Superstate · DeFi Risk

DeploymentsEthereum · $1.0B

Risk profile at a glance

1 red · 4 yellow · 6 green

Categories & evidence

184 factors · 13 categories

Code & audits Yellow 28 25 of 25

RD-F-007 red Bug bounty presence & max payout No Immunefi bug bounty program exists (404 on immunefi.com/bug-bounty/superstate). The Superstate security disclosure policy at docs.superstate.com explicitly states: 'Researchers should not expect compensation for discovering vulnerabilities.' No formal max-payout cap, no bounty scope published. Responsible disclosure only via security@superstate.co with no SLA. RD-F-009 red Formal verification coverage No evidence of Certora Prover, Halmos, Kani, or any formal verification tool applied to Superstate's EVM contracts. No .spec files or FV configuration found in the ustb GitHub repo tree. Docs reference only the 0xMacro audit series with no FV tooling mention. Per RWA regime (PD-042): formal verification of trust-mediated logic may be not_applicable for RWA issuers, but given the on-chain EVM surface ($1B TVS) formal verification would add meaningful assurance. Scored red on merits (0% critical invariant coverage). RD-F-001 yellow Audit scope mismatch Ten 0xMacro engagements cover core EVM contracts. Current deployed USTB implementation is SuperstateTokenV5_1 at 0x1f50a1EE0ec8275d0c83b7bb08896b4b47D6E8C4 (solc 0.8.28, 1M optimizer runs). Repo HEAD commit 78e8ca22 (2025-04-14) matches audit-6 final commit, suggesting alignment, but bytecode-to-commit match cannot be independently verified via eth_getCode + solc reproduction without a programmatic run. Single-firm coverage (all 0xMacro) reduces confidence. The profile listed a different impl address (0x5419d3FA...) — a post-profiling upgrade has occurred. RD-F-002 yellow Audit recency Most recent audit covering core EVM SuperstateToken.sol is superstate-6, published 2025-04-15 (396 days before assessment date 2026-05-16). This falls in the 366-730 day yellow window. Superstate-9 (AllowListV3, pub 2025-07-31, 289 days) and superstate-10 (Dip.sol/EquityToken, pub 2025-11-11) are more recent but cover adjacent products, not the primary USTB/USCC token. RD-F-004 yellow Audit count All ten audits are by a single firm: 0xMacro. No second audit firm has independently reviewed the deployed EVM contracts. ChainSecurity reviewed Compound's SUPTB integration (Compound-side, not Superstate-side). Factor threshold: green requires 2+ distinct firms; yellow = 1 firm. RD-F-005 yellow Audit firm tier 0xMacro is a Tier-2 firm (established, named firm with public track record). No Tier-1 firm (Trail of Bits, OpenZeppelin, ConsenSys Diligence, Certora, Sigma Prime, Spearbit, Zellic) has audited Superstate's own smart contracts. Per RWA calibration peer spiko, which had Trail of Bits (Tier-1) for its EVM audit, Superstate is below peer norm on firm tier. RD-F-024 yellow Code complexity vs audit coverage Audit-6 reviewed 5 contracts over 2 days (Apr 14-15), audit-4 reviewed 5 contracts over 4 days (Nov 12-15) and found 2H+1M. The codebase has grown to v5.1 with multiple versioned contract files. Short-duration single-firm engagements on a growing protocol represent borderline coverage. For a relatively simple ERC-20 allowlisted token (not a complex AMM or lending engine) the ratio is acceptable but not best-in-class. RD-F-010 gray Static-analyzer high-severity count No published Slither/Mythril/Semgrep analysis available. Source is verified on Etherscan (SuperstateTokenV5_1 exact match). Programmatic tool run not executed. Requires tool run for definitive answer. RD-F-011 gray SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT analysis available from published sources. Contract source visible on Etherscan. Slither suicidal detector run required. ERC-20 token pattern with no apparent self-destruct path from source review, but tool confirmation needed. RD-F-012 gray delegatecall with user-controlled target No delegatecall with user-controlled target found in source review of SuperstateToken.sol. Proxy pattern uses TransparentUpgradeableProxy with fixed impl address. Slither controlled-delegatecall detector needed for definitive confirmation. RD-F-013 gray Arbitrary call with user-controlled target No arbitrary call with user-controlled target found in source review. Token protocol pattern with no generic external-call logic. Slither arbitrary-send-eth and controlled-delegatecall detectors needed for definitive answer. RD-F-014 gray Reentrancy guard on external-calling functions Reentrancy guard presence requires Slither reentrancy-eth and reentrancy-no-eth detector runs. Audit-3 included MorphoLiquidationV1.sol (potential reentrancy surface) - all medium findings addressed. No programmatic analysis available. RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard SuperstateToken.sol is a custom ERC-20 token without ERC-777, ERC-1155, or ERC-721 integration. No callback hooks from these standards are used. Factor N/A by protocol design. RD-F-016 gray Divide-before-multiply pattern Divide-before-multiply requires Slither programmatic run. Audit-3 M-1 flagged oracle arithmetic issue (underflow assuming prices only increase) - addressed. That is a related but distinct pattern. Tool run needed. RD-F-017 gray Mixed-decimals math without explicit scaling USTB/USCC are single-token protocols (6 decimals each, USDC-equivalent). No cross-decimal mixed-asset arithmetic is apparent from the ERC-20 token design. NAV pricing handled through oracle feeds. Tool and source review needed for confirmation. RD-F-018 gray Signed/unsigned arithmetic confusion Signed/unsigned arithmetic confusion requires Slither + symbolic execution. No signed/unsigned findings in any of the 10 0xMacro audits (weak positive signal). Tool run needed for definitive answer. RD-F-019 gray ecrecover zero-address return unchecked Audit-2 M-1 flagged permit() EIP-2612 compliance issue (addressed in final commit). No ecrecover zero-address check finding identified. Slither ecrecover-malleable detector needed for definitive confirmation. RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned SuperstateToken uses TransparentUpgradeableProxy pattern (EIP-1967), not UUPS. Upgrade authority is held by the ProxyAdmin contract. The UUPS _authorizeUpgrade pattern is not present. Factor N/A for Transparent proxy pattern. RD-F-183 gray Bug bounty scope gap on highest-TVL contracts No Immunefi bug bounty program exists for Superstate (confirmed 404). Per factor definition: gray when no bug bounty program exists (see RD-F-007). The highest-TVL contracts (USTB Proxy $1.005B on Ethereum) are entirely outside any formal bounty scope because no bounty scope exists.

RD-F-003 green Resolved-without-proof findings Audit-4 H-1 (fee not charged) and H-2 (access controls circumvented via direct _mint bypassing _mintLogic) marked addressed in final commit. Audit-7 C-1 and C-2 (Solana missing ownership validation allowing frozen-account bypass) fixed in final commit 35496aa58f9d646046f9620bc72865d4a74978cb. All medium+ findings across 10 audits show addressed status with final commit SHAs. No finding marked resolved without a verifiable commit.

RD-F-006 green Audit-to-deploy gap Audit-6 final commit 78e8ca22 dated 2025-04-14; audit published 2025-04-15. Repo HEAD matches this commit. The deployed SuperstateTokenV5_1 at 0x1f50a1EE... uses solc 0.8.28 consistent with the current codebase compilation. Deploy gap appears to be days, well within the 60-day green threshold. Exact deploy date of the new implementation not independently confirmed but evidence is strongly consistent.

RD-F-008 green Ignored bounty disclosure No prior incidents in hacksdatabase or Rekt leaderboard for Superstate (data-cache rekt.incidents=[]). No post-mortems exist. No evidence of any disclosed vulnerability being ignored before an exploit. Protocol has operated for 27 months (USTB since Feb 2024) with zero security incidents.

RD-F-020 green EIP-712 domain separator missing chainId SuperstateToken.sol uses ERC-712 via OpenZeppelin EIP712Upgradeable base (OZ v4.9.3 pinned at commit 3d4c0d57). OZ v4.9.3 EIP712Upgradeable correctly includes chainId in the domain separator by default. Audit-2 M-1 (permit compliance) was addressed. No cross-chain replay vulnerability identified in the permit design.

RD-F-022 green Public initialize() without initializer modifier initialize(string _name, string _symbol) carries the public initializer modifier. initializeV2() carries reinitializer(2). initializeV3() carries reinitializer(3). Constructor calls _disableInitializers() explicitly. All OpenZeppelin initialization protection patterns are present. Confirmed from GitHub raw source.

RD-F-023 green Constructor calls _disableInitializers() Constructor body confirmed: MINIMUM_ACCEPTABLE_PRICE = 7 * (10 ** uint256(DECIMALS)); _disableInitializers(); The _disableInitializers() call prevents direct initialization of the implementation contract. Confirmed from GitHub raw source of SuperstateToken.sol.

Governance & admin Red 60 24 of 24

RD-F-025 red Admin key custody type Admin key custody type is EOA. Two operation-specific EOA addresses own separate ProxyAdmin contracts: USTB ProxyAdmin (0xb9d285DC...) owned by 0xad309BB6...; USCC ProxyAdmin (0x2Bb7B8B4...) owned by 0x8abC89D9.... Both are confirmed EOAs via Etherscan (no bytecode). Safe API returns 404 for both addresses. Docs confirm single 'Superstate Admin Address'; Turnkey named as key management provider but MPC threshold is not publicly attested. On-chain footprint is indistinguishable from a plain EOA. RD-F-026 red Upgrade multisig signer configuration (M/N) No multisig identified for upgrade authority. Both upgrader addresses (0xad309BB6... for USTB, 0x8abC89D9... for USCC) are plain EOAs confirmed via Etherscan. Safe API returns 404 for both. Effective M/N = 1/1 for each upgrade pathway. Parent funding contract 0x8C7Db8A9... has 176 transactions but is unverified on Etherscan and is not a Gnosis Safe. RD-F-027 red Single admin EOA [STAR CRITICAL] Two separate EOAs hold all upgrade authority: 0xad309BB6... (USTB ProxyAdmin owner) and 0x8abC89D9... (USCC ProxyAdmin owner). Both funded by same unverified parent contract 0x8C7Db8A9... approximately Dec 2024. Neither is a Gnosis Safe (Safe API 404 for both). Docs describe single 'Superstate Admin Address'. Turnkey claimed as key management but provides no on-chain multisig property. At $1.11B TVS, a single compromised key enables full proxy takeover in one transaction with no timelock. Hot-wallet usage pattern (hundreds of daily mint txs from same addresses). RD-F-032 red Timelock duration on upgrades No timelock contract exists for USTB or USCC proxy upgrades. All 4 USTB upgrades (Dec 2024, Feb 2025, Apr 2025, Jul 2025) and 4 USCC upgrades were executed directly by the owning EOA through the ProxyAdmin in a single transaction with zero delay between decision and execution. Data-cache governance.timelock_address = null. No TimelockController or equivalent contract found in superstateinc/ustb GitHub repo. Timelock duration = 0 hours. RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action. Functions mint(), adminBurn(), pause(), setOracle(), setRedemptionContract(), and upgrade() all execute immediately upon owner call. SuperstateToken.sol source confirms no TimelockController import or modifier. Docs state admin actions are gated only by the Superstate Admin Address with no stated delay. Every privileged operation is single-tx, zero-delay. RD-F-035 red Role separation: upgrade ≠ fee ≠ oracle All privileged functions - mint, adminBurn, setOracle, setRedemptionContract, setStablecoinConfig, upgrade - are controlled by a single owner address per token (0xad309BB6... for USTB, 0x8abC89D9... for USCC). No role separation exists. Ownable2StepUpgradeable pattern is used without AccessControl multi-role. renounceOwnership() is explicitly reverted in the contract, preventing any future role removal. RD-F-040 red Emergency-veto multisig present No emergency-veto multisig exists. The only governance mechanism is the single admin EOA per token. No veto mechanism found in contracts, docs, or public governance materials. The admin can upgrade, mint, burn, and pause with zero veto capability. RD-F-042 red Admin has mint() with unlimited max [STAR CRITICAL] mint(address dst, uint256 amount) and bulkMint(address[], uint256[]) are callable by the owner EOA with no on-chain supply cap. renounceOwnership() is explicitly blocked (reverts) preventing role removal. The owner can mint an arbitrary number of tokens to any allowlisted address in a single transaction with no timelock. Business-level constraints (NAV attestation, fund AUM limits) are off-chain and not enforceable on-chain. The current live implementation SuperstateTokenV5_1 (0x1f50a1EE) preserves this pattern confirmed via Etherscan. RD-F-030 yellow Hot-wallet signer flag The upgrade EOAs (0xad309BB6... USTB, 0x8abC89D9... USCC) transact daily for bulk-mint operations: 0xad309BB6 has 1,263 transactions (most recent 6-7 hours before assessment), primarily USTB Mint calls; 0x8abC89D9 has 579 transactions (most recent ~10 hours before assessment), primarily USCC Mint calls. This high-frequency automated activity pattern is consistent with a hot wallet or automated key that is persistently online, increasing exposure to compromise relative to an air-gapped cold key. RD-F-034 yellow Guardian/pause-keeper distinct from upgrader pause() and accountingPause() are callable by owner (the upgrade EOA), not a separate guardian role. No dedicated guardian contract or distinct pause-keeper address found in repo or docs. However, SEC-regulated context provides external accountability: fund manager, BNY Mellon custodian, E&Y financial auditor. Scored yellow rather than red because the RWA corporate structure provides out-of-band accountability that partially offsets the absence of an on-chain guardian role (PD-042 RWA regime). RD-F-041 yellow Rescue/emergencyWithdraw without timelock [STAR in scope] No discrete rescue() or emergencyWithdraw() function found in SuperstateToken.sol. However, adminBurn(address src, uint256 amount) allows the owner to burn tokens from any address without timelock - a functionally analogous unilateral value-destruction capability for an RWA token. pause() halts all transfers instantly. No on-chain timelock on any of these. Scored yellow not red: (1) tokens represent off-chain fund shares with legal accountability, (2) adminBurn is legally constrained by SEC regulations, (3) no transfer() to admin (drain to self) pattern exists. RD-F-028 n/a Low-threshold multisig vs TVL No multisig exists for upgrade authority (F027 is red). F028 evaluates threshold vs TVL for protocols with a multisig; absent any multisig, the factor is not applicable. The governing critical finding is F027 (single EOA control). Per RWA-regime precedent (circle-usyc): when F027 is red due to pure-EOA control, F028 N/A avoids double-counting the same structural gap as two critical reds. RD-F-029 n/a Multisig signers co-hosted No multisig for upgrade authority; co-hosting assessment is not meaningful without a signer set. RD-F-031 gray Signer rotation recency No multisig signer set exists; 'signer rotation' is not applicable. The ProxyAdmin ownership was established in December 2024 when two new ProxyAdmin contracts were deployed with new EOAs funded from parent 0x8C7Db8A9.... Original ProxyAdmin (0xCb8d325C...) had ownership transferred from deployer in Dec 2023. EOA-based architecture makes signer rotation a non-construct. RD-F-036 n/a Flash-loanable voting weight No on-chain governance, no voting token, no governor contract. Corporate-governed RWA issuer per PD-042. No Snapshot space, no Compound-style Governor, no Aragon. RD-F-037 n/a Quorum achievable via single-entity flash loan No governance token or quorum mechanism; corporate-governed RWA issuer per PD-042. RD-F-038 n/a Proposal execution delay < 24h No governance proposals; corporate-governed RWA. No proposal mechanism exists; upgrades execute directly as admin transactions. RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain proposal execution path; corporate-governed RWA per PD-042. No governor contract, no executor contract. RD-F-045 gray Constructor args match governance proposal No governance proposals exist (corporate-governed). No on-chain proposal mechanism to cross-reference against constructor args. Factor is not applicable for corporate-governed RWA issuers without a governance voting mechanism. RD-F-047 n/a Governance token concentration (Gini) No governance token, no governance vote. Corporate-governed RWA; power concentration via governance token does not apply.

RD-F-043 green Admin = deployer EOA after 7 days Current upgrade-authority EOAs are NOT the original deployer. The original deployer (0x589254a1... labeled 'Superstate: Deployer') transferred ProxyAdmin ownership to parent contract 0x8C7Db8A9... on Dec 6, 2023. New ProxyAdmin contracts were deployed Dec 2024 with distinct EOAs (0xad309BB6... for USTB, 0x8abC89D9... for USCC). F043 bright-line (deployer still holds admin after 7d from deploy) does not apply to any current contract. No rug correlation pattern.

RD-F-044 green Admin wallet interacts with flagged addresses No mixer-funded, DPRK-labeled, or OFAC-linked transactions found in the admin EOA funding chain. EOAs funded from parent 0x8C7Db8A9... which was funded by deployer 0x589254a1... (labeled 'Superstate: Deployer'). Robert Leshner (Compound founder) is the doxxed public-facing founder; SEC-registered entity (CRD 327562). Dev-identity-analyst should confirm via Cat 7 full funding-chain trace.

RD-F-046 green Contract unverified on Etherscan/Sourcify [STAR in scope] All token contracts and ProxyAdmins are verified on Etherscan with exact bytecode match at launch. USTB proxy (0x43415eB6...) verified. USTB implementations (0x5419d3FA, 0xAa9F82, 0xADE87e, 0x3Da1ec, 0x1f50a1EE) all verified exact match. USCC proxy and implementations verified. ProxyAdmin 0xb9d285DC verified (Solidity 0.8.28, exact match). Note: unverified parent admin contract 0x8C7Db8A9... is an operational account, not the token/protocol contract subject to F046.

RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts identified in the USTB/USCC ecosystem that still hold material value. Prior implementation contracts (0x5419d3FA, 0xAa9F82, 0xADE87e, 0x3Da1ec) are superseded implementations, not separate holding contracts. AllowList versions are similarly superseded-not-holding-assets. No prior-version contract holds user token balances.

Oracle & external dependencies Yellow 28 17 of 17

RD-F-049 yellow Oracle role per asset Primary oracles identified per asset/chain but no secondary or fallback oracle documented on any chain. USTB ETH subscription: SuperstateOracle (primary). USTB ETH redemption: Chainlink EACAggregatorProxy USTB (primary). USCC ETH: Chainlink EACAggregatorProxy USCC (primary). Solana USTB/USCC: respective Pyth feeds (primary). No oracle role is documented as Secondary or Fallback — all paths primary-only. Yellow per taxonomy: 'primary only with no fallback documented.' RD-F-050 yellow Dependency graph (protocols depended upon) External dependency graph: (1) SuperstateOracle — Superstate-operated, owner-only addCheckpoint; (2) Chainlink USTB/USCC EACAggregatorProxy — Chainlink network; (3) Pyth USTB/USCC feeds — Solana; (4) USDC ERC-20 0xA0b8... — subscription/redemption payments; (5) Morpho (MorphoLiquidationV1.sol in superstate-3 scope) — liquidation; (6) Aave — USTB collateral integration; (7) NAV Fund Services (off-chain) — root data dependency. One non-redundant off-chain dependency (NAV Fund Services) with no documented fallback if it fails to publish. Yellow: one non-redundant dependency with known centralization risk. RD-F-051 yellow Fallback behavior on oracle failure No automatic fallback oracle on any chain. SuperstateOracle has CHECKPOINT_EXPIRATION_PERIOD = 430,080s (5 days) — data expires without new checkpoint. RedemptionIdle has maximumOracleDelay (staleness gate) that reverts on stale data — protective but halts operations, no fallback to secondary source. Pyth Solana: Pyth native confidence interval but no protocol-side fallback. Superstate docs: 'No explicit fallback mechanisms are documented.' Fallback classification: revert/halt rather than secondary-source. Yellow: no secondary oracle source, primary failure causes operational halt. RD-F-052 yellow Breakage analysis per dependency Breakage analysis: SuperstateOracle stale → subscription pricing (SuperstateTokenV5_1.calculateSuperstateTokenOut) fails or misprices. Chainlink USTB stale → RedemptionIdle reverts (protective) — redemptions halt. Pyth stale → Solana ops halt. USDC failure → all on-chain subscriptions/redemptions fail. Morpho failure → USTB liquidations fail (secondary risk). NAV Fund Services outage → all oracle data stale across all chains (root dependency). Partial analysis documented; major dependencies covered but no mitigations exist for root off-chain failure. Yellow: partial analysis with one critical dependency (NAV Fund Services) having no fallback. RD-F-057 yellow Circuit breaker on price deviation maximumAcceptablePriceDelta in SuperstateOracle (current value: 1,000,000 per Etherscan readContract) prevents checkpoints with excessive NAV movement from being accepted — a write-side delta guard. No documented price-deviation circuit breaker on the consumer side (RedemptionIdle, subscription contracts). RedemptionIdle uses maximumOracleDelay (staleness) not price deviation. Superstate-3 L-1 added maximum NAV validation (fixed). Yellow: write-side guard exists but no consumer-side circuit breaker. RD-F-058 yellow Max-deviation threshold (bps) maximumAcceptablePriceDelta = 1,000,000 in SuperstateOracle. Units not directly confirmed from available source access (GitHub raw files 404). If DECIMALS = 6 (confirmed from readContract), this could represent 1,000,000 / 10^6 = 1.0 = 100% max delta — an extremely wide threshold. Alternatively units may be in raw NAV units (the NAV per share grows slowly over time). Threshold is admin-settable without timelock. Yellow: configured threshold present but unit interpretation uncertain from available data; cannot confirm it is within 2000 bps (20%) guideline. RD-F-059 yellow Oracle staleness check present Staleness checks present: (1) RedemptionIdle: maximumOracleDelay (storage variable, admin-settable via setMaximumOracleDelay()) — validated in getChainlinkPrice(); 0xMacro superstate-4 L-2 fixed missing validation at subscribe time. (2) SuperstateOracle: CHECKPOINT_EXPIRATION_PERIOD = 430,080s (5 days) — appropriate for T-bill fund (no weekend NAV), but wider than 3600s DeFi-volatile-asset threshold. (3) Pyth Solana: native Pyth confidence/age check. Yellow: staleness checks present but 5-day expiration window is wide by DeFi norms for this TVL; maximumOracleDelay exact value not confirmed. RD-F-060 yellow Chainlink aggregator min/max bound misconfig Chainlink EACAggregatorProxy feeds (0x289B5036..., 0xAfFd8F55...) are Superstate-custom NAV aggregators, not standard Chainlink asset price feeds. Standard minAnswer/maxAnswer circuit-breaker bounds may be set to broad defaults. 0xMacro superstate-1 M-2 found incorrect price validation (6-decimal assumption vs 8-decimal Chainlink format) — fixed. Post-fix bounds configuration not directly verifiable without RPC access. Yellow: prior misconfig found and fixed; post-fix bound values not confirmed. RD-F-062 yellow External keeper/relayer not redundant The NAV Calculation Agent (NAV Fund Services, off-chain) functions as the sole data pusher to the SuperstateOracle. Only the Ownable2Step owner can call addCheckpoint() — single keeper, no Gelato/Chainlink Automation redundancy. Pyth feeds: Pyth publisher network provides some redundancy (multiple publishers per feed) but Superstate has no direct control. No keeper redundancy documented for the on-chain checkpoint submission. Yellow: single keeper (NAV Fund Services) with no fallback; protocol would halt on keeper failure for the 5-day checkpoint window. RD-F-180 yellow Immutable oracle address [★ F180 CANDIDATE — PD-017 held; evaluate but do not count in 19★ total; flag for T-14 orchestrator tracking] Split finding: (1) SuperstateTokenV5_1 (0x1f50a1EE...): superstateOracle declared as storage variable with explicit setOracle(address) admin setter — oracle IS admin-replaceable within current implementation. (2) RedemptionIdle impl (0x8EFBa8Af...): CHAINLINK_FEED_ADDRESS declared as 'immutable' — hardcoded at deploy time; cannot be updated within current implementation. Rotation requires proxy admin to upgrade to a new implementation. This is not a clean single-tx setOracle() path. The proxy is upgradeable (Transparent Upgradeable Proxy 0x4c21b755...), but upgrading is a heavier operation than a storage variable setter. Composite yellow: primary subscription path is cleanly swappable (green pattern); critical redemption path requires proxy upgrade to rotate (yellow pattern). Same tier as circle-usyc F180 yellow. RD-F-054 gray TWAP window duration Not applicable — protocol does not use DEX-TWAP oracles. All pricing is issuer-push NAV via Chainlink aggregator or Pyth publisher feeds. No consult() or observe() TWAP call present in any audited contract. RWA NAV oracle mechanism does not involve DEX TWAP windows. RD-F-055 gray Oracle pool depth (USD) Not applicable — no DEX pool feeds any oracle. All pricing is issuer-push NAV; pool depth metric is irrelevant for this oracle architecture. RWA NAV oracle does not have a DEX pool liquidity dependency. RD-F-056 gray Single-pool oracle (no medianization) Not applicable — no single DEX pool oracle to medianize. Chainlink aggregator medianizes across Chainlink node operators (network-level medianization) not across DEX pools. SuperstateOracle is a single-source issuer-push — 'single source' here means centralized NAV publisher, not single-DEX-pool manipulation risk. Factor definition (single-pool vs medianized DEX venues) does not apply to push-oracle architecture. RD-F-061 gray LP token balanceOf used for pricing Not applicable — no LP token balance used in any pricing path. Superstate pricing is NAV-attested via Chainlink/SuperstateOracle, not pool-reserve-derived. No ERC-20 balanceOf() used in price calculation path in any identified contract. RD-F-181 n/a Permissionless-pool lending oracle Not applicable — Superstate is not a lending protocol. Neither USTB nor USCC is a money-market or lending product; no permissionless pool creation or collateral-listing mechanism exists within the protocol. PD-042 RWA issuer factor-flip: F181 (permissionless-pool lending oracle) scores not_applicable for RWA token issuers. Morpho integration makes USTB available as collateral within Morpho, but Superstate does not operate a lending protocol itself.

RD-F-048 green Oracle providers used Six oracle feeds identified across three chains — all issuer-attested NAV, zero DEX/AMM source. Ethereum: (1) SuperstateOracle 0xe4fa682f... (issuer-push via NAV Calculation Agent); (2) Chainlink USTB EACAggregatorProxy 0x289B5036...; (3) Chainlink USCC EACAggregatorProxy 0xAfFd8F55...; (4) Chainlink USDC/USD peg check. Solana: (5) Pyth USTB EqggHKbj...; (6) Pyth USCC 823Y4cV7...

RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] No DEX spot price used anywhere. USTB and USCC pricing is issuer-attested NAV via SuperstateOracle (linear interpolation of checkpoints submitted by NAV Calculation Agent) and Chainlink EACAggregatorProxy (same underlying data routed via Chainlink). No slot0(), no getReserves(), no Uniswap/Curve AMM price read in any oracle path. RWA NAV oracle pattern is immune to flash-loan AMM price manipulation. Green: all oracles use push-oracle with issuer-attestation, no DEX spot price.

Economic risk Yellow 22 13 of 13

RD-F-063 green TVL (current + 30d trend) TVL $1,110,215,759 as of 2026-05-15; +24.51% 30-day change; 90-day CoV 10.2% (mean $986M, std $100.6M). 12-month peak ~$1,184M (~2025-05-09). Strong upward trend from $38M (Mar 2024 USTB launch). USTB AUM ~$1.00B per fund page; USCC AUM ~$267-277M per Bitwise PR May 2026. Chain split: Ethereum 90.53% ($1.005B), Solana 7.15% ($79.4M), Plume 2.33% ($25.8M).

Operational history Green 9 15 of 15

RD-F-089 red Insurance coverage active No active smart-contract insurance coverage found. Immunefi API shows program_exists = false. No Nexus Mutual, Sherlock, or Unslashed cover found for USTB or USCC. At $1.11B TVL, absence of proportionate on-chain coverage is the primary Cat 5 risk finding. Structural for RWA-issuer class (circle-usyc and spiko both carry F089 red). Off-chain custodianship (BNY Mellon for Treasuries) does not substitute for on-chain smart-contract cover. RD-F-084 yellow TVL stability (CoV over 90d) 90-day TVL CoV = 10.2% (std $100.6M, mean $986M per data-cache tvl_cov_90d). CoV 10.2% is moderate — above the <5% green threshold but below 20%+ red territory. Driven by subscription/redemption flow seasonality for a T-bill fund, not protocol instability. TVL trended from ~$830M (90d ago) to $1.11B (current), a 34% increase.

RD-F-076 green Protocol age (days) USTB public launch 2024-02-01 on Ethereum; earliest on-chain deploy block 18,725,909 (~2023-12-06). Age at assessment: 471 days since public launch, ~527 days since earliest deploy. USCC launched 2024-07-22. Solana deployment live (DefiLlama $79.4M TVL). Well above A-grade minimum-age threshold.

RD-F-077 green Prior exploit count Zero confirmed incidents. Hacksdatabase grep for superstate/USTB/uscc returned zero matches across ~311 entries (2026-05-16). Rekt.news leaderboard WebFetch returned zero matches across 295 catalogued protocols. Web OSINT search returned no credible incident reports. Profile §10 incident register is empty.

RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero incidents confirmed (RD-F-077). Chronic flag boolean = false. Threshold ≥3 exploits not met.

RD-F-079 green Same-root-cause repeat exploit Zero incidents confirmed. No same-root-cause repeat exploit possible with zero incidents. Boolean = false.

RD-F-080 green Days since last exploit No exploit has occurred; display-only factor not applicable. Zero incidents confirmed (RD-F-077). Scored green — no negative evidence.

RD-F-081 green Post-exploit response score No incident has occurred; post-exploit response score not applicable. Scored green — no negative evidence. Consistent with RWA-peer precedent (circle-usyc, spiko both green on this factor with zero incidents).

RD-F-082 green Post-mortem published within 30 days No incident has occurred; no post-mortem required or possible. Boolean = true by default (no incident means no 30-day post-mortem clock started). Scored green.

RD-F-083 green Auditor re-engaged after last exploit No incident requiring post-exploit re-audit. Proactive re-audit cadence maintained: 10 0xMacro audits covering each material contract upgrade (Jun 2024 through Feb 2026). Most recent audit Feb 4 2026 (superstate-10). Demonstrates active re-engagement posture, not reactive.

RD-F-085 green Incident response time (minutes) No incident has occurred; response time factor not applicable. Scored green — no negative evidence. P2 factor (display-only).

RD-F-086 green Pause activations (trailing 12 months) No deliberate pause activations observed in trailing 12 months. USTB and USCC contracts include admin-gated pause functionality, but no pause event has been executed. No incidents requiring emergency stop. Zero pause events in OSINT sweep or data-cache.

RD-F-087 green Pause > 7 consecutive days No pause event has occurred in the trailing 12 months (RD-F-086 = green, 0 activations). Boolean: protocol has NOT been paused >7 consecutive days. Scored green.

RD-F-088 green Re-deployed to new addresses in last year No full re-deployment to new contract addresses in the last 12 months. Contract upgrades via EIP-1967 transparent proxy pattern maintain stable user-facing addresses (USTB Proxy: 0x43415eB6ff9DB7E26A15b704e7A3eDCe97d31C4e; USCC Proxy: 0x14d60E7FDC0D71d8611742720E4C50E7a974020c both unchanged). Invesco transition retains same addresses per PR Newswire 2026-03-24.

RD-F-166 green Deprecated contracts still holding value No officially-deprecated contracts identified. All contracts in profile §3 are active. USTB→Invesco management transition (announced 2026-03-24, expected Q2 2026) retains the same USTB token address per press release — this is a corporate/management-parameter change, NOT a contract deprecation. Repo versioned directories (v1/v2/v3/v4 in src/) represent development history, not deprecated deployed contracts. No evidence of prior-version contracts holding residual TVL.

Real-time signals Green 10 22 of 22

RD-F-102 yellow Admin/upgrade transaction in mempool USTB upgrade EOA 0xad309BB6f13074128b4F23EF9EA2fe8552AfCA83 sent upgrade tx 0x3396a409e571eef0c12a4c46b3b01c3431a9ca7ba340bd95ebd17949faac96d3 (block 22933833, 2026-07-16) calling upgrade() on ProxyAdmin 0xCb8d325C0Af19697B8454481602097f93aa9040F. USCC upgrade EOA 0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1 sent upgrade tx 0x332573cad1b7a57ae7c5652637f660006c7eed2655d9cd9cc43e810ff2062c85 (block 22933887, same date). No timelock exists (data-cache timelock_address = null). No governance queue precedes upgrades. T-09 suppression rule (tx from timelock fed by queued governance proposal) cannot engage. Signal WOULD FIRE on every future upgrade — structural not transient. T-09 v1 phase-2 signal; yellow for elevated posture assessment. RD-F-182 yellow Security-Council threshold reduction (RT) Batch-24 RT signal (Cat 6B). Trigger: Security Council multisig executes threshold reduction, or timelock removal, or new-signer addition within ≤14 days of either. Superstate has NO Security Council multisig structure: USTB upgrade authority is bare EOA 0xad309BB6f13074128b4F23EF9EA2fe8552AfCA83; USCC upgrade authority is bare EOA 0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1. The literal trigger (SC threshold reduction event) cannot fire — no SC exists. However, the underlying risk is MORE severe than the batch-24 trigger pattern (EOA with no wrapper vs 2/5 SC reduction). The protocol is permanently in the 'no gate' state rather than the 'reduced gate' state that motivated F182. Scored yellow: underlying control-weakening risk class is present at maximum severity; literal trigger does not apply. Cross-reference RD-F-102 for the same structural finding. RD-F-091 n/a Partial-drain test transactions AllowList contract 0x42d75C8FdBBF046DF0Fe1Ff388DA16fF99dE8149 gates all USTB/USCC holdings and transfers. No permissionless mint/burn exists; an unauthorized wallet cannot execute a partial-drain test transaction pattern. The signal trigger (small-value drains prior to a larger drain) is structurally inapplicable to a permissioned RWA token where only allowlisted wallets can hold or transfer. RD-F-092 n/a Unusual mempool pattern from deployer wallet v1-deferred signal (T-09 §3.3). Mempool monitoring for deployer wallet 0x589254a1a3d8AE95ce984900d505D91Fd3eD167e not implemented in production pipeline. No live mempool listener exists for static T-10 assessment. Signal applicable in principle (deployer wallet is Superstate's active operations EOA) but evidence collection requires live mempool infrastructure. RD-F-093 n/a Abnormal gas-price willingness from attacker wallet v1-deferred signal (T-09 §3.3). Priority-fee monitoring for attacker wallets not implemented. No known attacker wallets identified for Superstate USTB/USCC. Signal requires live mempool access with gas-price time-series baseline. RD-F-094 n/a New contract with similar bytecode to exploit template No known exploit template class applies to the allowlisted ERC-20 + ERC-7246 + NAV-oracle architecture (original design; not a Compound/Aave fork). Permissioned token architecture means bytecode-similarity probing produces no usable reconnaissance. Not applicable (no exploit-template class applies to this permissioned original-design architecture). RD-F-095 n/a Known-exploit function-selector replay No exploit replay template exists for the USTB/USCC allowlist+ERC-7246 architecture (zero incidents in hacksdatabase; original design per profile §5). Not applicable (no exploit-replay template exists for this allowlist+ERC-7246 architecture). RD-F-096 n/a New ERC-20 approval to unverified contract from whale USTB and USCC are permissioned non-DeFi tokens; no DeFi lending/DEX router exists as an unverified contract interacting with the protocol at the token layer. The AllowList gates all interactions. New ERC-20 approval from high-TVL user to unverified contract is not a meaningful attack vector for this architecture. Not applicable (AllowList gates all interactions; no unverified-router surface). RD-F-097 n/a Sybil surge of identical-pattern transactions AllowList contract 0x42d75C8FdBBF046DF0Fe1Ff388DA16fF99dE8149 gates all protocol participation. Sybil wallets without allowlist inclusion cannot interact with USTB/USCC. Sybil surge of identical-pattern transactions has no attack surface against this permissioned architecture. Not applicable (AllowList gates participation; sybil surge has no attack surface). RD-F-100 n/a Flash loan >$10M targeting protocol tokens No DeFi flash loan market accepts USTB/USCC as collateral in the protocol's own contracts. AllowList prevents permissionless flash-loan use. The Morpho integration (MorphoLiquidationV1.sol in superstate-3 audit scope) provides redemption-side liquidation logic, not a USTB-as-flash-loan-collateral surface. Signal structurally inapplicable to a permissioned RWA token. RD-F-101 n/a Large governance proposal queued No on-chain governor contract exists (data-cache governor_address = null; no Snapshot space found; no Compound-style GovernorAlpha/Bravo, no Aragon). Superstate is corporate-governed (SEC-registered investment adviser Superstate Advisers LLC, CRD #327562). Signal infrastructure (ProposalCreated/ProposalQueued events on governor) cannot fire in absence of any governor contract. T-09 v1 launch signal; not applicable here. RD-F-103 n/a Bridge signer-set change proposed/executed Superstate uses native-per-chain issuance (confirmed: no CCIP, no LayerZero, no Wormhole bridge). data-cache layerzero.present = false. Profile §7 has_bridge_surface = false. No bridge validator/signer set exists to change. T-09 v1 launch signal; not applicable to this protocol. RD-F-105 gray DNS/CDN/frontend hash drift superstate.com uses Cloudflare for DNS/CDN (confirmed via TechList.ai). No production baseline hash established for DOM root, JS bundles, DNS records, or TLS cert. Frontend hash monitoring is not wired in the current pipeline for this protocol. No anomalous change detected at assessment date, but this is because no monitoring exists, not because the site is verified clean. Change-management allowlist not populated. T-09 v1 phase-2 signal. RD-F-106 n/a Cross-chain bridge unverified mint pattern Native-per-chain issuance confirmed; no bridge exists. Profile §7: has_bridge_surface = false, is_a_bridge = false. No cross-chain bridge activity (deposit src, unverified mint dst) is possible in absence of a bridge. Not applicable. RD-F-107 n/a Admin EOA signing from new geography/device v1-deferred signal (T-09 §3.3). Admin signing geography/device fingerprint requires off-chain signing telemetry not available publicly. Two upgrade EOAs identified (0xad309BB6... USTB, 0x8abC89D9... USCC). Prior signing history is accessible on-chain but geography inference requires Fireblocks-side data or IP-level metadata unavailable in public sources. Requires licensed partner data. RD-F-108 n/a GitHub force-push to sensitive branch v1-deferred signal. GitHub repo superstateinc/ustb — last commit 2025-04-14 (data-cache github.last_commit_date). No force-push detected at time of assessment (GitHub web UI checked). Production GitHub monitoring feed not implemented. v1-deferred; not wired in pipeline. RD-F-110 n/a Unusual pending/executed proposal ratio No on-chain governance exists (data-cache governor_address = null). Unusual pending/executed governance proposal ratio signal has no infrastructure to fire against. Not applicable.

RD-F-090 green Mixer withdrawal → protocol interaction Deployer 0x589254a1a3d8AE95ce984900d505D91Fd3eD167e funded by MoonPay 3 (exchange fiat on-ramp); no mixer label on Etherscan. Both upgrade EOAs (0xad309BB6... USTB, 0x8abC89D9... USCC) funded from institutional intermediate ~Nov 2024; no Tornado Cash or Railgun interactions found. AllowList KYC gate further reduces permissionless mixer-funded wallet interaction risk.

RD-F-098 green TVL anomaly — % drop in <1h TVL $1,110,215,759 as of 2026-05-15 (data-cache); +24.5% 30d change; CoV 10.2% trailing 90d (mean $986M, std $100.6M). No anomalous drop in progress. Permissioned redemptions via AllowList further suppresses unauthorized-exit TVL drain signal. Would not fire today. T-09 v1 launch signal (tier A).

RD-F-099 green Oracle price deviation >X% from secondary USTB Chainlink EACAggregatorProxy oracle at 0x289B5036cd942e619E1Ee48670F98d214E745AAC; USCC Chainlink oracle at 0xAfFd8F5578E8590665de561bdE9E7BAdb99300d9; SuperstateOracle at 0xe4fa682f94610ccd170680cc3b045d77d9e528a8. NAV-per-share feeds update on US business days only (stale weekend/holiday pricing is an accepted operational constraint, not a deviation event). No anomalous oracle deviation from secondary source observed at assessment date. T-09 v1 phase-2 signal.

RD-F-104 green Stablecoin depeg >2% on shared-LP venue USDC is the primary redemption currency for both USTB and USCC. Protocol exposure to USDC is material. No active USDC depeg (>2% on ≥2 venues, sustained ≥30 min) observed as of 2026-05-16. USCC crypto carry fund has additional crypto-linked exposure, but no crypto stablecoin depeg event detected. T-09 v1 launch signal (tier B).

RD-F-109 green Social-media impersonation scam spike No active social-media impersonation spike detected via OSINT at 2026-05-16. Official X account @superstatefunds (https://x.com/superstatefunds) confirmed. No public Discord or Telegram found (profile §9). Web search for 'superstate USTB USCC security threat phishing impersonation 2025 2026' returned no relevant impersonation reports. later-phase T-09 signal; current OSINT clean.

Dev identity & insider risk Green 10 16 of 16

RD-F-116 yellow Contributor tenure at admin-permissioned PR GitHub repo superstateinc/ustb shows 8 contributors: jonwalch (27 commits), aryanbhasin (25), maxwolff (22), cridmann (11), kevincheng96 (10), kc1116 (2), jakegsy (2), bxczhu (1). Most recent admin-permissioned commit ('Audit Fixes for 04142025 Report' by jakegsy, Apr 14 2025) was from a contributor with prior commits. Exact tenure in days not calculated — first-commit dates per contributor not retrieved in this pass. No fresh-account (0-prior-commit) pattern detected among recent committers. Scored yellow: adequate evidence of established contributors but contributor tenure quantified only approximately. RD-F-117 yellow ENS/NameStone identity bound to deployer No ENS name found bound to deployer EOA 0x589254a1a3d8ae95ce984900d505d91fd3ed167e. Etherscan institutional label 'Superstate: Deployer' confirms identity via Etherscan's labeling service (not ENS). For a corporate entity using Fireblocks MPC custody, ENS binding is not the typical identity mechanism. SEC registration and institutional Etherscan label serve an analogous accountability function. Not a risk signal; ENS absence is expected for institutional deployers. Scored yellow (factor applies to ENS/NameStone binding specifically; binding is absent, but alternative identity anchoring is strong). RD-F-119 yellow Commit timezone consistent with stated geography Superstate is based in the United States (San Francisco, CA — per GitHub org description). Most recent commits are from jonwalch, jakegsy, kc1116, bxczhu. Full commit-hour timezone distribution analysis not performed in this pass (requires paginated API commit timestamp fetch). No DPRK-class timezone anomaly observed from available commit metadata. Scored yellow: geographic consistency is plausible from available evidence but full quantitative timezone analysis not completed. RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Superstate uses corporate governance (no public forum, no Snapshot, no DAO). The ProxyAdmin (0xCb8d325C0Af19697B8454481602097f93aa9040F) executed an upgrade tx on 2024-12-06 (tx 0x2bb6bcace2e6d878e4d606d9bc7e676fc734e45716a953bac09ea723200bab2d). GitHub repo shows 0 public issues and commit history shows most recent code changes are post-audit (commit 'Audit Fixes for 04142025 Report' by jakegsy, Apr 14 2025, tied to 0xMacro audit-6). No sudden covert admin-rescue or ACL change identified — changes are post-audit, traceable to published 0xMacro audit reports. Absence of public forum discussion is structural to corporate RWA-issuer model. Scored yellow not red: RWA-issuer corporate governance is the expected model; upgrade is tied to documented audit engagement, not a surprise insider change. RD-F-122 gray Contributor paid to DPRK-cluster wallet Cannot assess for a corporate entity with off-chain payroll. Superstate is an SEC-registered investment adviser paying employees via traditional corporate payroll — no on-chain payment streams from a protocol treasury EOA to contributor wallets are observable. The deployer EOA (0x589254...) holds 0 ETH at assessment time and shows no outgoing payment streams to contributor wallets. Factor applies to on-chain payment routing; corporate payroll model renders it not applicable at OSINT tier. Per process-learning: 'F122 cannot be meaningfully assessed at OSINT tier for companies with off-chain payroll. Mark NOT ASSESSED for contributors beyond the deployer unless on-chain payment streams exist.' RD-F-184 gray Real-capital social-engineering persona No public evidence of any AI-built or social-engineering persona with >=1M real-capital deposits linked to Superstate contributors. This factor is M-only OSINT and cannot confirm absence — the Drift Protocol comparator (UNC4736: 6-month conference / in-person build-up with real capital before Solana durable-nonce pre-signing exploit) is the reference pattern. For a maximally-doxxed team with 27+ months of public corporate operation, SEC registration, and institutional investors (Bain Capital Crypto, Haun Ventures, Galaxy Digital), the prior probability is extremely low. However, by the factor's definition, absence-of-evidence cannot be graded green. Gray per process-learning standard: 'F184 → GRAY + Drift comparator note; don't spend time confirming absence of something that by design leaves no public trace.' Requires curator-level social graph analysis to graduate to green.

RD-F-111 green Team doxx status Robert Leshner (CEO/Co-Founder): fully doxxed — real name, photo, CFA credential, BA Economics UPenn, prior Compound Finance founder, Messari Mainnet 2024 in-person speaker, active X @rleshner, Crunchbase and LinkedIn profiles, CoinDesk 2021 Most Influential. Jim Hiltner (Co-Founder/HBD): fully doxxed — real name, CFA, BBA Finance (Univ. Miami 2012), LinkedIn verified, prior UBS Wealth Management, Compound Labs, Pagaya Investments, Visible Alpha. Two additional co-founders (Reid Cuming, Dean Swennumson) named in Crunchbase. SEC-registered corporate entity (Superstate Advisers LLC, CRD #327562). Highest-tier doxx status.

RD-F-112 green Team public accountability surface Robert Leshner has the highest accountability surface in DeFi: LinkedIn, X @rleshner, Blockworks speaker profile, Messari Mainnet 2024 (in-person), Delphi podcast, CoinDesk 2021 Most Influential, multiple Fortune/CoinDesk/Yahoo Finance press features, Crunchbase founder profile, CFA credential, academic background (UPenn). Jim Hiltner: LinkedIn (verified employer history), Crunchbase, CFA credential, conference speaking post (LinkedIn). Both founders have extensive multi-platform verifiable public trails.

RD-F-113 green Team other-protocol involvement history Robert Leshner founded Compound Finance (2017–2023) — one of the most successful DeFi protocols, $10B+ TVL at peak, no rug, no exit scam, clean record. Prior career: Safe Shepherd (privacy startup), Postmates (merchant division), Discover Financial Services. Jim Hiltner was Head of Sales at Compound Labs before Superstate. No adverse protocol involvement found for any team member. No prior rugs or failed-project affiliations identified via OSINT.

RD-F-114 green Deployer address prior on-chain history Deployer EOA 0x589254a1a3d8ae95ce984900d505d91fd3ed167e is labeled 'Superstate: Deployer' on Etherscan (institutional label). 36 total transactions; all deployment-related. First tx ~December 2022 (funded by MoonPay 3). No link to any prior rugged or flagged protocol. On-chain history is clean normal-dev-history: contract deployments for USTB/USCC/ProxyAdmin/AllowList system, no suspicious interactions.

RD-F-115 green Prior rug/exit-scam affiliation No evidence of any Superstate team member linked to a prior rug or exit-scam-labeled protocol. Robert Leshner's Compound Finance is a clean, long-running DeFi protocol (no rug). Hacksdatabase grep for 'superstate', 'USTB', 'uscc' returned zero matches. Web search 'Superstate rug exit scam fraud' returned zero adverse results. OSINT finds only institutional press coverage (Fortune, CoinDesk, Bloomberg) and SEC-registration context.

RD-F-118 green Handle reuse across failed/rugged projects No evidence of social handle reuse across failed or rugged projects for any Superstate team member. @rleshner (Robert Leshner) has a continuous and consistent Twitter/X history tied to Compound Finance and then Superstate — no aliases, no prior rugged projects. @superstatefunds is the protocol's official X handle. No adverse handle cross-referencing found via OSINT.

RD-F-120 green Video-off/voice-consistency flag Robert Leshner has appeared video-on at in-person conferences including Messari Mainnet 2024 (YouTube short confirmed); Delphi podcast (audio/video format); Blockworks events. LinkedIn post shows Jim Hiltner speaking at in-person event (2026). No video-off or voice-consistency concerns observed. Team has consistent public-speaking history with real-world in-person attendance. Fully consistent with stated geography (San Francisco, US).

RD-F-121 green Contributor OSINT depth score Robert Leshner OSINT depth score: 5/5 — LinkedIn with full employment history, GitHub activity, X @rleshner (large following), conference biography (Blockworks, Messari), multiple press features (Fortune, CoinDesk, Yahoo Finance), Crunchbase founder profile, CFA credential, prior employer history (Discover Financial Services, Safe Shepherd, Postmates, Compound Finance). Jim Hiltner depth score: 4/5 — LinkedIn with full employment history, Crunchbase profile, CFA credential, prior employer list (UBS Wealth Management, Compound Labs, Pagaya Investments, Visible Alpha). Highest OSINT depth for a DeFi protocol team.

RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer EOA 0x589254a1a3d8ae95ce984900d505d91fd3ed167e was funded by MoonPay 3 (0xd108fd0e8c8e71552a167e7a44ff1d345d233ba6) approximately December 2022 — more than 12 months before the ProxyAdmin deploy (~December 2023). MoonPay is a regulated fiat-to-crypto on-ramp (money transmitter), not a privacy mixer. No Tornado Cash, Railgun, or mixer interaction found in the 36-transaction history. The 30-day pre-deploy window is clean. [★ CRITICAL — GREEN]

RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK/Lazarus proximity detected via any channel. Deployer funded by MoonPay (regulated fiat on-ramp, fiat origin implies no on-chain DPRK hop). Superstate is SEC-registered (CRD #327562) with institutional investors including Bain Capital Crypto, Haun Ventures, Brevan Howard Digital, Galaxy Digital (Series B, Jan 2026). Robert Leshner is a maximally-doxxed public figure with decade-long consistent public presence. Web search 'Superstate Lazarus DPRK North Korea exit scam fraud' returned zero relevant results connecting the team or protocol to DPRK-labeled entities. OFAC SDN: no match on known team members or addresses. No DPRK/Lazarus proximity within any observable hop. [★ CRITICAL — GREEN] No discretionary F downgrade required.

Fork / dependency lineage Gray 0 10 of 10

RD-F-126 n/a Is-a-fork-of Superstate USTB/USCC is an original design. No upstream fork. GitHub repo superstateinc/ustb has no fork marker. README describes in-house AllowList + ERC-7246-extended architecture. No bytecode similarity to Aave/Compound/Uniswap evident. Protocol is an original RWA token issuance system. RD-F-127 n/a Upstream patch not merged No upstream fork identified (see F126). Factor not applicable. RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork identified. Factor not applicable. RD-F-129 n/a Code divergence from upstream (%) No upstream fork to measure divergence from. Factor not applicable. RD-F-130 n/a Fork depth (generations from original audit) Original design with zero fork hops. Factor not applicable. RD-F-131 n/a Fork retains upstream audit coverage No upstream audit to inherit or gap from. Protocol has 10 direct audits covering its own original codebase. Factor not applicable for original-design protocols. RD-F-132 n/a Fork has different economic parameters than upstream No upstream to compare economic parameters against. Factor not applicable. RD-F-133 n/a Dependency manifest uses unpinned versions Factor is Cat 8 fork/dependency lineage context for fork-inherited library drift. For original-design protocols this factor is not_applicable under the fork-lineage framing. Note for curator: all 5 submodules in superstateinc/ustb are pinned to specific commit SHAs (OZ upgradeable at 3d4c0d57 = v4.9.3; OZ contracts at c343ee37; onchain-redemptions at 5986d9b6). No unpinned version ranges found. RD-F-134 n/a Dependency had malicious-release incident (last 90d) Factor assesses fork-inherited dependency malicious-release risk. Not applicable for original-design protocols. OZ v4.9.3 (pinned) has no active malicious-release advisory (GHSA-g4vp-m682-qqmp is a functional edge case, not malicious release). RD-F-135 n/a Shared-library version with known-vuln status Factor assesses fork-inherited shared library vulnerability status. Not applicable for original-design protocols. For reference: OZ v4.9.3 GHSA-g4vp-m682-qqmp (ERC2771Context) is not applicable to SuperstateToken which does not use ERC-2771.

Post-deploy hygiene & change mgmt Green 17 13 of 13

RD-F-136 yellow Deployed bytecode matches signed release tag GitHub superstateinc/ustb does not publish formal signed release tags for each deployed version. Last public commit is 2025-04-14 (data-cache). The July 2025 upgrade to SuperstateTokenV5_1 (block 22933833) post-dates the last known public GitHub commit; if deployed from a private branch, bytecode reproducibility from public repo is unverifiable for the current live implementation. Etherscan shows exact-match verification for deployed contracts, providing partial assurance, but no signed git tag provides a cryptographic anchor between source and deployed bytecode. RD-F-137 yellow Upgrade frequency (per 90 days) USTB proxy: 4 upgrades in approximately 7 months (Dec 2024, Feb 2025, Apr 2025, Jul 2025) = approximately 1.7 upgrades per 90-day window. USCC proxy: 4 upgrades over the same period. This is an elevated cadence for a $1.11B TVS protocol. Each upgrade extends the window between audit completion and bytecode deployment. No upgrade appears to have had public justification published. RD-F-138 yellow Hot-patch deploys without timelock (last 30 days) No timelock exists on any upgrade path. All upgrades execute as single-transaction ProxyAdmin calls with zero delay. The July 16, 2025 upgrade (to SuperstateTokenV5_1) was executed without a timelock at block 22933833. Assessment date is 2026-05-16; the Jul 2025 upgrade is outside the last 30 days but the structural absence of timelock on all upgrades persists. Scored yellow (structural gap) rather than red (no upgrade in last 30d identified). RD-F-139 yellow Post-audit code changes without re-audit [STAR in scope] Ten 0xMacro audits covering USTB/USCC (superstate-1 through superstate-10). Audits 9 (Nov 2025) and 10 (Feb 2026) have private scope - specific contracts unknown. The July 2025 upgrade to SuperstateTokenV5_1 occurred after audit-6 (Apr 2025 - last public-scope audit of SuperstateToken.sol). Audits 9 and 10 were published after the July upgrade and plausibly cover it, but private scope prevents external verification. Continuous audit engagement is clear; full per-version coverage is unverifiable. Distinct from circle-usyc RED (zero audits) - scored yellow for partial evidence. RD-F-142 yellow Storage-layout collision risk across upgrades Multiple upgrade generations (v1 through v5_1) exist across 4 upgrades in 7 months. OpenZeppelin Upgrades plugin storage-layout analysis was not evidenced in public audit artifacts. SuperstateToken uses Ownable2StepUpgradeable and OZ upgradeable base; additive storage layout maintenance is standard OZ practice but not publicly verified for each version. 0xMacro audits (superstate-5, superstate-6) cover SuperstateToken.sol but do not cite storage layout checks in their public scopes. RD-F-145 yellow Deployed bytecode reproducibility All Etherscan-verified implementations carry exact-match bytecode verification, confirming reproducibility from published source at the time of verification. However, the July 2025 implementation SuperstateTokenV5_1 was deployed from a commit that may not appear in the public GitHub repo (last public commit 2025-04-14, per data-cache). If changes were made in a private branch before the Jul 2025 deploy, reproducibility from public source is not currently verifiable for the live implementation. RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Superstate uses native-per-chain token issuance with no cross-chain bridge contract. Profile confirms has_bridge_surface=false; no CCIP, LayerZero, or Wormhole endpoint found. No bridge surface means no rate-limiter is relevant. F185 is a positive-mitigant factor for bridge protocols; not applicable here.

RD-F-140 green Fix-merged-but-not-deployed gap No evidence of a known vulnerability with a PR merged in repo but not in deployed code. All audit findings from superstate-1 through superstate-7 are documented as addressed. Most recent public-scope audit (superstate-6) found only 2 code-quality issues (Q-1 and Q-2), both marked fixed. Solana audit (superstate-7): 2 Critical, 1 High, all fixed.

RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified in deployed contracts. Admin is not the deployer (transferred at launch). Oracle addresses are live Chainlink feeds and the custom SuperstateOracle. No infinite allowances or debug flags identified. The deploy_fireblocks.sh script uses Foundry production patterns with no test-mode switches in the environment variables.

RD-F-143 green Reinitializable implementation (no _disableInitializers) [STAR in scope] The current SuperstateToken.sol (GitHub main branch) calls _disableInitializers() in the constructor: constructor() { MINIMUM_ACCEPTABLE_PRICE = 7 * (10 ** uint256(DECIMALS)); _disableInitializers(); }. This prevents direct initialization of the implementation contract. Earlier deployed versions (0xADE87e81) also confirmed to have _disableInitializers(). No reinitializer vulnerability identified in deployed code.

RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory pattern identified in the USTB/USCC deployment architecture. Standard ProxyAdmin + TransparentUpgradeableProxy (EIP-1967) used. No factory contract or deterministic deployment infrastructure found in superstateinc/ustb repo tree.

RD-F-146 green New contract deploys in last 30 days No new contract deployments identified for USTB/USCC core contracts in the last 30 days (assessment date 2026-05-16). Last major deployment was July 16, 2025 (SuperstateTokenV5_1 upgrade). Opening Bell equity token (adjacent product, separate audit superstate-8 May 2025) is out of USTB/USCC scope.

RD-F-168 green Stale-approval exposure on deprecated router No deprecated router or swap-path contract identified in the USTB/USCC ecosystem. AllowListProxy and RedemptionIdle proxy are current-version contracts, not deprecated routers. Users interact with fund tokens (USTB/USCC) directly; no swap router pattern exists that would accumulate stale user ERC-20 approvals.

Cross-chain & bridge Gray 0 12 of 12

Threat intelligence & recon Green 11 8 of 8

RD-F-158 yellow Known-threat-actor cluster has touched protocol No confirmed Lazarus/DPRK or other threat-actor cluster touch found in public data. Web search 'Lazarus DPRK Superstate USTB Robert Leshner 2024 2025' returned zero relevant results. AllowList KYC gate provides structural barrier against unauthorized wallet interaction. However: Superstate USTB ($1.1B AUM) is a high-value passive store of value — an attacker who has already monetized an exploit elsewhere could hold USTB as an off-chain-backed stable asset. This is the standard §15 U4 passive-venue risk class for regulated RWA funds (same as circle-usyc assessment). Passive-venue use ≠ team contamination. Scored yellow per §15 U4 guidance: active threat unconfirmed; class risk acknowledged. RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Official domain superstate.com. Potential typosquat variants: superstateinc.com (GitHub org, likely team-registered), superstatefunds.com, superstate.io, superstateco.com. WHOIS not queryable via WebFetch; full permutation scan not performed due to pipeline gap (DomainTools API or similar required). F161 trigger: typosquat registered within last 90 days. No active confirmed typosquat found. However: $1.1B AUM brand with March 2026 Invesco partnership announcement represents elevated impersonation risk; production domain monitoring is not implemented. Assessment date 2026-05-16; superstate.com registration date estimated 2022-2023 based on company founding (April 2023). Registration-date-to-assessment delta: estimated 1,000–1,100 days — well outside 90-day window for original domain. Scored yellow for monitoring gap: cannot rule out a new typosquat registered within the last 90 days without live DomainTools monitoring. RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Peer-class (tokenized RWA permissioned funds with allowlist gates): no documented pre-strike reconnaissance patterns exist in hacksdatabase for this protocol class. The USPD 78-day reconnaissance precedent (Dec 2025) was against a DeFi protocol. For an allowlisted RWA fund, attacker reconnaissance would focus on admin key compromise rather than on-chain pattern reconnaissance. Thin evidence base for this specific class; scored gray as not_applicable to the DeFi reconnaissance pattern. RD-F-164 gray Leaked credential on paste/sentry site Superstate uses Sentry for error monitoring (per TechList.ai). Sentry credential leaks are a known class (F164 trigger: leaked credential on paste/sentry site matching protocol infra). No confirmed leak found via OSINT at assessment date. Production paste/cred-dump monitoring feed not implemented in pipeline. Cannot rule out a recent credential leak without live monitoring.

RD-F-159 green Attacker wallet pre-strike probe (low-gas failing txs) AllowList gate means low-gas probe txs from non-allowlisted wallets to USTB/USCC contracts would revert at the allowlist check and yield zero usable reconnaissance. No probe patterns from threat-actor wallets found in accessible transaction data. Signal diminished by architecture.

RD-F-160 green GitHub malicious-dependency incident touching protocol deps Key dependencies: OpenZeppelin upgradeable (standard Solidity library), Foundry. No active GitHub security advisory against OZ upgradeable packages found at assessment date. No flagged malicious dependency release in trailing 90 days identified. Dependency pinning gap (foundry.toml optimizer_runs=1 per data-cache; version not pinned) is a Cat 8 issue flagged to code-security-analyst, not a malicious-release event.

RD-F-162 green Known-exploit-template selector deployed by any address No known exploit template class applies to the USTB/USCC allowlisted ERC-20 + ERC-7246 + NAV-oracle architecture. Hacksdatabase returned zero matches for superstate/USTB/uscc. No exploit-template-matching contract deployment found. Original design with no upstream fork reduces exploit template risk.

RD-F-165 green Protocol social channel has scam-coordinator flag No public Discord or Telegram found for Superstate (profile §9 confirms; web search returned no Discord/Telegram). Official channel is X: @superstatefunds and email/docs only. No curator scam-coordinator watchlist entry found. No adjacent social channel admin found to assess.

Tooling / compiler / AI Green 8 5 of 5

RD-F-170 yellow Solc version used (known-bug versions flagged) Current USTB and USCC implementations deploy with solc v0.8.28+commit.7893614a (optimizer 1M runs). TransientStorageClearingHelperCollision is a high-severity bug in solc 0.8.28-0.8.33 (fixed in 0.8.34). However, this bug requires two simultaneous conditions: (1) transient storage usage (tstore/tload/transient keyword) AND (2) IR-based code generator (viaIR=true). GitHub raw foundry.toml confirms both are commented out (#via-ir = true; #optimizer = true). SuperstateToken.sol source contains no transient storage usage. Deployed Etherscan metadata confirms no viaIR in the build. The bug is therefore non-applicable to the deployed contracts. Scored yellow (on known-bug list with high bug that is non-applicable due to absent prerequisites) per conservative application of the yellow criterion. RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation No applicable audited upstream exists (original-design protocol, Cat 8 all N/A). AI-generated bytecode copy pattern assessment requires an upstream to compare against. Factor not applicable.

RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub API review of the 5 most recent commits (78e8ca22, dee62bb5, 7cd394fc, 22198512, 71654a8d) shows standard commit messages from corporate engineering team. No AI co-authorship trailers (no 'co-authored-by: github-copilot[bot]' or ChatGPT Code Interpreter signatures) found in reviewed commits. Protocol is built by experienced team (Robert Leshner, ex-Compound Finance).

RD-F-173 green Team self-disclosure of AI-generated Solidity No disclosure of AI-generated Solidity in security-critical paths found in Superstate docs, Twitter/X, or any public statement. The full documentation corpus (docs.superstate.com/llms-full.txt) does not mention AI-generated code. Team background (Robert Leshner - Compound founder, SEC-registered adviser) is consistent with professional engineering standards.

RD-F-174 green Dependency tree uses EOL Solidity version Current deployed implementations use solc v0.8.28 (USTB impl SuperstateTokenV5_1) and v0.8.28 (USCC impl 0x9b7282Cb). Solidity 0.8.x is the current supported branch (non-EOL). The older implementation 0x5419d3FA uses v0.8.20 but is no longer the active implementation pointed to by the proxy. OZ upgradeable v4.9.3 (pinned submodule) is a supported release.

Response & disclosure hygiene Yellow 33 4 of 4

RD-F-176 red Disclosure SLA public No public disclosure-acknowledgment SLA found. Superstate docs commit to 'timely initial response' and 'timely remediation' without specifying any duration (e.g., no 24h or 72h acknowledgment window). No SLA is published in docs, on the security page, or in any accessible policy document. Matched circle-usyc and spiko peer pattern exactly — both scored F176 red for similar indefinite-timely language. Red is appropriate. RD-F-175 yellow Disclosure channel exists A security-disclosure contact exists at security@superstate.co per official documentation. However, no formal bug-bounty program on Immunefi or equivalent platform is active. The disclosure channel is email-only — no structured intake, no formal scope, no triage team name. For a $1.11B TVL protocol, email-only disclosure without a platform-hosted program is below peer norms. Yellow per RWA-peer precedent (circle-usyc, spiko). A disclosure path exists, but lacks formalization. Safe-harbor clause present (CFAA/DMCA protections per docs).

RD-F-177 green Prior known-ignored disclosure No evidence of a prior disclosed vulnerability that was ignored before exploit. Zero incidents on record. The Solana AllowList critical findings (0xMacro superstate-7, Apr 2025) were found during audit, fixed at commit 35496aa5, and published with Fixed status — this is the correct audit process working, not an ignored disclosure. No post-mortem exists that documents a dismissed or ignored security report.

RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory has been issued against Superstate USTB or USCC smart contracts. Web search returned no matches. The 0xMacro audit findings (all 10 engagements) were disclosed via audit report publication, not via CVE/GHSA advisory process. No critical finding was deployed unpatched to production.

rubric_version v1.7.0 graded_at 2026-05-16 01:13:18 factors 184 protocol superstate