Factor encyclopedia
184 evidence factors across 13 categories. Each factor entry links to its methodology, how it is measured, and which of the 80 tracked protocols carry it; a ★ marks the factors the page flags as high severity.
| ID | ★ | Factor | Category | Carried |
|---|---|---|---|---|
| RD-F-001 | ★ | Audit scope mismatch | Code & audits | 80 of 80 |
| RD-F-002 | | Audit recency | Code & audits | 80 of 80 |
| RD-F-003 | | Resolved-without-proof findings | Code & audits | 80 of 80 |
| RD-F-004 | | Audit count | Code & audits | 80 of 80 |
| RD-F-005 | | Audit firm tier | Code & audits | 80 of 80 |
| RD-F-006 | | Audit-to-deploy gap | Code & audits | 80 of 80 |
| RD-F-007 | | Bug bounty presence & max payout | Code & audits | 80 of 80 |
| RD-F-008 | | Ignored bounty disclosure | Code & audits | 80 of 80 |
| RD-F-009 | | Formal verification coverage | Code & audits | 80 of 80 |
| RD-F-010 | | Static-analyzer high-severity count | Code & audits | 80 of 80 |
| RD-F-011 | | SELFDESTRUCT reachable from non-admin path | Code & audits | 80 of 80 |
| RD-F-012 | | delegatecall with user-controlled target | Code & audits | 80 of 80 |
| RD-F-013 | | Arbitrary call with user-controlled target | Code & audits | 80 of 80 |
| RD-F-014 | | Reentrancy guard on external-calling functions | Code & audits | 80 of 80 |
| RD-F-015 | | ERC-777/1155/721 hook without reentrancy guard | Code & audits | 80 of 80 |
| RD-F-016 | | Divide-before-multiply pattern | Code & audits | 80 of 80 |
| RD-F-017 | | Mixed-decimals math without explicit scaling | Code & audits | 80 of 80 |
| RD-F-018 | | Signed/unsigned arithmetic confusion | Code & audits | 80 of 80 |
| RD-F-019 | | ecrecover zero-address return unchecked | Code & audits | 80 of 80 |
| RD-F-020 | | EIP-712 domain separator missing chainId | Code & audits | 80 of 80 |
| RD-F-021 | | UUPS _authorizeUpgrade correctly permissioned | Code & audits | 80 of 80 |
| RD-F-022 | ★ | Public initialize() without initializer modifier | Code & audits | 80 of 80 |
| RD-F-023 | | Constructor calls _disableInitializers() | Code & audits | 80 of 80 |
| RD-F-024 | | Code complexity vs audit coverage | Code & audits | 80 of 80 |
| RD-F-025 | | Admin key custody type | Governance & admin | 80 of 80 |
| RD-F-026 | | Upgrade multisig signer configuration (M/N) | Governance & admin | 80 of 80 |
| RD-F-027 | ★ | Single admin EOA | Governance & admin | 80 of 80 |
| RD-F-028 | ★ | Low-threshold multisig vs TVL | Governance & admin | 80 of 80 |
| RD-F-029 | | Multisig signers co-hosted | Governance & admin | 80 of 80 |
| RD-F-030 | | Hot-wallet signer flag | Governance & admin | 80 of 80 |
| RD-F-031 | | Signer rotation recency | Governance & admin | 80 of 80 |
| RD-F-032 | | Timelock duration on upgrades | Governance & admin | 80 of 80 |
| RD-F-033 | | Timelock on sensitive actions | Governance & admin | 80 of 80 |
| RD-F-034 | | Guardian/pause-keeper distinct from upgrader | Governance & admin | 80 of 80 |
| RD-F-035 | | Role separation: upgrade ≠ fee ≠ oracle | Governance & admin | 80 of 80 |
| RD-F-036 | ★ | Flash-loanable voting weight | Governance & admin | 80 of 80 |
| RD-F-037 | | Quorum achievable via single-entity flash loan | Governance & admin | 80 of 80 |
| RD-F-038 | | Proposal execution delay < 24h | Governance & admin | 80 of 80 |
| RD-F-039 | ★ | delegatecall/call in proposal execution without allowlist | Governance & admin | 80 of 80 |
| RD-F-040 | | Emergency-veto multisig present | Governance & admin | 80 of 80 |
| RD-F-041 | ★ | Rescue/emergencyWithdraw without timelock | Governance & admin | 80 of 80 |
| RD-F-042 | ★ | Admin has mint() with unlimited max | Governance & admin | 80 of 80 |
| RD-F-043 | ★ | Admin = deployer EOA after 7 days | Governance & admin | 80 of 80 |
| RD-F-044 | | Admin wallet interacts with flagged addresses | Governance & admin | 80 of 80 |
| RD-F-045 | | Constructor args match governance proposal | Governance & admin | 80 of 80 |
| RD-F-046 | ★ | Contract unverified on Etherscan/Sourcify | Governance & admin | 80 of 80 |
| RD-F-047 | | Governance token concentration (Gini) | Governance & admin | 80 of 80 |
| RD-F-048 | | Oracle providers used | Oracle & external dependencies | 80 of 80 |
| RD-F-049 | | Oracle role per asset | Oracle & external dependencies | 80 of 80 |
| RD-F-050 | | Dependency graph (protocols depended upon) | Oracle & external dependencies | 80 of 80 |
| RD-F-051 | | Fallback behavior on oracle failure | Oracle & external dependencies | 80 of 80 |
| RD-F-052 | | Breakage analysis per dependency | Oracle & external dependencies | 80 of 80 |
| RD-F-053 | ★ | Oracle source = spot DEX pool (no TWAP) | Oracle & external dependencies | 80 of 80 |
| RD-F-054 | | TWAP window duration | Oracle & external dependencies | 80 of 80 |
| RD-F-055 | | Oracle pool depth (USD) | Oracle & external dependencies | 80 of 80 |
| RD-F-056 | | Single-pool oracle (no medianization) | Oracle & external dependencies | 80 of 80 |
| RD-F-057 | | Circuit breaker on price deviation | Oracle & external dependencies | 80 of 80 |
| RD-F-058 | | Max-deviation threshold (bps) | Oracle & external dependencies | 80 of 80 |
| RD-F-059 | | Oracle staleness check present | Oracle & external dependencies | 80 of 80 |
| RD-F-060 | | Chainlink aggregator min/max bound misconfig | Oracle & external dependencies | 80 of 80 |
| RD-F-061 | | LP token balanceOf used for pricing | Oracle & external dependencies | 80 of 80 |
| RD-F-062 | | External keeper/relayer not redundant | Oracle & external dependencies | 80 of 80 |
| RD-F-063 | | TVL (current + 30d trend) | Economic risk | 80 of 80 |
| RD-F-064 | | TVL concentration (top-10 wallet share) | Economic risk | 80 of 80 |
| RD-F-065 | | Liquidity depth per major asset | Economic risk | 80 of 80 |
| RD-F-066 | | Utilization rate (lending protocols) | Economic risk | 80 of 80 |
| RD-F-067 | | Historical bad-debt events | Economic risk | 80 of 80 |
| RD-F-068 | | Collateralization under stress | Economic risk | 80 of 80 |
| RD-F-069 | | Algorithmic / under-collateralized stablecoin | Economic risk | 80 of 80 |
| RD-F-070 | ★ | Empty cToken-style market (zero supply/borrow) | Economic risk | 80 of 80 |
| RD-F-071 | | Seed-deposit requirement for new market listing | Economic risk | 80 of 80 |
| RD-F-072 | | Market-listing governance threshold | Economic risk | 80 of 80 |
| RD-F-073 | | Oracle-manipulation-proof borrow cap | Economic risk | 80 of 80 |
| RD-F-074 | | ERC-4626 virtual-share offset (OZ ≥4.9) | Economic risk | 80 of 80 |
| RD-F-075 | | First-depositor / share-inflation guard | Economic risk | 80 of 80 |
| RD-F-076 | | Protocol age (days) | Operational history | 80 of 80 |
| RD-F-077 | | Prior exploit count | Operational history | 80 of 80 |
| RD-F-078 | | Chronic-exploit flag (≥3 incidents) | Operational history | 80 of 80 |
| RD-F-079 | | Same-root-cause repeat exploit | Operational history | 80 of 80 |
| RD-F-080 | | Days since last exploit | Operational history | 80 of 80 |
| RD-F-081 | | Post-exploit response score | Operational history | 80 of 80 |
| RD-F-082 | | Post-mortem published within 30 days | Operational history | 80 of 80 |
| RD-F-083 | | Auditor re-engaged after last exploit | Operational history | 80 of 80 |
| RD-F-084 | | TVL stability (CoV over 90d) | Operational history | 80 of 80 |
| RD-F-085 | | Incident response time (minutes) | Operational history | 80 of 80 |
| RD-F-086 | | Pause activations (trailing 12 months) | Operational history | 80 of 80 |
| RD-F-087 | | Pause > 7 consecutive days | Operational history | 80 of 80 |
| RD-F-088 | | Re-deployed to new addresses in last year | Operational history | 80 of 80 |
| RD-F-089 | | Insurance coverage active | Operational history | 80 of 80 |
| RD-F-090 | | Mixer withdrawal → protocol interaction | Real-time signals | 80 of 80 |
| RD-F-091 | | Partial-drain test transactions | Real-time signals | 80 of 80 |
| RD-F-092 | | Unusual mempool pattern from deployer wallet | Real-time signals | 80 of 80 |
| RD-F-093 | | Abnormal gas-price willingness from attacker wallet | Real-time signals | 80 of 80 |
| RD-F-094 | | New contract with similar bytecode to exploit template | Real-time signals | 80 of 80 |
| RD-F-095 | | Known-exploit function-selector replay | Real-time signals | 80 of 80 |
| RD-F-096 | | New ERC-20 approval to unverified contract from whale | Real-time signals | 80 of 80 |
| RD-F-097 | | Sybil surge of identical-pattern transactions | Real-time signals | 80 of 80 |
| RD-F-098 | | TVL anomaly: % drop in <1h | Real-time signals | 80 of 80 |
| RD-F-099 | | Oracle price deviation >X% from secondary | Real-time signals | 80 of 80 |
| RD-F-100 | | Flash loan >$10M targeting protocol tokens | Real-time signals | 80 of 80 |
| RD-F-101 | | Large governance proposal queued | Real-time signals | 80 of 80 |
| RD-F-102 | | Admin/upgrade transaction in mempool | Real-time signals | 80 of 80 |
| RD-F-103 | | Bridge signer-set change proposed/executed | Real-time signals | 80 of 80 |
| RD-F-104 | | Stablecoin depeg >2% on shared-LP venue | Real-time signals | 80 of 80 |
| RD-F-105 | | DNS/CDN/frontend hash drift | Real-time signals | 80 of 80 |
| RD-F-106 | | Cross-chain bridge unverified mint pattern | Real-time signals | 80 of 80 |
| RD-F-107 | | Admin EOA signing from new geography/device | Real-time signals | 80 of 80 |
| RD-F-108 | | GitHub force-push to sensitive branch | Real-time signals | 80 of 80 |
| RD-F-109 | | Social-media impersonation scam spike | Real-time signals | 80 of 80 |
| RD-F-110 | | Unusual pending/executed proposal ratio | Real-time signals | 80 of 80 |
| RD-F-111 | | Team doxx status | Dev identity & insider risk | 80 of 80 |
| RD-F-112 | | Team public accountability surface | Dev identity & insider risk | 80 of 80 |
| RD-F-113 | | Team other-protocol involvement history | Dev identity & insider risk | 80 of 80 |
| RD-F-114 | | Deployer address prior on-chain history | Dev identity & insider risk | 80 of 80 |
| RD-F-115 | | Prior rug/exit-scam affiliation | Dev identity & insider risk | 80 of 80 |
| RD-F-116 | | Contributor tenure at admin-permissioned PR | Dev identity & insider risk | 80 of 80 |
| RD-F-117 | | ENS/NameStone identity bound to deployer | Dev identity & insider risk | 80 of 80 |
| RD-F-118 | | Handle reuse across failed/rugged projects | Dev identity & insider risk | 80 of 80 |
| RD-F-119 | | Commit timezone consistent with stated geography | Dev identity & insider risk | 80 of 80 |
| RD-F-120 | | Video-off/voice-consistency flag | Dev identity & insider risk | 80 of 80 |
| RD-F-121 | | Contributor OSINT depth score | Dev identity & insider risk | 80 of 80 |
| RD-F-122 | | Contributor paid to DPRK-cluster wallet | Dev identity & insider risk | 80 of 80 |
| RD-F-123 | ★ | Sudden admin-rescue/ACL change without discussion | Dev identity & insider risk | 80 of 80 |
| RD-F-124 | ★ | Deployer wallet mixer-funded within 30 days | Dev identity & insider risk | 80 of 80 |
| RD-F-125 | ★ | Deployer linked within 3 hops to DPRK/Lazarus | Dev identity & insider risk | 80 of 80 |
| RD-F-126 | | Is-a-fork-of | Fork / dependency lineage | 80 of 80 |
| RD-F-127 | | Upstream patch not merged | Fork / dependency lineage | 80 of 80 |
| RD-F-128 | | Upstream vulnerability disclosure (last 90d) | Fork / dependency lineage | 80 of 80 |
| RD-F-129 | | Code divergence from upstream (%) | Fork / dependency lineage | 80 of 80 |
| RD-F-130 | | Fork depth (generations from original audit) | Fork / dependency lineage | 80 of 80 |
| RD-F-131 | | Fork retains upstream audit coverage | Fork / dependency lineage | 80 of 80 |
| RD-F-132 | | Fork has different economic parameters than upstream | Fork / dependency lineage | 80 of 80 |
| RD-F-133 | | Dependency manifest uses unpinned versions | Fork / dependency lineage | 80 of 80 |
| RD-F-134 | | Dependency had malicious-release incident (last 90d) | Fork / dependency lineage | 80 of 80 |
| RD-F-135 | | Shared-library version with known-vuln status | Fork / dependency lineage | 80 of 80 |
| RD-F-136 | | Deployed bytecode matches signed release tag | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-137 | | Upgrade frequency (per 90 days) | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-138 | | Hot-patch deploys without timelock (last 30 days) | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-139 | ★ | Post-audit code changes without re-audit | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-140 | | Fix-merged-but-not-deployed gap | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-141 | | Test-mode parameters in deploy | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-142 | | Storage-layout collision risk across upgrades | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-143 | ★ | Reinitializable implementation (no _disableInitializers) | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-144 | | CREATE2 factory permits same-address redeploy | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-145 | | Deployed bytecode reproducibility | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-146 | | New contract deploys in last 30 days | Post-deploy hygiene & change mgmt | 80 of 80 |
| RD-F-147 | | Protocol has bridge surface | Cross-chain & bridge | 80 of 80 |
| RD-F-148 | | Bridge validator count (M) | Cross-chain & bridge | 80 of 80 |
| RD-F-149 | | Bridge validator threshold (k-of-M) | Cross-chain & bridge | 80 of 80 |
| RD-F-150 | | Bridge validator co-hosting | Cross-chain & bridge | 80 of 80 |
| RD-F-151 | ★ | Bridge ecrecover checks result ≠ address(0) | Cross-chain & bridge | 80 of 80 |
| RD-F-152 | | Bridge binds message to srcChainId | Cross-chain & bridge | 80 of 80 |
| RD-F-153 | | Bridge tracks nonce-consumed mapping | Cross-chain & bridge | 80 of 80 |
| RD-F-154 | ★ | Default bytes32(0) acceptable as valid root | Cross-chain & bridge | 80 of 80 |
| RD-F-155 | | Bridge validator-set rotation recency | Cross-chain & bridge | 80 of 80 |
| RD-F-156 | | Bridge uses same key custody for >30% validators | Cross-chain & bridge | 80 of 80 |
| RD-F-157 | | Bridge TVL per validator ratio | Cross-chain & bridge | 80 of 80 |
| RD-F-158 | | Known-threat-actor cluster has touched protocol | Threat intelligence & recon | 80 of 80 |
| RD-F-159 | | Attacker wallet pre-strike probe (low-gas failing txs) | Threat intelligence & recon | 80 of 80 |
| RD-F-160 | | GitHub malicious-dependency incident touching protocol deps | Threat intelligence & recon | 80 of 80 |
| RD-F-161 | | Protocol-impersonator domain registered (typosquat) | Threat intelligence & recon | 80 of 80 |
| RD-F-162 | | Known-exploit-template selector deployed by any address | Threat intelligence & recon | 80 of 80 |
| RD-F-163 | | Avg attacker reconnaissance time for peer-class protocols | Threat intelligence & recon | 80 of 80 |
| RD-F-164 | | Leaked credential on paste/sentry site | Threat intelligence & recon | 80 of 80 |
| RD-F-165 | | Protocol social channel has scam-coordinator flag | Threat intelligence & recon | 80 of 80 |
| RD-F-166 | | Deprecated contracts still holding value | Operational history | 80 of 80 |
| RD-F-167 | | Deprecated contract paused but pause reversible by live admin | Governance & admin | 80 of 80 |
| RD-F-168 | | Stale-approval exposure on deprecated router | Post-deploy hygiene & change mgmt | 79 of 80 |
| RD-F-170 | | Solc version used (known-bug versions flagged) | Tooling / compiler / AI | 80 of 80 |
| RD-F-171 | | Bytecode similarity to audited upstream with behavior deviation | Tooling / compiler / AI | 80 of 80 |
| RD-F-172 | | Repo shows AI-tool co-authorship in critical files | Tooling / compiler / AI | 80 of 80 |
| RD-F-173 | | Team self-disclosure of AI-generated Solidity | Tooling / compiler / AI | 80 of 80 |
| RD-F-174 | | Dependency tree uses EOL Solidity version | Tooling / compiler / AI | 80 of 80 |
| RD-F-175 | | Disclosure channel exists | Response & disclosure hygiene | 80 of 80 |
| RD-F-176 | | Disclosure SLA public | Response & disclosure hygiene | 80 of 80 |
| RD-F-177 | | Prior known-ignored disclosure | Response & disclosure hygiene | 80 of 80 |
| RD-F-178 | | CVE/GHSA advisory issued against protocol | Response & disclosure hygiene | 80 of 80 |
| RD-F-179 | | LayerZero OFT DVN config (count, threshold, diversity) | Cross-chain & bridge | 80 of 80 |
| RD-F-180 | ★ | Immutable oracle address | Oracle & external dependencies | 80 of 80 |
| RD-F-181 | | Permissionless-pool lending oracle | Oracle & external dependencies | 80 of 80 |
| RD-F-182 | | Security-Council threshold reduction (RT) | Real-time signals | 80 of 80 |
| RD-F-183 | | Bug bounty scope gap on highest-TVL contracts | Code & audits | 80 of 80 |
| RD-F-184 | | Real-capital social-engineering persona | Dev identity & insider risk | 80 of 80 |
| RD-F-185 | | Bridge rate-limiter / chain-pause as positive mitigant | Post-deploy hygiene & change mgmt | 80 of 80 |

Note: the ID sequence skips RD-F-169, so the list runs RD-F-001 to RD-F-185 and totals 184 factors, matching the count stated above.