defirisk.co
rubric v1.7.0

Mixer withdrawal → protocol interaction

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when a wallet that has recently withdrawn from Tornado Cash, Railgun, or a comparable privacy mixer interacts with the monitored protocol. The signal is generated by cross-referencing the mempool and on-chain transaction history against a continuously updated mixer-cluster feed: any protocol interaction from a mixer-funded address within a configurable recency window (default 72 hours) triggers the alert. Category 6 context: this is a precursor signal — it fires before an exploit materializes, providing an early warning window for depositors to assess elevated risk.

**Why it matters** Across the dataset, attacker addresses in the majority of on-chain exploits were funded via Tornado Cash or equivalent mixers shortly before the attack. Infini ($49.5M, 2025) shows the pattern most cleanly: 1 ETH moved from Tornado Cash to a new wallet immediately before the rogue dev address executed the drain. KyberSwap Elastic ($48M, 2023) and BonqDAO ($120M, 2023) both show Tornado Cash or FixedFloat funding of attacker addresses in the pre-attack window. The signal does not distinguish legitimate privacy users from attackers — it is a rate-of-alert mechanism — but the combination of mixer funding and subsequent protocol interaction elevates the probability of malicious intent.

**Green / Yellow / Red** Green is the baseline state when no mixer-funded address has interacted with the protocol in the trailing 72 hours. Yellow fires when one or more mixer-funded addresses have interacted with the protocol but transaction patterns are consistent with normal DEX or lending use. Red fires when a mixer-funded address interacts with the protocol in a pattern consistent with known pre-strike behavior — unusually large positions, repeated small transactions probing contract state, or governance proposal creation.

**Common gray cases** Gray applies when the mixer-cluster feed is more than 24 hours stale or when the protocol operates on a chain where mempool monitoring coverage is incomplete.

**Notable historical examples**

- **Kelp DAO (rsETH)** ($292M, 2026): Six attacker wallets funded via Tornado Cash approximately 10 hours before exploit.
- **Euler Finance** ($197M, 2023): Associated attacker address had prior BSC exploit proceeds deposited to Tornado Cash.
- **BonqDAO** ($120M, 2023): Attacker funded via Tornado Cash before attack.
- **Infini** ($49.5M, 2025): 1 ETH Tornado Cash to new wallet immediately before attack execution.
- **KyberSwap Elastic** ($48M, 2023): Tornado Cash and FixedFloat funding across chains prior to six-chain simultaneous exploit.

Measurement: what to look for

Detect whether a wallet that recently withdrew from Tornado Cash, Railgun, or similar mixer has interacted with this protocol.

Data & output

- **Data source:** Chainalysis/TRM cluster feed (mixer-withdrawal label) + on-chain tx indexer for protocol contract interactions
- **Output format:** Green / Yellow / Red
- **Evidence artifact:** Flagged wallet address + mixer withdrawal tx hash + protocol interaction tx hash + timestamp
- **Confidence signal:** green = signal not firing; red = signal firing (mixer-funded wallet active on protocol); gray = CTI feed not configured for this protocol
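
The scoring described under Methodology and the evidence artifact listed above, written out as an added example; it is not defirisk.co's implementation. The record types, action labels, USD thresholds for the red patterns and all sample data are assumptions constructed for illustration, and the 72-hour window is read here as the maximum gap between mixer withdrawal and protocol interaction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RECENCY_WINDOW = timedelta(hours=72)    # page default, configurable
FEED_STALE_AFTER = timedelta(hours=24)  # gray when the mixer feed is older than this
# Assumed thresholds: the page names the red patterns but gives no numbers.
LARGE_POSITION_USD = 1_000_000
PROBE_MAX_USD = 100
PROBE_MIN_COUNT = 5

@dataclass(frozen=True)
class MixerWithdrawal:   # one row of the mixer-withdrawal label feed
    wallet: str
    tx_hash: str
    ts: datetime

@dataclass(frozen=True)
class Interaction:       # one indexed call into a protocol contract
    wallet: str
    tx_hash: str
    ts: datetime
    usd_value: float
    action: str          # hypothetical labels: "swap", "deposit", "propose"

def evaluate(withdrawals, interactions, feed_updated, now):
    """Return (state, evidence) for one protocol at time `now`."""
    if feed_updated is None or now - feed_updated > FEED_STALE_AFTER:
        return "gray", []                      # cannot assert green on stale labels
    by_wallet = {}
    for w in withdrawals:                      # EVM addresses compare case-insensitively
        by_wallet.setdefault(w.wallet.lower(), []).append(w)
    evidence, hits = [], {}
    for i in sorted(interactions, key=lambda x: x.ts):
        if not (now - RECENCY_WINDOW <= i.ts <= now):
            continue
        # Keep only withdrawals that precede the interaction within the window.
        prior = [w for w in by_wallet.get(i.wallet.lower(), [])
                 if timedelta(0) <= i.ts - w.ts <= RECENCY_WINDOW]
        if not prior:
            continue
        src = max(prior, key=lambda w: w.ts)   # most recent funding event
        hits.setdefault(i.wallet.lower(), []).append(i)
        evidence.append({"wallet": i.wallet.lower(), "mixer_withdrawal_tx": src.tx_hash,
                         "protocol_interaction_tx": i.tx_hash, "timestamp": i.ts.isoformat()})
    if not evidence:
        return "green", []
    for txs in hits.values():
        probes = sum(1 for t in txs if t.usd_value <= PROBE_MAX_USD)
        if (any(t.action == "propose" or t.usd_value >= LARGE_POSITION_USD for t in txs)
                or probes >= PROBE_MIN_COUNT):
            return "red", evidence
    return "yellow", evidence

# Constructed sample data (not real addresses or transactions).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
WALLET_A, WALLET_B = "0x" + "A1" * 20, "0x" + "b2" * 20
FEED = [MixerWithdrawal(WALLET_A, "0xmixer-a", NOW - timedelta(hours=10)),
        MixerWithdrawal(WALLET_B, "0xmixer-b", NOW - timedelta(hours=200))]
SWAP = [Interaction(WALLET_A.lower(), "0xswap-1", NOW - timedelta(hours=2), 2_500.0, "swap"),
        Interaction(WALLET_B, "0xswap-2", NOW - timedelta(hours=1), 900.0, "swap")]
PROBES = [Interaction(WALLET_A, f"0xprobe-{n}", NOW - timedelta(minutes=50 - n), 5.0, "deposit")
          for n in range(5)]

if __name__ == "__main__":
    fresh = NOW - timedelta(hours=1)
    print(evaluate(FEED, SWAP, fresh, NOW))
    print(evaluate(FEED, SWAP + PROBES, fresh, NOW)[0])
    print(evaluate(FEED, SWAP, NOW - timedelta(hours=30), NOW)[0])
```

Wallet B's withdrawal is 200 hours old, so its swap produces no evidence row; only wallet A's activity moves the state off green.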

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-090 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | not_assessed |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | not_assessed |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | gray |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | gray |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | gray |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | gray |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: 40 historical incidents

- [illustrative] Kelp DAO (rsETH liquid restaking) — Forged cross-chain message via LayerZero EndpointV2 lzReceive — exploitation of 1/1 DVN (single-validator) configuration · 2026-04-18 · $292M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Six attacker wallets funded via Tornado Cash ~10 hours before exploit (07:35 UTC); no documented anomalous rsETH-bridge or OFTAdapter activi...]
- [illustrative] Hyperbridge (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1) — Smart-contract proof-verification bypass — MMR bounds-check failure + missing proof-to-request binding + zero challenge period + single-step admin transfer · 2026-04-13 · $3M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker deployed 15+ test contracts against live protocol state over ~1 month; custom zk-SNARK keys pre-staged 8.5 months earlier; attacker...]
- [illustrative] Drift Protocol (Solana perpetual futures DEX) — Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle · 2026-04-01 · $285M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: CVT minted March 12 with 80% supply concentration to one address; $500 Raydium seed pool with wash-trading volume; 4 durable-nonce accounts ...]
- [illustrative] USPD — CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain · 2025-12-04 · $1M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Two-step proxy deployment visible in mempool Sept 16 (gap between deploy + initialize); privileged role grant to secondary contract Sept 17;...]
- [illustrative] Bunni — Precision/Rounding Error in Custom Liquidity Distribution Function (LDF) · 2025-09-01 · $8M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Abnormally small token balances in pools (25 wei); repeated cyclical deposit/withdrawal patterns; 1,000+ transaction logs from single addres...]
- [illustrative] BetterBank — LP Manipulation + Bonus Minting Exploit (Unregistered LP Pair Bypass) · 2025-08-25 · $5M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker deployed 3 custom contracts before the attack; Tornado Cash funding of attack wallet]
- [illustrative] Credix — Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral · 2025-08-05 · $5M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Y — ACLManager role grant (BRIDGE + Admin) to attacker address was visible on-chain 6 days before exploit; Tornado Cash-funded setup address...]
- [illustrative] GMX V1 — Cross-Contract Reentrancy via Order-Keeper Callback · 2025-07-09 · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker wallet funded via Mayan Swift Bridge 48h prior; attack contract deployed day-of]
- [illustrative] ResupplyFi — ERC4626 Donation Attack (Vault Inflation / Zero Exchange Rate) · 2025-06-25 · $10M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: New market deployed ~2 hours before exploit (detectable on-chain); Tornado Cash funding of attacker address]
- [illustrative] Force Bridge (Nervos Network) — Access control compromise — admin key leak → privileged unlock() drain across two chains · 2025-06-01 · $4M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Wallet funded via KuCoin on May 31 (day before sunset announcement); multiple failed access control attempts on June 1 before success; ~6-ho...]
- [illustrative] Cork Protocol — Fake token injection → exchange rate manipulation via unvalidated CorkHook input · 2025-05-28 · $12M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker address funded via Swapuz (service provider); malicious contract deployed shortly before exploit. No liquidity exit signals reporte...]
- [illustrative] KiloEx — Missing signature verification in MinimalForwarder → unvalidated oracle price update → multi-chain drain · 2025-04-14 · $7M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding of attacker wallet (April 13, one day prior); no other on-chain signals before attack]
- [illustrative] 1inch (Fusion v1 resolver contracts) — Integer underflow in deprecated assembly — calldata pointer corruption → resolver address forgery · 2025-03-05 · $5M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker wallet funded via Tornado Cash before attack; no other pre-staging]
- [illustrative] Infini (Crypto Neobank) — Retained Admin Privileges — Rogue Developer Backdoor · 2025-02-24 · $50M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: 1 ETH Tornado Cash → new wallet immediately before attack; exploit contract deployment from rogue dev address]
- [illustrative] The Idols NFT — Self-Transfer Reward Loop (Logic Bug in Token Transfer Hook) · 2025-01-14 · $324K · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Repeated self-transfer transactions (sender = receiver) on the NFT contract; stETH balance declining in reward reserves]
- [illustrative] Velocore — Fee Multiplier Manipulation + Underflow → Liquidity Token Mint · 2024-06-02 · $7M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding + bridge to Linea/zkSync; direct invocation of velocore__execute() with non-standard parameters]
- [illustrative] Seneca Protocol — Approval Exploit — Arbitrary transferFrom via Constructed Calldata · 2024-02-28 · $6M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker address funded via FixedFloat 5 months prior and dormant; no on-chain activity immediately before]
- [illustrative] Gamma Strategies — Flash Loan — LP Token Price Manipulation (Price Threshold Bypass) · 2024-01-04 · $5M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Y — Tornado Cash-funded attacker address appeared ~2.5 hours before attack; attack contract deployed pre-exploit]
- [illustrative] Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool) — Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain · 2023-11-30 · $9M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Heavy Tornado Cash activity + unusual LST token movements across Yearn, Rocket Pool, Origin, and Dinero noted by Togbe minutes before the ex...]
- [illustrative] KyberSwap Elastic — Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · 2023-11-22 · $48M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash + FixedFloat funding across chains; large flash loan originations at attack time]
- [illustrative] Yearn Finance (iearn yUSDT) — Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted · 2023-04-13 · $10M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Last-minute warning posted on Twitter (by storming0x); Tornado Cash funding of attacker]
- [illustrative] Euler Finance — Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade) · 2023-03-13 · $197M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Partial — An associated attacker address had previously exploited BSC-based EPMAX and deposited proceeds to Tornado Cash. This address his...]
- [illustrative] BonqDAO — Oracle Manipulation (Tellor Price Feed — Instant Value) · 2023-02-01 · $120M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker funded via Tornado Cash before attack; 10 TRB staked on TellorFlex (small, unusual stake from fresh wallet)]
- [illustrative] Inverse Finance — Oracle Price Manipulation (Flash Loan) · 2022-06-16 · $6M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker funded via Tornado Cash 2 minutes before exploit — a known pre-attack pattern]
- [illustrative] Fortress Protocol (lending arm of JetFuel Finance) — Oracle Manipulation + Malicious Governance Proposal · 2022-05-09 · $3M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Y — malicious governance proposal to add FTS as collateral was visible on-chain for 3 days before execution; Tornado Cash-funded attacker ad...]
- [illustrative] Saddle Finance — Flash Loan + LP Token Price Manipulation (Old MetaSwapUtils Library) · 2022-05-01 · $11M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Flash loan activity; repeated sUSD/LP swap pattern in metapool]
- [illustrative] Inverse Finance — SushiSwap TWAP Oracle Manipulation — Thin Liquidity Governance Token · 2022-04-02 · $16M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash withdrawal; 500 ETH buy of INV on thin SushiSwap pool causing 50x price spike]
- [illustrative] Voltage Finance / Ola Finance — ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update · 2022-03-31 · $4M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding; contract deployment; then rapid multi-asset borrowing sequence]
- [illustrative] Qubit Finance — Zero-Address safeTransferFrom Logic Bug (Cross-Chain Bridge Deposit) · 2022-01-28 · $80M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding of attacker address shortly before exploit]
- [illustrative] Visor Finance — Vulnerable require() in vVISR deposit() — self-referential ownership bypass → unlimited share minting · 2021-12-22 · $8M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding of attacker address minutes before; custom contract deployment]
- [illustrative] Snowdog (SnowdogDAO) — Insider front-running — privileged challengeKey knowledge + custom AMM sniping · 2021-11-25 · $21M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Two new wallets funded via FTX day before buyback; liquidity migration from TraderJoe to custom AMM; treasury accumulation to $44M visible o...]
- [illustrative] Indexed Finance — Flash Loan — Rebalancing Delay Pool Oracle Manipulation · 2021-10-14 · $16M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding hours before; large flash loan origination at attack time]
- [illustrative] Cream Finance — ERC-777 Reentrancy (Token Integration Vulnerability) · 2021-08-30 · $19M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Flash loan activity visible on-chain; repeated pattern across 17 transactions suggesting an iterative, manual/scripted attack rather than a ...]
- [illustrative] THORChain — Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse · 2021-07-26 · $8M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attack observation noted at 21:42 GMT on 2021-07-22 (4 days before main exploit); series of preparatory transactions; Tornado Cash funding]
- [illustrative] SafeDollar — Infinite Mint via Fee-on-Transfer Reward Accounting Bug · 2021-06-28 · $248K · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: 101 repeated deposit/withdraw transactions in the same farm pool]
- [illustrative] Merlin Labs — External token balance spoofing → excess native token minting · 2021-05-26 · $680K · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: 36 repeated calls to getReward() interspersed with external CAKE sends — pattern would stand out in mempool/event monitoring]
- [illustrative] xToken Market — Flash loan + SNX/BNT price manipulation → xSNX/xBNT share price inflation → drain · 2021-05-12 · $24M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Flashbots MEV private transaction (front-ran by attacker's own bundle — not visible in public mempool); large SNX sell pressure on Uniswap V...]
- [illustrative] Spartan Protocol — Flash loan + inflated pool balance → LP burn liquidity share manipulation · 2021-05-01 · $31M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Large flash loan (100K WBNB) from PancakeSwap; repeated swap-add-burn pattern across multiple transactions; significant WBNB/SPARTA pool imb...]
- [illustrative] Yearn Finance (yDAI v1 vault) — Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration · 2021-02-04 · $11M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Repeated flash loans from dYdX + Aave; massive Compound borrows; dramatic Curve 3pool composition shifts; repeated yDAI vault deposits/withd...]
- [illustrative] Akropolis (Delphi savings pool) — Flash loan + fake token reentrancy — malicious ERC20 deposit triggers re-entrant deposit() before balance update · 2020-11-12 · $2M · Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Repeated $50K batch attacks for ~8 hours before discovery]

rubric_version: v1.7.0 · factor: RD-F-090 · category: 6 · carried: 80 · critical: no