defirisk.co
rubric v1.7.0

New contract with similar bytecode to exploit template

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a rt cadence.

Methodology how we score #

**What this measures** This real-time signal fires when a newly deployed contract on the same chain has bytecode similarity above a configurable threshold (default: 85% Jaccard similarity on function-selector sets) to a known-exploit-template contract targeting this protocol's architecture. The signal is generated by continuously sweeping new contract deployments and comparing their selector sets and bytecode patterns against a curated library of exploit-template contracts from prior incidents. Category 6 context: deploying an exploit contract is a final preparation step before the attack — this signal fires during the setup phase, typically within hours of the actual exploit execution.

**Why it matters** Post-mortem analysis of flash-loan and reentrancy exploits consistently reveals that the attacker deployed an attack contract in the same block or a few blocks before the exploit transaction. The Beanstalk governance exploit ($181M) involved a malicious contract created within the same governance window. Protocol-specific exploit templates — particularly for Compound V2 fork empty-market attacks, flash-loan reentrancy patterns, and oracle manipulation sequences — are reused across the Compound fork family with minimal modification. A bytecode-similarity sweep against these templates provides a credible pre-exploit detection window.

**Green / Yellow / Red** Green is the baseline when no new contract deployments in the trailing 24 hours match known-exploit templates above the similarity threshold. Yellow fires when a new deployment shows elevated similarity (70–85%) but does not match any single template with high confidence. Red fires when a new contract deployment matches a known-exploit template at or above 85% similarity, particularly if deployed by a fresh or mixer-funded wallet.

**Common gray cases** Gray applies when the protocol operates on a chain where new contract deployment volume is so high (e.g., high-activity L2s) that false positive rates make the signal operationally impractical, or when the exploit-template library lacks coverage for this protocol's architecture.

**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.

Measurement what to look for #

Detect whether a freshly deployed contract has high bytecode similarity to a known exploit template targeting this protocol class.

Data & output #

Data source
On-chain new-deploy sweep + bytecode similarity index (Jaccard on selector sets)
Output format
Green / Yellow / Red
Evidence artifact
New contract address + similarity score + reference template ID
Confidence signal
green = signal not firing; red = similarity score above threshold to known template; gray = bytecode similarity index not maintained

Scored protocols 80 carry this factor #

Protocol RD-F-094
Aave v3 ethereum not_assessed Across Protocol ethereum gray Aerodrome Finance base gray Axelar Network ethereum green Babylon Protocol bitcoin green Balancer (v2 + v3) ethereum gray Beefy Finance ethereum green BENQI avalanche gray BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum gray Cap (cUSD / stcUSD) ethereum gray Centrifuge ethereum gray Chainlink CCIP ethereum gray Circle USYC binance not_applicable Compound V3 (Comet) ethereum gray Concrete ethereum gray Convex Finance ethereum gray crvUSD (Curve Stablecoin) ethereum gray Curve Finance ethereum not_assessed deBridge ethereum gray Dolomite ethereum gray dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum green Ethena ethereum green ether.fi ethereum green Euler V2 ethereum not_assessed Falcon Finance ethereum gray Fluid ethereum green Frax Finance ethereum gray GMX v2 (GMX Synthetics) arbitrum gray Hyperlane ethereum gray Hyperliquid arbitrum gray Jito solana not_assessed Jupiter solana not_assessed Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron not_applicable Kamino Lend solana green Kinetiq hyperliquid gray Lido ethereum green Liquid Collective (LsETH) ethereum gray Liquity V1 + V2 (LUSD / BOLD) ethereum green Lista DAO bsc gray Lombard Finance ethereum gray M^0 ethereum green Maple Finance ethereum gray Marinade Finance solana not_applicable Meteora solana not_applicable mETH Protocol ethereum green Midas ethereum gray Morpho V1 (Morpho Blue + MetaMorpho) ethereum yellow Multipli ethereum gray Ondo Finance ethereum gray OpenEden ethereum gray Orca solana gray PancakeSwap bsc not_assessed Pendle Finance ethereum not_assessed Polymarket polygon not_assessed QuickSwap polygon not_assessed Raydium solana not_assessed Rocket Pool ethereum gray Sanctum solana green Save (formerly Solend) solana gray Sky Lending (formerly MakerDAO) ethereum gray Spark Protocol ethereum green Spiko stellar not_assessed Stake DAO ethereum green StakeWise v3 ethereum gray Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid gray SUNSwap (sun.io) tron gray Superstate ethereum not_applicable Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum green Symbiotic ethereum green Synapse Protocol ethereum not_assessed Uniswap (v2 + v3) ethereum gray USDD (Decentralized USD) tron gray Usual (USD0 / bUSD0 / USUAL) ethereum green Veda (BoringVault) ethereum gray Venus Protocol bsc not_assessed Wormhole ethereum green Yearn Finance ethereum gray
0 red · 1 yellow · 19 green

Linked hacks no historical incidents linked #

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-094 category 6 carried 80 critical no