Avg attacker reconnaissance time for peer-class protocols

Evidence summary #

V2+V3 combined: Immutable DEX/AMM class. V2 and V3 core contracts have no admin surface for reconnaissance-driven exploitation. V3 governance checkpoint voting blocks flash-loan governance attacks. Zero direct V2/V3 core exploits in 6+ years — no successful attacks from which to measure a reconnaissance window for direct exploitation of V2/V3. Bybit/Lazarus 'reconnaissance' was identifying Uniswap as a liquid public DEX (public knowledge), not targeted exploit reconnaissance. Green for the protocol's own attack surface.

Detail #

Signal assesses the average reconnaissance time before attack for peer-class protocols. For V2 and V3 as an immutable AMM class: the attack surface for external exploitation is extremely limited (no admin keys, no oracle reads, no upgrade path). The main exploitable surface is V3 governance — but checkpoint-based voting makes flash-loan governance attacks impossible. V2 TWAP oracle can be manipulated in a block by a large swap, but this is a technique exploited in *downstream consumer protocols*, not V2 itself. The absence of any V2 or V3 direct exploit in 6+ years means there is no peer-class data specific to these protocols. Bybit/Lazarus 'reconnaissance': identifying Uniswap as a liquid public swap venue for laundering requires no on-chain probe — the information is public knowledge. Green: the immutable AMM architecture with checkpoint governance makes meaningful recon-to-strike window analysis inapplicable for direct exploitation.

Sources #

Methodology #

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

See the full factor methodology and distribution across all protocols →