defirisk.co
rubric v1.7.0

Admin has mint() with unlimited max

Stake DAO's assessment for RD-F-042 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] SDT token (0x73968b9a57c6E53d41345FD57a6E6ae27d6CDB2F) has mint(address _to, uint256 _amount) with no hard cap enforced in contract code. No cap(), MAX_SUPPLY, or maxSupply() function in ABI. Docs claim 100M FDS but not enforced on-chain. Current totalSupply ~69.6M SDT. Mint is owner-only (Ownable). Owner identity unconfirmed — may be deployer EOA or governance multisig. No timelock confirmed on the mint path.

Sources

  • Docs
    SDT Token Documentation. Docs claim 100M FDS hard cap: 'There SDT has a total fully diluted supply of 100,000,000 SDT' — advisory only, not enforced on-chain. Retrieved 2026-05-16.
  • Etherscan
    SDT Token Contract — Etherscan. SDT token ABI: mint(address,uint256) with no cap check; no cap() or maxSupply() function; Ownable pattern. Retrieved 2026-05-16.

Methodology

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.
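A first-pass version of this check can be run against a contract ABI. The sketch below is an added example, not defirisk.co's or Stake DAO's tooling. It assumes the getter names listed in the evidence summary (`cap`, `MAX_SUPPLY`, `maxSupply`) and uses constructed ABI fragments. The function name `assess_mint_surface` and the verdict strings are hypothetical.

```python
import json

CAP_GETTERS = {"cap", "MAX_SUPPLY", "maxSupply"}  # names the evidence summary looks for

def _is_view(fn):
    # Older compilers emit "constant": true instead of stateMutability.
    return fn.get("stateMutability") in ("view", "pure") or fn.get("constant") is True

def _types(params):
    return [p["type"] for p in params or []]

def assess_mint_surface(abi_json):
    """First-pass ABI triage for an admin mint with no visible supply cap."""
    funcs = [e for e in json.loads(abi_json) if e.get("type") == "function"]
    mints = [f for f in funcs
             if f["name"] == "mint" and not _is_view(f)
             and _types(f.get("inputs")) == ["address", "uint256"]]
    caps = sorted(f["name"] for f in funcs
                  if f["name"] in CAP_GETTERS and _is_view(f)
                  and not f.get("inputs") and _types(f.get("outputs")) == ["uint256"])
    ownable = any(f["name"] == "owner" and _is_view(f) for f in funcs)
    if not mints:
        verdict = "no-mint"
    elif caps:
        verdict = "cap-getter-present"   # still confirm mint() actually checks it
    else:
        verdict = "uncapped-candidate"   # confirm in the verified source
    return {"verdict": verdict, "cap_getters": caps, "ownable": ownable}

def _fn(name, inputs=(), outputs=(), mut="nonpayable"):
    return {"type": "function", "name": name, "stateMutability": mut,
            "inputs": [{"name": "", "type": t} for t in inputs],
            "outputs": [{"name": "", "type": t} for t in outputs]}

# Constructed ABI fragments for illustration (not fetched from Etherscan).
UNCAPPED_ABI = json.dumps([
    _fn("mint", ["address", "uint256"]),
    _fn("owner", outputs=["address"], mut="view"),
    _fn("totalSupply", outputs=["uint256"], mut="view"),
    {"type": "event", "name": "Transfer", "inputs": []},
])
CAPPED_ABI = json.dumps([
    _fn("mint", ["address", "uint256"]),
    _fn("cap", outputs=["uint256"], mut="view"),
    _fn("owner", outputs=["address"], mut="view"),
])

if __name__ == "__main__":
    print(assess_mint_surface(UNCAPPED_ABI))
    print(assess_mint_surface(CAPPED_ABI))
```

The ABI only shows the external surface: a cap can be enforced inside `mint` without a public getter, and a getter can exist without being checked, so either verdict still needs the verified source read before scoring.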


rubric_version: v1.7.0
protocol: stake-dao
factor: RD-F-042
score: red
collected_at: 2026-05-16 12:29:20