defirisk.co
rubric v1.7.0

Dependency graph (protocols depended upon)

An oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor produces a list of external protocols whose failure would directly impair this protocol's operation — including LST providers, bridge dependencies, stablecoin issuers, and AMM pools used as oracle sources. The dependency graph is maintained by curators with on-chain inference and serves as a differentiating data layer not produced by any current competitor.

**Why it matters** DeFi composability means that a protocol's security is bounded by its weakest dependency. The synthesis dataset shows that composability failures (Cluster F: AMM/DEX as systemic oracle) account for over $350M in losses. Alpha Finance lost $37.5M because its leveraged yield farming strategy depended on Cream Finance's lending pool in a way that neither team had fully modelled. Sturdy Finance's oracle depended on a Balancer pool type that had been publicly flagged as manipulable four months before the exploit. Without a dependency map, depositors and risk analysts cannot trace the true failure surface of a protocol.

**Green / Yellow / Red** Green is scored when the protocol's dependency graph is fully documented, each dependency has a failure-impact assessment, and no dependency is a single-point-of-failure for the protocol's core function. Yellow is scored when the dependency list is documented but failure-impact analysis is missing or when one or more undocumented dependencies are identified by curators. Red is scored when the protocol has undocumented critical dependencies that, if they failed, would directly impair core protocol function.

**Common gray cases** Gray is applied when the protocol interacts with generic token standards where external dependencies cannot be enumerated without dynamic tracing.

**Notable historical examples**

- **Alpha Finance** ($37.5M, 2021): Leveraged yield farming strategy's composability with Cream Finance lending was the causal path for the exploit.
- **bEarnFi** ($18M, 2021): Multi-layer vault cross-protocol accounting failure between strategy and underlying protocol.
- **Abracadabra Money** ($13M, 2025): gmCauldron upgrade introduced a dependency on GMX V2's GM token that created phantom collateral.
- **Rari Capital** ($10M, 2021): Fuse pool dependency on Alpha Homora V2 allowed token injection into the lending pool.

Measurement: what to look for

List all external protocols whose failure would directly impair this protocol (LST providers, bridges, stablecoin issuers, keepers).

Data & output

**Data source** Curator analysis of source imports + on-chain contract calls in deployed code + protocol docs

**Output format** Green / Yellow / Red

**Evidence artifact** Curator-maintained dependency list with protocol slug + failure-impact description per dep

**Confidence signal** green = all dependencies are highly reliable with redundancy; yellow = one non-redundant dependency with known risk; red = critical dependency with no fallback and documented prior failure; gray = dependency map not completed
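
The Green / Yellow / Red wording and the evidence artifact above can be expressed as a small check over a dependency list. This is an added example, not defirisk.co's scoring code; the `Dep` fields, the slugs in `GRAPH`, and the choice to score a documented single point of failure as yellow are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Dep:
    slug: str               # protocol slug of the dependency
    documented: bool        # appears in the protocol's own dependency list
    impact: Optional[str]   # failure-impact description, None if missing
    critical: bool          # failure would directly impair core function
    has_fallback: bool      # redundant source or path exists

def failure_surface(graph, root):
    """All protocols reachable from root through dependency edges."""
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        node = stack.pop()
        if node not in seen and node != root:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen

def score(deps, enumerable=True):
    """Map a curator dependency list to gray / red / yellow / green."""
    if not enumerable:
        return "gray"       # map cannot be completed without dynamic tracing
    if any(d.critical and not d.documented for d in deps):
        return "red"        # undocumented critical dependency
    if any(not d.documented or not d.impact for d in deps):
        return "yellow"     # undocumented dep found, or impact analysis missing
    if any(d.critical and not d.has_fallback for d in deps):
        return "yellow"     # assumption: a documented single point of failure is not green
    return "green"

# Constructed sample data: slugs and edges are hypothetical.
GRAPH = {
    "vault-x": ["lending-y", "lst-a"],
    "lending-y": ["amm-pool-z"],   # oracle source one hop away from vault-x
    "amm-pool-z": [],
    "lst-a": [],
}
DOCUMENTED = {"lending-y", "lst-a"}  # what vault-x's docs list

def curate(graph, root, documented):
    """Build Dep records for every protocol in root's failure surface.
    Assumption: every reachable dependency is critical with no fallback."""
    return [Dep(s, s in documented, "described" if s in documented else None,
                critical=True, has_fallback=False)
            for s in sorted(failure_surface(graph, root))]
```

With the sample data, the oracle pool that `vault-x` only reaches through `lending-y` is absent from its documented list, so the protocol scores red even though both direct dependencies are documented.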

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-050 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | red |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | red |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: 9 historical incidents

- **Makina Finance** (causal) · 2026-01-20 · $4M · Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Abracadabra Money** (causal) · 2025-03-25 · $13M · Logic bug — phantom collateral / post-liquidation state inconsistency · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Conic Finance** (causal) · 2023-07-21 · $4M · Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Sturdy Finance** (causal) · 2023-06-12 · $800K · Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Deus DAO / DEI stablecoin** (causal) · 2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Midas Capital** (causal) · 2023-01-15 · $660K · Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **bEarnFi (BvaultsBank)** (causal) · 2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Rari Capital** (causal) · 2021-05-08 · $10M · Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Alpha Finance / Alpha Homora V2 (leveraged yield farming)** (causal) · 2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
rubric_version v1.7.0 factor RD-F-050 category 3 carried 80 critical no