defirisk.co
rubric v1.7.0

Known-exploit function-selector replay

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a rt cadence.

Methodology how we score #

**What this measures** This real-time signal fires when a transaction to the monitored protocol matches a known-exploit-replay template — a specific sequence of function selectors, calldata shapes, or inter-contract call patterns that matches a previously documented exploit execution against this protocol or a protocol of the same class. The signal library is maintained from post-mortem calldata analysis. Category 6 context: selector-pattern matching is an exploit-in-progress signal — it fires when the exploit transaction is already in the mempool, providing a last-moment alert window before block confirmation.

**Why it matters** Copy-cat exploits within the Compound fork family are the clearest evidence that selector-pattern replay detection would have value: AutoShark was exploited eight hours after PancakeBunny using the same attack pattern, and Merlin Labs was exploited one week later using an identical pattern. If a selector-pattern alert had fired after PancakeBunny, protocols running the same code would have had a warning window to pause. Onyx Protocol was exploited twice with the same empty-market vector — the second exploit eleven months after the first used the identical calldata pattern, meaning a replay template from the first exploit would have fired on the second.

**Green / Yellow / Red** Green is the baseline when all transactions to the protocol contain no selector patterns matching the exploit-replay library. Yellow fires when a transaction contains a partial selector-pattern match — individual selectors appear in the exploit library but the full sequence does not match. Red fires when a transaction matches a complete known-exploit-replay template, particularly if the transaction is submitted by a fresh wallet or follows a flash loan origination.

**Common gray cases** Gray applies when the protocol's legitimate functionality overlaps significantly with selector patterns in the exploit library (e.g., a lending protocol that legitimately uses flash loans for liquidations), making false positive rates unacceptably high.

**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.

Measurement what to look for #

Detect whether a call-pattern matches a known-exploit replay template (specific selector sequence and calldata shape) against this protocol.

Data & output #

Data source
Mempool + tx history selector pattern index
Output format
Green / Yellow / Red
Evidence artifact
Flagged tx hash + selector sequence matched + replay template ID
Confidence signal
green = signal not firing; red = replay pattern detected; gray = selector pattern index not maintained for this protocol class

Scored protocols 80 carry this factor #

Protocol RD-F-095
Aave v3 ethereum not_assessed Across Protocol ethereum gray Aerodrome Finance base gray Axelar Network ethereum green Babylon Protocol bitcoin gray Balancer (v2 + v3) ethereum gray Beefy Finance ethereum green BENQI avalanche gray BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum not_applicable Cap (cUSD / stcUSD) ethereum gray Centrifuge ethereum gray Chainlink CCIP ethereum not_applicable Circle USYC binance not_applicable Compound V3 (Comet) ethereum gray Concrete ethereum gray Convex Finance ethereum gray crvUSD (Curve Stablecoin) ethereum gray Curve Finance ethereum not_assessed deBridge ethereum gray Dolomite ethereum gray dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum green Ethena ethereum green ether.fi ethereum green Euler V2 ethereum not_assessed Falcon Finance ethereum gray Fluid ethereum green Frax Finance ethereum gray GMX v2 (GMX Synthetics) arbitrum gray Hyperlane ethereum gray Hyperliquid arbitrum gray Jito solana not_assessed Jupiter solana not_assessed Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron gray Kamino Lend solana green Kinetiq hyperliquid gray Lido ethereum green Liquid Collective (LsETH) ethereum gray Liquity V1 + V2 (LUSD / BOLD) ethereum green Lista DAO bsc gray Lombard Finance ethereum gray M^0 ethereum not_applicable Maple Finance ethereum gray Marinade Finance solana not_applicable Meteora solana not_applicable mETH Protocol ethereum green Midas ethereum gray Morpho V1 (Morpho Blue + MetaMorpho) ethereum green Multipli ethereum gray Ondo Finance ethereum green OpenEden ethereum gray Orca solana not_applicable PancakeSwap bsc not_assessed Pendle Finance ethereum not_assessed Polymarket polygon not_assessed QuickSwap polygon not_assessed Raydium solana not_assessed Rocket Pool ethereum gray Sanctum solana green Save (formerly Solend) solana not_applicable Sky Lending (formerly MakerDAO) ethereum gray Spark Protocol ethereum green Spiko stellar not_assessed Stake DAO ethereum green StakeWise v3 ethereum green Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid gray SUNSwap (sun.io) tron gray Superstate ethereum not_applicable Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum yellow Symbiotic ethereum green Synapse Protocol ethereum not_applicable Uniswap (v2 + v3) ethereum gray USDD (Decentralized USD) tron gray Usual (USD0 / bUSD0 / USUAL) ethereum green Veda (BoringVault) ethereum gray Venus Protocol bsc not_assessed Wormhole ethereum green Yearn Finance ethereum gray
0 red · 1 yellow · 19 green

Linked hacks no historical incidents linked #

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-095 category 6 carried 80 critical no