defirisk.co
rubric v1.7.0

Empty cToken-style market (zero supply/borrow)

An economic risk factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology how we score #

**What this measures** This factor detects whether any Compound V2-fork lending market has `totalSupply` at or near zero while a non-zero collateral factor is enabled. A cToken's exchange rate is the contract's holdings (cash plus borrows minus reserves) divided by its cToken supply, and that rate feeds the mint, redeem, borrow-limit and liquidation arithmetic. An empty market -- one with no initial supply locked -- therefore has a denominator that a single participant can keep at a few wei, which turns the exchange-rate calculation into a critical arithmetic vulnerability.

**Why it matters** While a cToken market has zero or dust supply, its exchange rate is whatever the first participant makes it. The attacker mints a dust amount of cTokens (Hundred Finance: 2 wei of hWBTC), then transfers a large amount of the underlying straight to the cToken contract. This is a donation, not a mint, so supply stays at 2 wei while the holdings jump, and the exchange rate inflates by orders of magnitude. Those 2 wei are now valued as collateral at roughly the donated amount, so the attacker borrows against them from the protocol's other markets. Because `redeemUnderlying` rounds the number of cTokens to burn down, the attacker then recovers almost the entire donation while burning only one wei, leaving the borrow backed by a single wei of collateral: the donation comes back and the borrowed assets are the profit. This attack class has been executed across at least nine protocols including Hundred Finance, Sonne Finance, Onyx Protocol, and Radiant Capital. The yAudit firm explicitly flagged this risk in Sonne Finance's own audit report before the exploit; the permissionless governance execution gap was not addressed.

**Green / Yellow / Red** Green: all cToken markets have non-trivial supply locked at deploy time, or code enforces a minimum seed deposit before a market's collateral factor can be non-zero. Yellow: markets are activated via governance with a zero or minimal seed-deposit window, but other controls mitigate the gap. Red: one or more live markets has `totalSupply` at or near zero with a non-zero collateral factor and no on-chain guard preventing exchange-rate inflation.

**Common gray cases** Curators may encounter markets where `totalSupply` is very low but non-zero (a few hundred wei from a genesis deposit). This is scored as a conditional Yellow unless the seed deposit is economically sufficient to prevent the attack at current TVL levels; curator judgment is required.
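To make the arithmetic behind the "Why it matters" paragraph and the seed-deposit judgment concrete, the following is an added example (not defirisk.co tooling and not code from any Compound fork) that models Compound V2 cToken bookkeeping in Python, following the formulas in CToken.sol (exchangeRateStoredInternal, mintFresh, redeemFresh) and the Comptroller's collateral valuation with the oracle price fixed at 1:1. The market parameters (a cWBTC-style 0.02 initial exchange rate, an 80% collateral factor, a 500 WBTC donation, a 1 WBTC seed) are assumptions chosen for illustration. It runs the 2-wei script against an empty market and against the same market with a seed deposit, returning the attacker's net profit and the bad debt left behind.

```python
"""Added example: a minimal model of Compound V2 CToken accounting, used to show
why an empty market lets a donor inflate the exchange rate and borrow against
dust, and why the same script loses money against a seeded market.
Not code from defirisk.co or any Compound fork. Formulas follow CToken.sol
(exchangeRateStoredInternal, mintFresh, redeemFresh) and the Comptroller's
collateral valuation with the oracle price fixed at 1:1; all market parameters
below are constructed for illustration."""
from collections import defaultdict

EXP = 10 ** 18                 # Compound's expScale (1e18 fixed point)
INITIAL_RATE = 2 * 10 ** 16    # 0.02 initial exchange rate (cWBTC-style; assumption)
CF = 8 * 10 ** 17              # 80% collateral factor mantissa (assumption)
WBTC = 10 ** 8                 # 1 WBTC in its 8-decimal base units


class CToken:
    def __init__(self):
        self.cash = self.borrows = self.reserves = self.supply = 0
        self.bal = defaultdict(int)

    def exchange_rate(self):
        # exchangeRateStoredInternal(): (cash + borrows - reserves) / totalSupply
        if self.supply == 0:
            return INITIAL_RATE
        return (self.cash + self.borrows - self.reserves) * EXP // self.supply

    def mint(self, who, amount):
        tokens = amount * EXP // self.exchange_rate()      # mintFresh, rounds down
        self.cash += amount
        self.supply += tokens
        self.bal[who] += tokens
        return tokens

    def redeem_tokens(self, who, tokens):
        amount = tokens * self.exchange_rate() // EXP       # redeemFresh(redeemTokensIn)
        assert self.bal[who] >= tokens and self.cash >= amount
        self.bal[who] -= tokens
        self.supply -= tokens
        self.cash -= amount
        return amount

    def redeem_underlying(self, who, amount, allowed):
        # redeemFresh(redeemAmountIn): cTokens to burn = amount / rate, ROUNDED DOWN.
        # With a huge rate this burns 1 wei for almost 2 wei's worth of underlying.
        tokens = amount * EXP // self.exchange_rate()
        assert self.bal[who] >= tokens and self.cash >= amount
        assert allowed(self.bal[who] - tokens)            # comptroller.redeemAllowed
        self.bal[who] -= tokens
        self.supply -= tokens
        self.cash -= amount
        return tokens

    def donate(self, amount):
        self.cash += amount          # plain ERC-20 transfer to the cToken: no cTokens minted

    def collateral(self, tokens):
        # Comptroller: balance * exchangeRate * collateralFactor (oracle price 1:1 here)
        return (tokens * self.exchange_rate() // EXP) * CF // EXP


def run_attack(seed_underlying, donation=500 * WBTC):
    """Run the 2-wei donation script; return (attacker_profit, bad_debt) in base units."""
    m = CToken()
    if seed_underlying:
        m.mint("protocol", seed_underlying)               # seed deposit at listing time
    spent = WBTC
    m.mint("attacker", WBTC)
    spent -= m.redeem_tokens("attacker", m.bal["attacker"] - 2)   # keep exactly 2 wei
    m.donate(donation)
    spent += donation
    # Borrow (from another market, priced 1:1) as much as ONE remaining wei will back,
    # so that redeeming the other wei later still passes the liquidity check.
    debt = m.collateral(1)
    # Largest underlying amount whose cToken equivalent still rounds down to 1 wei.
    amount = (2 * m.exchange_rate() - 1) // EXP
    burned = m.redeem_underlying("attacker", amount, lambda left: m.collateral(left) >= debt)
    assert burned == 1
    profit = debt + amount - spent
    remaining_value = m.bal["attacker"] * m.exchange_rate() // EXP
    return profit, max(0, debt - remaining_value)


if __name__ == "__main__":
    for seed in (0, WBTC):
        profit, bad_debt = run_attack(seed)
        print(f"seed={seed / WBTC:.0f} WBTC: attacker profit {profit / WBTC:+.4f} WBTC, "
              f"bad debt left {bad_debt / WBTC:.4f} WBTC")
```

Against the empty market the script nets the attacker about 200 WBTC and leaves the same amount as bad debt; against the 1 WBTC seed the identical sequence loses essentially the whole 500 WBTC donation, because the seed holder, not the attacker's 2 wei, absorbs the inflated value. The seed that counts is cToken supply, not underlying held: after a donation the contract is rich in underlying while supply is still dust.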

**Notable historical examples**

- **Hundred Finance** (.4M, 2023): Attacker donated 500 WBTC to the empty hWBTC market, inflated the exchange rate, and drained the pool while holding only 2 wei of hWBTC.
- **Sonne Finance** (0M, 2024): Governance-activated empty market; the attacker front-ran activation despite a yAudit warning in the protocol's own audit report.
- **Onyx Protocol** (.1M, 2023): Governance-added PEPE market with no seed deposit; the same vector was repeated in a second incident months later.
- **Radiant Capital 1st** (.5M, 2024): Aave V2 fork; native USDC market exploited in a 6-second activation window.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0. Any live Compound V2-fork market with totalSupply at or near zero and a non-zero collateral factor is scored as an immediate critical flag regardless of all other category outcomes.

Measurement what to look for #

Determine whether any listed Compound V2-fork market has `totalSupply == 0` (or a dust balance) and `totalBorrows == 0` while its collateral factor is non-zero: the precondition for a donation exploit.

Data & output #

Data source
`totalSupply()` and `totalBorrows()` calls on each market contract via RPC (Compound V2's CToken exposes `totalBorrows`, not `totalBorrow`), plus the market's collateral factor from the Comptroller
Output format
Green / Yellow / Red · critical gate active
Evidence artifact
Market address + `totalSupply` value + `totalBorrows` value + block number
Confidence signal
green = all markets have seed deposit / non-zero supply; red = any market has zero supply AND zero borrow (donation exploit setup); gray = protocol is not a Compound V2-style lending fork (N/A)
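The measurement and evidence-artifact steps above, as an added example that is not defirisk.co tooling: an offline classifier that applies the Green/Yellow/Red rules to a market snapshot, plus a raw JSON-RPC fetcher that pins every call to one block and emits the address, `totalSupply`, `totalBorrows` and block number as evidence. The thresholds, the sample snapshots and the environment-variable wiring are assumptions; the 4-byte selectors are the Compound V2 CToken and Comptroller getters as I recall them and should be confirmed against the fork's ABI before use.

```python
"""Added example: offline classifier plus a raw-JSON-RPC fetcher for the RD-F-070
check. Not defirisk.co tooling. Thresholds, the sample snapshots and the RPC
wiring are assumptions; the selectors are the Compound V2 CToken/Comptroller
getters as I recall them and should be confirmed against the fork's ABI."""
import json
import os
import urllib.request
from dataclasses import dataclass, asdict

EXP = 10 ** 18
SEL_TOTAL_SUPPLY = "0x18160ddd"   # totalSupply()
SEL_TOTAL_BORROWS = "0x47bd3718"  # totalBorrows()  (Compound V2 name; there is no totalBorrow())
SEL_EXCHANGE_RATE = "0x182df0f5"  # exchangeRateStored()
SEL_MARKETS = "0x8e8f294b"        # Comptroller.markets(address) -> (isListed, collateralFactorMantissa, isComped)


@dataclass
class MarketSnapshot:
    address: str
    total_supply: int       # cToken units
    total_borrows: int      # underlying base units
    exchange_rate: int      # mantissa: underlying per cToken, scaled by 1e18
    collateral_factor: int  # mantissa; 0 means the market cannot back a borrow
    block: int


def classify(s, dust_tokens=10, min_seed_underlying=10 ** 8):
    """Green/Yellow/Red for one market. dust_tokens bounds 'at or near zero';
    min_seed_underlying is the curator's threshold for an economically sufficient seed."""
    if s.collateral_factor == 0:
        return "green", "collateral factor is 0, market cannot be borrowed against"
    # Dust supply is checked on cToken units first: after a donation the contract is
    # rich in underlying while supply is still a few wei, which is exactly the red case.
    if s.total_supply <= dust_tokens and s.total_borrows == 0:
        return "red", f"totalSupply={s.total_supply} and totalBorrows=0 with CF>0 at block {s.block}"
    seed = s.total_supply * s.exchange_rate // EXP
    if seed < min_seed_underlying:
        return "yellow", f"seed of ~{seed} underlying base units is below the curator threshold"
    return "green", f"seed of ~{seed} underlying base units"


def rpc(url, method, params):
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
    req = urllib.request.Request(url, body, {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)["result"]


def word(hexdata, i):
    """i-th 32-byte word of ABI-encoded return data, as an int."""
    return int(hexdata[2 + 64 * i: 2 + 64 * (i + 1)], 16)


def scan(url, comptroller, markets):
    """Live check producing the evidence artifact: address, totalSupply, totalBorrows, block, grade."""
    block = int(rpc(url, "eth_blockNumber", []), 16)
    tag = hex(block)                       # pin every call to one block

    def call(to, data, idx=0):
        return word(rpc(url, "eth_call", [{"to": to, "data": data}, tag]), idx)

    rows = []
    for market in markets:
        arg = market[2:].lower().rjust(64, "0")          # ABI-encode the address argument
        snap = MarketSnapshot(
            address=market,
            total_supply=call(market, SEL_TOTAL_SUPPLY),
            total_borrows=call(market, SEL_TOTAL_BORROWS),
            exchange_rate=call(market, SEL_EXCHANGE_RATE),
            collateral_factor=call(comptroller, SEL_MARKETS + arg, idx=1),
            block=block)
        grade, reason = classify(snap)
        rows.append({**asdict(snap), "grade": grade, "reason": reason})
    return rows


SAMPLE = [   # constructed snapshots (not live data); exchange rates are cWBTC-style mantissas
    MarketSnapshot("0x" + "a1" * 20, 0, 0, 2 * 10 ** 16, 8 * 10 ** 17, 21_000_000),          # never supplied
    MarketSnapshot("0x" + "a2" * 20, 2, 0, 25 * 10 ** 27, 8 * 10 ** 17, 21_000_000),         # 2 wei after a 500 WBTC donation
    MarketSnapshot("0x" + "a3" * 20, 5 * 10 ** 9, 0, 2 * 10 ** 16, 8 * 10 ** 17, 21_000_000),  # 1 WBTC seed
    MarketSnapshot("0x" + "a4" * 20, 5 * 10 ** 5, 0, 2 * 10 ** 16, 8 * 10 ** 17, 21_000_000),  # 0.0001 WBTC seed
    MarketSnapshot("0x" + "a5" * 20, 0, 0, 2 * 10 ** 16, 0, 21_000_000),                     # empty but CF 0
]

if __name__ == "__main__":
    rows = [{**asdict(s), "grade": classify(s)[0], "reason": classify(s)[1]} for s in SAMPLE]
    if os.environ.get("RPC_URL") and os.environ.get("COMPTROLLER") and os.environ.get("MARKETS"):
        rows = scan(os.environ["RPC_URL"], os.environ["COMPTROLLER"], os.environ["MARKETS"].split(","))
    for r in rows:
        print(r["grade"].upper(), r["address"], r["total_supply"], r["total_borrows"], r["block"], r["reason"])
```

Run it with no environment variables to see the constructed snapshots graded; set `RPC_URL`, `COMPTROLLER` and a comma-separated `MARKETS` list to grade live markets. The block tag matters for the evidence artifact: a market can be seeded in the same block it is listed, so `totalSupply` and `totalBorrows` must be read at the same height that is recorded.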

Scored protocols 80 carry this factor #

| Protocol | Chain | RD-F-070 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | red |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_assessed |
| Dolomite | ethereum | not_applicable |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | not_applicable |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | red |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | gray |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | not_assessed |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | not_applicable |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | not_applicable |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_applicable |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks 3 historical incidents #

- related: **Curve LlamaLend** (2026-03-02, $240K): Empty-market donation attack on a freshly-listed lending market. Same empty-market donation pattern as the Venus zkSync incident.
- related: **Balancer V2 (Composable Stable Pools)** (2025-11-03, $128M): `_upscale()` rounding-down compounded across 65+ micro-swaps in batch swaps; root cause of the $128M loss.
- causal: **Venus Protocol (zkSync Era deployment)** (2025-03-29, $902K): Empty-market donation attack on a freshly-deployed market with no virtual liquidity and no `_decimalsOffset()` first-depositor protection. Canonical RD-F-070 evidence pattern.
rubric_version: v1.7.0 · factor: RD-F-070 · category: 4 · carried: 80 · critical: yes