defirisk.co
rubric v1.7.0

Prior known-ignored disclosure

Yearn Finance's assessment for RD-F-177 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

There is no confirmed case of a properly disclosed vulnerability that was received through official channels and left unactioned before exploitation. Incident #2 (2023-04-13, yUSDT): the Twitter warning by storming0x was posted minutes before the exploit transaction; this was a simultaneous alert, not a prior responsible disclosure, and the affected contract was immutable, so patching was impossible regardless. Incident #1 (2021-02-04): the zero-fee migration window was a deliberate team decision, not an externally disclosed vulnerability that was ignored. All other incidents involved bugs in immutable legacy contracts, where prior disclosure would not have enabled a patch. No post-mortem acknowledges a structured disclosure that was received but ignored.

Sources

  • Internal
    Yearn Finance 2nd Exploit — disclosure context
    hacksdatabase/hacks/yearn2-rekt.md
    Last-minute Twitter warning simultaneous with execution; immutable contract context. Retrieved 2026-05-16.
  • URL
    Yearn Security GitHub — disclosures directory
    Yearn Security disclosures repo
    No evidence of ignored prior disclosures in published post-mortems. Retrieved 2026-05-16.

Methodology

Determine whether prior-incident post-mortems contain evidence that a vulnerability was disclosed to the team and not actioned before the exploit.


rubric_version: v1.7.0
protocol: yearn-finance
factor: RD-F-177
score: green
collected_at: 2026-05-16 08:34:32