Synapse Protocol
Cross-chain bridge combining legacy AMM-backed escrow bridge (MPC validator model), Synapse Interchain Network (SIN) optimistic messaging, and RFQ-based FastBridge. Governance transitioning to Cortex DAO; SYN token migrating to CX.
Deployments: Ethereum · $12.6M
Risk profile at a glance
6 red · 6 yellow · 1 green
Categories & evidence
184 factors · 13 categories

Code & audits · Red · 56 · 25 of 25

RD-F-001 (red) Audit scope mismatch: Only known audit is CertiK Nerve Finance (Mar-Apr 2021), pre-rebrand and pre-proxy. Currently deployed impl 0x31fe...d0d is the 25th iteration — none of the 24 post-audit upgrades have been reviewed. Sanguine monorepo (FastBridge, SIN) also entirely unaudited.
RD-F-002 (red) Audit recency: Last (and only) audit ~60 months before assessment date. Green threshold <12 months, yellow <24 months. Substantially exceeds both.
RD-F-004 (red) Audit count: Only 1 audit firm (CertiK), only 1 engagement. Below the >=3 firms threshold.
RD-F-005 (red) Audit firm tier: CertiK is Tier-2. No Tier-1 firm (Trail of Bits, OpenZeppelin, Zellic, Halborn) engagement confirmed for any Synapse-branded contract. OpenZeppelin and Quantstamp cited in secondary sources only — no public reports located.
RD-F-006 (red) Audit-to-deploy gap: ~60 months since last audit. Far exceeds 24-month yellow threshold.
RD-F-007 (yellow) Bug bounty presence & max payout: Immunefi bug bounty active with $1M max critical payout. No confirmed payout history. DeFiSafety notes documentation gaps.
RD-F-014 (yellow) Reentrancy guard on external-calling functions: Saddle-fork MetaSwapUtils._calculateSwap() lacked virtual price check — exploited Nov 2021 ($8.2M at risk, $0 lost). Patch applied post-incident; current state unaudited.
RD-F-022 (yellow) Public initialize() without initializer modifier: `initializer` modifier IS present on initialize() — proxy-side guard correct. However, no `_disableInitializers()` call (Solidity 0.6.12 predates OZ 4.3+), meaning the raw implementation is directly callable. See RD-F-143 for implementation-level risk.
RD-F-023 (yellow) Constructor calls _disableInitializers(): Solidity 0.6.12 predates OZ 4.3+ _disableInitializers() pattern. Implementation at 0x31fe...d0d is directly initializable by any caller, allowing DEFAULT_ADMIN_ROLE claim.
RD-F-024 (yellow) Code complexity vs audit coverage: Three parallel bridge models (legacy MPC, SIN, RFQ) across two monorepos plus Saddle-fork AMM. Zero audit coverage for current architecture. High complexity with no audit coverage.
RD-F-008 (gray) Ignored bounty disclosure: No confirmed payout history found in public sources.
RD-F-009 (n/a) Formal verification coverage: No Certora/Halmos/Kani engagement found. Not assessed within budget.
RD-F-010 (n/a) Static-analyzer high-severity count: No published Slither/Mythril/Aderyn output found. Not assessed within budget.
RD-F-012 (n/a) delegatecall with user-controlled target: Unsafe delegatecall not fully assessed beyond standard EIP-1967 proxy mechanism.
RD-F-013 (n/a) Arbitrary call with user-controlled target: Low-level .call() usage not fully assessed within budget.
RD-F-015 (n/a) ERC-777/1155/721 hook without reentrancy guard: ERC-777/1155 hook risks not assessed within budget.
RD-F-016 (n/a) Divide-before-multiply pattern: Divide-before-multiply patterns not assessed within budget.
RD-F-017 (n/a) Mixed-decimals math without explicit scaling: Mixed-decimals arithmetic not assessed within budget.
RD-F-018 (n/a) Signed/unsigned arithmetic confusion: Signed/unsigned overflow not assessed within budget.
RD-F-019 (n/a) ecrecover zero-address return unchecked: ecrecover is not used in SynapseBridge; NODEGROUP_ROLE uses AccessControl-based role check, not ECDSA recovery. Pattern inapplicable.
RD-F-020 (n/a) EIP-712 domain separator missing chainId: EIP-712 domain separator not assessed within budget.
RD-F-021 (n/a) UUPS _authorizeUpgrade correctly permissioned: Non-standard upgrade authorization beyond standard EIP-1967 proxy not fully assessed within budget.
RD-F-183 (n/a) Bug bounty scope gap on highest-TVL contracts: Specific Immunefi contract exclusions not assessed within budget.
RD-F-003 (green) Resolved-without-proof findings: CertiK Nerve Finance audit found zero findings (0 critical, 0 major, 0 minor). No unresolved findings from the only known audit.
RD-F-011 (green) SELFDESTRUCT reachable from non-admin path: Source inspection of SynapseBridge.sol (Solidity 0.6.12): no SELFDESTRUCT opcode. Contract uses EIP-1967 transparent proxy but is not self-destructible.
Governance & admin · Red · 52 · 24 of 24

RD-F-028 (red) Low-threshold multisig vs TVL: Proxy admin is a 2/3 multisig. CortexDAO Protocol and Treasury multisigs are both 2-of-6 (33% threshold). No signer identities publicly attested. 2/3 is below peer norm of 4/6 for bridge protocols.
RD-F-032 (red) Timelock duration on upgrades: Timelock at 0x647489df has min delay of 180 seconds (3 minutes). Peer minimum is 24 hours. Timelock is dormant (2 txs, last May 2022).
RD-F-033 (red) Timelock on sensitive actions: GOVERNANCE_ROLE (fee/pause) and NODEGROUP_ROLE (mint/withdraw) actions have zero timelock. Only upgrades nominally timelocked at 3 minutes, which is effectively no delay.
RD-F-038 (red) Proposal execution delay < 24h: After Snapshot vote, multisig executes manually with 3-minute timelock. Near-zero effective delay between governance approval and execution of sensitive protocol changes.
RD-F-040 (red) Emergency-veto multisig present: No emergency veto mechanism identified. GOVERNANCE_ROLE can pause but cannot veto a malicious upgrade after it passes the 3-minute timelock.
RD-F-041 (red) Rescue/emergencyWithdraw without timelock: 3-minute timelock enables upgrade-and-drain within minutes. NODEGROUP_ROLE withdraw() has zero timelock — validators can drain escrow without any delay.
RD-F-042 (red) Admin has mint() with unlimited max: NODEGROUP_ROLE can call mint() on SynapseBridge with no hard cap in the bridge contract. SYN circulating ~219M already exceeds stated max ~195.5M — cap appears unenforced on-chain.
RD-F-025 (yellow) Admin key custody type: Admin path: 2/3 proxy admin Safe + 2-of-6 DAO safes + 180s timelock. No HSM requirement confirmed. Multiple privileged roles but no single-EOA path.
RD-F-026 (yellow) Upgrade multisig signer configuration (M/N): 5+ distinct privileged address classes: proxy admin 2/3 Safe, GOVERNANCE_ROLE (Executor 2), NODEGROUP_ROLE (MPC validators, count unconfirmed), DEFAULT_ADMIN_ROLE, CortexDAO multisigs.
RD-F-031 (yellow) Signer rotation recency: CortexDAO safe deployed June 2022; no rotation events found since. ~46 months without confirmed rotation.
RD-F-034 (yellow) Guardian/pause-keeper distinct from upgrader: GOVERNANCE_ROLE is pauser; Executor 2 also holds timelock proposer/executor role — potential overlap between pauser and upgrader.
RD-F-035 (yellow) Role separation: upgrade ≠ fee ≠ oracle: GOVERNANCE_ROLE != NODEGROUP_ROLE != proxy admin. Fee/pause share one role. Executor 2 holds multiple roles (GOVERNANCE_ROLE + timelock), reducing effective separation.
RD-F-036 (yellow) Flash-loanable voting weight: Snapshot voting uses block snapshot (flash loans cannot influence). No lock/cooldown requirement for SYN voters. Cortex DAO requires 4% locked CXD quorum — partial lock for CX only.
RD-F-037 (yellow) Quorum achievable via single-entity flash loan: Old Synapse DAO: 2.25M SYN (~1%) quorum — whale-achievable. Cortex DAO: 4% locked CXD — harder to game. Governance is Snapshot off-chain = no on-chain manipulation vector.
RD-F-044 (yellow) Admin wallet interacts with flagged addresses: Deployer EOA 0x235AF07E funded from Tornado.Cash June 2021 (OFAC-sanctioned mixer). Cross-flag from Cat 7 RD-F-124.
RD-F-047 (yellow) Governance token concentration (Gini): ~3,041 SYN holders (CertiK Skynet). Cortex DAO: 550K CX proposal threshold is very high relative to circulating supply. Governance power is concentrated.
RD-F-167 (yellow) Deprecated contract paused but pause reversible by live admin: Legacy SynapseBridge still live with $21M TVL. GOVERNANCE_ROLE can pause. Not formally deprecated despite Synapse Labs pivot away from bridging (January 2025).
RD-F-029 (n/a) Multisig signers co-hosted: Signer identities not public; co-hosting unassessable without private data.
RD-F-030 (n/a) Hot-wallet signer flag: Hot-wallet signer status not assessable from public data.
RD-F-039 (n/a) delegatecall/call in proposal execution without allowlist: No on-chain Governor or proposal executor. Governance is Snapshot off-chain; execution is manual multisig. No delegatecall-in-proposal path exists.
RD-F-045 (n/a) Constructor args match governance proposal: No upgrade proposals with constructor args found. 25 upgrades are undocumented. Not assessable within budget.
RD-F-027 (green) Single admin EOA: Deployer EOA 0x235AF07E renounced all roles Jan-May 2022 (~11 months post-launch). Deployer dormant since. No single-EOA admin path remains.
RD-F-043 (green) Admin = deployer EOA after 7 days: Deployer EOA 0x235AF07E transferred all roles to multisig/timelock by May 2022. Deployer dormant since. All admin paths route through multisig.
RD-F-046 (green) Contract unverified on Etherscan/Sourcify: SynapseBridge implementation 0x31fe393815822edacbd81c2262467402199efd0d verified on Etherscan as 'Exact Match'. MIT license. Solidity v0.6.12+commit.27d51765.
Oracle & external dependencies · Yellow · 22 · 17 of 17

RD-F-050 (yellow) Dependency graph (protocols depended upon): Dependencies: (1) Saddle Finance fork AMM pool contracts for swap-bridge operations; (2) Synapse Labs MPC validators (NODEGROUP_ROLE); (3) Synapse Labs GUARD_ROLE for RFQ; (4) BridgeConfigV3 for pool routing. No external DeFi protocol dependency.
RD-F-051 (yellow) Fallback behavior on oracle failure: No oracle to fail. AMM pool failure: swap operations revert (no fallback). Validator failure: bridge halts. Guard failure: RFQ dispute window uncontested. No documented fallback for any dependency failure mode.
RD-F-052 (yellow) Breakage analysis per dependency: AMM pool exploit -> mintAndSwap/withdrawAndRemove unsafe (historical Nov 2021 precedent, $8.2M at risk). 2/3 validators compromised -> legacy bridge drained. Guard absent -> RFQ fraud undetected. Pool config wrong -> routing failure.
RD-F-062 (yellow) External keeper/relayer not redundant: RFQ FastBridge: sole Guard is Synapse Labs — no backup, no redundancy. If Synapse Labs stops operating (Jan 2025 strategic pivot), disputes go uncontested. Legacy bridge validators have MPC-TSS multi-node design but exact count unconfirmed.
RD-F-049 (n/a) Oracle role per asset: No oracle providers identified. No asset/market uses Primary/Secondary/Fallback external oracle.
RD-F-054 (n/a) TWAP window duration: No TWAP oracle in any bridge path.
RD-F-055 (n/a) Oracle pool depth (USD): No oracle pool. StableSwap AMM pools are the bridge mechanism itself, not an oracle.
RD-F-056 (n/a) Single-pool oracle (no medianization): No oracle. AMM pool is not an oracle.
RD-F-057 (n/a) Circuit breaker on price deviation: No price oracle, hence no price-deviation circuit breaker possible or present.
RD-F-058 (n/a) Max-deviation threshold (bps): No price oracle, no deviation threshold.
RD-F-059 (n/a) Oracle staleness check present: No oracle, hence no staleness check required or present.
RD-F-060 (n/a) Chainlink aggregator min/max bound misconfig: No Chainlink feeds used.
RD-F-061 (n/a) LP token balanceOf used for pricing: Bridge holds canonical tokens; AMM pool uses invariant math rather than balanceOf for pricing. Not applicable to bridge oracle path.
RD-F-180 (n/a) Immutable oracle address: No oracle address exists in any bridge critical path to be immutable. AMM pool addresses in BridgeConfigV3 are admin-configurable. F180 structurally inapplicable.
RD-F-181 (n/a) Permissionless-pool lending oracle: Synapse is a bridge, not a lending protocol. No lending isolation tiers or permissionless oracle acceptance at a venue-listing layer.
RD-F-048 (green) Oracle providers used: No external oracle providers used in any bridge critical path. No Chainlink, Pyth, Redstone, API3, Uniswap TWAP, or Band feeds identified. Only price-like mechanism is StableSwap AMM invariant (in-pool math).
RD-F-053 (green) Oracle source = spot DEX pool (no TWAP): No spot DEX pool oracle in any bridge path. Source inspection confirms no DEX oracle in SynapseBridge.sol, FastBridge.sol, FastBridgeV2.sol, or BridgeConfigV3.sol.
Economic risk · Red · 56 · 13 of 13

RD-F-065 (red) Liquidity depth per major asset: SYN token DEX liquidity depth (2% market impact) ~$212K across all venues. Insufficient for a bridge holding $21M. Users bridging significant amounts face high slippage on SYN redemptions.
RD-F-063 (yellow) TVL (current + 30d trend): $21M TVL as of 2026-04-26 (DefiLlama). Below $100M green threshold. 12-month trailing peak significantly above current but in sustained 97% decline from $728M 2022 peak.
RD-F-064 (yellow) TVL concentration (top-10 wallet share): Majority of TVL in Ethereum leg. 25+ chains deployed but liquidity is fragmented and thin outside Ethereum.
RD-F-066 (n/a) Utilization rate (lending protocols): No lending markets.
RD-F-067 (n/a) Historical bad-debt events: No lending markets.
RD-F-068 (n/a) Collateralization under stress: No lending markets.
RD-F-069 (n/a) Algorithmic / under-collateralized stablecoin: No lending markets.
RD-F-070 (n/a) Empty cToken-style market (zero supply/borrow): No Compound-style cToken markets, no ERC-4626 vaults. Bridge holds canonical tokens in escrow. Share-inflation attack inapplicable.
RD-F-071 (n/a) Seed-deposit requirement for new market listing: No lending markets.
RD-F-072 (n/a) Market-listing governance threshold: No lending markets.
RD-F-073 (n/a) Oracle-manipulation-proof borrow cap: No lending markets.
RD-F-074 (n/a) ERC-4626 virtual-share offset (OZ ≥4.9): nUSD/nETH are collateral-backed bridged tokens, not algorithmic stablecoins. Peg risk is bridge solvency, not stablecoin mechanism. N/A for stablecoin-mechanism factor.
RD-F-075 (n/a) First-depositor / share-inflation guard: No lending markets.
Operational history · Yellow · 36 · 15 of 15

RD-F-084 (red) TVL stability (CoV over 90d): TVL declined 97% from peak ~$728M (2022) to ~$21M (April 2026). Synapse Labs publicly announced January 2025 pivot to Cortex DAO and AI/infrastructure business. Legacy bridge is in maintenance mode.
RD-F-076 (yellow) Protocol age (days): 1 incident (Nov 2021): $8.2M at risk, $0 lost. Validators blocked withdrawal before drain completed. Single incident in 60+ months of operation.
RD-F-077 (yellow) Prior exploit count: Partial disclosure only. Third-party analyses (Halborn, Rekt News) provide root-cause detail. No first-party post-mortem published by Synapse team found in public sources.
RD-F-078 (yellow) Chronic-exploit flag (≥3 incidents): $0 user losses — validators blocked withdrawal. No formal compensation or backstop mechanism. Prevention was operational (validator action), not contractual.
RD-F-079 (yellow) Same-root-cause repeat exploit: Patch deployed within days of Nov 2021 incident. Root cause was in unaudited Saddle-fork AMM operating without review since launch. No re-audit post-patch.
RD-F-081 (yellow) Post-exploit response score: No first-party post-mortem from Synapse team found. Only third-party analyses (Halborn, Rekt News). Documentation gap for an $8.2M-at-risk event.
RD-F-082 (yellow) Post-mortem published within 30 days: Saddle Finance AMM fork deployed without independent audit. Missing virtual price check was a documented pattern in Curve/Saddle codebase. Fork without audit contributed directly to incident.
RD-F-083 (yellow) Auditor re-engaged after last exploit: Immunefi bug bounty present with $1M max critical. No confirmed payout documented. Bounty operational but undemonstrated.
RD-F-089 (yellow) Insurance coverage active: No formal insurance or backstop mechanism. No Jump/Wormhole-style replenishment precedent. Legacy bridge under minimal maintenance post-January 2025 pivot.
RD-F-166 (yellow) Deprecated contracts still holding value: Legacy SynapseBridge holds $21M TVL and is not formally deprecated or paused. Multiple deprecated chain routes existed historically. No formal migration plan for legacy users documented.
RD-F-085 (n/a) Incident response time (minutes): No additional governance incidents (rug, coordinated attack on governance) found within budget.
RD-F-086 (gray) Pause activations (trailing 12 months): CertiK Nerve Finance audit found zero findings; no remediation tracking required. Post-rebrand audits do not exist, so no post-audit remediation tracking is possible.
RD-F-087 (n/a) Pause > 7 consecutive days: Emergency response drills not assessable via OSINT.
RD-F-088 (n/a) Re-deployed to new addresses in last year: 25 upgrades documented; individual upgrade incidents not assessed within budget.
RD-F-080 (green) Days since last exploit: Only 1 incident in 60+ months. No recurrence. CHRONIC criteria (>=3 same-root-cause exploits in 24 months) not met.
Real-time signals · Yellow · 25 · 22 of 22

RD-F-098 (yellow) TVL anomaly — % drop in <1h: TVL anomaly signal miscalibrated for a protocol in 97% sustained decline. $21M current TVL means further drops are noise, not signal. Bridge volume data would be a better monitoring metric.
RD-F-103 (yellow) Bridge signer-set change proposed/executed: NODEGROUP_ROLE grantRole/revokeRole events are the primary Tier-A monitoring signal for Synapse. Currently not firing. Would trigger immediately on unscheduled validator set change.
RD-F-106 (yellow) Cross-chain bridge unverified mint pattern: NODEGROUP_ROLE mint() is the historical attack vector (Nov 2021 near-miss). Currently not firing. High-priority signal for this protocol — unscheduled cross-chain mint would be immediate Tier-A alert.
RD-F-090 (n/a) Mixer withdrawal → protocol interaction: Large bridge outflow signal not assessed (static analysis only).
RD-F-091 (n/a) Partial-drain test transactions: Mempool recon signal not assessed.
RD-F-092 (n/a) Unusual mempool pattern from deployer wallet: No price oracle in critical path — price oracle deviation signal N/A.
RD-F-093 (n/a) Abnormal gas-price willingness from attacker wallet: Governance proposal spike — Snapshot off-chain; baseline not established.
RD-F-094 (n/a) New contract with similar bytecode to exploit template: Admin key transfer signal not assessed (static analysis only).
RD-F-095 (n/a) Known-exploit function-selector replay: Liquidation cascade N/A — no lending markets.
RD-F-096 (n/a) New ERC-20 approval to unverified contract from whale: Contract interaction anomaly signal not assessed.
RD-F-097 (n/a) Sybil surge of identical-pattern transactions: Flash loan event N/A — no flash-loan-capable pools in critical bridge path.
RD-F-099 (n/a) Oracle price deviation >X% from secondary: No price oracle — oracle price manipulation signal N/A.
RD-F-100 (n/a) Flash loan >$10M targeting protocol tokens: Governance voting anomaly — Snapshot off-chain; baseline not established.
RD-F-101 (n/a) Large governance proposal queued: Contract upgrade event monitoring not assessed (25 upgrades historically).
RD-F-102 (n/a) Admin/upgrade transaction in mempool: Large deployer/team wallet transfer signal not assessed.
RD-F-104 (n/a) Stablecoin depeg >2% on shared-LP venue: Cross-chain message anomaly signal not assessed.
RD-F-105 (n/a) DNS/CDN/frontend hash drift: Bridge pause event monitoring not assessed.
RD-F-107 (n/a) Admin EOA signing from new geography/device: nUSD/nETH peg monitoring not assessed.
RD-F-108 (n/a) GitHub force-push to sensitive branch: MPC validator liveness monitoring not assessed.
RD-F-109 (n/a) Social-media impersonation scam spike: Bridge pause event monitoring not assessed.
RD-F-110 (n/a) Unusual pending/executed proposal ratio: Unusual fee collection signal not assessed.
RD-F-182 (green) Security-Council threshold reduction (RT): Security-council threshold reduction (batch-24): 2/3 proxy admin threshold stable per L2Beat. Not firing. Threshold is already anomalously low — any reduction would be immediate Tier-A signal.
Dev identity & insider risk · Yellow · 48 · 16 of 16

RD-F-114 (red) Deployer address prior on-chain history: Deployer EOA 0x235AF07E funded directly from Tornado.Cash 1 ETH pool on 2021-06-23. OFAC-sanctioned mixer. Direct interaction confirmed. 5 contracts deployed same day (0-day window).
RD-F-124 (red) Deployer wallet mixer-funded within 30 days: Deployer EOA 0x235AF07E funded 1 ETH from Tornado.Cash 1 ETH pool on 2021-06-23. On the same date 5 contracts deployed — 0-day window between mixer funding and deployment. Tornado.Cash is OFAC SDN-listed; primary mixer used by Lazarus Group/DPRK. RD-F-124 fires definitively.
RD-F-111 (yellow) Team doxx status: Substantially pseudonymous team. No fully named, LinkedIn-verifiable Synapse Protocol core team members confirmed in official channels.
RD-F-112 (yellow) Team public accountability surface: Limited accountability surface. No conference appearances, named technical leads, or verifiable employment history confirmed for core team.
RD-F-116 (yellow) Contributor tenure at admin-permissioned PR: Protocol 60+ months old. Core contributor set stable per GitHub history, but individual tenure not verifiable for pseudonymous contributors.
RD-F-120 (yellow) Video-off/voice-consistency flag: No public video appearances by named team members identified. Pseudonymous team avoids public-facing representation.
RD-F-121 (yellow) Contributor OSINT depth score: OSINT depth score 2/5. Pseudonymous team; limited verifiable identity signal beyond deployer funding chain. Science Corporation association is the only public entity linkage.
RD-F-123 (yellow) Sudden admin-rescue/ACL change without discussion: 25 SynapseBridge upgrades documented with no on-chain governance proposals linking upgrades to Snapshot votes. Admin-change transparency is low for a pseudonymous team.
RD-F-125 (yellow) Deployer linked within 3 hops to DPRK/Lazarus: No DPRK/Lazarus/UNC4736 attribution confirmed for any Synapse team member or admin address on available OSINT. Pseudonymous team + Tornado.Cash deployer limits confidence in full exclusion without private cluster analysis.
RD-F-113 (n/a) Team other-protocol involvement history: Cannot confirm or deny prior rug/exit-scam history for pseudonymous team. No positive evidence found.
RD-F-115 (n/a) Prior rug/exit-scam affiliation: Adverse prior record cannot be assessed for pseudonymous team.
RD-F-117 (n/a) ENS/NameStone identity bound to deployer: No ENS or NameStone binding to deployer EOA. Absence not conclusive.
RD-F-118 (n/a) Handle reuse across failed/rugged projects: Social-handle reuse not assessable for pseudonymous team.
RD-F-119 (n/a) Commit timezone consistent with stated geography: Contributor timezone clustering not assessable within budget.
RD-F-122 (n/a) Contributor paid to DPRK-cluster wallet: Compensation model not determinable for pseudonymous team.
RD-F-184 (n/a) Real-capital social-engineering persona: No curator-flagged social-engineering persona with >$1M deposits identified within budget.
Fork / dependency lineage · Red · 67 · 10 of 10

RD-F-126 (red) Is-a-fork-of: Direct fork of Saddle Finance MetaSwap (Curve MetaPool re-implementation). Source of Nov 2021 $8.2M-at-risk exploit. Never audited under Synapse branding.
RD-F-127 (red) Upstream patch not merged: Missing virtual price check in _calculateSwap() was the exploit vector — introduced via fork divergence from Curve/Saddle canonical implementation.
RD-F-128 (red) Upstream vulnerability disclosure (last 90d): Saddle Finance security patches not confirmed systematically propagated to Synapse AMM fork. November 2021 incident was a direct result of a missing upstream safety mechanism.
RD-F-130 (red) Fork depth (generations from original audit): Known vulnerability (missing virtual price check) exploited in Nov 2021 was a direct result of an inherited upstream pattern from the Curve/Saddle codebase not replicated in the fork.
RD-F-131 (red) Fork retains upstream audit coverage: Fork (Saddle Finance MetaSwap) has never been audited under Synapse branding across 60+ months of operation. Only upstream Nerve Finance core contracts were audited (CertiK, 2021).
RD-F-129 (yellow) Code divergence from upstream (%): Upstream Saddle Finance governance changes not tracked by Synapse. No public dependency-tracking process documented.
RD-F-133 (yellow) Dependency manifest uses unpinned versions: OZ dependency version pinning not confirmed as exact-pinned for Saddle-fork AMM contracts.
RD-F-135 (yellow) Shared-library version with known-vuln status: Potential non-exact-pinned OZ versions in Sanguine monorepo components; not confirmed as semver-exact for all dependencies.
RD-F-132 (n/a) Fork has different economic parameters than upstream: Pool contract admin key inheritance from Saddle Finance not fully assessed within budget.
RD-F-134 (green) Dependency had malicious-release incident (last 90d): No malicious-release advisory for any Synapse dependency (OpenZeppelin, Solidity, Saddle Finance) found in public sources.
Post-deploy hygiene & change mgmt · Yellow · 42 · 13 of 13

RD-F-139 (red) Post-audit code changes without re-audit: Only confirmed audit is CertiK Nerve Finance (April 2021). 24+ post-rebrand upgrades with no publicly accessible audit reports. Every deployed upgrade since April 2021 is unaudited.
RD-F-143 (red) Reinitializable implementation (no _disableInitializers): SynapseBridge (Solidity 0.6.12) has no _disableInitializers() call. The initialize() function's initializer modifier prevents re-initialization via proxy only. Any address can call initialize() on raw implementation 0x31fe...d0d and claim DEFAULT_ADMIN_ROLE.
RD-F-185 (red) Bridge rate-limiter / chain-pause as positive mitigant: No per-window outflow rate-limiter in SynapseBridge or FastBridge. Only global GOVERNANCE_ROLE pause. RFQ Guard (sole operator: Synapse Labs) is dispute-based, not rate-limited. Bridge rate-limiter positive mitigant is absent.
RD-F-136 (yellow) Deployed bytecode matches signed release tag: No signed release tags; no git-tag-to-bytecode provenance chain documented. Etherscan-verified only.
RD-F-137 (yellow) Upgrade frequency (per 90 days): 25 upgrades in ~60 months (~1.2 per 90 days). High upgrade frequency for a Solidity 0.6.12 contract without modern upgrade tooling.
RD-F-138 (yellow) Hot-patch deploys without timelock (last 30 days): No upgrades in last 30 days (last executor activity ~44 days ago). But the 180s timelock makes every historical upgrade effectively a hot-patch.
RD-F-142 (yellow) Storage-layout collision risk across upgrades: 25 upgrades on Solidity 0.6.12 without OZ upgrades-plugin storage layout artifacts. High storage collision risk not publicly assessed for any of the 25 iterations.
RD-F-145 (yellow) Deployed bytecode reproducibility: No build artifacts or reproducible-build documentation found. Etherscan-verified only; no independent bytecode reproducibility confirmed.
RD-F-168 (yellow) Stale-approval exposure on deprecated router: SynapseRouter and Bridge Zap 3 are older routing contracts with potential stale user approvals. No revocation campaign documented.
RD-F-140 (n/a) Fix-merged-but-not-deployed gap: No public security advisories with pending patches identified.
RD-F-141 (green) Test-mode parameters in deploy: No test-mode parameters identified in deployment. Role transfer completed correctly to multisig/timelock.
RD-F-144 (green) CREATE2 factory permits same-address redeploy: No CREATE2 factory usage. Standard EIP-1967 transparent proxy (deterministic to deployer nonce). No redeployment-to-same-address risk.
RD-F-146 (green) New contract deploys in last 30 days: No new deployments in last 30 days evident from Etherscan executor activity.
Cross-chain & bridge · Green · 17 · 12 of 12

RD-F-149 (yellow) Bridge validator threshold (k-of-M): Legacy bridge: 2/3 MPC-TSS threshold per public docs (off-chain; on-chain only checks NODEGROUP_ROLE membership). RFQ FastBridge: no threshold — Guard (M=1) is sole authority. 2/3 is adequate IF M is large enough; M=1 guard is a critical single point.
RD-F-152 (yellow) Bridge binds message to srcChainId: RFQ FastBridge: explicit srcChainId/destChainId binding confirmed (block.chainid). Legacy SynapseBridge: kappa binding partially confirmed — full chain-specificity depends on off-chain validator implementation, not verifiable from contract source alone.
RD-F-156 (yellow) Bridge uses same key custody for >30% validators: RFQ Guard: 100% single-entity (Synapse Labs). Legacy NODEGROUP_ROLE: validator identities and key custody not publicly disclosed — co-custody cannot be assessed.
RD-F-157 (yellow) Bridge TVL per validator ratio: RFQ FastBridge: $21M TVL / 1 Guard = $21M per guard entity — extremely high concentration. Legacy bridge ratio uncomputable (validator count M not confirmed). RFQ single-guard concentration is high.
RD-F-148 (gray) Bridge validator count (M): Legacy SynapseBridge NODEGROUP_ROLE member count not directly queried via getRoleMemberCount(). Public documentation states 2/3 MPC-TSS threshold but does not specify M. RFQ FastBridge: effective M=1 (Synapse Labs sole Guard). Evidence insufficient for definitive M count.
RD-F-150 (n/a) Bridge validator co-hosting: MPC-TSS node operators (NODEGROUP_ROLE holders) not publicly identified. No validator registry or node directory in public docs. Co-hosting assessment requires private data.
RD-F-155 (n/a) Bridge validator-set rotation recency: NODEGROUP_ROLE rotation history not queried from Etherscan events within budget. RFQ Guard rotation: no history found, sole Guard = Synapse Labs.
RD-F-179 (n/a) LayerZero OFT DVN config (count, threshold, diversity): Synapse Protocol is not a LayerZero OApp and does not use LayerZero OFT adapters. Confirmed by profile and source inspection.
RD-F-147 (green) Protocol has bridge surface: YES — Synapse IS the bridge across three models: legacy SynapseBridge escrow/AMM (25+ chains), SIN optimistic messaging, RFQ FastBridge intent model.
RD-F-151 (green) Bridge ecrecover checks result ≠ address(0): NOT APPLICABLE — Synapse legacy bridge and RFQ FastBridge do not use ecrecover for on-chain signature verification. NODEGROUP_ROLE uses AccessControl role check; RFQ has no ecrecover calls (confirmed by source inspection). Forged zero-address signature exploit cannot fire.
RD-F-153 (green) Bridge tracks nonce-consumed mapping: Legacy SynapseBridge: kappaMap (mapping bytes32->bool) with require(!kappaMap[kappa]) — explicit replay prevention. RFQ FastBridge: nonce++ per tx; FastBridgeV2: senderNonces[sender]++ per-sender nonce. All models prevent replay.
RD-F-154 (green) Default bytes32(0) acceptable as valid root: NOT APPLICABLE — Synapse does not use a Merkle root acceptance model. Legacy bridge uses kappa mapping. RFQ uses keccak256(request) direct tx hash. SIN uses optimistic proof/dispute. No committedRoot-style mapping exists. Nomad-class exploit inapplicable.
Threat intelligence & recon · Red · 100 · 8 of 8

RD-F-158 (red) Known-threat-actor cluster has touched protocol: Deployer EOA 0x235AF07E funded from OFAC-sanctioned Tornado.Cash mixer on 2021-06-23. Threat-actor wallet proximity confirmed. Cannot rule out DPRK-linked funding chain without private cluster analysis (Chainalysis, TRM Labs).
RD-F-159 (n/a) Attacker wallet pre-strike probe (low-gas failing txs): Reconnaissance patterns not assessed within static budget.
RD-F-160 (n/a) GitHub malicious-dependency incident touching protocol deps: Sandboxing/containment not in scope for static analysis.
RD-F-161 (n/a) Protocol-impersonator domain registered (typosquat): Threat intel feed coverage — private feeds (Chainalysis, TRM) required; not assessed.
RD-F-162 (n/a) Known-exploit-template selector deployed by any address: Dark-web/OSINT monitoring not assessed.
RD-F-163 (n/a) Avg attacker reconnaissance time for peer-class protocols: Social engineering surface not assessed.
RD-F-164 (n/a) Leaked credential on paste/sentry site: Physical security of MPC validator operators not assessable via OSINT.
RD-F-165 (n/a) Protocol social channel has scam-coordinator flag: Incident response testing not assessable via OSINT.
Tooling / compiler / AI · Yellow · 33 · 5 of 5

RD-F-170 (yellow) Solc version used (known-bug versions flagged): SynapseBridge uses Solidity 0.6.12, which has known compiler bugs in the 0.6.x series. Outdated relative to current 0.8.29.
RD-F-172 (yellow) Repo shows AI-tool co-authorship in critical files: AI co-authorship patterns detected in FastBridgeInterceptor.sol (Sanguine monorepo). AI-generated code without manual audit review creates quality uncertainty.
RD-F-174 (yellow) Dependency tree uses EOL Solidity version: Solidity 0.6.12 is ~8 years old and significantly superseded. Modern safety improvements (0.8.x checked arithmetic, custom errors, immutable keyword) unavailable to legacy bridge contracts.
RD-F-171 (n/a) Bytecode similarity to audited upstream with behavior deviation: Rust/Wasm toolchain for non-EVM components not assessed within budget.
RD-F-173 (n/a) Team self-disclosure of AI-generated Solidity: Build artifact reproducibility documentation not found within budget.
Response & disclosure hygiene · Red · 67 · 4 of 4

RD-F-176 (red) Disclosure SLA public: Immunefi $1M max critical bounty cap is inadequate for a protocol with $728M peak TVL and $21M current TVL. Nov 2021 incident put $8.2M at risk — bounty cap covers less than a meaningful fraction. No confirmed payout demonstrates program effectiveness.
RD-F-175 (yellow) Disclosure channel exists: No first-party acknowledgment SLA published. Immunefi is the sole disclosure channel. No SECURITY.md with SLA confirmed in synapse-contracts or sanguine repos.
RD-F-177 (n/a) Prior known-ignored disclosure: No SECURITY.md with off-channel contact confirmed in public repos.
RD-F-178 (n/a) CVE/GHSA advisory issued against protocol: No explicit Synapse-issued safe-harbor clause found in public sources.
rubric_version: v1.7.0 · graded_at: 2026-05-12 04:38:07 · factors: 184 · protocol: synapse