Ignored bounty disclosure

Yearn Finance's assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Four historical incidents documented; none show a case where a disclosed vulnerability was reported to Yearn and then ignored pre-exploit. The 2021 yDAI incident was discovered at execution time. The 2023 Fulcrum misconfiguration exploits involved legacy immutable contracts where no advance disclosure is documented. No evidence of ignored bounty disclosure pattern.

Sources #

URL
Rekt.news yearn2-rekt — Fulcrum address misconfiguration, no prior public disclosurerekt.news yearn2-rekt (2023-04)retrieved 2026-05-16
URL
Rekt.news yearn-rekt 2021-02-04 — no pre-exploit disclosure documentedrekt.news yearn-rekt (2021)retrieved 2026-05-16

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-008 score green collected_at 2026-05-16 08:34:32