TVL anomaly — % drop in <1h
A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.
Methodology: how we score
**What this measures**
This real-time signal fires when the protocol's total value locked drops by more than a configurable threshold percentage within a one-hour window relative to the trailing 30-day baseline. The threshold is calibrated per protocol tier to balance sensitivity against false positives from legitimate large withdrawals. TVL is tracked via continuous DefiLlama integration and on-chain reserve reads. Category 6 context: TVL anomaly is the most broadly applicable exploit-in-progress signal — by the time a drain is occurring, TVL is falling in real time and this signal can alert remaining depositors before the drain completes.
**Why it matters**
Approximately 73% of the hacks in the dataset were rated Medium or High detectability, meaning a real-time monitor watching TVL anomalies would have fired during the majority of incidents. Cetus Protocol ($223M, 2025) saw USDC depegging to zero on Sui and mass SUI dumps within minutes of pool drain; a TVL monitor would have fired immediately. Harvest Finance ($33.8M, 2020) triggered a bank run of roughly $700M TVL immediately post-attack. KyberSwap Elastic ($48M) saw TVL fall from $71M to under $3M during the attack. The signal is most valuable for partially-drained protocols where early detection can preserve remaining funds.
**Green / Yellow / Red**
Green is the baseline when TVL moves within the expected range of normal user activity relative to the 30-day baseline. Yellow fires when TVL drops 5–15% within one hour — elevated but potentially explainable by large-withdrawal normal behavior. Red fires when TVL drops more than 15% within one hour, or when the rate of decline accelerates across consecutive monitoring windows — the exploit-in-progress pattern.
**Common gray cases**
Gray applies during market stress events (broad crypto drawdowns) when TVL falls across all protocols simultaneously, making protocol-specific signals unreliable, or when the protocol is small enough that a single large user withdrawal produces false positives.
**Notable historical examples**
- **Cetus Protocol** ($223M, 2025): USDC depegging to zero on Sui; sequential pool drains detectable by TVL monitor.
- **KyberSwap Elastic** ($48M, 2023): TVL fell from $71M to under $3M during the attack window.
- **Harvest Finance** ($33.8M, 2020): $700M TVL bank run immediately post-attack; each manipulation cycle preceded by large Curve swaps.
- **Saga** ($7M, 2026): $37M to $13.6M TVL drop with $D depeg during exploit.
Measurement: what to look for
Detect whether TVL drops >X% within 1 hour versus the trailing 30-day baseline (X configurable per protocol TVL tier).
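The Green / Yellow / Red / Gray rules above, as an added Python sketch (not the rubric's own code). The names `Thresholds` and `classify`, the use of the 30-day mean as the baseline, the `market_gray_pct` cut-off and the noise floor on the acceleration rule are assumptions made for this example; all sample values are constructed.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Thresholds:
    low_pct: float = 5.0          # yellow band starts here (page: 5-15% in one hour)
    high_pct: float = 15.0        # red above this (page: more than 15% in one hour)
    market_gray_pct: float = 5.0  # ASSUMED: peer-median drop treated as market-wide stress

def classify(hour_samples, baseline_30d, cfg, peer_median_drop_pct=0.0):
    """hour_samples: evenly spaced TVL readings covering the last hour, oldest first.
    baseline_30d: trailing 30-day TVL readings. Returns (colour, evidence)."""
    if cfg is None or len(hour_samples) < 2 or not baseline_30d:
        return "gray", {"reason": "TVL monitoring not configured"}
    baseline = mean(baseline_30d)
    # ASSUMED definition: one-hour drop expressed as a percentage of the 30-day mean.
    drop_pct = (hour_samples[0] - hour_samples[-1]) / baseline * 100
    # Per-window declines; "accelerating" = three consecutive windows, each steeper.
    steps = [(a - b) / baseline * 100 for a, b in zip(hour_samples, hour_samples[1:])]
    last = steps[-3:]
    accelerating = len(last) == 3 and 0 < last[0] < last[1] < last[2]
    evidence = {"drop_pct": round(drop_pct, 2), "baseline": baseline,
                "accelerating": accelerating, "low": cfg.low_pct, "high": cfg.high_pct}
    if peer_median_drop_pct >= cfg.market_gray_pct:
        return "gray", {**evidence, "reason": "market-wide drawdown"}
    # ASSUMED noise floor: acceleration only escalates once the yellow band is reached.
    if drop_pct > cfg.high_pct or (accelerating and drop_pct >= cfg.low_pct):
        return "red", evidence
    if drop_pct >= cfg.low_pct:
        return "yellow", evidence
    return "green", evidence

# Constructed data, in $M: a flat 30-day baseline and 15-minute readings for one hour.
BASELINE = [100.0] * 30
CASES = {
    "steady":       [100.0, 99.5, 100.2, 99.8, 100.1],
    "big_withdraw": [100.0, 99.0, 97.0, 94.0, 92.0],
    "accelerating": [100.0, 99.5, 98.5, 96.5, 93.0],
    "drain":        [100.0, 98.0, 94.0, 88.0, 60.0],
}

if __name__ == "__main__":
    for name, samples in CASES.items():
        print(name, classify(samples, BASELINE, Thresholds()))
```

The `accelerating` case stays inside the 5–15% band (7% in the hour) but is escalated to red because each 15-minute window falls faster than the one before it; the returned evidence dict mirrors the drop % and threshold config the factor records as its artifact.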
Data & output

- Data source: DefiLlama real-time TVL endpoint + rolling 30d baseline model
- Output format: Green / Yellow / Red
- Evidence artifact: TVL time-series snapshot + drop % + threshold config + timestamp
- Confidence signal: green = signal not firing; yellow = drop between low-alert and high-alert threshold; red = drop exceeds high-alert threshold; gray = TVL monitoring not configured
Scored protocols: 80 carry this factor

Linked hacks: 10 historical incidents
- [illustrative] Saga (SagaEVM / Saga Dollar) — IBC Precompile Input Validation Bypass → Infinite Mint
  2026-01-21 · $7M · IBC Precompile Input Validation Bypass → Infinite Mint · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — $37M → $13.6M TVL drop; $D depeg to $0.73 during/after exploit]

- [illustrative] Odin.Fun — AMM Liquidity Manipulation (Governance Token Price Pump + Drain)
  2025-08-12 · $7M · AMM Liquidity Manipulation (Governance Token Price Pump + Drain) · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — BTC reserve monitoring would show drawdown]

- [illustrative] Cetus Protocol — Integer Overflow / Division-by-Near-Zero in Concentrated Liquidity Math
  2025-05-22 · $223M · Integer Overflow / Division-by-Near-Zero in Concentrated Liquidity Math · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N + detail): YES — HODLFM flagged USDC depegging to zero on Sui and mass SUI token dumps within minutes of pools being drained. The sequential drain ac...] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability Reasoning: Each individual exploit was atomic (single tx). However, the sequential nature (every Cetus pool drained one after another) and the immediat...]

- [illustrative] KyberSwap Elastic — Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case
  2023-11-22 · $48M · Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — TVL fell from $71M to <$3M on KyberSwap Elastic during attack] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability rating: Low] || Low detectability — alternate field name [via realtime_signals/Detectability rating: Low]

- [illustrative] Balancer V2 (+ Beethoven X fork) — Linear pool rounding-down logic → cached rate manipulation → boosted pool drain
  2023-08-27 · $2M · Linear pool rounding-down logic → cached rate manipulation → boosted pool drain · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — majority of at-risk TVL was withdrawn in the 5-day window; only remaining stragglers were drained]

- [illustrative] Multichain (formerly Anyswap) — Private Key Compromise (MPC Address) — suspected backend breach or insider
  2023-07-07 · $126M · Private Key Compromise (MPC Address) — suspected backend breach or insider · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — some TVL flight post-force-majeure in May]

- [illustrative] Hedera (Network-level — Hashgraph Smart Contract Service) — Smart Contract Service (HTS) Code Bug — Uniswap V2 Port Exploit
  2023-03-09 · $515K · Smart Contract Service (HTS) Code Bug — Uniswap V2 Port Exploit · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — post-attack panic caused $12M TVL exit, not pre-exploit signal] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability: Low]

- [illustrative] Alchemix — Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan
  2021-06-16 · $5 · Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — ETH collateral being withdrawn without corresponding debt repayment would be detectable]

- [illustrative] Alpha Finance / Alpha Homora V2 (leveraged yield farming) — Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required
  2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — SBF withdrew $400M FTT from Cream Finance; Three Arrows Capital sent $3M ALPHA to Binance shortly after the exploit broke publicly (like...] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability rating: Low] || Low detectability — alternate field name [via realtime_signals/Detectability rating: Low]

- [illustrative] Harvest Finance — Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain
  2020-10-26 · $34M · Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain · TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — bank run of ~$700M TVL followed immediately post-attack; no pre-attack TVL signal] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability reasoning: The 32-cycle attack over 7 minutes generated extremely large and anomalous Curve Y-pool swaps repeatedly — a monitoring system watching for ...]
rubric_version: v1.7.0 · factor: RD-F-098 · category: 6 · carried: 80 · critical: no