QuickSwap
Dual-version AMM DEX on Polygon: V2 is an exact Uniswap v2 fork; V3 is a concentrated-liquidity AMM powered by the licensed Algebra protocol. Multi-chain via independent per-chain deployments.
Deployments: Polygon · $430.8M
Risk profile at a glance
2 red · 3 yellow · 7 green
Categories & evidence
184 factors · 13 categories
Code & audits [Yellow] · 26 · 25 of 25
RD-F-002 [red] Audit recency: V2 core: ABDK FV completed Apr 2020, ~6 years before assessment — exceeds the 730-day red threshold, but the contracts are immutable. V3 Algebra core: Code4rena Sep 2022 contest (last comprehensive audit), ~43 months prior to assessment — exceeds the 730-day red threshold. No re-audit of V3 Algebra core found since Sep 2022. Both exceed the 730-day red threshold.
RD-F-007 [red] Bug bounty presence & max payout: No active Immunefi program for QuickSwap (cache immunefi_slug: null; Immunefi search returned no QuickSwap listing). QuickSwap ran: (a) a $50K UI alpha bounty (2022, Google Forms); (b) a $100K V3 beta bounty (Sep 2022, Google Forms, team discretion, paid in QUICK, time-limited 'until V3 mainnet launch'). Neither program is active at the assessment date (May 2026). At $451M TVL, the absence of a formal, active bug bounty program with a max payout >=50K and defined scope is a red finding.
RD-F-183 [red] Bug bounty scope gap on highest-TVL contracts: No active Immunefi program (cache immunefi_slug: null; Immunefi search returned no QuickSwap listing). The V3 $100K bounty (Sep 2022, Google Forms) was time-limited ('until V3 mainnet launch') with team-discretion payout, and has now expired. At $451M TVL in May 2026, the highest-TVL contracts (Algebra V1 pool instances on Polygon holding ~95% of TVL) have no currently active formal bug bounty program with defined scope. DeFiSafety references an informal '$50K static bug bounty' but no live program was confirmed. This is a material F183 scope gap — the highest-TVL contracts are not covered by any active formal bounty program.
RD-F-001 [yellow] Audit scope mismatch: Code4rena Sep 2022 contest covered Algebra V1 core (13 contracts, 1833 LoC) but EXPLICITLY excluded periphery (SwapRouter, NonfungiblePositionManager). Both periphery contracts are deployed as PROXY contracts on Polygon (SwapRouter: 0xf5b509bB0909a69B1c207E495f687a596C168E12; NonfungiblePositionManager: 0x8eF88E4c7CfbbaC1C163f7eddd4B578792201de6; both solc 0.7.6, verified). No publicly accessible audit PDF covers the QuickSwap V3 periphery proxy implementations. V2 core (0x5757371414417b8C6CAad45bAeF941aBc7d3Ab32, solc 0.5.16) retains full ABDK Uniswap V2 formal-verification coverage (Jan-Apr 2020, commit 8160750) since it is line-for-line identical to upstream. Overall: V2 core audit scope matched; V3 core audit scope matched for core only; V3 periphery proxies have no accessible audit = partial scope mismatch.
RD-F-003 [yellow] Resolved-without-proof findings: C4 Sep 2022: 1 HIGH (H-01 cooldown manipulation, confirmed by sponsor) and 12 MEDIUM findings. Resolution status: the C4 public report marks findings as confirmed/acknowledged but does not provide on-chain bytecode verification for each fix. H-01 was confirmed — the post-launch deployment of AlgebraFactory (0x411b0fAcC3489691f28ad58c47006AF5E3Ab3A28) is the live version; there is no independent on-chain proof that H-01 was patched before the Oct 7, 2022 launch vs. after. M-10 (initialize front-running) was disputed by the sponsor. The Algebra Hacken PDF is not publicly accessible for individual finding verification. V2: ABDK FV found issues resolved at commit 8160750; QuickSwap V2 core is at that exact zero-divergence state — no unresolved V2 findings. Scored yellow for V3 due to the unverifiable H-01 resolution timeline.
RD-F-005 [yellow] Audit firm tier: No Tier-1 audit firm (Trail of Bits, OpenZeppelin, ConsenSys Diligence, Certora, Sigma Prime, Spearbit, Zellic) identified for QuickSwap's deployed code. Firms identified: ABDK Consulting (Tier-2 — established formal verification firm, MakerDAO DAI FV background), Hacken (Tier-2 — established web3 security firm), Hexens (Tier-2 — established), Code4rena (community contest platform, not a traditional firm). ContractSecurity.io: boutique/unknown. Highest tier achieved: Tier-2. ABDK has strong formal-verification credentials but is not in the Tier-1 list as defined.
RD-F-006 [yellow] Audit-to-deploy gap: V3 Algebra core: C4 contest ended Oct 1, 2022; QuickSwap V3 launched Oct 7, 2022 — gap of ~6 days (green). ABDK+Hexens pre-launch audits: blog published Aug 16, 2022, V3 launched Oct 7, 2022 — gap ~51 days (green). V2 core: ABDK FV completed Apr 2020; V2 Factory deployed Oct 2020 — gap ~6 months (>60d, red threshold). Mixed picture: the V3 gap is clean, the V2 gap exceeds the threshold. Scored yellow overall as V2's gap is historical and the code is now immutable.
RD-F-009 [yellow] Formal verification coverage: V2 core: ABDK Consulting produced formal specifications and proofs using the act specification language and the K framework for UniswapV2Pair and UniswapV2Factory — this constitutes formal verification of critical invariants (constant-product invariant, flash-swap accounting). QuickSwap V2 inherits this coverage by zero-divergence. V3/Algebra: no Certora/Kani/Halmos formal verification found. The Hacken, Hexens, and ABDK audits are traditional security audits, not formal verification. Yellow: V2 has FV coverage; V3 Algebra (the majority of current TVL usage) does not.
RD-F-010 [yellow] Static-analyzer high-severity count: No published Slither/Mythril/Semgrep run on QuickSwap deployed bytecode was accessible at assessment time. The C4 Sep 2022 contest (118 warden submissions) identified 1 HIGH + 12 MEDIUM in Algebra V1 core — the HIGH (H-01 cooldown manipulation) is a confirmed high-severity finding that serves as proxy evidence for at least 1 high-severity finding prior to fix. V2 contracts (immutable, Uniswap V2 pattern) have a well-studied static analysis profile — no open high-severity Slither findings documented in public analysis. Scored yellow due to: the H-01 high-severity finding from C4, inability to independently run tools, and V3 periphery entirely unassessed by any published analysis.
RD-F-016 [yellow] Divide-before-multiply pattern: C4 identified M-05 (exp() function inaccuracy when x/g is not small) and M-11 (biased volatility estimator) in Algebra V1 DataStorage/AdaptiveFee contracts — these represent mathematical precision issues related to division order in adaptive fee calculations. Not a classical Slither divide-before-multiply detector pattern, but related arithmetic-correctness concerns in price/fee computation paths. V2 (immutable Uniswap V2): ABDK FV covered arithmetic correctness. Scored yellow for V3 due to confirmed mathematical precision issues in fee-calculation paths.
RD-F-024 [yellow] Code complexity vs audit coverage: V3 Algebra core: 1,833 LoC in 13 contracts, C4 contest Sep 26-Oct 1 (5 days). With 118 warden submissions, coverage is reasonable for a competitive audit. V2 core: ABDK 4-month review with FV — thorough coverage. Gap: V3 periphery (SwapRouter, NonfungiblePositionManager proxy implementations) at $451M TVL has no publicly accessible audit coverage. The proxy implementation complexity (multi-chain router, ERC-721 NFT management) at this TVL level makes the periphery audit gap a legitimate complexity concern.
RD-F-021 [gray] UUPS _authorizeUpgrade correctly permissioned: V2 core and V3 Algebra core (factory, pools): immutable/directly-deployed contracts, no UUPS proxy pattern. V3 periphery (SwapRouter, NonfungiblePositionManager): deployed as proxy contracts on Polygon. The upgrade authorization for these periphery proxies has not been assessed in any publicly accessible audit. Cannot determine the _authorizeUpgrade restriction from remote inspection without accessing the proxy's implementation source and admin slot.
RD-F-022 [n/a] Public initialize() without initializer modifier: AlgebraPool.initialize() is exposed as `external override` without the OZ `initializer` modifier, but AlgebraPool instances are NOT proxy implementations — each pool is deployed DIRECTLY by AlgebraFactory (one contract per pair, no upgradeable proxy). The C4 issue #84 flagging initialize() front-running was DISPUTED by the sponsor, consistent with the direct-deploy design where each pool is initialized once by its creator. The `require(globalState.price == 0, 'AI')` state guard functions as a one-time lock. V2 core: no initialize() pattern. The RD-F-022 exploit scenario (proxy implementation takeover via unprotected initialize) does not apply to QuickSwap's architecture.
RD-F-023 [gray] Constructor calls _disableInitializers(): V2 core: no proxy, no initialize pattern. V3 Algebra core: direct per-pool deployment — _disableInitializers() is an OZ pattern for proxy implementations, N/A for directly-deployed pool contracts. V3 periphery (SwapRouter, NonfungiblePositionManager proxies): these are proxy contracts, but their implementation constructor and _disableInitializers() call status are not documented in any publicly accessible audit.
RD-F-004 [green] Audit count: At least 4 distinct audit firms/platforms cover deployed QuickSwap code: (1) ABDK Consulting — V2 core FV (2020); (2) Code4rena community contest — V3 Algebra core (Sep 2022); (3) Hacken — Algebra Finance audit (confirmed 1 engagement on Hacken index); (4) Hexens — Algebra pre-launch audit (6 bugs found, per Aug 2022 blog). Additionally: ABDK covered Algebra pre-launch alongside Hexens; ContractSecurity.io covered V2 periphery+QUICK token (2021, URL inaccessible but independently cited); Omniscia covered TokenSwap.sol (utility contract). Distinct firms with confirmed coverage: ABDK, Hacken, Hexens, C4 wardens, ContractSecurity.io = 5+.
RD-F-008 [green] Ignored bounty disclosure: No post-mortem evidence documenting a disclosed vulnerability reported to the team that was ignored before a DEX-level exploit. The October 2022 incident affected the Market.xyz lending surface (not the QuickSwap DEX); the root cause was a Curve LP oracle vulnerability in the lending product, not a withheld disclosure. Hack database: 0 QuickSwap DEX entries. Rekt leaderboard: 0 entries.
RD-F-011 [green] SELFDESTRUCT reachable from non-admin path: SELFDESTRUCT not present in Uniswap V2 core (UniswapV2Factory, UniswapV2Pair) — standard constant-product AMM design, no self-destruct. Algebra V1 core (13 C4 audit scope contracts): no SELFDESTRUCT finding identified in the C4 contest or the Hacken/ABDK/Hexens audit references. V3 periphery: no SELFDESTRUCT finding disclosed. V2 source is verified on Polygonscan with exact match.
RD-F-012 [green] delegatecall with user-controlled target: V2 UniswapV2Factory/Pair (solc 0.5.16): standard constant-product AMM, no delegatecall usage in core contracts. Algebra V1 core: no user-controlled delegatecall finding in the C4 contest (118 wardens, no such finding reported). The direct-deploy per-pool architecture (no proxy) means delegatecall is not the pool deployment pattern.
RD-F-013 [green] Arbitrary call with user-controlled target: Standard AMM external calls: V2 makes safeTransfer calls to token contracts (fixed at pair creation, not user-supplied targets). V3 Algebra core: C4 M-04 flags that safeTransfer lacks an ERC20 contract-existence check (call to the token address, not a user-supplied arbitrary target). No fully user-controlled call(target, data) pattern identified in core contracts across any audit findings.
RD-F-014 [green] Reentrancy guard on external-calling functions: V2: UniswapV2Pair uses a custom `lock` modifier (reentrancy guard via the `_unlocked` state variable) on swap/mint/burn. V3 Algebra: AlgebraPool uses the `globalState.unlocked` flag as reentrancy protection set during pool operations. C4 found no reentrancy HIGH — M-03 (swapping impaired with activeIncentive) is about incentive callback ordering, classified medium, not a reentrancy exploit.
RD-F-015 [green] ERC-777/1155/721 hook without reentrancy guard: QuickSwap V2/V3 core handles ERC-20 tokens only in the swap path. NonfungiblePositionManager (ERC-721 for LP positions) is periphery, out of C4 audit scope. C4 M-07 covers rebasing/deflationary ERC-20 incompatibility (not ERC-777/1155 callback hooks). No unguarded callback integration identified in core contracts.
RD-F-017 [green] Mixed-decimals math without explicit scaling: V2 (constant-product): handles tokens in their native decimal units via reserve-based pricing. V3 (Algebra CL): sqrtPriceX96 tick-based pricing is decimal-agnostic by design. C4 M-07 (rebasing token) and M-09 (extra input tokens) are about token-amount accounting for non-standard ERC-20s, not decimal-scaling mismatches in core math. No confirmed mixed-decimals arithmetic vulnerability.
RD-F-018 [green] Signed/unsigned arithmetic confusion: V2: ABDK FV covered arithmetic correctness including signed/unsigned handling. V3 Algebra: TickMath uses int24 (ticks) and uint160 (sqrtPrice) — standard Uniswap V3-like math patterns. No signed/unsigned confusion finding in the C4 contest or Algebra audit references.
RD-F-019 [green] ecrecover zero-address return unchecked: V2 core (UniswapV2Factory/Pair): no ecrecover usage in core contracts (no permit/signature paths). V3 Algebra core (13 C4 scope contracts): no ecrecover usage identified in core pool contracts. Periphery NonfungiblePositionManager may use EIP-712/permit but is out of C4 scope. No ecrecover-related finding in any accessible audit.
RD-F-020 [green] EIP-712 domain separator missing chainId: V2 UniswapV2Factory/Pair core: no EIP-712 domain separator in core contracts. V3 Algebra core: no EIP-712 domain separator finding in the C4 contest. V3 periphery (NonfungiblePositionManager): deployed on Polygon (chainId 137), likely includes chainId in any EIP-712 domain, but not audited in C4 scope. No confirmed missing-chainId finding.
Governance & admin [Red] · 53 · 24 of 24
RD-F-028 [red] Low-threshold multisig vs TVL: On-chain required=2 (2-of-4 threshold) against $451M TVL. Peer norm at >$100M TVL is 5/8 or 4/7 minimum. 2 compromised or colluding signers suffice to execute arbitrary transactions with zero delay. Documentation claims 3-of-4, which conflicts with the on-chain value — on-chain state is authoritative.
RD-F-032 [red] Timelock duration on upgrades: No timelock contract exists anywhere in QuickSwap's architecture. Cache timelock_address=null confirmed as a true negative. The admin multisig executes with zero delay. No TimelockController, no Compound Timelock, no custom timelock found on Polygon or any other chain.
RD-F-033 [red] Timelock on sensitive actions: No timelock on any sensitive admin action. V3 AlgebraFactory functions setFarmingAddress(), setVaultAddress(), setBaseFeeConfiguration(), setOwner() — all onlyOwner with zero delay. V2 Factory setFeeTo(), setFeeToSetter() — callable by the feeToSetter EOA with zero delay. The treasury multisig executes with 2 sigs, no delay.
RD-F-034 [red] Guardian/pause-keeper distinct from upgrader: No guardian or pause-keeper role separate from the main admin/owner exists. V2 (Uniswap v2 fork) has no pause function by design. The V3/Algebra Factory has no pause mechanism in source. All admin powers are held by the single multisig or deployer EOA without role separation.
RD-F-035 [red] Role separation: upgrade ≠ fee ≠ oracle: No role separation across upgrade, fee, oracle, or operational functions. The V3 AlgebraFactory single owner controls setOwner, setFarmingAddress, setVaultAddress, setBaseFeeConfiguration. The V2 Factory feeToSetter (deployer EOA) controls all fee functions. QuickSwap DEX has no oracle (no F035 oracle-role dimension), but fee, vault, and farming powers are all collapsed into a single role.
RD-F-036 [red] Flash-loanable voting weight: Snapshot quickvote.eth uses the erc20-balance-of strategy on transferable QUICK tokens with quorum=0. No checkpoint, no vote-escrow, no lock mechanism. QUICK is a freely transferable ERC-20 (Polygon bridge child token). Voting power = current balance = flash-loanable by construction. dQUICK (staked QUICK) is NOT used as the voting token per profile. With quorum=0, any vote can pass with a single QUICK token if the attacker acquires sufficient QUICK momentarily.
RD-F-037 [red] Quorum achievable via single-entity flash loan: Quorum = 0 (confirmed via Snapshot API). Any vote can pass with zero minimum participation threshold. A flash loan of QUICK tokens available on Polygon DEXes (QuickSwap pools themselves hold QUICK liquidity) would dominate any proposal without a quorum barrier.
RD-F-038 [red] Proposal execution delay < 24h: No on-chain execution delay. Governance is Snapshot-only (advisory, no on-chain enforcement). The multisig executes with 2 signatures and zero timelock delay. Effective proposal-to-execution delay = 0.
RD-F-040 [red] Emergency-veto multisig present: No emergency-veto multisig or guardian exists. The single 2-of-4 treasury multisig holds all protocol powers. No secondary emergency address, no circuit-breaker, no emergency-pause capability identified across any QuickSwap contract.
RD-F-041 [red] Rescue/emergencyWithdraw without timelock: No timelock exists anywhere. The treasury multisig (2-of-4, no delay) can execute arbitrary token transfers, including draining the 100M QUICK ($976K) and $6,845 USDC held in the multisig itself. The V3 Factory owner can redirect vault/farming addresses (fee flows) with zero delay. The V2 Factory feeToSetter (deployer EOA) can redirect protocol fees with zero delay. Full drain achievable in one transaction by 2 colluding signers.
RD-F-025 [yellow] Admin key custody type: Admin is a MultiSigWalletWithDailyLimit (Gnosis Multisig v1, Solidity 0.4.19) at 0xdB74C5D4F154BBD0B8e0a28195C68ab2721327e5. Classification: multisig without timelock. V2 Factory feeToSetter is still the deployer EOA 0x476307... (secondary admin surface). Not a modern Gnosis Safe proxy.
RD-F-026 [yellow] Upgrade multisig signer configuration (M/N): On-chain required=2, total owners=4 (2/4 threshold). Signers publicly named as Nick Mudge, Sameep Singhania, Roc Zacharias (LDA), Sandeep Nailwal (Polygon). Documentation claims 3-of-4 but on-chain state reads required=2. On-chain state is authoritative.
RD-F-029 [yellow] Multisig signers co-hosted: Four public signers: Nick Mudge (protocol founder/deployer), Sameep Singhania (co-founder, stepped down to advisor 2024), Roc Zacharias (LDA marketing partner), Sandeep Nailwal (Polygon co-founder). Two are core team insiders; cross-team concentration risk. No confirmed shared ASN/custodian.
RD-F-030 [yellow] Hot-wallet signer flag: Signer 0xFa05752... (Roc Zacharias) last on-chain activity June 2021 (1,800+ days ago — 4 transactions total). Signer 0x47d4f182... (Nick Mudge) last active December 2022. Two of four signers show prolonged inactivity consistent with cold-storage or abandoned wallets. The two other signers (0xdb6519... and 0x02491D...) show recent 2024-2025 activity.
RD-F-031 [yellow] Signer rotation recency: No evidence of signer rotation since multisig creation approximately 5 years ago. Signer 0xFa05752... has not interacted with the multisig since June 2021 — effectively a dormant key. Sameep Singhania transitioned to advisor in 2024 but no signer replacement is publicly documented. The threshold may also have been reduced from the originally documented 3-of-4 to 2-of-4 at some point via changeRequirement(), though no specific event is traceable.
RD-F-042 [yellow] Admin has mint() with unlimited max: New QUICK (0xB5C064...) is a Polygon bridge child token. Supply changes occur via the Polygon bridge gateway deposit() mechanism, not via a direct admin-callable mint(). QuickSwap docs document a 1B token cap. No direct unlimited admin mint() found on the QUICK token. Yellow because the V2 feeToSetter (deployer EOA) can redirect all LP fees to any address (indirect value extraction by admin without limit). No unlimited direct mint confirmed.
RD-F-043 [yellow] Admin = deployer EOA after 7 days: Deployer EOA 0x476307... executed two transferOwnership transactions on June 17, 2025. However, V2 Factory feeToSetter still reads as the deployer EOA at profile date — this role was NOT transferred to the multisig. Partial transfer completed for some contracts but not all, leaving the deployer EOA with retained unilateral V2 admin power.
RD-F-047 [yellow] Governance token concentration (Gini): QUICK token has 53,306 holders per Polygonscan. No Gini coefficient computed. The treasury multisig holds 100M QUICK, representing significant insider concentration. Low quorum (=0) on Snapshot means small holder coalitions determine governance outcomes. Token concentration is likely high given team/treasury holdings.
RD-F-027 [green] Single admin EOA: Treasury admin is a 4-owner multisig (0xdB74C5D4...), not a single EOA. V2 Factory feeToSetter is a single deployer EOA but that role controls protocol fees rather than direct treasury access, scored in F041/F043.
RD-F-039 [green] delegatecall/call in proposal execution without allowlist: Not applicable by architecture. No on-chain Governor or executor contract exists. Snapshot proposals are advisory only; the multisig manually executes approved actions. No delegatecall or call in a proposal execution path exists in QuickSwap's governance architecture.
RD-F-044 [green] Admin wallet interacts with flagged addresses: No evidence found of admin multisig or deployer EOA interactions with mixer-funded or OFAC-labeled addresses in visible Polygonscan transaction history. Limited confidence due to incomplete on-chain investigation scope.
RD-F-045 [green] Constructor args match governance proposal: V3 deployment was proposed via Snapshot governance vote (99.98% in favor per Medium post, June 2022). V2 is a zero-change Uniswap v2 fork with no governance-proposed constructor args to mismatch. No material discrepancy found between proposal parameters and deployment.
RD-F-046 [green] Contract unverified on Etherscan/Sourcify: All core contracts verified on Polygonscan: V2 Factory, V3 AlgebraFactory, V3 Swap Router, QUICK token (new), admin multisig. Public ABI available for all key contracts.
RD-F-167 [green] Deprecated contract paused but pause reversible by live admin: QuickSwap Lend (Market.xyz) was permanently closed October 2022 and holds no material value. V2 Router01 is deprecated but is a stateless router holding no user funds. No deprecated contract with material value retained by a live admin role identified.
Oracle & external dependencies [Green] · 4 · 17 of 17
RD-F-050 [yellow] Dependency graph (protocols depended upon): Primary external dependency: Algebra Protocol CL engine (AlgebraFactory 0x411b0fAcC3489691f28ad58c47006AF5E3Ab3A28, AlgebraPool contracts on Polygon). QuickSwap V3 swap logic runs entirely within Algebra core; a vulnerability there directly affects V3 TVL (~$430M primary Polygon). Secondary optional dependency: Gamma Strategies for automated LP management (opt-in, not in the swap critical path). No oracle dependency, no bridge dependency, no Aave/Compound/Curve dependency in core contracts. Scored yellow due to the material Algebra Protocol dependency (externally-licensed codebase).
RD-F-052 [yellow] Breakage analysis per dependency: Algebra Protocol core failure: V3 pool interactions halt, V3 LP positions locked; V2 unaffected (independent codebase). Gamma Strategies failure: managed LP positions affected, direct LP positions unaffected. No oracle dependency, so no oracle-failure breakage scenario. Polygon chain halt: all Polygon pools halt (~95.4% TVL). Multi-chain deployments are independent — failure on one chain does not propagate to others. Scored yellow because the Algebra dependency is material but not an oracle-specific breakage.
RD-F-181 [n/a] Permissionless-pool lending oracle: QuickSwap is a DEX, not a lending protocol. F181 measures whether a lending protocol accepts spot prices from permissionlessly-created DEX pools (Rhea Finance NEAR April 2026 attack vector: fake pools seeded, worthless collateral accepted). A DEX has no borrow engine, no collateral acceptance path, and no oracle-acceptance layer at the venue-listing layer. Not applicable by protocol-type definition.
RD-F-048 [green] Oracle providers used: QuickSwap DEX uses NO external oracle providers. V2 (UniswapV2Pair) derives price from internal reserve ratios via constant-product formula. V3/Algebra derives price from internal tick state. No Chainlink, Pyth, Redstone, or any external feed consumed in the swap execution path. Data cache defillama.oracle is null. The 9 Chainlink feeds detected by the pipeline scanner are general Polygon network feeds not consumed by QuickSwap core contracts, confirmed as false positives by the profiler.
RD-F-049 [green] Oracle role per asset: No external oracle serves any asset or market. Price per trading pair is the pool's own internal reserve ratio (V2) or current tick price (V3/Algebra). No Primary/Secondary/Fallback oracle role exists because no external feed is consumed.
RD-F-051 [green] Fallback behavior on oracle failure: Not applicable as an oracle-failure fallback question — QuickSwap consumes no external oracle. AMM price is always derivable from pool state. Swaps fail gracefully via user-set slippage tolerance (amountOutMin) if price impact is too large, but this is not an oracle-fallback mechanism.
RD-F-053 [green] Oracle source = spot DEX pool (no TWAP) [STAR CRITICAL — GREEN]: QuickSwap IS the AMM pool, not a consumer of a spot DEX oracle. V2 UniswapV2Pair.sol swap() reads only internal _reserve0/_reserve1 — no oracle interface calls. V3/Algebra AlgebraPool _calculateSwap() uses internal tick math with no oracle imports. The 9 Chainlink feeds in the data cache are general Polygon network feeds not consumed by QuickSwap core contracts (confirmed false positives by profiler). The October 2022 oracle-manipulation incident affected Market.xyz lending (permanently closed), not the DEX core contracts. F053 requires oracle CONSUMPTION; QuickSwap is an oracle SOURCE.
RD-F-054 [green] TWAP window duration: Not applicable — QuickSwap does not consume a TWAP oracle. V2 pool emits cumulative price accumulators for external consumption, but does not read a TWAP feed during swap execution. No TWAP window to assess.
RD-F-055 [green] Oracle pool depth (USD): Not applicable — no oracle pool dependency. QuickSwap pool liquidity depth determines manipulation resistance for downstream lenders using QuickSwap as their oracle source, but that is a risk for those lenders, not for QuickSwap's Cat 3 rating. QuickSwap does not consume a DEX pool oracle.
RD-F-056 [green] Single-pool oracle (no medianization): Not applicable — QuickSwap does not consume a single-pool or any-pool oracle. No medianization assessment needed.
RD-F-057 [green] Circuit breaker on price deviation: Not applicable as an oracle circuit breaker — no oracle price reference exists. Standard AMM slippage protection (user-set amountOutMin in Router) prevents excessive price impact per transaction, but this is not a protocol-level oracle deviation circuit breaker.
RD-F-058 [green] Max-deviation threshold (bps): Not applicable — no circuit breaker referencing an oracle exists. Slippage tolerance is user-set per-transaction.
RD-F-059 [green] Oracle staleness check present: Not applicable — no external oracle is consumed, so no updatedAt staleness check is needed. AMM price is always current (derived from pool state at transaction time).
RD-F-060 [green] Chainlink aggregator min/max bound misconfig: Not applicable — QuickSwap does not call any Chainlink aggregator. The 9 Chainlink feeds in the data pipeline output (BTC/USD, ETH/USD, USDC/USD, etc. on Polygon) are general Polygon network feeds, confirmed false positives. UniswapV2Pair.sol source inspection confirms no Chainlink interface import. No minAnswer/maxAnswer misconfiguration possible.
RD-F-061 [green] LP token balanceOf used for pricing: Not applicable — QuickSwap DEX does not use LP token balanceOf for pricing. V2 pair contracts track reserves separately via internal _reserve0/_reserve1 state variables updated in _update() after each interaction, explicitly preventing donation-manipulation. V3/Algebra uses tick state, not balanceOf. This is the canonical manipulation-resistance design of Uniswap v2 forks.
RD-F-062 [green] External keeper/relayer not redundant: Not applicable in the core swap path — V2 and V3 swaps are entirely user-initiated, no keeper required. Gamma Strategies LP management (opt-in integration) may use keepers for automated rebalancing, but this is a third-party service not in the protocol's critical swap path. No single-keeper dependency in core contracts.
RD-F-180 [green] Immutable oracle address [STAR CRITICAL — GREEN]: QuickSwap does not consume any external oracle address, immutable or otherwise. The failure mode captured by F180 (a protocol locked into a depegged oracle it cannot replace because the address is immutable) cannot occur for a DEX with no oracle dependency. No immutable oracle address, no hardcoded feed address, no closed-source oracle embedding exists in QuickSwap V2 (UniswapV2Pair — no oracle storage variable) or V3/Algebra (AlgebraPool — no oracle interface import). Green by absence of the failure mode. Two distinct primary sources confirm oracle-free architecture.
Economic risk [Red] · 56 · 13 of 13
RD-F-064 red TVL concentration (top-10 wallet share) Extreme double-layer concentration: (1) The single LGNS/DAI pool at 0x882df4b0fb50a229c3b4124eb18c759911485bfb holds approximately $391M of the ~$430M Polygon TVL (~87% of the $451M total protocol TVL). LGNS (Longinus) is a long-tail token with ~24% of total supply (2.15B LGNS) held by a single 'ORIGIN' address. If LGNS price drops materially, protocol TVL could collapse from ~$451M to approximately $60M. (2) Chain concentration: Polygon carries 95.44% of TVL, creating correlated chain-level risk. The effective non-LGNS, non-concentrated liquidity base is in the low tens of millions: $19.18M per DefiLlama's V3 sub-protocol data plus minor V2 major-pair pools.
RD-F-063 yellow TVL (current + 30d trend) Current TVL $451,399,708 per DefiLlama API as of 2026-05-16T08:14:10Z. 30d change -14.39%; 90d CoV 0.073 (mean $495M, std $36.2M). TVL is declining from a ~$520M 12-month peak. Critically, the headline TVL is dominated by a single LGNS/DAI pool (~$391M reserves), so the truly diversified liquidity is in the low tens of millions. Yellow: TVL magnitude is real but composition-inflated by a long-tail pool, and the 30d trend is negative at -14.4%.
RD-F-065 yellow Liquidity depth per major asset Top V2 non-LGNS pools on Polygon: USDC/USDT $630K, WPOL/USDC $570K, WPOL/WETH $456K, WETH/USDT $146K, LINK/WETH $161K, USDC/QUICK $78K. Top V3 pools: USDC/DAI $214K, USDC/USDT $249K, WPOL/WETH V3 $89K. Against pools of this size, a trade of $50-100K in any major pair will cause material price impact (on the constant-product curve, a $50K swap against a $630K two-sided V2 pool slips roughly 14% before fees). Thin by Ethereum DEX standards but consistent with Polygon ecosystem norms for a Polygon-native DEX serving retail flow. Yellow: adequate for typical Polygon retail use cases, insufficient for institutional or large-block trades.
RD-F-066 n/a Utilization rate (lending protocols) Utilization rate is lending-protocol-specific. QuickSwap is a DEX (Uniswap v2 fork + Algebra CL) with no lending markets; the cache confirms borrow.present=false. The legacy QuickSwap Lend product was permanently closed in October 2022 and is outside the current protocol scope. PD-024 protocol_type_applicability: N/A for DEX.
RD-F-067 n/a Historical bad-debt events Lending-protocol-specific; the QuickSwap DEX has no lending markets. The October 2022 QuickSwap Lend oracle exploit ($220K) hit a separately deployed Compound-fork Market.xyz product that is now permanently closed; any bad debt from that event is outside current DEX scope. PD-024 protocol_type_applicability: N/A for DEX.
RD-F-068 n/a Collateralization under stress Applies to lending/CDP protocols. QuickSwap is a DEX with no collateral or borrow mechanics. PD-024 protocol_type_applicability: N/A for DEX.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Does not apply to DEX protocols; QuickSwap does not issue any stablecoin. PD-024 protocol_type_applicability: N/A for DEX.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) RD-F-070 is scoped to Compound V2-fork protocols only per taxonomy §Cat 4 'Compound-fork-only' note. QuickSwap is not a Compound fork: V2 is a line-for-line Uniswap v2 fork (constant-product AMM); V3 is the Algebra concentrated-liquidity protocol. Neither has cToken-style market accounting, supply/borrow tracking, or the redemption-ratio mechanics that create the donation-attack / empty-market share-price inflation vector. The October 2022 QuickSwap Lend product that used a Compound fork (via Market.xyz) was permanently closed and is not part of the current protocol. No empty-market vector exists on the DEX.
RD-F-071 n/a Seed-deposit requirement for new market listing A lending-protocol-specific control; QuickSwap has no lending markets requiring seed deposits. PD-024 protocol_type_applicability: N/A for DEX.
RD-F-072 n/a Market-listing governance threshold Classified as lending-only under PD-024 per taxonomy §Cat 4. QuickSwap V2 has permissionless pool creation (anyone can list any token pair without governance approval), but this is the standard Uniswap V2 design, not a lending-market listing governance question. The economic risk from permissionless listing (long-tail tokens, rug-pull pairs) is already captured under F064 (TVL concentration). PD-024 protocol_type_applicability: N/A for DEX.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Requires a lending protocol with per-asset borrow caps. QuickSwap has no lending markets and no borrow caps. PD-024 protocol_type_applicability: N/A for DEX.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Applies to ERC-4626-compliant vaults. The dQUICK Dragon's Lair staking contract (0x958d208Cdf087843e9AD98d23823d32E17d723A1) is not ERC-4626 compliant: it was deployed ~2021, predating ERC-4626 finalization (September 2022), and uses xSUSHI-style ratio accounting, in which users deposit QUICK and receive dQUICK at the current QUICK-in-contract / dQUICK-supply ratio. QuickSwap docs confirm a variable dQUICK:QUICK ratio. No ERC-4626 interface functions (convertToShares, convertToAssets, _decimalsOffset) are referenced in any QuickSwap documentation or blog post about Dragon's Lair. The DEX core contracts (V2 Factory/Router, V3 Algebra) are not vaults at all.
RD-F-075 n/a First-depositor / share-inflation guard Scoped to ERC-4626 vault patterns. dQUICK Dragon's Lair is not ERC-4626 (same basis as F074). The xSUSHI-style ratio mechanism does have a theoretical first-depositor inflation issue if the pool is empty (a first depositor of a dust amount can transfer tokens directly to the contract so that later deposits round down to zero shares), but: (1) F075 specifically targets ERC-4626 vault designs; (2) the Dragon's Lair has been continuously active since 2021 and holds material QUICK, so the empty-pool precondition does not hold; (3) the xSUSHI pattern vulnerability is distinct from the ERC-4626 first-depositor attack. Not applicable under PD-024 ERC-4626 vault sub-bucket scoping. DEX core contracts (V2/V3) have no vault/share accounting at all.
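Worked example for the RD-F-065 depth claim, added here and not taken from QuickSwap's or the assessment pipeline's code. It re-implements the Uniswap v2 / QuickSwap V2 constant-product output formula (0.3% fee, integer floor division, as in UniswapV2Library.getAmountOut) and uses it to quantify slippage for the pool sizes quoted above. The reserves are constructed from the USD pool sizes in RD-F-065 (a $630K pool is modelled as 315,000 per side), not live on-chain reads, and amounts are whole tokens rather than base units.

```python
"""Constant-product (Uniswap v2 style) price-impact estimates for V2 pool sizes.

Reserves are constructed from RD-F-065 pool sizes, not live reads; amounts are
whole tokens (the real contracts use base units, e.g. 6 decimals for USDC).
"""

FEE_NUM, FEE_DEN = 997, 1000  # 0.3% swap fee, identical to Uniswap v2 / QuickSwap V2


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """Mirror of UniswapV2Library.getAmountOut (integer floor division)."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amounts and reserves must be positive")
    amount_in_with_fee = amount_in * FEE_NUM
    numerator = amount_in_with_fee * reserve_out
    denominator = reserve_in * FEE_DEN + amount_in_with_fee
    return numerator // denominator


def price_impact(amount_in: int, reserve_in: int, reserve_out: int) -> float:
    """Fraction by which execution price is worse than spot, fee excluded.

    With eff_in = amount_in * 0.997 the curve slippage is eff_in / (reserve_in + eff_in);
    reserve_out cancels out for a two-sided constant-product pool.
    """
    eff_in = amount_in * FEE_NUM / FEE_DEN
    return eff_in / (reserve_in + eff_in)


def max_trade_under_impact(reserve_in: int, reserve_out: int, max_impact: float) -> int:
    """Largest whole-token trade whose curve slippage stays <= max_impact (bisection)."""
    lo, hi = 0, reserve_in  # impact(reserve_in) is ~0.5, far above any sane bound
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if price_impact(mid, reserve_in, reserve_out) <= max_impact:
            lo = mid
        else:
            hi = mid - 1
    return lo


# Constructed two-sided reserves derived from the RD-F-065 V2 pool sizes.
CONSTRUCTED_POOLS = {
    "V2 USDC/USDT ($630K)": (315_000, 315_000),
    "V2 WPOL/USDC ($570K)": (285_000, 285_000),  # both sides in USD-equivalent units
    "V2 WETH/USDT ($146K)": (73_000, 73_000),
}


def depth_table(trade_sizes=(5_000, 25_000, 50_000, 100_000)) -> dict:
    """Per pool: curve slippage at each trade size plus the largest trade under 1% slippage."""
    table = {}
    for name, (r_in, r_out) in CONSTRUCTED_POOLS.items():
        table[name] = {
            "impact": {size: round(price_impact(size, r_in, r_out), 4) for size in trade_sizes},
            "max_trade_at_1pct": max_trade_under_impact(r_in, r_out, 0.01),
        }
    return table


if __name__ == "__main__":
    for name, row in depth_table().items():
        print(name, row)
```

The point the table makes is that a $50K stable-to-stable swap against the deepest V2 pool slips about 13.7% on the curve (receiving ~43,038 of 50,000), and the largest trade that stays under 1% slippage on that pool is only ~$3.2K; V3/Algebra concentrated positions are deeper around the current tick and are not modelled by this curve.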
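Walk-through of the first-depositor point raised under RD-F-074 and RD-F-075, added here as an illustration and not Dragon's Lair code. The xSUSHI-style branch follows the SushiBar formula (shares = amount * totalShares / totalAssets, 1:1 on an empty pool); the offset branch follows the OpenZeppelin >= 4.9 ERC-4626 virtual-share formula (assets * (supply + 10**offset) / (totalAssets + 1)). The attacker's donation is a plain ERC-20 transfer into the vault, which raises the contract balance without minting shares; all balances below are constructed.

```python
"""First-depositor share inflation: xSUSHI-style ratio vault vs OZ 4.9 virtual-share offset."""
from typing import Optional

ONE = 10**18  # one token in base units


class ShareVault:
    def __init__(self, offset: Optional[int] = None):
        self.offset = offset        # None -> xSUSHI-style; int -> OZ 4.9 _decimalsOffset()
        self.total_assets = 0       # token.balanceOf(vault)
        self.total_shares = 0       # share-token supply
        self.balances: dict = {}

    def _to_shares(self, assets: int) -> int:
        if self.offset is None:
            # SushiBar.enter(): 1:1 on an empty pool, ratio otherwise
            if self.total_shares == 0 or self.total_assets == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        # OZ >= 4.9 ERC4626._convertToShares with a decimals offset
        return assets * (self.total_shares + 10**self.offset) // (self.total_assets + 1)

    def _to_assets(self, shares: int) -> int:
        if self.offset is None:
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10**self.offset)

    def deposit(self, who: str, assets: int) -> int:
        shares = self._to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        """Direct transfer to the vault: inflates the share price, mints nothing."""
        self.total_assets += assets

    def redeem_all(self, who: str) -> int:
        shares = self.balances.pop(who, 0)
        assets = self._to_assets(shares)
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def first_depositor_attack(offset: Optional[int], victim_deposit: int = 1_000 * ONE) -> dict:
    """Attacker seeds an empty vault with 1 wei, donates victim_deposit, then the victim deposits."""
    v = ShareVault(offset)
    v.deposit("attacker", 1)
    v.donate(victim_deposit)
    victim_shares = v.deposit("victim", victim_deposit)
    attacker_payout = v.redeem_all("attacker")
    cost = 1 + victim_deposit
    return {
        "victim_shares": victim_shares,
        "attacker_cost": cost,
        "attacker_payout": attacker_payout,
        "attacker_profit": attacker_payout - cost,
    }


if __name__ == "__main__":
    print("xSUSHI-style:", first_depositor_attack(None))
    print("offset=6:   ", first_depositor_attack(6))
```

In the xSUSHI-style run the victim's 1,000-token deposit mints zero shares and the attacker's single share redeems the whole balance (profit equal to the victim's deposit). With a six-decimal virtual-share offset the victim still receives shares and the attacker's redemption is worth roughly half of what the donation cost, which is why the attack is uneconomic once the offset is in place. The page's point stands: this precondition requires an empty pool, and Dragon's Lair has not been empty since 2021.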
Operational history Green 15 15 of 15
RD-F-089 red Insurance coverage active No active DeFi insurance coverage found for QuickSwap. Data cache bug_bounty.platform: null (no Immunefi program found by the pipeline). Web searches for QuickSwap on Nexus Mutual, Sherlock, Unslashed and equivalent providers returned no coverage. At $451M TVL the absence of proportionate on-chain insurance is a structural gap; near-default red for a DEX of this size with no disclosed coverage.
RD-F-084 yellow TVL stability (CoV over 90d) 90-day TVL coefficient of variation = 0.073 (std $36.2M / mean $495.4M) per data cache. Not severely volatile (CoV < 0.2), but the protocol shows a clear declining trend: TVL down 14.39% in the past 30 days (cache tvl_30d_change_pct: -14.39%). Range over 90 days approximately $420M-$520M. Yellow: stability is moderate but the sustained decline prevents green.
RD-F-166 yellow Deprecated contracts still holding value The QuickSwap Lend / Market.xyz lending module was permanently closed in October 2022 following the oracle-manipulation exploit. The module's contracts were deployed by Market.xyz (a third-party operator), not by QuickSwap's own deployer; QuickSwap's action was to halt its interface and advise users to withdraw. The Market.xyz contracts remain on-chain, and residual balances and outstanding user approvals cannot be confirmed as zero without direct contract reads (Polygonscan HTML returned 403). The old QUICK legacy token (0x831753DD7087CaC61aB5644b308642cc1c33Dc13) is a migrated but still-circulating token with an active swap contract; it is not a stuck-value deprecated surface in the F166 sense. Yellow: the surface is closed and announced, which reduces risk materially, but third-party contract state is not confirmed at zero; curator on-chain verification (balance and allowance reads against the Market.xyz contracts) is required.
RD-F-081 gray Post-exploit response score No DEX-surface exploit has occurred, so there is no 'last incident' against which to score post-exploit response; the factor requires an incident reference point. Gray per rubric guidance for incident-dependent factors with no DEX incident. For informational context: the Lend incident response (same-day announcement, permanent product closure) would score approximately 4/5 if assessed.
RD-F-082 gray Post-mortem published within 30 days No DEX-surface exploit occurred; no post-mortem is required or assessable for the DEX. For the Lend incident: the team published rapid announcements and attributed the root cause to Market.xyz oracle design, referencing ChainSecurity analysis. Whether a formal QuickSwap-authored post-mortem meeting the 30-day threshold was published is unconfirmed from available sources.
RD-F-083 gray Auditor re-engaged after last exploit No DEX-surface exploit occurred; auditor re-engagement after exploit cannot be assessed. For the Lend incident: the product was permanently closed rather than patched, making a re-audit of the lending surface moot. No evidence of a re-audit of DEX contracts following the Lend incident.
RD-F-085 gray Incident response time (minutes) No DEX-surface exploit occurred; incident response time in minutes cannot be assessed for the DEX. For the Lend incident (informational): team announcements appeared within approximately 24 hours of the October 24, 2022 exploit, and the lending product was shut down within that window, a rapid response by any standard.
RD-F-076 green Protocol age (days) QuickSwap V2 Factory deployed on Polygon 2020-10-09, giving ~2,046 days (~67 months) of live mainnet operation as of 2026-05-16. Substantially exceeds the 12-month minimum for operational-age green. V3/Algebra launched 2022-10-07 (~1,318 days live). Both versions continuously operational.
RD-F-077 green Prior exploit count QuickSwap DEX core has zero confirmed exploits. Hacksdatabase grep for 'quickswap', 'quick', 'dragon' returns zero DEX incidents. Rekt leaderboard (cache rekt.incidents: []) and DefiLlama hacks feed (cache hacks: []) both return empty. The October 2022 incident targeted the separately-operated Market.xyz lending module (a QuickSwap-branded but third-party-contracted Compound-fork). Per protocol scope, the assessed surface is the DEX: exploit count = 0.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero DEX exploits confirmed. Chronic flag (>=3 incidents) does not fire. Hacksdatabase, Rekt leaderboard, and DefiLlama hacks all return empty for QuickSwap DEX.
RD-F-079 green Same-root-cause repeat exploit No same-root-cause repeat exploit on the DEX. The single QuickSwap-branded incident (October 2022 Lend oracle manipulation) is a one-time event on a now-permanently-closed surface. No recurrence.
RD-F-080 green Days since last exploit DEX core: no exploit ever. If the Lend incident is attributed to the QuickSwap brand, days since last = ~1,300 days (2022-10-24 to 2026-05-16), well above any red threshold. Either way, green.
RD-F-086 green Pause activations (trailing 12 months) No pause activations observed on the QuickSwap DEX in the trailing 12 months. The V2 Factory (Uniswap v2 fork) has no pause function by design. The V3/Algebra Factory has pause functionality but no activation evidence found. The October 2022 Lend closure was an interface-level shutdown, not a smart-contract pause event on the DEX. Zero deliberate pause activations in the 12-month window.
RD-F-087 green Pause > 7 consecutive days No DEX pause exceeding 7 consecutive days found in the trailing 12 months. The DEX has operated continuously since 2020. No evidence of any pause event in the 12-month window prior to 2026-05-16.
RD-F-088 green Re-deployed to new addresses in last year No DEX redeployment to new contract addresses in the trailing 12 months. V2 Factory has operated at 0x5757371414417b8C6CAad45bAeF941aBc7d3Ab32 since October 2020. V3/Algebra contracts stable since October 2022. The old-to-new QUICK token migration (via Token Swap contract 0x333068D06563a8DfDBF330A0e04A9d128e98bf5a) is a token migration, not a protocol redeployment event.
Real-time signals Green 4 22 of 22
RD-F-105 yellow DNS/CDN/frontend hash drift Confirmed prior exploit class: May 14, 2022 GoDaddy DNS hijack, in which the attacker social-engineered GoDaddy support into modifying DNS and ran a phishing frontend for ~5 hours, causing $107,600.68 in user losses. QuickSwap migrated registrar and DNS to Cloudflare after the attack (per the blog post-mortem). The current TLS certificate is issued by Google Trust Services (observed May 2026 alongside current WHOIS data). No publicly confirmed JS-bundle hash-baseline monitoring is in place. A Hexagate governance vote passed in September 2023 (community voted in favour), with a renewal proposal in October/November 2024; phishing/frontend monitoring was listed as a Hexagate capability, so if Hexagate is active this signal may be partially covered, but implementation status is not definitively confirmed from public sources. Score: yellow; infrastructure improved, prior exploit class confirmed, hash-baseline monitoring posture uncertain.
RD-F-092 gray Unusual mempool pattern from deployer wallet The deployer EOA (0x476307...) has 22,362 historical transactions but is not the current active admin; the 2-of-4 multisig (0xdB74C5D4...) holds admin rights. An unusual-pattern signal on the deployer EOA requires live mempool monitoring infrastructure (T-09 v2, deferred). Static review shows no recent anomalous activity from the deployer EOA.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet Requires live mempool monitoring and a threat-actor wallet cluster list (T-09 v2, deferred). No public reporting of an abnormal gas-price pattern from attacker wallets targeting QuickSwap in the static assessment.
RD-F-094 n/a New contract with similar bytecode to exploit template Requires an on-chain new-deploy sweep against an exploit-template bytecode similarity DB (T-09 v2, deferred). No public reporting of exploit-template bytecode deployment targeting QuickSwap in the trailing 90 days.
RD-F-095 n/a Known-exploit function-selector replay Requires live mempool monitoring and a known-exploit-template selector DB (T-09 v2, deferred). No public reporting of a known-exploit selector replay pattern targeting QuickSwap in the trailing 90 days.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale Requires live mempool monitoring of ERC-20 approvals from high-TVL users to unverified contracts (T-09 v2, deferred). Prior exploit context: the May 2022 GoDaddy DNS hijack harvested fraudulent router approvals ($107.6K), so this approval vector is real for QuickSwap, but the signal cannot be assessed in a static context.
RD-F-097 n/a Sybil surge of identical-pattern transactions Requires live on-chain clustering to detect a Sybil burst of identical-pattern transactions (T-09 v2, deferred). No static evidence of a current Sybil transaction surge targeting QuickSwap pools.
RD-F-099 n/a Oracle price deviation >X% from secondary QuickSwap DEX has no external oracle in its swap routing path. V2 is a constant-product AMM (price determined by pool reserves only); V3/Algebra uses tick-based concentrated liquidity with no external oracle for swap execution. The protocol closed its only oracle-consuming surface (Market.xyz lending) in October 2022. An oracle price-deviation signal requires a protocol that consumes an external oracle for safety-critical reads (collateral pricing, liquidation triggering); structurally not applicable for this AMM DEX shape.
RD-F-100 n/a Flash loan >$10M targeting protocol tokens Requires a flash-loan receiver that interacts with the protocol's oracle, lending market, or governor in the same transaction. QuickSwap has none of these: no oracle (AMM), no active lending market (Market.xyz closed October 2022 after the $220K exploit), and Snapshot-only governance that is not on-chain-interactable. Flash loans routinely originate from QuickSwap pools for arbitrage, but the net outflow is a clean round-trip. The signal's mechanism is structurally inapplicable to this DEX shape.
RD-F-102 gray Admin/upgrade transaction in mempool V2 core (Factory/Router) is immutable with no upgrade path. The V3 Algebra admin surface has the 2-of-4 multisig (0xdB74C5D4...) as admin. The admin-tx-in-mempool signal requires a live mempool listener (T-09 phase-2 signal tier). Static review: multisig last active January 24, 2026 (routine Confirm/Execute Transaction operations); no pending upgrade-selector tx visible. Detection-window note: with no timelock, any admin tx executes within minutes of the second confirmation, so the detection window is compressed.
RD-F-103 n/a Bridge signer-set change proposed/executed QuickSwap has no bridge surface (has_bridge_surface: false, is_a_bridge: false, confirmed in profile meta and data cache). Multi-chain deployments are independent per-chain native deployments without a protocol-operated canonical bridge; there is no bridge validator set and no guardian set contract to monitor.
RD-F-106 n/a Cross-chain bridge unverified mint pattern QuickSwap has no bridge surface (has_bridge_surface: false). The signal requires mint-without-proof event monitoring on a bridge contract. Not applicable.
RD-F-107 n/a Admin EOA signing from new geography/device Requires off-chain signing telemetry (MPC provider device fingerprints, session-key geography data) that is not publicly accessible (T-09 v2, deferred). The multisig is a legacy MultiSigWalletWithDailyLimit (Solidity 0.4.19), so no session-key metadata exists on-chain either.
RD-F-108 gray GitHub force-push to sensitive branch The QuickSwap V2 core repo (github.com/QuickSwap/quickswap-core) last committed 2022-12-27 and is effectively frozen, making a force-push there low-probability. V3 periphery repos were not fully assessed for recent sensitive-branch push patterns. No public reporting of a suspicious force-push to QuickSwap repos. Live GitHub API monitoring is not implemented for the production signal (T-09 v2, deferred).
RD-F-109 gray Social-media impersonation scam spike No coordinated social-media impersonation scam-spike found in OSINT pass (May 2026). QuickSwap is a recognized Polygon DEX brand (@QuickswapDEX on X). General industry context: 700+ typosquat domains targeted top-20 crypto exchanges in 2023. No specific coordinated X/Discord/Telegram campaign identified against QuickSwap. Live social-media monitoring not implemented. T-09 v2 deferred.
RD-F-090 green Mixer withdrawal → protocol interaction Deployer wallet (0x476307DaC3FD170166e007FCaA14F0A129721463) funded by unlabeled personal Polygon wallet (0xb36cDD7c974c48b5c7797d4f9a74bd80773977FF), no mixer label or Tornado Cash connection visible in Polygonscan static review. Multisig signer 0x47d4f182F4267DcC06161238501c47E8B340A625 funded by unlabeled wallet ~5yr 75 days ago, no mixer evidence. Three additional signer wallets unverified (gap flagged for curator). T-09 phase-2 signal tier — advisory only, never flips grade solo. No mixer-to-protocol-contract interaction pattern found in static assessment.
RD-F-091 green Partial-drain test transactions No partial-drain test-transaction pattern identified in static review. TVL declined -14.39% over trailing 30 days at a gradual macro rate (not intra-block drain pattern). No small precursor drain sequence found in public data. 90d CoV = 0.073 (relatively stable). T-09 v2 deferred signal.
RD-F-098 green TVL anomaly — % drop in <1h TVL $451.4M as of 2026-05-16. Trailing 30d change: -14.39%, a gradual decline that is nowhere near the T-09 threshold of a >30% drop within 1h against the 30d baseline. 90d CoV = 0.073 (stable range). No sudden drain anomaly observed. Tier-A signal (instant grade flip); T-09 v1 production-live. Detection threshold: TVL_now / TVL_baseline_30d < 0.70 within a 60-min window. Current ratio: ~0.91 (current $451M against the $495M 30d mean), well above the 0.70 threshold; the signal would not fire today.
RD-F-101 green Large governance proposal queued Snapshot-only governance (space: quickvote.eth). No on-chain governor, no on-chain execution queue, no timelock. Malicious-pattern detection rule requires on-chain calldata (upgradeToAndCall, grantRole, etc.) — Snapshot proposals produce off-chain JSON, not on-chain calldata, so the signal's primary detection mechanism is structurally inapplicable. Recent visible Snapshot proposals: Somnia deployment (May 2026), QUICK tokenomics refresh (May 2026), Base expansion (May 2026), Hexagate renewal — all routine chain-expansion governance. No malicious-pattern proposal identified. Score green on posture: no flagged-pattern proposals currently visible.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue QuickSwap DEX hosts substantial USDC and USDT LP pairs. Polygon stablecoin composition: USDC ~51%, USDT ~28% of Polygon stablecoin supply. USDC and USDT are at peg as of 2026-05-16 (no >2% depeg event active). Signal threshold: |price - peg| / peg > 2% sustained 30 min AND protocol exposure >= 5% TVL. No depeg condition active on either major stablecoin. T-09 v1 production-live signal.
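Static re-implementation of the two Tier-A T-09 v1 rules quoted under RD-F-098 and RD-F-104, added here as an illustration; it is not the pipeline's own code, and because the production semantics are not published on this page, the reading of the rules is an assumption (TVL rule: fire when tvl_now / mean(30d baseline) < 0.70 and the ratio was still >= 0.70 one hour earlier, so a gradual slide never fires; depeg rule: fire when |price - 1| > 2% on every one-minute sample of a 30-minute window and the protocol's exposure to that stablecoin is >= 5% of TVL). All series are constructed, not DefiLlama or price-feed data.

```python
"""Two T-09 v1 rules (TVL drop, stablecoin depeg) over constructed series."""
from statistics import fmean, pstdev

TVL_RATIO_THRESHOLD = 0.70   # RD-F-098: TVL_now / 30d baseline
DEPEG_THRESHOLD = 0.02       # RD-F-104: |price - peg| / peg
EXPOSURE_THRESHOLD = 0.05    # RD-F-104: protocol exposure as share of TVL


def tvl_stats(baseline: list) -> dict:
    """30-day mean and coefficient of variation, the RD-F-063 / RD-F-084 numbers."""
    mean = fmean(baseline)
    return {"mean": mean, "cov": pstdev(baseline) / mean}


def tvl_drop_signal(baseline: list, tvl_1h_ago: float, tvl_now: float) -> dict:
    """Fires only when the ratio crosses below 0.70 inside the last 60 minutes."""
    mean = fmean(baseline)
    ratio_now = tvl_now / mean
    ratio_prev = tvl_1h_ago / mean
    fires = ratio_now < TVL_RATIO_THRESHOLD <= ratio_prev
    return {"ratio_now": ratio_now, "ratio_1h_ago": ratio_prev, "fires": fires}


def depeg_signal(prices: list, exposure_share: float, peg: float = 1.0) -> dict:
    """prices: one sample per minute; the trailing 30 samples must all be off-peg."""
    if len(prices) < 30:
        raise ValueError("need at least 30 one-minute samples")
    window = prices[-30:]
    sustained = all(abs(p - peg) / peg > DEPEG_THRESHOLD for p in window)
    exposed = exposure_share >= EXPOSURE_THRESHOLD
    return {"sustained_depeg": sustained, "exposed": exposed, "fires": sustained and exposed}


# Constructed inputs: 30 days of hourly TVL drifting from $500M down by $50K per hour
# (about -7% over the window), mimicking the gradual decline in RD-F-063, plus two
# 30-minute USDC price windows (one calm, one ~3% below peg throughout).
BASELINE = [500e6 - i * 50_000 for i in range(30 * 24)]
USDC_CALM = [1.0 + (0.0005 if i % 2 else -0.0005) for i in range(30)]
USDC_DEPEG = [0.97 - 0.0002 * i for i in range(30)]


def run_constructed() -> dict:
    return {
        "stats": tvl_stats(BASELINE),
        # gradual: current TVL only slightly below the last baseline sample
        "gradual": tvl_drop_signal(BASELINE, tvl_1h_ago=BASELINE[-1], tvl_now=464e6),
        # sudden: 35% of TVL gone within the hour -> Tier-A flip
        "sudden": tvl_drop_signal(BASELINE, tvl_1h_ago=BASELINE[-1], tvl_now=300e6),
        # already below 0.70 an hour ago: the crossing was earlier, do not re-fire
        "already_down": tvl_drop_signal(BASELINE, tvl_1h_ago=310e6, tvl_now=300e6),
        "calm_peg": depeg_signal(USDC_CALM, exposure_share=0.20),
        "depeg_exposed": depeg_signal(USDC_DEPEG, exposure_share=0.20),
        "depeg_unexposed": depeg_signal(USDC_DEPEG, exposure_share=0.01),
    }


if __name__ == "__main__":
    for name, result in run_constructed().items():
        print(name, result)
```

The baseline here is the prior 30 days excluding the current sample, so a drain does not dilute the mean it is measured against; a real deployment would also need to decide how a pool-specific collapse (the LGNS/DAI concentration in RD-F-064) should be distinguished from a protocol-wide drain, since both cross the same threshold.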
RD-F-110 green Unusual pending/executed proposal ratio Snapshot governance space (quickvote.eth) shows regular proposal cadence: Somnia deployment (May 2026), QUICK tokenomics refresh (May 2026), Base expansion (May 2026), Hexagate renewal, Quadrata integration — all within expected governance activity volume. No unusual spike in pending vs. executed ratio. Quorum = 0 means all proposals technically pass — ratio anomaly monitoring is less meaningful than for quorum-governed systems. T-09 v2 deferred for live monitoring.
RD-F-182 green Security-Council threshold reduction (RT) F182 (Security-Council threshold reduction event, Cat 6B batch-24). QuickSwap does not have a formal Security Council; the 2-of-4 MultiSigWalletWithDailyLimit is the admin. Threshold reduction from 2-of-4 to 1-of-4, timelock removal (no timelock exists), or new-signer addition within 14 days of threshold change would trigger. Polygonscan review of multisig: no RequirementChange or OwnerAddition/OwnerRemoval events visible in recent 25 transactions. Threshold confirmed at 2-of-4. Last admin action: January 24, 2026 (routine confirmation). Key note: because there is NO timelock, the detection window for any threshold change followed by malicious tx is maximally compressed (seconds to minutes). Current posture: no threshold-change event observed; signal not firing.
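Rule logic for the RD-F-182 trigger over already-decoded multisig events, added here as an illustration and not part of the page's pipeline. It assumes the admin contract emits the Gnosis MultiSigWallet events RequirementChange(uint required), OwnerAddition(address owner) and OwnerRemoval(address owner) (verify the names against the verified ABI on Polygonscan), that topic matching and ABI decoding have already happened upstream, and that "within 14 days of a threshold change" covers both orderings (signer added after the threshold moved, or threshold moved after a signer was added). The event records are constructed, not Polygonscan data.

```python
"""RD-F-182 rule over decoded MultiSigWallet governance events (constructed records)."""
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400
WINDOW = 14 * DAY  # "within 14 days" per RD-F-182


@dataclass
class MultisigState:
    owners: set
    required: int
    last_requirement_change_ts: Optional[int] = None
    last_owner_addition_ts: Optional[int] = None
    alerts: list = field(default_factory=list)


def _within(earlier: Optional[int], now: int) -> bool:
    return earlier is not None and 0 <= now - earlier <= WINDOW


def apply_event(state: MultisigState, ev: dict) -> MultisigState:
    kind, ts = ev["event"], ev["ts"]
    if kind == "RequirementChange":
        new_req, n = ev["required"], len(state.owners)
        if new_req < state.required:
            state.alerts.append((ts, "threshold_reduced", f"{state.required}-of-{n} -> {new_req}-of-{n}"))
        if _within(state.last_owner_addition_ts, ts):
            state.alerts.append((ts, "threshold_change_after_new_signer", f"required={new_req}"))
        state.required = new_req
        state.last_requirement_change_ts = ts
    elif kind == "OwnerAddition":
        state.owners.add(ev["owner"])
        state.last_owner_addition_ts = ts
        if _within(state.last_requirement_change_ts, ts):
            state.alerts.append((ts, "new_signer_after_threshold_change", ev["owner"]))
    elif kind == "OwnerRemoval":
        state.owners.discard(ev["owner"])
    # Submission / Confirmation / Execution are routine and produce no alert.
    return state


def scan(events: list, owners: set, required: int) -> list:
    """Replay decoded events in timestamp order and return (ts, kind, detail) alerts."""
    state = MultisigState(set(owners), required)
    for ev in sorted(events, key=lambda e: e["ts"]):
        apply_event(state, ev)
    return state.alerts


# Constructed history for a 2-of-4 wallet (placeholder owner addresses).
T0 = 1_700_000_000
INITIAL_OWNERS = {"0xA1", "0xA2", "0xA3", "0xA4"}
CONSTRUCTED_EVENTS = [
    {"ts": T0, "event": "Execution", "tx": 42},                        # routine
    {"ts": T0 + 10 * DAY, "event": "RequirementChange", "required": 1},  # 2-of-4 -> 1-of-4
    {"ts": T0 + 12 * DAY, "event": "OwnerAddition", "owner": "0xNEW1"},  # 2 days later
    {"ts": T0 + 40 * DAY, "event": "OwnerAddition", "owner": "0xNEW2"},  # outside window
    {"ts": T0 + 45 * DAY, "event": "RequirementChange", "required": 2},  # 5 days after NEW2
]


if __name__ == "__main__":
    for alert in scan(CONSTRUCTED_EVENTS, INITIAL_OWNERS, 2):
        print(alert)
```

Because the wallet has no timelock, each alert arrives after the change has already executed; the practical value of the rule is catching the pattern before the next, malicious transaction is submitted and confirmed, which on a 1-of-N wallet can happen in a single transaction by a single signer.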
Dev identity & insider risk Green 8 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR V2 and V3 core contracts are immutable, so no admin-permissioned PRs exist for the on-chain protocol. GitHub quickswap-core last commit 2022-12-27 (per profile); frozen. Protofire took over development in mid-2025 with no named individual engineers publicly disclosed. The front-end (interface-v2) is actively maintained but is not a smart-contract surface. Contributor tenure for the new Protofire operational team layer is unknown. Yellow because operational continuity and key-contributor tenure for the new development structure (Protofire) cannot be assessed publicly.
RD-F-121 yellow Contributor OSINT depth score Named founders score high: Mudge 5/5 (GitHub, EIP authorship, conferences, LinkedIn, Twitter), Singhania 4/5 (podcast, media, LinkedIn), Nailwal 5/5 (Polygon co-founder, extensive media), Zacharias 4/5 (CEO of a named firm, conferences). Protofire as a firm scores 3/5 (established firm, 201+ projects, no individual engineer names disclosed). Operational signer wallets score 1/5 (not publicly mapped to named individuals). Composite is yellow because the operational development layer (Protofire individual engineers) and the signer wallet identities are opaque.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion DEX core contracts are immutable; no admin-rescue function exists. The treasury multisig (0xdB74C5D4F154BBD0B8e0a28195C68ab2721327e5) controls QUICK holdings and the fee-setter. The multisig owner set is stable across the visible Polygonscan transaction history (no owner-change transactions detected). The June 2025 transition of Sameep Singhania to an advisory role, with Protofire taking the development lead, was announced via a public governance blog post and Snapshot vote, not as a silent change. However: (a) no on-chain timelock means any multisig action executes with zero delay; (b) the Solidity 0.4.19 legacy contract exposes only the basic owner/requirement events, not a structured governance log; (c) whether operational signer wallets were updated for the Protofire transition is not publicly confirmed. Yellow: the public announcement mitigates the insider-implant concern, but the absence of a timelock and unclear signer-identity continuity reduce confidence.
RD-F-119 gray Commit timezone consistent with stated geography The GitHub org has no public members (per org page). Commit-time timezone analysis was blocked by JS-rendered GitHub contributor graphs (process-learnings FAILED pattern). Mudge is US-based, Singhania is India-based and Protofire is distributed; three distinct timezones make aggregate TZ analysis less meaningful even if commit data were accessible. No meaningful TZ-consistency finding can be produced without the underlying data.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet Cannot be meaningfully assessed at the OSINT tier for off-chain payroll teams. QuickSwap compensates contributors off-chain; no on-chain contributor payment streams are publicly identifiable beyond the treasury multisig. Per process-learnings: 'Mark NOT ASSESSED for contributors beyond the deployer unless on-chain payment streams exist.' The deployer EOA has no on-chain path to a DPRK-labeled cluster in the 1-hop review.
RD-F-184 gray Real-capital social-engineering persona No evidence found of any QuickSwap team contributor or external integrator deploying >=$1M of real capital to build credibility ahead of a social-engineering attack. The Drift Protocol comparator (UNC4736's 6-month conference/in-person build-up, Solana durable-nonce pre-signing) has no analog in publicly available QuickSwap OSINT. Per process-learnings: 'Mark GRAY + note the Drift comparator as the reference pattern. Don't spend time trying to confirm absence of something that by design leaves no public trace.' Gray because of the design opacity of the attack class, not protocol opacity; requires active curator monitoring rather than one-time OSINT.
RD-F-111 green Team doxx status Both co-founders (Nick Mudge, Sameep Singhania) are real-name doxxed with extensive public trails. Multisig signers Sandeep Nailwal (Polygon co-founder) and Roc Zacharias (Lunar Digital Assets CEO) are also publicly identified. On-chain multisig signer wallets are pseudonymous but attributed to named individuals via governance blog posts. Development now led by Protofire (named firm). Overall doxx tier: real-name principals with pseudonymous operational signer wallets.
RD-F-112 green Team public accountability surface High public accountability surface: Mudge has EIP-2535 standard authorship, conference talks, GitHub presence, LinkedIn. Singhania has multiple podcast episodes, media interviews, and LinkedIn. Nailwal is Polygon co-founder with extensive media presence. Zacharias has LinkedIn, conference speaker profiles. Protofire is a named Web3 firm with 201+ client projects. Gap: Protofire individual engineers are not named publicly.
RD-F-113 green Team other-protocol involvement history Mudge: EIP-2535 author, mokens.io, ERC1538/ERC998 - clean track record. Singhania: Ginete Technologies co-founder - no rug history. Nailwal: Polygon co-founder - no negative history found. Zacharias: Lunar Digital Assets CEO, incubated QuickSwap and other Polygon ecosystem projects - no rug or fraud association found. Protofire: established Web3 dev firm working with Ethereum Foundation, Chainlink, Gnosis. No team member linked to prior rug or failed project.
RD-F-114 green Deployer address prior on-chain history Deployer 0x476307DaC3FD170166e007FCaA14F0A129721463 is labeled 'QuickSwap: Deployer' and 'Contract Deployer' on Polygonscan. 22,361 transactions; holds 97,200 QUICK tokens. Set as _feeToSetter in QuickSwap Factory and _vaultAddress in AlgebraFactory (per profile). No prior rug-associated label. Historical activity consistent with protocol deployment and management. No hacksdatabase entries for this address.
RD-F-115 green Prior rug/exit-scam affiliation Targeted search 'QuickSwap exit scam rug pull fraud team' returned only generic educational content - no QuickSwap-specific rug results. No team member linked to a prior rug via OSINT. Hacksdatabase search (per profile): 0 QuickSwap DEX entries. Rekt leaderboard: 0 entries per data cache.
RD-F-117 green ENS/NameStone identity bound to deployer Nick Mudge's ENS 'nick.mudge.eth' is referenced in Polygonscan creation info for the admin multisig contract (per profile §11: 'The contract was originally deployed via nick.mudge.eth per Polygonscan creation info'). The deployer EOA is labeled 'QuickSwap: Deployer' on Polygonscan. ENS-linked identity provides a verifiable on-chain anchor to a public figure with deep accountability trail (EIP-2535 authorship, conference presence, LinkedIn).
RD-F-118 green Handle reuse across failed/rugged projects No evidence of social handle reuse across failed or rugged projects for any identified team member. Mudge (@mudgen on Twitter/X, GitHub) is consistently and exclusively associated with EIP-2535 and QuickSwap across all platforms. Singhania (@sameepsi) is consistently associated with Ginete Technologies and QuickSwap. Nailwal and Zacharias have clean, well-established and stable identities across platforms.
RD-F-120 green Video-off/voice-consistency flag Multiple video interviews confirmed for named team members. Sameep Singhania: YouTube ('Sameep Singhania - Co-Founder Of Quickswap - Decentralization and Crypto For Businesses'), Spotify/BlockHash podcast. Nick Mudge: YouTube ('Peep an EIP #7: EIP-2535: Diamond Standard with Nick Mudge'). No curator observation of voice/video inconsistency, declined video pattern, or timezone-inconsistent claims across the reviewed content.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0x476307DaC3FD170166e007FCaA14F0A129721463 was funded by 0xb36cDD7c974c48b5c7797d4f9a74bd80773977FF approximately 5 years and 232 days before assessment, i.e. in late September 2020, roughly two weeks before the 2020-10-09 Factory deploy and therefore inside the 30-day pre-deploy window that F124 examines. The funding wallet has 37,477 transactions, shows ordinary QUICK/WPOL DeFi activity, and carries no Tornado Cash, Railgun, or other mixer label on Polygonscan. The factor clears because the in-window funding source is a conventional wallet, not a mixer.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus OSINT search 'QuickSwap Sameep Singhania DPRK Lazarus North Korea' returned zero relevant results - only generic DPRK sanctions content with no QuickSwap connection. All four admin signer wallets reviewed on Polygonscan show normal DeFi activity with no OFAC-sanctioned counterparties visible at 1-hop. OFAC SDN list: no QuickSwap address found. No Chainalysis public advisory flags any QuickSwap address. No Lazarus cluster proximity found in available public data. U4 instruction applied: attacker-using-QuickSwap-as-drain-venue does NOT flag F125.
Fork / dependency lineage Green 3 10 of 10
RD-F-131 yellow Fork retains upstream audit coverage V2: retains FULL Uniswap V2 audit coverage (ABDK FV) with zero divergence. Additionally covered by ContractSecurity.io (2021, periphery+QUICK token). V3 Algebra core: independent multi-firm audit coverage (C4, Hacken, ABDK, Hexens). V3 periphery (SwapRouter proxy, NonfungiblePositionManager proxy): NO publicly accessible audit coverage found. The un-audited V3 periphery at $451M TVL is the material gap. Scored yellow: V2 and V3 core are well-covered; V3 periphery is the uncovered gap.
RD-F-126 green Is-a-fork-of Dual codebase: V2 = explicit line-for-line Uniswap V2 fork (README: 'not even a single line of code has been changed'; Polygonscan contract name 'UniswapV2Factory'; package.json name '@uniswap/v2-core' v1.0.1). V3 = built on Algebra protocol (independently-licensed CL AMM, NOT a Uniswap V3 fork). Both upstreams clearly identified and documented. Fork declaration is unambiguous for V2; V3 dependency (Algebra) explicitly licensed and announced.
RD-F-127 green Upstream patch not merged V2: Uniswap V2 core is also immutable (no post-deploy patches); no upstream security patch to miss. QuickSwap V2 core frozen at Dec 2022 (last commit). V3/Algebra: Algebra has released Algebra Integral (newer architecture) with additional audits (MixBytes, Bailsec, Paladin). The QuickSwap Polygon V3 appears to run Algebra V1. No documented critical security patch to Algebra V1 core found that QuickSwap has failed to apply. Algebra Integral updates appear to be new-version features, not backports of V1 security fixes. Scored green with medium confidence — no confirmed critical patch missed, but the Algebra V1 vs Integral version relationship is not exhaustively documented.
RD-F-128 green Upstream vulnerability disclosure (last 90d) No public vulnerability disclosure found for Uniswap V2 core or Algebra V1 in the 90 days prior to assessment (Feb-May 2026). Uniswap V2 is a mature protocol with no recent disclosures. Algebra Integral advisories cover newer architecture not the V1 deployed on QuickSwap. No GitHub Security Advisory in QuickSwap/quickswap-core or code-423n4/2022-09-quickswap repos.
RD-F-129 green Code divergence from upstream (%) V2: ~0% divergence from Uniswap V2 core — confirmed by (a) contract name 'UniswapV2Factory' on Polygonscan, (b) package.json name '@uniswap/v2-core' v1.0.1, (c) solc 0.5.16 with 999,999 optimizer runs matching Uniswap V2 original settings, (d) 'exact match' bytecode verification on Polygonscan. V3/Algebra: Not a Uniswap V3 fork — independently designed CL AMM. The V3 'divergence' question is moot; Algebra is the upstream, not a fork of anything else.
RD-F-130 green Fork depth (generations from original audit) V2: depth = 0 — direct fork of Uniswap V2 which was formally verified by ABDK (Jan-Apr 2020). Audit heritage fully inherited for the zero-divergence fork. V3/Algebra: not applicable in the traditional fork-depth sense — Algebra is an independently designed protocol, not a Uniswap V3 fork (depth concept doesn't apply). Algebra itself has direct audit coverage (C4, Hacken, ABDK, Hexens), equivalent to depth-0 for its own codebase.
RD-F-132 green Fork has different economic parameters than upstream V2: parameters (0.3% fee, k-invariant constant-product) identical to Uniswap V2 — no parameter delta from audited upstream. V3/Algebra: Algebra is not a Uniswap V3 fork — the dynamic-fee adaptive model is Algebra-original and was audited as such. Not a 'parameter deviation from audited defaults' scenario.
RD-F-133 green Dependency manifest uses unpinned versions V2 (quickswap-core): package.json has `dotenv` (^8.2.0) and `truffle-hdwallet-provider` (^1.0.17) as deps but these are deployment tooling only — no OZ or Solady Solidity library imports (V2 core is self-contained Uniswap V2 style). V3 Algebra (cryptoalgebra/Algebra): uses Hardhat monorepo. Deployed V3 contracts are immutable — dependency pinning at deploy time cannot be changed. For the immutable deployed bytecode, unpinned dependencies are only a build-time concern, not a live risk. No finding of unpinned OZ/Solady for security-critical deployed contracts.
RD-F-134 green Dependency had malicious-release incident (last 90d) No npm/PyPI/crates.io malicious-release advisory affecting QuickSwap's dependencies found for Feb-May 2026. V2 deps (dotenv, truffle) have no known malicious-release in that window. V3 Algebra npm/Hardhat ecosystem: no confirmed malicious-release advisory in the 90-day window.
RD-F-135 green Shared-library version with known-vuln status V2: solc 0.5.16 known bugs — 7 bugs, all LOW or VERY LOW severity. UniswapV2Factory/Pair does not use experimental ABIEncoderV2 or signed storage arrays, so the most relevant bugs (SignedArrayStorageCopy, ABIEncoderV2LoopYulOptimizer) are not triggered by this contract pattern. V3: solc 0.7.6 known bugs — 7 bugs, all LOW or VERY LOW severity. MemoryArrayCreationOverflow (LOW) and privateCanBeOverridden (LOW) are the highest-severity bugs for 0.7.6; neither is a HIGH/CRITICAL advisory for AMM contract patterns. No OZ/Solady version with active HIGH/CRITICAL CVE identified.
Post-deploy hygiene & change mgmt Yellow 27 13 of 13
RD-F-139 red Post-audit code changes without re-audit Code4rena Sep 26-Oct 1 2022 audit found 1 HIGH + 12 MEDIUM in V3/Algebra periphery. V3 launched Oct 7 2022 (6 days after audit end). H-01 (malicious liquidity provision to reset cooldown) was confirmed by sponsors with recommendation only — no confirmed pre-launch fix. 12 MEDIUM findings acknowledged but remediation status at deploy time is not publicly verifiable. A senior developer resigned in Oct 2022 citing the team's refusal to conduct a comprehensive front-end security audit. New Base chain deployment (Aug 2025) lacks a confirmed dedicated security review. QuickSwap-voting aggregator contracts deployed with no identified audit.
RD-F-136 yellow Deployed bytecode matches signed release tag V2 core GitHub repo (QuickSwap/quickswap-core) last commit 2022-12-27 — consistent with the claimed zero-change Uniswap v2 fork and immutable deployed bytecode. V3/Algebra: no signed release-tag SHA mapped to deployed bytecode found in public evidence. Partial assessment — V2 plausibly matches but V3 unverified.
RD-F-140 yellow Fix-merged-but-not-deployed gap H-01 fix status pre-launch is unclear — sponsor acknowledged but no verifiable on-chain evidence of fix merged and deployed before Oct 7 2022 launch. V2 core is frozen (last commit Dec 2022). No other known fix-merged-but-not-deployed gap identified beyond H-01 ambiguity.
RD-F-141 yellow Test-mode parameters in deploy V2 Factory deployed with feeToSetter = deployer EOA — this deploy-time configuration was never transferred to the multisig (persists to this day). Not a test-mode parameter per se, but represents incomplete post-deploy hardening. V3 factory deployer ownership was partially transferred June 2025 but recipient of one transfer is unresolvable.
RD-F-145 yellow Deployed bytecode reproducibility V2 core: claimed zero-change Uniswap v2 fork reproducible from Uniswap v2 audited source. V3/Algebra: Code4rena contest repo provides audited source but no verified correspondence to deployed bytecode via a documented build config. No public reproducible build artifact found. Truffle used for V2 (package.json present, no Foundry), reducing build reproducibility confidence.
RD-F-146 yellow New contract deploys in last 30 days Base chain deployment confirmed August 2025 per search results (V2+V4 factories newly deployed). QuickSwap-voting aggregator (Hardhat project) appears to have been deployed/updated for multi-chain support. Multiple new chain deployments ongoing per governance proposals (Algebra V4 expansion). Fresh attack surface from Base and other recent chain deployments without confirmed audit coverage.
RD-F-142 n/a Storage-layout collision risk across upgrades Not applicable by construction. V2 core (Uniswap v2 fork) and V3/Algebra core are immutable contracts deployed without proxy upgrade patterns. Storage layout collision risk requires upgradeable proxy architecture — not present here.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) Not applicable by construction. V2 (Uniswap v2 fork) and V3/Algebra core are immutable non-proxy contracts. No Initializable inheritance exists in these contracts. _disableInitializers() is irrelevant for non-proxy immutable contracts. The AlgebraFactory uses a constructor (not initialize()) and has no proxy pattern.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant QuickSwap is a DEX, not a bridge. No protocol-operated cross-chain bridge exists. No bridge rate-limiter applicable. F185 (bridge rate-limiter/chain-pause as positive mitigant) is structurally not applicable to a DEX architecture. has_bridge_surface=false, is_a_bridge=false per profile.
RD-F-137 green Upgrade frequency (per 90 days) V2 core and V3/Algebra core are immutable contracts with zero proxy upgrade events in any 90-day window by construction. No Upgraded events exist on Polygonscan for core contracts. New chain deployments (Base Aug 2025) are fresh deploys, not upgrades of existing contracts.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No hot-patch deploys to core contracts in last 30 days. Immutable V2 and V3/Algebra architecture prevents in-place hot-patching. No timelock bypass events found because no timelock exists and no upgrade pattern exists for immutable contracts.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory permitting redeploy to same address identified in QuickSwap core architecture. Standard factory deployment patterns used in V2 and V3. No evidence of CREATE2 redeployment risk.
RD-F-168 green Stale-approval exposure on deprecated router Router01 is deprecated per QuickSwap docs but is stateless (holds no user funds by design). Stateless routers cannot drain user funds without explicit user approval and initiation. Old QUICK token has a stale approval surface from the TokenSwap converter but TVL is minimal. No material stale-approval risk from deprecated QuickSwap contracts.
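RD-F-136 and RD-F-145 above both reduce to one practitioner check: does the runtime bytecode deployed on Polygon correspond to the audited source built with the documented compiler settings? The script below is an added example, not QuickSwap's or Algebra's tooling. It assumes you already hold the locally compiled runtime bytecode and the eth_getCode result for the deployed address (both passed in as hex strings; no RPC call is made here), and the sample bytecode it runs on is constructed inline. It strips solc's CBOR metadata trailer before comparing, because that trailer embeds a hash of the source files and so differs whenever a comment, file path or metadata setting differs even when the compiled logic is identical; an exact match with the trailer included is the stronger result and is what an explorer's verification reports.

```python
"""Compare locally compiled runtime bytecode with the code actually deployed.

Added example; the sample bytecode below is constructed, not taken from any
QuickSwap or Algebra contract. 'onchain' stands in for the eth_getCode result
you would fetch from a Polygon RPC node (no network access here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    exact: bool         # byte-for-byte identical, metadata trailer included
    logic_match: bool   # identical once solc's CBOR metadata trailer is removed
    local_len: int
    onchain_len: int


def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Split runtime bytecode into (body, metadata trailer).

    solc appends a CBOR map (ipfs/bzzr0 source hash, compiler version, ...)
    followed by a 2-byte big-endian length of that map. If the final bytes do
    not look like such a trailer, the whole input is treated as body.
    """
    if len(code) < 2:
        return code, b""
    n = int.from_bytes(code[-2:], "big")
    start = len(code) - n - 2
    # solc's trailer is a CBOR map with one to three entries (0xa1..0xa3)
    if n == 0 or start < 0 or code[start] not in (0xA1, 0xA2, 0xA3):
        return code, b""
    return code[:start], code[start:]


def _to_bytes(hex_code: str) -> bytes:
    return bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)


def compare_runtime(local_hex: str, onchain_hex: str) -> Verdict:
    """Compare compiled vs deployed runtime code, with and without metadata."""
    local, onchain = _to_bytes(local_hex), _to_bytes(onchain_hex)
    return Verdict(
        exact=local == onchain,
        logic_match=split_metadata(local)[0] == split_metadata(onchain)[0],
        local_len=len(local),
        onchain_len=len(onchain),
    )


# --- constructed sample data -------------------------------------------------

def constructed_trailer(ipfs_digest: bytes, solc_ver: bytes = b"\x00\x07\x06") -> bytes:
    """Build a trailer in solc's layout: {"ipfs": <34-byte multihash>, "solc": <3 bytes>}.

    Constructed for this example; the digest is whatever the caller passes in.
    """
    cbor = (
        b"\xa2"                                             # CBOR map, 2 entries
        + b"\x64ipfs" + b"\x58\x22\x12\x20" + ipfs_digest   # sha2-256 multihash
        + b"\x64solc" + b"\x43" + solc_ver                  # compiler version bytes
    )
    return cbor + len(cbor).to_bytes(2, "big")


BODY = bytes.fromhex("6080604052348015600f57600080fd5b50")          # constructed stub
LOCAL = BODY + constructed_trailer(b"\x11" * 32)
ONCHAIN_SAME_LOGIC = BODY + constructed_trailer(b"\x22" * 32)       # only the source hash differs
ONCHAIN_DIFFERENT = BODY[:-1] + b"\x00" + constructed_trailer(b"\x22" * 32)


def demo() -> dict:
    return {
        "same_logic": compare_runtime(LOCAL.hex(), ONCHAIN_SAME_LOGIC.hex()),
        "identical": compare_runtime("0x" + LOCAL.hex(), LOCAL.hex()),
        "different": compare_runtime(LOCAL.hex(), ONCHAIN_DIFFERENT.hex()),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name}: exact={v.exact} logic_match={v.logic_match}")
```

Two caveats when applying this to the contracts in scope: a `logic_match` without an `exact` match means the deployed code was built from source that differs at least in metadata, so the audited commit and build config still need to be pinned down before claiming reproducibility; and contracts compiled with solc 0.6.5 or later that declare `immutable` variables (relevant to the 0.7.6 Algebra code, not the 0.5.16 V2 core) have those values patched into the runtime code at deployment, so a strict body comparison will show differences at exactly those offsets and needs the immutable reference positions from the compiler output to reconcile.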
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface QuickSwap does not operate a bridge. Multi-chain presence is via independent native deployments on each chain (Polygon, Base, Immutable zkEVM, Manta, Soneium, etc.) with no protocol-operated canonical bridge. Profile flags has_bridge_surface: false, is_a_bridge: false. Data cache layerzero.present: false, layerzero_bridge: false.
RD-F-148 n/a Bridge validator count (M) No bridge, no validator set to count. Multi-chain via independent per-chain deployments.
RD-F-149 n/a Bridge validator threshold (k-of-M) No bridge, no threshold to assess.
RD-F-150 n/a Bridge validator co-hosting No bridge, no validators to co-host.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) No bridge signature verification path exists. ecrecover check is not applicable to a protocol with no bridge surface.
RD-F-152 n/a Bridge binds message to srcChainId No cross-chain message passing. srcChainId binding not applicable.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No bridge replay protection needed — no bridge exists.
RD-F-154 n/a Default bytes32(0) acceptable as valid root No Merkle root / bridge inbox. Nomad default-value root acceptance pattern is not applicable to a protocol with no bridge surface.
RD-F-155 n/a Bridge validator-set rotation recency No validator set to rotate.
RD-F-156 n/a Bridge uses same key custody for >30% validators No validators.
RD-F-157 n/a Bridge TVL per validator ratio No bridge TVL or validators.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) LayerZero not present. Data cache layerzero.present: false, dvn_addresses: [], dvn_threshold: null, layerzero_bridge: false. QuickSwap does not use LayerZero OFT for multi-chain token routing; each chain has independent token deployments.
Threat intelligence & recon Green 11 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Official domain: quickswap.exchange (registered 2020-09-21, Cloudflare registrar). Assessment date: 2026-05-16. 90-day window: 2026-02-15 to 2026-05-16. Known active phishing domain: quickswap-exchange.com — registered January 10, 2025 (491 days before assessment, outside 90-day window). ScamAdviser trust score: 0/100 (Very Likely Unsafe). Flagged by: Gridinsoft (malware), DNSFilter (threat), iQ Abuse Scan (spam). Uses gmail contact (paparok341@gmail.com). Registrar has high fraud-site percentage. Active phishing infrastructure confirmed targeting QuickSwap users. Per strict 90-day threshold: domain registration outside window, so green per threshold; however active phishing domain is confirmed and elevated posture is appropriate. Score yellow: active phishing domain confirmed (outside 90-day registration window but still active threat), persistent typosquat risk for a recognized Polygon brand, WHOIS monitoring gap for 90-day window (pipeline gap flagged).
RD-F-159 n/a Attacker wallet pre-strike probe (low-gas failing txs) Requires live mempool monitoring and threat-actor cluster list to detect low-gas failing probe transactions. T-09 v1.x deferred. No static evidence of probe-tx pattern targeting QuickSwap.
RD-F-162 n/a Known-exploit-template selector deployed by any address Requires on-chain new-deploy sweep with exploit-template selector DB. T-09 v2 deferred. No public reporting of exploit-template contract deployment targeting QuickSwap V2 or V3 in trailing 90 days.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Class-level reconnaissance-time statistic for AMM DEX protocols. USPD 78-day recon pattern applies broadly. QuickSwap-specific: May 2022 DNS hijack involved social engineering of registrar (not on-chain wallet recon). On-chain recon timelines for AMM DEX exploits vary by attack type: flash-loan arb (minutes to hours), supply-chain compromise (weeks to months). Specific peer-class DEX recon-time data requires hack DB curator synthesis — cannot be meaningfully derived from static OSINT alone.
RD-F-164 n/a Leaked credential on paste/sentry site Requires paste-site feed subscription (Pastebin, GitHub Gist, Sentry-alt, credential dumps). M-only OSINT. No evidence of QuickSwap infra credential leak in OSINT pass. GoDaddy 2022 hijack was social engineering (no credential dump). No current paste-site alert for quickswap.exchange keys or API endpoints found.
RD-F-165 n/a Protocol social channel has scam-coordinator flag Requires curator social watchlist covering Discord/Telegram channel admins flagged as scam coordinators. QuickSwap Discord and Telegram URLs not confirmed at profile time. No public report of QuickSwap social channel admin flagged as scam coordinator in OSINT pass.
RD-F-158 green Known-threat-actor cluster has touched protocol No Lazarus/DPRK-labeled wallet interaction with QuickSwap core DEX contracts (Factory 0x5757..., Router 0xa5E0..., Algebra core 0x411b0fAcC3...) found in OSINT pass (May 2026). Bybit Feb 2025 Lazarus laundering ($1.5B) specifically named OKX DEX aggregator; QuickSwap not named. Oct 2022 lending exploit attacker moved proceeds via Tornado Cash — but (a) this was post-exploit laundering, not pre-strike recon, (b) the lending product is permanently closed, and (c) the attacker is not a known DPRK cluster per public attribution. Advisory-only tier (T-09 tier-C) regardless; signal never flips grade solo.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps QuickSwap V2 core repo (github.com/QuickSwap/quickswap-core) last commit 2022-12-27 — frozen dependency surface. Uniswap v2 vintage npm packages are stable and not subject to active malicious-release campaigns. No GitHub security advisory for npm packages in QuickSwap's V2 dependency tree found in trailing 90 days (Feb-May 2026). V3 periphery npm deps not fully assessed but no public advisory found.
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) V2 core contracts: solc 0.5.16 — on known-bug list with 7 bugs (SignedArrayStorageCopy LOW, ABIEncoderV2LoopYulOptimizer LOW, 5 others LOW/VERY LOW). UniswapV2Factory/Pair do NOT use experimental ABIEncoderV2 or signed-int storage arrays so the most relevant bugs are not triggered. V3 core/periphery: solc 0.7.6 — on known-bug list with 7 bugs (FreeFunctionRedefinition LOW, MemoryArrayCreationOverflow LOW, 5 VERY LOW). No HIGH/CRITICAL bugs on known-bug list for either version relevant to these contract types. Both versions are on the known-bug list (methodology: yellow = on list with low/medium severity bugs only). Scored yellow per methodology threshold.
RD-F-174 yellow Dependency tree uses EOL Solidity version solc 0.5.16 (V2) and solc 0.7.6 (V3) are both EOL/unsupported Solidity versions (current mainline is 0.8.x series). However: (1) both versions have no HIGH/CRITICAL known bugs for these contract patterns, (2) the deployed contracts are fully immutable and cannot be recompiled, (3) V2 has run without incident for ~67 months on these EOL versions. The EOL risk is theoretical for already-deployed immutable bytecode — no forward-compatibility concern exists for immutable contracts. Scored yellow per methodology (on EOL version) but risk is significantly mitigated by immutability.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation V2: ~100% similarity to Uniswap V2 audited code with ZERO behavioral deviation — zero-divergence confirmed (same contract name, same package version, same compiler settings, Polygonscan exact match). No AI-copy risk. V3/Algebra: independently designed CL AMM (not a Uniswap V3 bytecode copy). Shares interface patterns (tick-based, sqrtPrice) but is architecturally distinct in DataStorage, AdaptiveFee, and volatility modules. No high-similarity + behavior-deviation pattern.
RD-F-172 green Repo shows AI-tool co-authorship in critical files QuickSwap-core repo effectively frozen since Dec 2022 — no commits in 2023-2026 period when GitHub Copilot co-authorship trailers became widespread. No AI tool co-authorship metadata identified in examined commit history. Algebra repo uses Hardhat + TypeScript toolchain; no AI co-authored-by trailers found. The pre-2023 frozen state of V2 core predates widespread AI code generation adoption.
RD-F-173 green Team self-disclosure of AI-generated Solidity No team disclosure of AI-generated Solidity in production contracts found across QuickSwap blog, Algebra Medium blog, audit controversy coverage, Hexagate governance proposal. The Aug 2022 Algebra audit blog and V3 launch communications discuss traditional security audits, not AI-generated code. No disclosure identified.
Response & disclosure hygiene Yellow 33 4 of 4
RD-F-176 red Disclosure SLA public No published acknowledgment-time SLA found anywhere in QuickSwap's documentation, GitHub, or bug bounty program descriptions. The Google Forms-based programs contained no stated response timeline. No 'we will respond within X hours/days' commitment exists in any publicly accessible channel. Red: no public disclosure SLA.
RD-F-175 yellow Disclosure channel exists Two historical bug bounty programs identified: (1) V3 Beta up to $100K in New QUICK via Google Forms (launched October 2022, duration: beta to mainnet); (2) New UI Alpha up to $50K via Google Forms. Neither is hosted on Immunefi, Cantina, or Sherlock. Both appear time-limited rather than permanent. No currently-active program confirmed (data cache bug_bounty.platform: null, url: null). No SECURITY.md in GitHub repo (cache security_md_present: false). No security@ email or designated SIRT contact found in docs. DeFiSafety references '$50K static bug bounty' likely referring to the historical UI program. Yellow: informal disclosure channels exist historically but no persistent, standard industry-channel program is currently active.
RD-F-177 green Prior known-ignored disclosure No evidence found of a disclosed vulnerability that was reported to QuickSwap and ignored before an exploit. The October 2022 Lend incident: PeckShield reportedly identified the oracle vulnerability on October 11, two weeks before the October 24 exploit. However, no credible source states this constituted a formal responsible disclosure to the QuickSwap or Market.xyz team that was ignored — PeckShield's October 11 note appears to be an external analyst observation, not a formal disclosure. No post-mortem or third-party report asserts ignored disclosure. Scored green per grounding discipline; curator should verify the October 11 PeckShield note specifics.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found for QuickSwap protocol contracts. Web searches for QuickSwap CVE and GHSA returned no relevant results. The October 2022 Lend incident was not assigned a formal CVE. Green: no formal public advisory issued against the protocol.
rubric_version v1.7.0 graded_at 2026-05-16 12:18:21 factors 184 protocol quickswap