**What this measures**
This factor records the number of days between the audit report's sign-off date and the mainnet deployment of the contract the audit covered. A gap of more than 60 days is flagged as drift risk: teams frequently make undisclosed changes between audit completion and deployment, so the audit can be partially or wholly stale before the contract is even live. The data sources are the sign-off date in the audit PDF's metadata, cross-referenced with the on-chain timestamp of the deployment transaction.
**Why it matters**
The audit-to-deploy gap is an unmonitored window in which code can be changed silently, so the report ends up certifying something other than what is live. Euler Finance ($197M, 2023): the exploited donateToReserves function was introduced in the eIP-14 upgrade, after the protocol's original audits, rather than in the code those audits covered. Nomad Bridge ($190M, 2022): a June 2022 upgrade to the Replica contract, made after the earlier audits, initialised the zero root as acceptable, so unproven messages (whose stored root defaults to zero) passed the check; the bug lived entirely in the post-audit change. The synthesis finding is direct: given months between sign-off and deployment, teams routinely 'polish' the code, and those polishing changes are where the bugs tend to live.
**Green / Yellow / Red**
- Green: the deployed bytecode reached mainnet within 30 days of audit sign-off, and there are no substantive code changes between the audited commit and the deployed binary.
- Yellow: the audit-to-deploy gap is 30 to 60 days, with only minor, documented changes that a curator or a follow-up audit note has reviewed.
- Red: the audit-to-deploy gap exceeds 60 days, or the deployed bytecode differs from the audited commit by more than trivial configuration changes with no explanation on record.
**Common gray cases**
Curators cannot grade this factor when the audit report carries no clear sign-off date, or when the protocol deploys to multiple chains on different timelines and a per-chain gap cannot be computed reliably.
**Notable historical examples**
- **Euler Finance** ($197M, 2023): The donateToReserves function was introduced in a post-audit upgrade (eIP-14), not in the originally audited code.
- **Nomad Bridge** ($190M, 2022): Post-audit upgrade to Replica contract in June 2022 introduced the exploited initialisation bug.
- **Compound Finance** ($147M, 2021): Proposal 62 Comptroller upgrade was deployed after the prior audit window closed.
- **Fei/Rari Fuse** ($80M, 2022): The March 2022 partial patch modified code after audit, leaving exitMarket() uncovered.
- **Munchables** ($62.5M, 2024): Blast L2 deployment used an unverified implementation contract upgraded post-audit.
**Measurement**
Measure the number of days between the audit report's sign-off date and the mainnet deployment of the audited bytecode.
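The measurement rule and the Green / Yellow / Red rubric above can be applied mechanically once the two inputs are in hand. The following is an added worked example, not the dashboard's own tooling: it takes the sign-off date as an ISO date string, the deployment block timestamp in unix seconds, and the audited and deployed runtime bytecode as hex strings, then grades the result. The `change_documented` flag, the `_fake_metadata` helper and all sample bytecode and timestamps are constructed for illustration. The one non-obvious step is the bytecode comparison: solc appends a CBOR metadata trailer (source hash, compiler version) to runtime code, so two builds of the same audited commit from different paths or settings differ only there, and the trailer has to be stripped before the bytes are compared.

```python
"""Audit-to-deploy gap grader: added worked example, not the dashboard's own tooling."""
from datetime import datetime, timezone
from typing import Optional

# Thresholds taken from the Green / Yellow / Red rubric above.
GREEN_MAX_DAYS = 30
YELLOW_MAX_DAYS = 60


def gap_days(audit_signoff: str, deploy_unix_ts: int) -> int:
    """Whole days from the audit sign-off date (ISO 'YYYY-MM-DD', taken as
    00:00 UTC) to the deployment block's timestamp (unix seconds)."""
    signoff = datetime.fromisoformat(audit_signoff).replace(tzinfo=timezone.utc)
    deployed = datetime.fromtimestamp(deploy_unix_ts, tz=timezone.utc)
    return (deployed - signoff).days


def strip_metadata(runtime_hex: str) -> bytes:
    """Drop the CBOR metadata trailer that solc appends to runtime bytecode.

    The trailer ends with a 2-byte big-endian length of the CBOR map that
    precedes it; the map's first byte is 0xa1..0xa3 (1 to 3 keys such as
    ipfs/bzzr1, solc, experimental). If no such trailer is found the raw
    bytes are returned unchanged.
    """
    code = bytes.fromhex(runtime_hex.removeprefix("0x"))
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - meta_len
    if start >= 0 and code[start] in (0xA1, 0xA2, 0xA3):
        return code[:start]
    return code


def grade(audit_signoff: Optional[str], deploy_unix_ts: int,
          audited_runtime_hex: str, deployed_runtime_hex: str,
          change_documented: bool = False) -> str:
    """Apply the rubric. 'ungradable' mirrors the gray case of a report with no
    usable sign-off date. change_documented (an assumption of this example)
    records whether a curator or follow-up audit note explains a difference."""
    if audit_signoff is None:
        return "ungradable"
    days = gap_days(audit_signoff, deploy_unix_ts)
    same_code = strip_metadata(audited_runtime_hex) == strip_metadata(deployed_runtime_hex)
    if days > YELLOW_MAX_DAYS:
        return "red"        # the gap alone is disqualifying
    if not same_code and not change_documented:
        return "red"        # undocumented drift from the audited commit
    if days <= GREEN_MAX_DAYS and same_code:
        return "green"
    return "yellow"         # 30-60 day gap, or a documented minor change


# --- constructed sample inputs (toy bytecode, not a real contract) -------------
def _fake_metadata(ipfs_digest: bytes) -> bytes:
    """CBOR map {"ipfs": <34-byte multihash>} plus the 2-byte length suffix."""
    blob = b"\xa1" + b"\x64ipfs" + b"\x58\x22" + ipfs_digest
    return blob + len(blob).to_bytes(2, "big")

CORE = bytes.fromhex("6080604052348015600f57600080fd5b50")          # toy runtime prefix
AUDITED = (CORE + _fake_metadata(b"\x12\x20" + b"\x11" * 32)).hex()
DEPLOYED_SAME = (CORE + _fake_metadata(b"\x12\x20" + b"\x22" * 32)).hex()            # rebuilt: only metadata differs
DEPLOYED_CHANGED = (CORE + b"\x5b" + _fake_metadata(b"\x12\x20" + b"\x33" * 32)).hex()  # one extra opcode

SIGNOFF = "2024-01-01"
DEPLOY_30D = 1706659200   # 2024-01-31T00:00:00Z
DEPLOY_74D = 1710460800   # 2024-03-15T00:00:00Z

if __name__ == "__main__":
    print(grade(SIGNOFF, DEPLOY_30D, AUDITED, DEPLOYED_SAME))           # green
    print(grade(SIGNOFF, DEPLOY_74D, AUDITED, DEPLOYED_SAME))           # red (gap)
    print(grade(SIGNOFF, DEPLOY_30D, AUDITED, DEPLOYED_CHANGED))        # red (drift)
    print(grade(SIGNOFF, DEPLOY_30D, AUDITED, DEPLOYED_CHANGED, True))  # yellow
```

Two caveats when running this against real contracts. For a proxy, the implementation's deployment transaction and runtime code are what count, not the proxy's. And contracts that use `immutable` variables have their values written into the runtime code at construction, so the audited build artifact will never byte-match the chain; mask the ranges listed under `immutableReferences` in solc's build output before comparing, otherwise a clean deployment grades red for the wrong reason.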
**Linked incidents**
Incidents the dashboard links to this factor, newest first. Each entry gives the protocol, the date, the reported loss where recorded, whether the link is causal or related, the attack summary, and the dashboard's answer to "Exploited code newly deployed/upgraded?" (answers are reproduced as recorded, including truncated ones). Entries answered N or Unknown were matched by the dashboard but do not on their own evidence an audit-to-deploy gap. Cross-hack factor matches (Factor 4: Newly Deployed or Unannounced Contract; Factor 21: Post-Audit Code Change Without Re-Audit) are noted where present.
- **Kelp DAO** (rsETH liquid restaking) · 2026-04-18 · $292M · causal. Attack: Forged cross-chain message via LayerZero EndpointV2 lzReceive — exploitation of 1/1 DVN (single-validator) configuration. Newly deployed/upgraded? N — the 1/1 DVN configuration had been in place at least since Jan 2025 (when flagged); this was a long-latent misconfiguration, not a new d...
- **Dango** (custom-L1 perpetual DEX; Grug engine on Tendermint) · 2026-04-13 · $2M · causal. Attack: Missing sign/positivity check on `donate()` input in the insurance-fund contract — negative value reversed accounting direction. Newly deployed/upgraded? Y — perps contract live ~90 days at exploit (since Alpha Mainnet).
- **Hyperbridge** (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1) · 2026-04-13 · $3M · causal. Attack: Smart-contract proof-verification bypass — MMR bounds-check failure + missing proof-to-request binding + zero challenge period + single-step admin transfer. Newly deployed/upgraded? N — the HandlerV1 design flaws were longstanding, not from a recent upgrade.
- **Silo Finance** (V2, soUSDC managed vault on Arbitrum) · 2026-04-03 · $392K · causal. Attack: Immutable hardcoded wstUSR oracle (pricing depegged asset ~10x reality) + supply-cap bypass via `receiver` parameter + `totalAssets()` summing externally-donated shares. Newly deployed/upgraded? Y — V2 managed-vault architecture ~12 months old; wstUSR market configuration newer.
- **Drift Protocol** (Solana perpetual futures DEX) · 2026-04-01 · $285M · causal. Attack: Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle. Newly deployed/upgraded? Y — Security Council migrated to 2/5 threshold with zero timelock approximately 6 days before exploit.
- **Solv Protocol** (BRO vault) · 2026-03-05 · $3M · causal. Attack: ERC-3525 Callback Reentrancy — Double Mint (onERC721Received fires before state update). Newly deployed/upgraded? Y — BRO vault was a newer product added after main audits.
- **Moonwell** · 2026-02-15 · $2M · causal. Attack: Oracle Misconfiguration (Missing ETH/USD Multiplier). Newly deployed/upgraded? Yes — Chainlink OEV oracle wrappers newly deployed via MIP-X43.
- **Makina Finance** · 2026-01-20 · $4M · causal. Attack: Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain. Newly deployed/upgraded? Y — Dialectic's DUSD/USDC Curve pool integration deployed post-audit in late October 2025; exploit occurred 6 weeks after deployment. Also matched under cross-hack Factor 4.
- **Aevo** (formerly Ribbon Finance) · 2025-12-12 · $3M · causal. Attack: Proxy upgrade removed oracle access control — oracle price settable to arbitrary value → vault fully drained in atomic loop. Newly deployed/upgraded? Yes — oracle upgrade deployed 6 days before exploit.
- **USPD** · 2025-12-04 · $1M · causal. Attack: CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain. Newly deployed/upgraded? Yes — proxy deployment (the deployment event itself was the vulnerability).
- **GANA Payment** · 2025-11-20 · $3M · causal. Attack: Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass). Newly deployed/upgraded? Y — entire protocol was 9 days old; all code was newly deployed.
- **New Gold Protocol** (NGP) · 2025-09-17 · $2M · causal. Attack: Flash loan + spot price oracle manipulation + broken transfer logic (dead address bypass of buy limits). Newly deployed/upgraded? Y — all code freshly deployed.
- **Bunni** · 2025-09-01 · $8M · causal. Attack: Precision/Rounding Error in Custom Liquidity Distribution Function (LDF). Newly deployed/upgraded? Yes — codebase continuously evolving; changes made during and after multiple audit windows.
- **Credix** · 2025-08-05 · $5M · causal. Attack: Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral. Newly deployed/upgraded? Unknown — Credix was new to Sonic chain; deployment recency unconfirmed.
- **GMX V1** · 2025-07-09 · related. Attack: Cross-Contract Reentrancy via Order-Keeper Callback. Newly deployed/upgraded? No new deployment — but code significantly changed since last audit. Also matched under cross-hack Factor 4.
- **ResupplyFi** · 2025-06-25 · $10M · causal. Attack: ERC4626 Donation Attack (Vault Inflation / Zero Exchange Rate). Newly deployed/upgraded? Yes — wstUSR market contract deployed ~2 hours before exploit.
- **Hacken** ($HAI token) · 2025-06-20 · $170K · causal. Attack: Bridge private key leak from decommissioned server → unauthorized token minting → dump. Newly deployed/upgraded? Y — bridge architectural migration in progress at time of incident; old server credentials not rotated.
- **Cork Protocol** · 2025-05-28 · $12M · causal. Attack: Fake token injection → exchange rate manipulation via unvalidated CorkHook input. Newly deployed/upgraded? Unknown — CorkHook appears to have been a core component not covered by audits rather than a new deployment.
- **MobiusDAO** · 2025-05-11 · $2M · causal. Attack: Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation. Newly deployed/upgraded? Y — all code freshly deployed; 3 days old. Also matched under cross-hack Factor 4.
- **LNDFi** (LND.fi) · 2025-05-09 · $1M · causal. Attack: Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev). Newly deployed/upgraded? Yes — fresh deployment with injected backdoor.
- **Loopscale** (formerly Bridgesplit) · 2025-04-26 · $6M · causal. Attack: Oracle Price Manipulation (RateX PT Token Pricing). Newly deployed/upgraded? Yes — recently launched (16 days); new RateX PT pricing logic.
- **Abracadabra Money** · 2025-03-25 · $13M · causal. Attack: Logic bug — phantom collateral / post-liquidation state inconsistency. Newly deployed/upgraded? Y — gmCauldron integration with GMX was a relatively new module.
- **Zoth** (RWA yield protocol) · 2025-03-21 · $8M · causal. Attack: Admin key compromise → malicious proxy contract upgrade → vault drain. Newly deployed/upgraded? Y — the attacker deployed a malicious implementation contract and upgraded the proxy to it immediately before the drain.
- **Infini** (Crypto Neobank) · 2025-02-24 · $50M · causal. Attack: Retained Admin Privileges — Rogue Developer Backdoor. Newly deployed/upgraded? No (contract deployed 114 days prior).
- **ByBit** · 2025-02-21 · $1.4B · causal. Attack: Frontend Spoofing / Blind Signing — Malicious Safe Multisig Implementation Upgrade. Newly deployed/upgraded? Yes — attacker deployed and installed malicious Safe implementation contract.
- **zkLend** · 2025-02-11 · $10M · causal. Attack: Empty market accumulator inflation via flash loan donation mechanism + rounding error → collateral inflation → drain. Newly deployed/upgraded? Partially — wstETH market was newly added to Starknet; the combination of new empty market + existing accumulator logic created the exploit ...
- **Clober DEX** · 2024-12-10 · $500K · causal. Attack: Reentrancy (Post-Audit Code Change). Newly deployed/upgraded? Yes — post-audit code change added the vulnerable `burnHook` callback.
- **Polter Finance** · 2024-11-16 · $9M · causal. Attack: Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow. Newly deployed/upgraded? Y — BOO market was a new addition. Also matched under cross-hack Factor 4.
- **Radiant Capital** · 2024-10-16 · $53M · causal. Attack: Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain. Newly deployed/upgraded? Y — malicious upgrade was the attack vector; but the underlying contract's upgrade mechanism was a design feature.
- **Bedrock** (uniBTC vault) · 2024-09-25 · $2M · causal. Attack: Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint). Newly deployed/upgraded? Yes — uniBTC vault was a recently deployed/upgraded contract that was not audited. Also matched under cross-hack Factor 4 and Factor 21.
- **Onyx Protocol** (2nd incident) · 2024-09-25 · $4M · causal. Attack: Compound V2 empty-market donation attack — VUSD governance-added market. Newly deployed/upgraded? Y — VUSD market newly added via governance.
- **Griffin AI** ($GAIN token) · 2024-09-24 · $3M · causal. Attack: Fake LayerZero Peer Initialization (Cross-Chain Minting Exploit). Newly deployed/upgraded? Yes — brand new token launch.
- **Shezmu** · 2024-09-20 · $5M · causal. Attack: Unrestricted Collateral Minting in CDP Vault. Newly deployed/upgraded? Y — contract upgrade 17 days before exploit (may be related).
- **Penpie** · 2024-09-03 · $27M · causal. Attack: Reentrancy via fake Pendle market → staking balance inflation → excess reward drain. Newly deployed/upgraded? Likely Y — the `batchHarvestMarketRewards()` function appears to be a later addition. Also matched under cross-hack Factor 4.
- **Ronin Network** (Bridge) · 2024-08-06 · $12M · causal. Attack: Uninitialized Variable in Contract Upgrade (initializeV3 Skipped). Newly deployed/upgraded? Yes — bridge upgrade deployed 6 days before exploit.
- **Astroport** (on Terra Phoenix chain) · 2024-07-30 · $6M · causal. Attack: IBC hooks reentrancy — reintroduced known vulnerability in June upgrade after April patch; timeout callback re-enters token minting. Newly deployed/upgraded? Yes — June Terra chain upgrade accidentally reintroduced vulnerability.
- **Rho Market** · 2024-07-19 · causal. Attack: Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain. Newly deployed/upgraded? Y — newly deployed oracle configuration contained the error.
- **LiFi Protocol** (Jumper Exchange) · 2024-07-16 · $10M · causal. Attack: Call Injection via Unvalidated Swap Function. Newly deployed/upgraded? Yes — new facet deployed July 11, 5 days before exploit.
- **Sonne Finance** · 2024-05-14 · $20M · causal. Attack: Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation. Newly deployed/upgraded? Y — New VELO market was being activated; the vulnerability existed in the base Compound V2 fork code activated by the new market.
- **AlexLab** (XLink Bridge) · 2024-05-14 · $4M · causal. Attack: Phishing-compromised deployer private key → malicious proxy upgrades → vault drain. Newly deployed/upgraded? Yes — attacker deployed malicious upgrades during the attack.
- **Pike Finance** · 2024-04-26 · $2M · causal. Attack: Storage Layout Collision → Unauthorized Proxy Upgrade / Ownership Takeover. Newly deployed/upgraded? Yes — emergency patch deployed after first exploit.
- **Hedgey Finance** · 2024-04-19 · $45M · causal. Attack: Unverified User Input — Flash Loan Enabled Approval Manipulation. Newly deployed/upgraded? Yes — post-audit contract version. Also matched under cross-hack Factor 21.
- **Grand Base** · 2024-04-15 · $2M · causal. Attack: Deployer wallet private key leak → unauthorized token minting → dump. Newly deployed/upgraded? N — token contract had existing minting rights; no new deployment.
- **PrismaFi** · 2024-03-28 · $12M · causal. Attack: Flash Loan + Missing Input Validation (Migration Helper). Newly deployed/upgraded? Yes — MigrateTroveZap contract deployed within the week before the attack.
- **Munchables** · 2024-03-26 · $63M · causal. Attack: Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy. Newly deployed/upgraded? Yes — Blast L2 new deployment; proxy upgraded to unverified implementation.
- **Unizen** · 2024-03-08 · $2M · causal. Attack: Unvalidated external call in upgraded DEX Aggregation contract — approval drain. Newly deployed/upgraded? Yes — gas optimization upgrade deployed immediately before exploit.
- **WooFi** (WooPPV2) · 2024-03-05 · $9M · causal. Attack: Flash loan → WOO oracle price manipulation → pool swap drain. Newly deployed/upgraded? N — the core WooPPV2 contract predates the exploit; the new risk factor was the newly added WOO lending market which changed the economic at...
- **Seneca Protocol** · 2024-02-28 · $6M · causal. Attack: Approval Exploit — Arbitrary transferFrom via Constructed Calldata. Newly deployed/upgraded? N — core Chamber contract; no recent upgrade.
- **Ionic Money** (formerly Midas) · 2024-02-04 · $7M · causal. Attack: Fake Collateral Listing (Social Engineering → On-chain Exploit). Newly deployed/upgraded? New collateral listing (governance/admin action).
- **Socket** (Bungee Bridge) · 2024-01-16 · $3M · causal. Attack: Unvalidated user input in new route — transferFrom injection via approval drain. Newly deployed/upgraded? Y — Vulnerable route added 3 days before exploit.
- **Radiant Capital** (1st incident) · 2024-01-02 · $5M · causal. Attack: Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0. Newly deployed/upgraded? Y — new USDC market activated via governance.
- **OKX DEX** (OKX Decentralized Exchange Aggregator) · 2023-12-13 · $3M · causal. Attack: Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals. Newly deployed/upgraded? Y — malicious upgrade deployed by attacker.
- **Yearn Finance** (yETH LST stableswap pool + yETH-WETH Curve pool) · 2023-11-30 · $9M · causal. Attack: Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain. Newly deployed/upgraded? N — abandoned legacy code, no recent changes.
- **Onyx Protocol** · 2023-10-31 · $2M · causal. Attack: Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation. Newly deployed/upgraded? Y — Proposal 22 added the PEPE market days before the exploit.
- **Unibot** · 2023-10-31 · $640K · causal. Attack: Unvalidated arbitrary call in new router — transferFrom injection via approval drain. Newly deployed/upgraded? Yes — new router deployed 3 days before exploit.
- **Platypus Finance** (3rd exploit) · 2023-10-12 · $2M · related. Attack: Flash loan + LP-AVAX pool cash/liability manipulation → slippage-inflated swap output. No dashboard answer recorded; matched under cross-hack Factor 21 only.
- **Stars Arena** · 2023-10-07 · $3M · causal. Attack: Reentrancy. Newly deployed/upgraded? Y — second exploit used contract deployed as "fix" for first exploit, hours before attack.
→
causalHypr Network — Bridge Contract Reinitialization (OP Stack Unpatched Dev Branch)2023-09-12 · $220K · Bridge Contract Reinitialization (OP Stack Unpatched Dev Branch) · Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — newly launched L2 bridge, 2 days old]
→
causalExactly Protocol — Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy2023-08-18 · $7M · Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — DebtManager was a new periphery feature added without undergoing an audit first] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — DebtManager was a new periphery feature added without undergoing an audit first]
→
causalRocketSwap — Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions2023-08-14 · $869K · Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — farming contracts were newly deployed on Base] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — farming contracts were newly deployed on Base]
→
- **Zunami Protocol** · 2023-08-13 · $2M · causal: Flash loan + SDT token swap → totalHoldings price calculation manipulation → zETH/UZD LP price manipulation → drain. Newly deployed/upgraded? Yes — MimCurveStakeDAO strategy was added after the primary audit. [RD-F-006 via dashboard_risk_factors]
- **Steadefi** · 2023-08-07 · $1M · causal: Compromised Deployer Key → Ownership Transfer. Newly deployed/upgraded? N — standard vault ownership pattern exploited; no recent upgrade. [RD-F-006 via dashboard_risk_factors]
- **Kannagi Finance** · 2023-07-29 · $1M · causal: Insider rug — privileged admin withdrawal on behalf of users (MainChef address). Newly deployed/upgraded? Y — newly launched. [via dashboard_risk_factors]
- **DeFiLabs** · 2023-07-27 · $2M · causal: Backdoor Function in Staking Contract (Insider Rug Pull). Newly deployed/upgraded? Y — vPoolv6 was a new contract version, deployed and actively used but never audited. [RD-F-006 via dashboard_risk_factors]
- **EraLend (formerly Nexon Finance)** · 2023-07-25 · $3M · causal: Read-Only Reentrancy (SyncSwap LP Callback — Stale Reserves Oracle). Newly deployed/upgraded? Unknown — recent zkSync Era launch. [RD-F-006 via dashboard_risk_factors]
- **Conic Finance** · 2023-07-21 · $4M · causal: Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool. Newly deployed/upgraded? Yes — CurveLPOracleV2 was a new contract deployed shortly before the hack. [via dashboard_risk_factors]
- **Atlantis Loans** · 2023-06-10 · $3M · causal: Governance attack on abandoned protocol — attacker passed malicious proposal granting token contract control, then upgraded to drain addresses with active approvals. Newly deployed/upgraded? Yes — attacker deployed malicious upgrade post-governance takeover. [via dashboard_risk_factors]
- **Jimbo's Protocol** · 2023-05-28 · $8M · causal: Flash loan + missing slippage control in rebalancing function → liquidity drain. Newly deployed/upgraded? Y — v2 launched 3 days prior; v1 had already collapsed. [via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 4: Newly Deployed or Unannounced Contract]
- **Swaprum** · 2023-05-18 · $3M · causal: Rug Pull via Malicious Contract Upgrade. Newly deployed/upgraded? Y — malicious upgrade deployed immediately before drain. [RD-F-006 via dashboard_risk_factors]
- **Deus DAO / DEI stablecoin** · 2023-05-06 · $7M · causal: Mis-ordered Parameters in burnFrom — Public Approval Override. Newly deployed/upgraded? Y — the vulnerable burnFrom function was introduced in an upgrade approximately 1 month before the exploit. [RD-F-006 via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 4: Newly Deployed or Unannounced Contract]
- **Level Finance** · 2023-05-01 · $1M · causal: Logic bug — referral reward claimMultiple() epoch not checked for reuse. Newly deployed/upgraded? Y — vulnerable code introduced via proxy upgrade on April 18, 2023. [via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 21: Post-Audit Code Change Without Re-Audit]
- **Merlin DEX** · 2023-04-25 · $2M · causal: Insider rug — max approval drain via privileged Feeto address. Newly deployed/upgraded? Y — pools deployed fresh for the LGE. [RD-F-006 via dashboard_risk_factors]
- **SushiSwap** · 2023-04-08 · $3M · causal: Malicious Callback / Arbitrary Approval Drain. Newly deployed/upgraded? Y — RouteProcessor2 was 4 days old at time of exploit. [RD-F-006 via dashboard_risk_factors]
- **Safemoon** · 2023-03-28 · $9M · causal: Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain. Newly deployed/upgraded? Y — the vulnerability was introduced by the upgrade deployed 6 hours before the attack. [RD-F-006 via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 21: Post-Audit Code Change Without Re-Audit]
- **Kokomo Finance** · 2023-03-26 · $4M · causal: Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits. Newly deployed/upgraded? Y — newly launched; malicious implementation deployed as part of the attack. [via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 4: Newly Deployed or Unannounced Contract]
- **Euler Finance** · 2023-03-13 · $197M · related: Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade). Newly deployed/upgraded? Yes — The vulnerability was introduced in EIP-14 (the `donateToReserves` function), deployed as an upgrade prior to the hack. Not in the o... [RD-F-006 via dashboard_risk_factors]
- **Hedera (Network-level — Hashgraph Smart Contract Service)** · 2023-03-09 · $515K · causal: Smart Contract Service (HTS) Code Bug — Uniswap V2 Port Exploit. Newly deployed/upgraded? The Uniswap V2 ports to HTS were relatively new. [via dashboard_risk_factors]
- **Hope Finance** · 2023-02-20 · $2M · causal: Insider Exit Scam — Malicious Fake Router Pre-Deployed. Newly deployed/upgraded? Yes — fresh launch deployment. [RD-F-006 via dashboard_risk_factors]
- **Dexible** · 2023-02-17 · $2M · causal: Unvalidated router — selfSwap() transferFrom injection via approval drain. Newly deployed/upgraded? Y — v2 contracts introduced the selfSwap() function days before exploit. [RD-F-006 via dashboard_risk_factors]
- **Platypus Finance** · 2023-02-16 · $9M · causal: Flash loan + emergencyWithdraw() solvency check bypass — collateral withdrawal without repaying borrowed USP. Newly deployed/upgraded? Y — USP stablecoin and associated collateral contracts newly launched. [via dashboard_risk_factors]
- **BonqDAO** · 2023-02-01 · $120M · causal: Oracle Manipulation (Tellor Price Feed — Instant Value). Newly deployed/upgraded? Yes — oracle contracts were post-audit additions. [via dashboard_risk_factors]
- **Midas Capital** · 2023-01-15 · $660K · causal: Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation. Newly deployed/upgraded? Y — newly added collateral type (WMATIC-stMATIC Curve LP) enabled shortly before exploit. [RD-F-006 via dashboard_risk_factors]
- **Ankr (aBNBc) + Helio Money (HAY stablecoin)** · 2022-12-02 · $5M · causal: Deployer private key compromise → malicious aBNBc contract upgrade → permissionless infinite mint → PancakeSwap pool drain + Helio collateral collapse. Newly deployed/upgraded? Yes — malicious upgrade was deployed during the attack. [via dashboard_risk_factors]
- **Team Finance** · 2022-10-27 · $16M · causal: Flawed migrate() function — Uniswap V2→V3 migration with skewed price manipulation. Newly deployed/upgraded? Y — The V2→V3 migration feature was a relatively recent addition. [RD-F-006 via dashboard_risk_factors]
- **TempleDAO / STAX Finance** · 2022-10-11 · $2M · causal: Missing access control in migrateStake() — unvalidated oldStaking parameter. Newly deployed/upgraded? Yes — STAX was a newer application layer built atop TempleDAO, deployed June 2022. [RD-F-006 via dashboard_risk_factors]
- **Acala Network** · 2022-08-14 · $2M · causal: Misconfiguration of iBTC/aUSD liquidity pool — incorrect parameter in newly launched pool triggered unbounded aUSD minting. Newly deployed/upgraded? Yes — iBTC/aUSD pool launched same day as exploit. [via dashboard_risk_factors]
- **Nomad Bridge** · 2022-08-02 · $190M · causal: Initialisation Error — Zero-Address Trusted Root (Merkle Proof Bypass). Newly deployed/upgraded? Yes — Replica contract upgraded June 2022. [via dashboard_risk_factors]
- **Nirvana Finance** · 2022-07-28 · $4M · causal: Flash Loan + AMM Price Manipulation (Treasury Drain). Newly deployed/upgraded? Yes — recently launched. [via dashboard_risk_factors]
- **Gym Network (GymNet)** · 2022-06-10 · $2M · causal: Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain. Newly deployed/upgraded? Y — new Single Pool Contract with Claim and Pool feature deployed 2 days before exploit. [RD-F-006 via dashboard_risk_factors]
- **Fei Protocol / Rari Capital (Fuse)** · 2022-04-30 · $80M · causal: Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern. Newly deployed/upgraded? Y — the March 2022 partial patch modified CToken and Comptroller but left `exitMarket()` uncovered. [RD-F-006 via dashboard_risk_factors]
- **Deus DAO** · 2022-04-28 · $13M · causal: Dual oracle manipulation — VWAP oracle pre-poisoned via flash swap, then on-chain AMM oracle manipulated via flash loan — to inflate DEI collateral value and borrow far beyond real collateral worth. Newly deployed/upgraded? Yes — the Muon oracle was newly integrated specifically after the first exploit as a security fix (announced live March 19, 2022; exploite... [RD-F-006 via dashboard_risk_factors]
- **Agave DAO + Hundred Finance (dual attack)** · 2022-03-15 · $12M · causal: ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain. Newly deployed/upgraded? No — established forks; no recent upgrades. [via dashboard_risk_factors]
- **Deus DAO (1st incident)** · 2022-03-15 · $3M · causal: Flash loan → spot price manipulation of Solidex USDC/DEI AMM pool (used as oracle) → user positions liquidated. Newly deployed/upgraded? Yes — DEI lending contract was newly launched. [via dashboard_risk_factors]
- **Deus DAO (DEI lending contract)** · 2022-03-15 · $3M · causal: Flash loan oracle manipulation via Solidly AMM pool → user position liquidation. Newly deployed/upgraded? Yes — newly launched DEI lending contract. [via dashboard_risk_factors]
- **Bent Finance** · 2021-12-21 · $2M · causal: Insider Contract Manipulation (Malicious Balance Adjustment). Newly deployed/upgraded? Yes — cvxCRV contract was updated on Nov 30 (the update that enabled the exploit). [via dashboard_risk_factors]
- **Grim Finance** · 2021-12-18 · $30M · causal: Reentrancy. Newly deployed/upgraded? Yes — new fork deployment. [via dashboard_risk_factors]
- **BrincFi** · 2021-12-14 · $1M · causal: Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade. Newly deployed/upgraded? Yes — malicious implementation upgrade was the attack vehicle. [via dashboard_risk_factors]
- **8ight Finance** · 2021-12-07 · $2M · causal: Admin key compromise — private key shared via Facebook chat and Google Drive → treasury drain. Newly deployed/upgraded? No recent changes. [via dashboard_risk_factors]
- **Badger DAO (Bitcoin-yield vaults on Ethereum)** · 2021-12-02 · $120M · causal: Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain. Newly deployed/upgraded? N — existing vault contracts; the attack vector was the front-end, not a new contract. [RD-F-006 via dashboard_risk_factors]
- **MonoX** · 2021-11-30 · $31M · causal: Native token self-swap price inflation — tokenIn/tokenOut identity bypass. Newly deployed/upgraded? Y — MONO token was recently launched (weeks before hack). [RD-F-006 via dashboard_risk_factors]
- **Snowdog (SnowdogDAO)** · 2021-11-25 · $21M · causal: Insider front-running — privileged challengeKey knowledge + custom AMM sniping. Newly deployed/upgraded? Y — Entire protocol was 8 days old; custom AMM deployed specifically for the buyback. [RD-F-006 via dashboard_risk_factors]
- **Compound Finance** · 2021-09-29 · $147M · related: Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir. Newly deployed/upgraded? Y — bug was introduced by Proposal 62, a fresh Comptroller upgrade. [RD-F-006 via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 4: Newly Deployed or Unannounced Contract]
- **JayPegs Automart (via SushiSwap MISO platform)** · 2021-09-17 · $3M · causal: Supply Chain Attack (Malicious Contractor Code Injection). Newly deployed/upgraded? Yes — fresh auction contract deployment with injected malicious wallet address. [via dashboard_risk_factors]
- **Cream Finance** · 2021-08-30 · $19M · causal: ERC-777 Reentrancy (Token Integration Vulnerability). Newly deployed/upgraded? Y — AMP token integration added via governance Feb 10, 2021, six months before exploit; the new token type introduced the reentrancy surface. [RD-F-006 via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 4: Newly Deployed or Unannounced Contract]
- **Cream Finance** · 2021-08-30 · $19M · causal: ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update. Newly deployed/upgraded? Yes — AMP token integration deployed via governance proposal Feb 10, 2021; exploit Aug 30, 2021. The integration was ~6.5 months old but w... [RD-F-006 via dashboard_risk_factors]
- **Punk Protocol** · 2021-08-10 · $9M · causal: Unprotected initialize() — delegateCall Forge Address Override. Newly deployed/upgraded? Yes — protocol just launched. [RD-F-006 via dashboard_risk_factors]
- **Popsicle Finance (Sorbetto Fragola)** · 2021-08-04 · $20M · causal: Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint. Newly deployed/upgraded? Relatively new deployment. [via dashboard_risk_factors]
- **THORChain** · 2021-07-26 · $8M · causal: Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse. Newly deployed/upgraded? Yes — same MCCN Bifrosts, new vulnerability found by different attacker in same unaudited component. [RD-F-006 via dashboard_risk_factors]
- **PancakeBunny (Polygon deployment — polyBUNNY)** · 2021-07-18 · $2M · causal: Flash Loan + Reward Minting Manipulation (Performance Fee Inflation). Newly deployed/upgraded? Yes — Polygon is a new chain deployment. [via dashboard_risk_factors]
- **THORChain** · 2021-07-16 · $5M · causal: ETH Bifrost override loop — msg.value spoofing via wrapped router. Newly deployed/upgraded? Yes — MCCN Bifrosts were a new deployment, never audited. [RD-F-006 via dashboard_risk_factors]
- **AnySwap (Multichain) V3** · 2021-07-10 · $8M · causal: ECDSA repeated k-value (same R signature) → MPC private key back-calculation. Newly deployed/upgraded? Yes — V3 was new prototype code; MPCNode had a recent patch that introduced the bug. [via dashboard_risk_factors]
- **Merlin Labs (REKT 3)** · 2021-06-29 · $330K · causal: Reward Minting Manipulation (Balance Inflation). Newly deployed/upgraded? Yes — Alpaca single-asset vaults, described as "test" deployment. [via dashboard_risk_factors]
- **SafeDollar** · 2021-06-28 · $248K · causal: Infinite Mint via Fee-on-Transfer Reward Accounting Bug. Newly deployed/upgraded? Y — protocol was newly launched. [RD-F-006 via dashboard_risk_factors]
- **StableMagnet** · 2021-06-24 · $27M · causal: Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain. Newly deployed/upgraded? Y — malicious library was the original deployment. [RD-F-006 via dashboard_risk_factors]
- **Alchemix** · 2021-06-16 · $5 · causal: Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan. Newly deployed/upgraded? Yes — alETH collateral type was newly deployed. [via dashboard_risk_factors]
- **AutoShark Finance** · 2021-06-01 · $745K · causal: Flash loan + SharkMinter balance spoofing → excess native token minting. Newly deployed/upgraded? N — newly deployed protocol (few days old). [via dashboard_risk_factors]
- **Merlin Labs (REKT 2)** · 2021-05-27 · $550K · causal: Oracle Mispricing. Newly deployed/upgraded? Yes — priceCalculator was deployed same day as first hack as a fix. [via dashboard_risk_factors]
- **PancakeBunny** · 2021-05-19 · $45M · causal: Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting. Newly deployed/upgraded? Y — VaultFlipToFlip was a new upgrade not audited by Haechi. [RD-F-006 via dashboard_risk_factors; Time between audit end and deploy, via cross-hack Factor 4: Newly Deployed or Unannounced Contract; +1 more matches]
- **bEarnFi (BvaultsBank)** · 2021-05-16 · $18M · causal: Logic bug — token denomination mismatch between vault and strategy layers. Newly deployed/upgraded? Unknown — rekt report does not specify recent deployment. [RD-F-006 via dashboard_risk_factors]
- **Value DeFi** · 2021-05-05 · $10M · causal: Uninitialized Pool Re-initialization (Missing initialized = true). Newly deployed/upgraded? Y — vStake pool was a new deployment (migration from old implementation). [RD-F-006 via dashboard_risk_factors]
→
causalUranium Finance — Math bug — constant product formula check broken by inconsistent parameter change (1000→10000)2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Bug introduced in v2 migration ~10 days before exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Bug introduced in v2 migration ~10 days before exploit]
→
causalAlpha Finance / Alpha Homora V2 (leveraged yield farming) — Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — HomoraBankV2 with sUSD pool was newly deployed and not yet publicly accessible] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — HomoraBankV2 with sUSD pool was newly deployed and not yet publicly accessible] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
→
causalYearn Finance (yDAI v1 vault) — Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration2021-02-04 · $11M · Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the vulnerability was enabled by a configuration change (migration fee removal), not a new deployment] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the vulnerability was enabled by a configuration change (migration fee removal), not a new deployment]
→
causalCover Protocol (formerly SAFE / SAFE2) — Infinite Mint — Blacksmith Farming Contract Withdrawal Bug2020-12-28 · $9M · Infinite Mint — Blacksmith Farming Contract Withdrawal Bug · Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — team multisig added new Balancer pool to Blacksmith contract hours before the exploit]
→
causalCompounder Finance — Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)2020-12-02 · $12M · Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull) · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — 7 malicious strategy contracts were deployed post-audit specifically to enable the rug] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — 7 malicious strategy contracts were deployed post-audit specifically to enable the rug]
→
causalPickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — ControllerV4 added Oct 23, 2020, post-audit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — ControllerV4 added Oct 23, 2020, post-audit] || Time between audit end and deploy [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
→
causalOrigin Protocol (OUSD) — Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain2020-11-17 · $8M · Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the validation bug was introduced during a refactoring pass (gas optimization) shortly before the hack] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the validation bug was introduced during a refactoring pass (gas optimization) shortly before the hack]
→
causalEminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle)2020-09-28 · $15M · Flash loan + bonding curve arbitrage (buy/burn/sell cycle) · Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — deployed day of exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — deployed day of exploit] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
→