defirisk.co
rubric v1.7.0

Breakage analysis per dependency

An oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor contains short curator-written analyses — one per dependency identified in RD-F-050 — describing which protocol functions halt or degrade if that dependency fails, and at what severity (core function impaired vs. peripheral feature reduced). This is a qualitative, curator-maintained field with no automated source.

**Why it matters** A dependency graph (RD-F-050) names the connections; breakage analysis explains what those connections mean for depositors. A protocol may depend on a bridge only for a non-critical claim function, or may depend on a stablecoin oracle for its entire borrow-collateral calculation. These are materially different risk profiles that the dependency list alone does not distinguish. The synthesis dataset shows that composability failures (Cluster F) account for $350M+ in losses precisely because downstream protocols did not understand how deeply they depended on upstream price validity. Breakage analysis makes that impact explicit for the dashboard user.

**Green / Yellow / Red** Green is scored when a curator has completed breakage analysis for each critical dependency and assessed impact as peripheral or gracefully degraded (no core function loss). Yellow is scored when one or more critical dependencies have incomplete breakage analysis or where failure of a dependency would partially impair core protocol function. Red is scored when failure of any single dependency would fully impair the protocol's core function (borrowing, liquidation, or settlement).

**Common gray cases** Gray is applied when the breakage analysis cannot be completed within the assessment time budget due to insufficient documentation or source complexity.
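The Green / Yellow / Red rule above, applied to per-dependency curator notes. This is an added example, not defirisk.co's own tooling. The note line layout, the severity labels, and the red > gray > yellow precedence are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed note layout (constructed for this example, not the rubric's format):
#   dependency | critical|non-critical | function -> degradation | severity
# Hypothetical severity labels: "pending" = analysis unfinished,
# "blocked" = analysis could not be completed within the time budget.
SEVERITIES = {"peripheral", "graceful", "partial_core", "full_core", "pending", "blocked"}

@dataclass
class Note:
    dependency: str
    critical: bool
    function: str
    degradation: str
    severity: str

def parse_note(line: str) -> Note:
    dep, crit, body, severity = (part.strip() for part in line.split("|"))
    function, _, degradation = (s.strip() for s in body.partition("->"))
    if crit not in ("critical", "non-critical") or severity not in SEVERITIES:
        raise ValueError(f"malformed note: {line!r}")
    return Note(dep, crit == "critical", function, degradation, severity)

def score(notes: list[Note]) -> str:
    """Green / Yellow / Red rule; precedence red > gray > yellow is assumed."""
    # Red: failure of any single dependency fully impairs a core function.
    if any(n.severity == "full_core" for n in notes):
        return "red"
    # Gray: no notes at all, or analysis that could not be completed.
    if not notes or any(n.severity == "blocked" for n in notes):
        return "gray"
    # Yellow: partial core impairment, or a critical dependency still unanalysed.
    if any(n.severity == "partial_core" or (n.critical and n.severity == "pending")
           for n in notes):
        return "yellow"
    # Green: every critical dependency analysed, impact peripheral or graceful.
    return "green"

# Constructed sample notes (generic names, not taken from any scored protocol).
SAMPLE = [
    "bridge | non-critical | claimRewards() -> claims pause until bridge recovers | peripheral",
    "lp-price-oracle | critical | borrow() -> collateral valuation unavailable | full_core",
]

if __name__ == "__main__":
    notes = [parse_note(line) for line in SAMPLE]
    print(score(notes))        # both notes: the worst dependency decides
    print(score(notes[:1]))    # the bridge note on its own
```
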

**Notable historical examples**

- **Alpha Finance** ($37.5M, 2021): Breakage from Cream Finance dependency — causal path for the exploit.
- **Conic Finance** ($4.2M, 2023): Curve LP oracle dependency; Curve pool manipulation propagated directly to Conic collateral values.
- **Sturdy Finance** ($0.8M, 2023): Balancer LP oracle dependency; B-stETH-STABLE pool had been publicly flagged as manipulable four months before the exploit.
- **Midas Capital** ($0.66M, 2023): Curve LP collateral dependency exploited via oracle manipulation of underlying pool.

Measurement: what to look for

Produce a short per-dependency text describing which protocol functions halt or degrade and impact severity if each declared dependency fails.

Data & output

**Data source:** Curator analysis of dependency graph (from F050) + protocol docs + source inspection

**Output format:** Green / Yellow / Red

**Evidence artifact:** Curator note per dependency: function name → degradation description + severity classification

**Confidence signal:** green = breakage analysis documented with mitigations for all critical deps; yellow = partial analysis (major deps covered); red = no breakage analysis and at least one critical dep with prior failure event; gray = dependency graph not completed (see F050)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-052 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: 9 historical incidents

- **Makina Finance** (related): 2026-01-20 · $4M · Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Abracadabra Money** (related): 2025-03-25 · $13M · Logic bug — phantom collateral / post-liquidation state inconsistency · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Conic Finance** (related): 2023-07-21 · $4M · Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Sturdy Finance** (related): 2023-06-12 · $800K · Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Deus DAO / DEI stablecoin** (related): 2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Midas Capital** (related): 2023-01-15 · $660K · Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **bEarnFi (BvaultsBank)** (related): 2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Rari Capital** (related): 2021-05-08 · $10M · Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- **Alpha Finance / Alpha Homora V2 (leveraged yield farming)** (related): 2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]

rubric_version: v1.7.0 · factor: RD-F-052 · category: 3 · carried: 80 · critical: no