defirisk.co
rubric v1.7.0

Quorum achievable via single-entity flash loan

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor evaluates whether the total quorum required for a governance vote is achievable by a single entity using a flash loan in the governance token. The assessment compares the governance quorum threshold (in token units) against the maximum single-transaction borrowable depth in the governance token across all major flash loan venues (Aave, Uniswap, Balancer) at the reference block. If the largest flash-loanable notional exceeds the quorum threshold, the flash-loan attack is theoretically viable from a capital standpoint.

**Why it matters** Even when voting power requires a balance snapshot rather than a spot balance (which is assessed under RD-F-036), quorum achievability via flash loan identifies a second-order risk: a protocol where quorum is denominated in a token that is deeply liquidity-pooled may face governance attacks that are cheap enough to be economically viable for a well-capitalized attacker. This factor is subordinate to RD-F-036 — it is most relevant for protocols that use snapshotted voting but have a quorum threshold that is very low relative to flash loan depth.

**Green / Yellow / Red** Green is assigned when the quorum threshold exceeds the maximum flash-loanable notional in the governance token by at least 5x, or when the governance token is not flash-loanable on any major venue. Yellow covers cases where the threshold is 2–5x the maximum flash loan depth. Red is assigned when the quorum threshold is achievable or nearly achievable (within 120% of) via a single flash loan transaction.

**Common gray cases** This factor is grayed when the governance token is not listed on any venue offering flash loans, or when quorum is denominated in a non-transferable token (vote-locked positions, time-weighted balances).
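The banding described above can be written as a small classifier. This is an added example, not code from the rubric or the site. `GovernanceSnapshot` and `score_quorum_flash_loan` are hypothetical names and the sample figures are constructed. Assumptions: a quorum denominator of 100, ratios between 1.2x and 2x (which the bands do not name) scored yellow, and zero flash-loan depth scored gray.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class GovernanceSnapshot:            # hypothetical container, not a real API
    quorum_numerator: int            # e.g. read from quorumNumerator()
    total_supply: int                # governance token supply, token units
    venue_depth: dict = field(default_factory=dict)  # venue -> max borrowable
    quorum_denominator: int = 100    # assumption; read it from the contract
    transferable: bool = True        # False: vote-locked / time-weighted


def score_quorum_flash_loan(s: GovernanceSnapshot) -> dict:
    """Band quorum / deepest flash-loan pool as the rubric text describes."""
    depth = max(s.venue_depth.values(), default=0)
    # Gray cases: non-transferable voting token, or no flash-loan venue.
    if not s.transferable or depth <= 0:
        return {"rating": "gray", "ratio": None, "deepest_venue": None}
    quorum = Fraction(s.quorum_numerator * s.total_supply, s.quorum_denominator)
    ratio = quorum / depth           # exact, so band edges are not float-fuzzy
    if ratio >= 5:
        rating = "green"
    elif ratio <= Fraction(6, 5):    # "within 120%" read as quorum <= 1.2x depth
        rating = "red"
    else:
        # 2-5x is yellow per the text. 1.2-2x is not named by the bands and is
        # scored yellow here as an assumption.
        rating = "yellow"
    venue = max(s.venue_depth, key=s.venue_depth.get)
    return {"rating": rating, "ratio": float(ratio), "deepest_venue": venue}


if __name__ == "__main__":
    # Constructed sample: 4% quorum on a 1,000,000,000-token supply.
    pools = {"aave": 5_000_000, "uniswap": 12_000_000, "balancer": 3_000_000}
    print(score_quorum_flash_loan(GovernanceSnapshot(4, 1_000_000_000, pools)))
```

Quorum and pool depth must be in the same token units (both raw base units or both whole tokens) before they are compared.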

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Determine whether the governance quorum threshold is ≤ the largest available flash-loan notional in the governance token at reference DEX depth.

Data & output

**Data source** Governance contract `quorumNumerator()` or equivalent + governance token total supply + Uniswap/Aave/Balancer flash-loan pool depth via subgraph

**Output format** Green / Yellow / Red

**Evidence artifact** Quorum threshold % + token supply + flash-loan depth (USD) + derived comparison

**Confidence signal** green = quorum materially exceeds max flash-loan depth; yellow = quorum within 2× of flash-loan depth; red = flash-loan alone can reach quorum; gray = no on-chain governance or governance token not flash-loanable

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-037 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | green |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | green |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | red |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | yellow |
| PancakeSwap | bsc | red |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | red |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-037 category 2 carried 80 critical no