapp.io) returned no specific evidence of active phishing campaigns targeting Midas RWA as of 2026-05-16. Search is inconclusive — absence of evidence is not confirmation of absence. 90-day assessment window: 2026-02-16 to 2026-05-16. Domain monitoring feed (CertStream/PhishFort) not configured for this protocol. Production pipeline not implemented; external monitoring is a prerequisite per T-09 §3.2 gating work for RD-F-105 (DNS drift), which covers this domain surface.
RD-F-162 gray Known-exploit-template selector deployed by any address Known-exploit-template selector deployed by any address. EVM protocol; DepositVault/RedemptionVault architecture applicable surface. No selector-pattern index maintained for RWA-issuer class. No public reports of exploit-template deployments targeting Midas-architecture contracts. Production pipeline not implemented; on-chain deploy sweep and selector-set comparison infrastructure not deployed.
RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site. No paste monitoring (Have I Been Pwned / PasteHunter) or GitHub secret scanner configured against Midas infrastructure. Main repo private — cannot scan for leaked credentials in codebase. No public reports of Midas credential leaks. Production pipeline not implemented; paste monitoring feed is not configured for this protocol.
RD-F-165 gray Protocol social channel has scam-coordinator flag Protocol social channel has scam-coordinator flag. Applicable: Midas operates Telegram @midasrwa and Discord channels. No curator social watchlist check performed. No public reports of scam-coordinator activity in Midas channels as of 2026-05-16. Production pipeline not implemented; curator scam-coordinator watchlist not configured for this protocol.
Tooling / compiler / AI Green 11 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) All deployed Midas contracts (mTBILL impl, mBASIS impl, mBTC impl, Issuance Vault impl) use Solidity v0.8.9+commit.e5eed63a, confirmed via Etherscan verified-source metadata for each contract. Solidity v0.8.9 appears on the known-bug list for AbiReencodingHeadOverflowWithStaticArrayCleanup (medium severity, SOL-2022-6), which corrupts 32 leading bytes of the first dynamic component when ABI-encoding a tuple with a static calldata array as the last component. Fixed in v0.8.16. The contracts have not been upgraded to a patched compiler version. The bug's applicability to Midas's specific function signatures requires local analysis not possible from public sources; however the version is confirmed on the known-bug list with medium severity. Yellow (not red) — medium severity bug, not high/critical.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Midas is an original codebase with no audited upstream to compare bytecode against. The AI-generated copy risk pattern (high bytecode similarity + behavioral deviation from audited upstream) requires an upstream reference that does not exist for an original issuer.
RD-F-172 gray Repo shows AI-tool co-authorship in critical files Main repo is private (RedDuck-Software/midas-contracts, github_private:true per data cache). GitHub commit co-authorship metadata for security-critical files is inaccessible. No public disclosure of AI-tool co-authorship found in Sherlock audit READMEs or Hacken audit documentation. Data unavailable — cannot assess.
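The RD-F-170 check, reproduced as an added example (not defirisk.co pipeline code): parse the Etherscan compiler string, match it against known-bug version ranges, and map the worst affected severity to the rubric colour (high/critical red, medium yellow, none green). The bug list is a constructed subset in the shape of the Solidity bugs.json entries; only the 0.8.16 fix version and medium severity of the first entry come from the page, and the second entry is hypothetical.

```python
"""Flag a verified contract's solc version against a known-bug list.

Added example for the RD-F-170 assessment above; not defirisk.co tooling.
KNOWN_BUGS is a constructed subset shaped like solidity/docs/bugs.json
(name, severity, introduced, fixed); the real list also carries
condition fields that this simplified check ignores.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Etherscan reports e.g. "v0.8.9+commit.e5eed63a"; keep only the semver triple.
_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> tuple[int, int, int]:
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised solc version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class KnownBug:
    name: str
    severity: str                     # "low" | "medium" | "high" | "critical"
    fixed: str                        # first version that is NOT affected
    introduced: Optional[str] = None  # None = affected since the first release

    def affects(self, version: tuple[int, int, int]) -> bool:
        if self.introduced and version < parse_version(self.introduced):
            return False
        return version < parse_version(self.fixed)


# Constructed subset. First entry mirrors the page (SOL-2022-6, fixed 0.8.16,
# medium); the "introduced" version is omitted because the page does not give it.
# Second entry is hypothetical, present only to exercise the red path.
KNOWN_BUGS = [
    KnownBug("AbiReencodingHeadOverflowWithStaticArrayCleanup", "medium", "0.8.16"),
    KnownBug("HypotheticalHighSeverityBug", "high", "0.8.5", introduced="0.8.0"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def affected_bugs(version_str: str, bugs=KNOWN_BUGS) -> list[KnownBug]:
    v = parse_version(version_str)
    return [b for b in bugs if b.affects(v)]


def rubric_colour(version_str: str, bugs=KNOWN_BUGS) -> str:
    """Rubric rule from the page: high/critical -> red, medium -> yellow, none -> green."""
    hits = affected_bugs(version_str, bugs)
    if not hits:
        return "green"
    worst = max(SEVERITY_RANK[b.severity] for b in hits)
    return "red" if worst >= SEVERITY_RANK["high"] else "yellow"


def assess(contracts: dict[str, str]) -> dict[str, dict]:
    """contracts: label -> Etherscan compiler version string, one entry per impl."""
    return {
        label: {
            "version": ver,
            "colour": rubric_colour(ver),
            "bugs": [b.name for b in affected_bugs(ver)],
        }
        for label, ver in contracts.items()
    }


if __name__ == "__main__":
    # Constructed sample: the page's real compiler string plus a hypothetical patched one.
    sample = {"mTBILL impl": "v0.8.9+commit.e5eed63a",
              "patched impl (hypothetical)": "v0.8.16+commit.constructed"}
    for label, result in assess(sample).items():
        print(f"{label}: {result['version']} -> {result['colour']} {result['bugs']}")
```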
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Midas team of AI-generated Solidity in any blog post, LinkedIn, Twitter/X, or documentation found. The team is a professional EU RWA startup (CEO Dennis Dinkelmeyer formerly Goldman Sachs/Capital Group). No AI-generated Solidity disclosure identified from any source.
RD-F-174 green Dependency tree uses EOL Solidity version All contracts use Solidity v0.8.9+commit.e5eed63a. Solidity 0.8.x series is not officially EOL (End of Life) — the 0.8.x series is the current major version line. v0.8.9 is old and has known medium bugs (see F170), but it is not on the EOL/unsupported list by strict definition. Green by strict EOL criteria — the compiler is not unsupported, only older with known bugs.
Response & disclosure hygiene Yellow 25 4 of 4
RD-F-176 red Disclosure SLA public No public acknowledgment-time SLA found for Midas RWA. The LinkedIn bug bounty announcement states 'responsible disclosure is always incentivised' but does not publish a specific SLA (e.g., '72h ack'). The Sherlock and Cantina program pages do not specify a Midas RWA-specific response-time commitment. Note: the HackerOne/midas page (hackerone.com/midas) belongs to MIDAS Room Booking Software (security.midas.network) — an entirely separate product with a 24h response SLA — and must not be attributed to Midas RWA. Docs.midas.app returned 403 for automated fetch; no SLA found via alternative search paths.
RD-F-175 green Disclosure channel exists Active dual-platform bug bounty launched 2026-03-24: Sherlock (audits.sherlock.xyz/bug-bounties/122, status LIVE as of 2026-05-12, max $500,000 USDC) and Cantina (cantina.xyz/code/d77405e5-99ce-4ba5-846c-885820b030e1/overview). Scope covers full Midas contract suite including mToken contracts, access control, deposit/redemption vaults, DataFeeds, LayerZero OFT adapters, Axelar vault, and web interface. The program is actively maintained (~7.5 weeks live at assessment date). This constitutes an active, publicly-documented disclosure channel with active monitoring by two security platforms.
RD-F-177 green Prior known-ignored disclosure No prior exploits for Midas RWA. No evidence of any disclosed vulnerability that was reported to the Midas RWA team and not actioned before an exploit. The zero-incident record means there is no post-mortem in which an ignored disclosure could appear.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found for Midas RWA or the RedDuck-Software/midas-contracts codebase. The Sherlock 2024-08 audit disclosed 6 medium and 0 high/critical findings — these were remediated and disclosed via the Sherlock contest mechanism (not CVE/GHSA). No NVD or GHSA entry for 'midas-rwa' found. Per methodology: green = no advisory or all advisories patched.
rubric_version v1.7.0 graded_at 2026-05-16 09:34:57 factors 184 protocol midas