defirisk.co
rubric v1.7.0

Large governance proposal queued

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time cadence.

Methodology: how we score

**What this measures** This real-time signal fires when a governance proposal with a potentially protocol-impactful payload has been queued for execution, specifically proposals that include contract upgrades, parameter changes affecting collateral factors or fee structures, new-market activations, or admin role transfers. The signal is generated by monitoring governance contracts for `ProposalQueued` events and the corresponding timelock scheduling events (for example `CallScheduled` on OpenZeppelin's TimelockController), then classifying each call in the payload against a risk-category library. Category 6 context: governance execution is both a legitimate operational mechanism and the vector for flash-loan governance attacks and rogue-proposal executions; distinguishing normal from anomalous activity requires classifying the payload, not merely counting queue events.

**Why it matters** Beanstalk ($181M, 2022) is the canonical governance-attack case: the malicious proposals were submitted roughly 24 hours before execution, and the vote was then carried with flash-loaned voting weight. Compound Finance ($147M, 2021) shows the inverse: a legitimate governance upgrade (Proposal 62) shipped a COMP-distribution bug in the Comptroller, and a later `drip()` call moved further COMP from the Reservoir into the vulnerable contract, enlarging the loss. The Drift Protocol incident ($285M, 2026) involved a Security Council threshold reduction and timelock removal, governance-adjacent actions executed before the DPRK exploit. Mirror Protocol's silent patch (May 14, 2022) executed without public disclosure. Monitoring the proposal queue, together with the privileged admin actions it is meant to gate, surfaces all four as actionable alerts, whether the proposal itself is malicious or merely risky.

**Green / Yellow / Red** Green is the baseline when no governance proposal with an impact payload is currently in the execution queue. Yellow fires when a standard parameter-change or minor upgrade proposal enters the queue: operationally expected activity that still warrants a look at the payload. Red fires when a proposal whose payload contains contract upgrade code, an admin or role transfer, or a collateral-factor change enters the execution queue and either was not preceded by substantive community discussion or was submitted by an address outside the protocol's known governance participant set.

**Common gray cases** Gray applies when the governance contract does not emit `ProposalQueued` (or an equivalent) in a machine-readable form, for example custom governance without standard Governor or Timelock interfaces, or when the protocol uses off-chain governance with on-chain execution and the on-chain step alone provides insufficient context to classify the payload.
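As an added example (not defirisk.co's classifier or any protocol's code), the Python below sketches the queue-monitoring step end to end: it takes a decoded `ProposalQueued` event joined with the proposal's call set, resolves each call's 4-byte selector against a hand-entered risk-category table, decodes the `uint256` argument of a threshold or delay change so a reduction can be told from an increase, and maps the result onto the rules above. The precedence it applies is one reading of those rules: any threshold or timelock reduction is Red outright; a privileged payload (upgrade, admin or role transfer, collateral factor) is Red when the proposer is unknown or no discussion thread exists and Yellow when vetted; routine parameter changes and new-market activations are Yellow; an event with no decodable payload is Gray. The event field names, the selector table, the proposer allowlist, all addresses and the four sample proposals are constructed for this example; re-derive any selector with `cast sig` before using it for real monitoring.

```python
# Added example, not defirisk.co's classifier: bucket a queued governance proposal
# into Green / Yellow / Red / Gray from its call payload. The event layout, selector
# table, proposer allowlist, addresses and sample proposals are all constructed.
from dataclasses import dataclass, field

# 4-byte selectors (keccak256 of the canonical signature), hand-entered from common
# OpenZeppelin / Compound / Safe interfaces. Re-derive each with `cast sig` before use.
SELECTORS = {
    "3659cfe6": ("upgradeTo(address)", "upgrade"),
    "4f1ef286": ("upgradeToAndCall(address,bytes)", "upgrade"),
    "8f283970": ("changeAdmin(address)", "admin_transfer"),
    "f2fde38b": ("transferOwnership(address)", "admin_transfer"),
    "2f2ff15d": ("grantRole(bytes32,address)", "role_change"),
    "e4028eee": ("_setCollateralFactor(address,uint256)", "collateral_factor"),
    "694e80c3": ("changeThreshold(uint256)", "guard_value"),   # Safe multisig
    "64d62353": ("updateDelay(uint256)", "guard_value"),       # OZ TimelockController
    "a76b3fda": ("_supportMarket(address)", "market_activation"),
    "fca7820b": ("_setReserveFactor(uint256)", "parameter"),
}
PRIVILEGED = {"upgrade", "admin_transfer", "role_change", "collateral_factor"}

@dataclass
class QueuedProposal:          # decoded ProposalQueued event + the proposal's stored calls
    proposal_id: int
    proposer: str
    targets: list
    calldatas: list            # "0x"-prefixed hex, one per target
    eta: int                   # execution ETA, unix seconds
    tx_hash: str
    forum_url: str = ""        # "" = no discussion thread found for this proposal

@dataclass
class Verdict:
    color: str
    reasons: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)

def decode_call(target, calldata, current_values):
    # current_values maps a guard contract (Safe, timelock) to its current
    # threshold/delay so a change can be recognised as a reduction, not an increase.
    data = calldata[2:].lower() if calldata.startswith("0x") else calldata.lower()
    if len(data) < 8:
        return "unclassified", "calldata shorter than a selector"
    if data[:8] not in SELECTORS:
        return "unclassified", f"unknown selector 0x{data[:8]}"
    sig, category = SELECTORS[data[:8]]
    if category == "guard_value":
        new = int(data[8:72], 16) if len(data) >= 72 else None   # first uint256 argument
        cur = current_values.get(target.lower())
        if new is not None and cur is not None and new < cur:
            return "guard_reduction", f"{sig}: {cur} -> {new}"
        return "parameter", f"{sig}: {new}"
    return category, sig

def classify(p, known_proposers, current_values):
    if not p.calldatas:
        return Verdict("gray", ["queued event carries no decodable payload"])
    calls = [decode_call(t, d, current_values) for t, d in zip(p.targets, p.calldatas)]
    categories = {cat for cat, _ in calls}
    reasons = [f"{t}: {desc} [{cat}]" for t, (cat, desc) in zip(p.targets, calls)]
    known = p.proposer.lower() in {a.lower() for a in known_proposers}
    if not known:
        reasons.append(f"proposer {p.proposer} not in known participant set")
    if not p.forum_url:
        reasons.append("no discussion thread linked to the proposal")
    if "guard_reduction" in categories:
        color = "red"                                   # threshold/timelock weakening: always Red
    elif categories & PRIVILEGED:
        color = "yellow" if known and p.forum_url else "red"
    else:
        color = "yellow"                                # routine parameter, new market, or review
    evidence = {"proposal_id": p.proposal_id, "queued_tx": p.tx_hash,
                "payload": [desc for _, desc in calls], "eta": p.eta}
    return Verdict(color, reasons, evidence)

# Constructed sample input (hypothetical addresses; not real contracts).
def _uint(v): return format(v, "064x")
def _addr(a): return a[2:].lower().rjust(64, "0")
KNOWN_PROPOSERS = {"0x" + "aa" * 20}
COUNCIL_SAFE = "0x" + "5a" * 20                        # hypothetical 3-of-5 Security Council
CURRENT_VALUES = {COUNCIL_SAFE: 3}
ETA = 1_800_000_000
SAMPLES = {
    "routine": QueuedProposal(101, "0x" + "aa" * 20, ["0x" + "c0" * 20],
        ["0xfca7820b" + _uint(150_000_000_000_000_000)], ETA, "0x" + "01" * 32,
        forum_url="https://forum.example/t/reserve-factor-update"),
    "rogue_upgrade": QueuedProposal(102, "0x" + "bb" * 20, ["0x" + "c1" * 20, "0x" + "c2" * 20],
        ["0x4f1ef286" + _addr("0x" + "ee" * 20) + _uint(0x40) + _uint(0),
         "0xf2fde38b" + _addr("0x" + "bb" * 20)], ETA, "0x" + "02" * 32),
    "council_threshold": QueuedProposal(103, "0x" + "aa" * 20, [COUNCIL_SAFE],
        ["0x694e80c3" + _uint(2)], ETA, "0x" + "03" * 32,
        forum_url="https://forum.example/t/ops-housekeeping"),
    "opaque": QueuedProposal(104, "0x" + "aa" * 20, [], [], ETA, "0x" + "04" * 32),
}

def run_samples():
    return {name: classify(p, KNOWN_PROPOSERS, CURRENT_VALUES) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:18} {v.color:6} {v.reasons}")
```

Green is never returned by `classify`: it is the steady state when the queue is empty, so the monitor emits Green between events and only calls the classifier when a `ProposalQueued` arrives. The `council_threshold` sample is the interesting one: it comes from a known proposer with a forum thread, so a naive "is the proposer known" check would pass it, yet decoding the argument against the Safe's current threshold turns a 3-of-5 into a 2-of-5 and the verdict is Red. The `evidence` dict mirrors the rubric's evidence artifact (proposal ID, queued tx hash, payload summary, ETA).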

**Notable historical examples**
- **Beanstalk** ($181M, 2022): malicious governance proposals queued 24h before flash-loan execution; detectable by a proposal monitor.
- **Compound Finance** ($147M, 2021): execution of Proposal 62 introduced the Comptroller COMP-distribution bug that a later `drip()` call compounded; a monitor would have flagged the upgrade payload.
- **Drift Protocol** ($285M, 2026): Security Council threshold reduction queued without governance-forum precedent.
- **Nomad Bridge** ($190M, 2022): the June upgrade initialised the trusted root as `bytes32(0)`; execution of the upgrade proposal would have been flagged.

Measurement: what to look for

Detect whether a governance proposal with potentially protocol-impactful payload has been queued for execution (including Security-Council threshold-reduction variant).

Data & output

| Field | Value |
|---|---|
| Data source | Governance contract `ProposalQueued` events + payload-impact classifier |
| Output format | Green / Yellow / Red |
| Evidence artifact | Proposal ID + queued tx hash + payload summary + execution ETA |
| Confidence signal | green = signal not firing (no unusual proposals queued); yellow = proposal queued for routine maintenance; red = proposal queued with privileged payload or threshold-reduction; gray = governance event monitoring not configured |

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-101 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | gray |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | gray |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | gray |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | green |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | green |
| Raydium | solana | gray |
| Rocket Pool | ethereum | green |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | green |

Linked hacks: 82 historical incidents

Each entry: protocol, date, loss, link type; attack vector; why the real-time signal would have fired.

- **Aethir** (decentralized GPU compute / DePIN; ATH token bridge), 2026-04-09, $400K, illustrative link. Vector: Access control — unprotected/misauthorized `transferOwnership()` on AethirOFTAdapter; either missing `onlyOwner` modifier or compromised single-EOA admin key. RT signal would have fired [via realtime_signals/Governance/admin action: Y — unauthorized `transferOwnership` call on AethirOFTAdapter is itself the critical admin action]
- **Drift Protocol** (Solana perpetual futures DEX), 2026-04-01, $285M, illustrative link. Vector: Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Security Council threshold reduction (3/5→2/5, timelock removed) March 25–27; admin key transfer April 1]
- **Venus Protocol**, 2026-03-15, $4M, illustrative link. Vector: Donation Attack → Supply Cap Bypass → Collateral Inflation → Recursive Borrow Loop. RT signal would have fired [via realtime_signals/Governance/admin action: Y — post-exploit: Collateral Factor zeroed on six additional markets where single wallet held >60% of supplied collateral]
- **IoTeX** (ioTube Bridge), 2026-02-21, $4M, illustrative link. Vector: Private key compromise → malicious contract upgrade → TokenSafe drain + MinterPool abuse. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — upgrade() call on TransferValidator was the pivot point; observable on-chain]
- **Moonwell**, 2026-02-15, $2M, illustrative link. Vector: Oracle Misconfiguration (Missing ETH/USD Multiplier). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — governance proposal execution directly caused the exploit]
- **Step Finance**, 2026-01-31, $27M, illustrative link. Vector: Compromised Executive Device → Stake Authorization Transfer. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Stake authorization transfer to unknown address is the key on-chain action; Solana staking change events to fresh wallets during APAC of...]
- **Aevo** (formerly Ribbon Finance), 2025-12-12, $3M, illustrative link. Vector: Proxy upgrade removed oracle access control — oracle price settable to arbitrary value → vault fully drained in atomic loop. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the upgrade itself was an admin action (root cause)]
- **USPD**, 2025-12-04, $1M, illustrative link. Vector: CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — proxy upgrade on Dec 4 was the trigger (admin-controlled, but by attacker)]
- **GANA Payment**, 2025-11-20, $3M, illustrative link. Vector: Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass). RT signal would have fired [via realtime_signals/Governance/admin action: Y — transferOwnership calls (8x) and reward rate manipulation are admin-level on-chain actions immediately preceding the drain]
- **UXLINK**, 2025-09-22, $41M, illustrative link. Vector: Admin key compromise → delegateCall admin takeover + unauthorized infinite token minting. RT signal would have fired [via realtime_signals/Governance/admin action: Y — delegateCall used to remove admins and install attacker as new owner]
- **SwissBorg** (via Kiln staking partner), 2025-09-08, $42M, illustrative link. Vector: Partner API compromise — withdrawal authority transfer via hidden staking instructions. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Withdrawal authority was transferred via Kiln's compromised API; appeared as routine staking operations]
- **Credix**, 2025-08-05, $5M, illustrative link. Vector: Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral. RT signal would have fired [via realtime_signals/Governance/admin action: Y — multisig granted both Admin and Bridge roles to attacker address 6 days prior; this is the root exploitable signal]
- **ArcadiaFi**, 2025-07-14, $4M, illustrative link. Vector: Arbitrary swapData call via trusted rebalancer contract — attacker exploited cooldown period from decoy pause to prevent emergency shutdown during drain. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the forced pause/unpause cycle was the setup]
- **Hacken** ($HAI token), 2025-06-20, $170K, illustrative link. Vector: Bridge private key leak from decommissioned server → unauthorized token minting → dump. RT signal would have fired [via realtime_signals/Governance/admin action: Y — unauthorized minting via compromised minter role key]
- **Force Bridge** (Nervos Network), 2025-06-01, $4M, illustrative link. Vector: Access control compromise — admin key leak → privileged unlock() drain across two chains. RT signal would have fired [via realtime_signals/Governance/admin action: Y — the exploit was itself an admin-level action; no on-chain governance signal preceding it]
- **Zunami Protocol**, 2025-05-14, $500K, illustrative link. Vector: Admin key compromise → withdrawStuckToken() drain of LP collateral. RT signal would have fired [via realtime_signals/Governance/admin action: Y — admin role grant is the proximate signal; 7-minute window between grant and drain]
- **LNDFi** (LND.fi), 2025-05-09, $1M, illustrative link. Vector: Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — Pool Admin role assignment was the enabling action]
- **Zoth** (RWA yield protocol), 2025-03-21, $8M, illustrative link. Vector: Admin key compromise → malicious proxy contract upgrade → vault drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — the malicious proxy upgrade is a critical governance/admin action; any monitor watching for deployer wallet upgrade transactions on prod...]
- **Infini** (Crypto Neobank), 2025-02-24, $50M, illustrative link. Vector: Retained Admin Privileges — Rogue Developer Backdoor. RT signal would have fired [via realtime_signals/Governance/admin action: Y — privileged role invocation was the entire attack mechanism]
- **ByBit**, 2025-02-21, $1.4B, illustrative link. Vector: Frontend Spoofing / Blind Signing — Malicious Safe Multisig Implementation Upgrade. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the exploit *was* a governance/implementation action (Safe upgrade) disguised as a routine transfer]
- **Moby Trade**, 2025-01-08, $1M, illustrative link. Vector: Private key compromise → proxy admin key stolen → vault ownership transfer → drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — proxy ownership transfer was the triggering on-chain event; detectable before drain began]
- **Orange Finance**, 2025-01-07, $844K, illustrative link. Vector: Admin private key compromise → proxy upgrade → privileged drain of LP vault positions. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — proxy upgrade by compromised admin key was the attack itself]
- **Tapioca DAO**, 2024-10-18, $4M, illustrative link. Vector: Social engineering → private key compromise → vesting contract ownership takeover + stablecoin infinite mint → TAP dump + USDO/USDC LP drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Emergency Rescue function called by compromised owner key; stablecoin minter role added; ownership transferred on both vesting and stabl...]
- **Radiant Capital**, 2024-10-16, $53M, illustrative link. Vector: Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — multisig transactions transferring pool ownership and upgrading implementation were the exploit itself]
- **Onyx Protocol** (2nd incident), 2024-09-25, $4M, illustrative link. Vector: Compound V2 empty-market donation attack — VUSD governance-added market. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — governance vote added the new VUSD market that created the empty-market opportunity]
- **Shezmu**, 2024-09-20, $5M, illustrative link. Vector: Unrestricted Collateral Minting in CDP Vault. RT signal would have fired [via realtime_signals/Governance/admin action: Y — contract upgrade 17 days prior is notable; may have introduced or failed to patch the flaw]
- **Unnamed Crypto Whale** (Maker DSProxy vault), 2024-08-20, $55M, illustrative link. Vector: Phishing → EOA compromise → DSProxy ownership transfer → DAI vault drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — DSProxy ownership transfer to attacker address was the pivotal on-chain step]
- **Ronin Network** (Bridge), 2024-08-06, $12M, illustrative link. Vector: Uninitialized Variable in Contract Upgrade (initializeV3 Skipped). RT signal would have fired [via realtime_signals/Governance/admin action: Y — bridge upgrade deployed 6 days before exploit; this was the trigger]
- **ETHTrustFund** (ETF), 2024-07-21, $2M, illustrative link. Vector: Insider Rug Pull — Deployer Drains Treasury Smart Contract. RT signal would have fired [via realtime_signals/Governance/admin action: Y — deployer directly transferred treasury funds; admin privilege over treasury was single-key]
- **Rho Market**, 2024-07-19, loss not stated, illustrative link. Vector: Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — admin deployment of a misconfigured oracle was the root cause]
- **Gala Games** (GALA token contract), 2024-05-21, $22M, illustrative link. Vector: Compromised Admin Account — Unauthorized Token Minting. RT signal would have fired [via realtime_signals/Governance/admin action: Y — admin mint function exercised by compromised/unauthorized account]
- **Sonne Finance**, 2024-05-14, $20M, illustrative link. Vector: Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Governance proposal added new market with collateral factor; permissionless execution on Optimism]
- **AlexLab** (XLink Bridge), 2024-05-14, $4M, illustrative link. Vector: Phishing-compromised deployer private key → malicious proxy upgrades → vault drain. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — proxy upgrade transactions by deployer wallet]
- **Pike Finance**, 2024-04-26, $2M, illustrative link. Vector: Storage Layout Collision → Unauthorized Proxy Upgrade / Ownership Takeover. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — emergency upgrade between attacks introduced the storage collision]
- **Grand Base**, 2024-04-15, $2M, illustrative link. Vector: Deployer wallet private key leak → unauthorized token minting → dump. RT signal would have fired [via realtime_signals/Governance/admin action: Y — unauthorized token minting by compromised deployer key (effective admin action)]
- **Munchables**, 2024-03-26, $63M, illustrative link. Vector: Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — proxy upgrade to unverified implementation]
- **Unizen**, 2024-03-08, $2M, illustrative link. Vector: Unvalidated external call in upgraded DEX Aggregation contract — approval drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — contract upgrade was the proximate trigger (team-controlled but observable)]
- **Ionic Money** (formerly Midas), 2024-02-04, $7M, illustrative link. Vector: Fake Collateral Listing (Social Engineering → On-chain Exploit). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — admin whitelisting of fake collateral was the enabling action]
- **Socket** (Bungee Bridge), 2024-01-16, $3M, illustrative link. Vector: Unvalidated user input in new route — transferFrom injection via approval drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — New route added to bridge contract without re-audit]
- **Radiant Capital** (1st incident), 2024-01-02, $5M, illustrative link. Vector: Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — governance activation of the new market was the trigger event]
- **OKX DEX** (OKX Decentralized Exchange Aggregator), 2023-12-13, $3M, illustrative link. Vector: Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals. RT signal would have fired [via realtime_signals/Governance/admin action: Y — proxy implementation upgrade by compromised Proxy Admin Owner was the trigger event]
- **HECO Bridge** (Huobi ECO Chain Ethereum Bridge), 2023-11-22, $87M, illustrative link. Vector: Compromised Bridge Operator Account (Private Key / Off-chain). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — operator account action was the enabling event]
- **Onyx Protocol**, 2023-10-31, $2M, illustrative link. Vector: Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation. RT signal would have fired [via realtime_signals/Governance/admin action: Y — governance Proposal 22 enabled the vulnerable PEPE market; detectable pre-exploit risk]
- **Stars Arena**, 2023-10-07, $3M, illustrative link. Vector: Reentrancy. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Proxy upgrade between exploit 1 and exploit 2 introduced the reentrancy bug; new implementation was unverified]
- **RocketSwap**, 2023-08-14, $869K, illustrative link. Vector: Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions. RT signal would have fired [via realtime_signals/Governance/admin action: Y — farming contracts drained via internal admin address (privileged key holder action)]
- **Steadefi**, 2023-08-07, $1M, illustrative link. Vector: Compromised Deployer Key → Ownership Transfer. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Ownership transfer from deployer to attacker address is the key on-chain action; monitoring for unexpected ownership transfer events on ...]
- **Kannagi Finance**, 2023-07-29, $1M, illustrative link. Vector: Insider rug — privileged admin withdrawal on behalf of users (MainChef address). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the privileged withdrawal was the attack mechanism itself]
- **Multichain** (formerly Anyswap), 2023-07-07, $126M, illustrative link. Vector: Private Key Compromise (MPC Address) — suspected backend breach or insider. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — MPC key control centralized in compromised party]
- **Poly Network** (2nd incident), 2023-07-01, $4M, illustrative link. Vector: Compromised 3-of-4 multisig → forged deposit proofs → cross-chain withdrawal drain. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — multisig validation was the attack vector itself]
- **Atlantis Loans**, 2023-06-10, $3M, illustrative link. Vector: Governance attack on abandoned protocol — attacker passed malicious proposal granting token contract control, then upgraded to drain addresses with active approvals. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the malicious governance proposal was the root cause]
- **Tornado Cash** (Governance), 2023-05-20, $750K, illustrative link. Vector: Metamorphic contract (CREATE + CREATE2 + selfDestruct) — trojan horse governance proposal. RT signal would have fired [via realtime_signals/Governance/admin action: Y — the attack IS the governance action; proposal submission + voting visible on-chain]
- **Swaprum**, 2023-05-18, $3M, illustrative link. Vector: Rug Pull via Malicious Contract Upgrade. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Contract upgrade via owner/admin function is the key action; monitoring for reward contract upgrades by the deployer address would surfa...]
- **Deus DAO / DEI stablecoin**, 2023-05-06, $7M, illustrative link. Vector: Mis-ordered Parameters in burnFrom — Public Approval Override. RT signal would have fired [via realtime_signals/Governance/admin action: Y — contract upgrade deploying the flawed burnFrom function was an admin/deployer action visible on-chain]
- **Merlin DEX**, 2023-04-25, $2M, illustrative link. Vector: Insider rug — max approval drain via privileged Feeto address. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Feeto address held permanent max approval from pool deployment]
- **Safemoon**, 2023-03-28, $9M, illustrative link. Vector: Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain. RT signal would have fired [via realtime_signals/Governance/admin action: Y — Safemoon Deployer upgraded the token contract 6 hours before the exploit]
- **Kokomo Finance**, 2023-03-26, $4M, illustrative link. Vector: Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the malicious implementation upgrade is the attack mechanism]
- **Hope Finance**, 2023-02-20, $2M, illustrative link. Vector: Insider Exit Scam — Malicious Fake Router Pre-Deployed. RT signal would have fired [via realtime_signals/Governance/admin action: Y — the SwapHelper config update was the trigger; signed by all 3 multisig owners]
- **Raydium**, 2022-12-16, $4M, illustrative link. Vector: Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation. RT signal would have fired [via realtime_signals/Governance/admin action: Y — withdraw_pnl called by owner key; SyncNeedTake parameter modified. Both are admin-level operations]
- **Ankr (aBNBc) + Helio Money (HAY stablecoin)**, 2022-12-02, $5M, illustrative link. Vector: Deployer private key compromise → malicious aBNBc contract upgrade → permissionless infinite mint → PancakeSwap pool drain + Helio collateral collapse. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — malicious proxy upgrade was the root cause action]
- **Acala Network**, 2022-08-14, $2M, illustrative link. Vector: Misconfiguration of iBTC/aUSD liquidity pool — incorrect parameter in newly launched pool triggered unbounded aUSD minting. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — emergency governance freeze activated rapidly (arguably this is the response, not a pre-signal)]
- **Nomad Bridge**, 2022-08-02, $190M, illustrative link. Vector: Initialisation Error — Zero-Address Trusted Root (Merkle Proof Bypass). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — June upgrade that introduced the bug]
- **Audius**, 2022-07-23, $6M, illustrative link. Vector: Storage collision in upgradeable proxy — governance contract reinitializable via AudiusAdminUpgradabilityProxy slot 0 collision with OpenZeppelin Initializable; attacker reinitializes, inflates own voting power, passes malicious treasury transfer proposal. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the reinitialize and delegated-vote governance action was the core mechanism]
- **Mirror Protocol** (REKT 2), 2022-05-31, $92M, illustrative link. Vector: Missing Duplicate-Call Check (Re-entrancy variant). RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — silent patch on May 14, 2022 without disclosure]
- **Venus Protocol + Blizz Finance** (two protocols, one event), 2022-05-12, $14M, illustrative link. Vector: Oracle Min-Price Floor Exploit (Stale Price Feed During Depeg). RT signal would have fired [via realtime_signals/Governance/admin action: Y (attempted) — Venus suspended activity; Blizz attempted but timelock prevented timely action]
- **Fortress Protocol** (lending arm of JetFuel Finance), 2022-05-09, $3M, illustrative link. Vector: Oracle Manipulation + Malicious Governance Proposal. RT signal would have fired [via realtime_signals/Governance/admin action: Y — malicious governance proposal was the key enabling step; was active and voteable for 3 days]
- **Beanstalk**, 2022-04-17, $181M, illustrative link. Vector: Flash Loan + Governance Exploit. RT signal would have fired [via realtime_signals/Governance/admin action (Y/N + detail): YES — Malicious governance proposals submitted 24h prior. An on-chain governance monitor watching for unusual proposal initiators or large...]
illustrativeArbix Finance — Insider rug pull — deployer drained user vaults and disappeared, then dumped native token via PancakeSwap2022-01-04 · $10M · Insider rug pull — deployer drained user vaults and disappeared, then dumped native token via PancakeSwap · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — deployer exercised privileged vault withdrawal capability]
illustrativeBent Finance — Insider Contract Manipulation (Malicious Balance Adjustment)2021-12-21 · $2M · Insider Contract Manipulation (Malicious Balance Adjustment) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the exploit *was* an admin action (manual balance manipulation via contract update)]
illustrativeBrincFi — Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade2021-12-14 · $1M · Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — ownership transfer is an on-chain event; contract upgrade is an on-chain event]
illustrativeSnowdog (SnowdogDAO) — Insider front-running — privileged challengeKey knowledge + custom AMM sniping2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Team migrated all liquidity to custom AMM with challengeKey mechanism]
illustrativebZx (bzx.network) — Phishing → Private Key Compromise → Smart Contract Drain2021-11-05 · $55M · Phishing → Private Key Compromise → Smart Contract Drain · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — compromised EOA had admin control over Polygon and BSC deployments; its use constituted an admin action]
illustrativeCompound Finance — Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir2021-09-29 · $147M · Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — **this is the exploit itself**: Proposal 62 execution introduced the bug; Proposal 64 was the remediation]
illustrativeBondly Finance — Infinite Mint (Compromised or Insider Minting Key)2021-07-15 · $6M · Infinite Mint (Compromised or Insider Minting Key) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the minting key had unilateral control; its use was the exploit]
illustrativeMerlin Labs (REKT 3) — Reward Minting Manipulation (Balance Inflation)2021-06-29 · $330K · Reward Minting Manipulation (Balance Inflation) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — new vault deployment (unannounced)]
illustrativeMerlin Labs (REKT 2) — Oracle Mispricing2021-05-27 · $550K · Oracle Mispricing · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — emergency patch deployed between attacks]
illustrativeValue DeFi — Uninitialized Pool Re-initialization (Missing initialized = true)2021-05-05 · $10M · Uninitialized Pool Re-initialization (Missing initialized = true) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — initialize() call to a deployed pool contract by an external address is the attack signal; governanceRecoverUnsupported() call immediate...]
illustrativeUranium Finance — Math bug — constant product formula check broken by inconsistent parameter change (1000→10000)2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Team deployed v2 with the bug and announced v2.1 migration]
illustrativeEasyFi (Easy Network) — Admin key theft via compromised machine (malicious MetaMask binary)2021-04-19 · $59M · Admin key theft via compromised machine (malicious MetaMask binary) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Single admin key execution of transfer() function with no timelock; this IS the exploit mechanism]
illustrativePAID Network — Infinite Mint — Compromised Deployer Key (Suspected Insider)2021-03-05 · $27M · Infinite Mint — Compromised Deployer Key (Suspected Insider) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — ownership transfer of token contract]
illustrativeYearn Finance (yDAI v1 vault) — Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration2021-02-04 · $11M · Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — the withdrawal fee had been explicitly disabled by the team for vault migration; this configuration change was the necessary preconditio...]
illustrativeCover Protocol (formerly SAFE / SAFE2) — Infinite Mint — Blacksmith Farming Contract Withdrawal Bug2020-12-28 · $9M · Infinite Mint — Blacksmith Farming Contract Withdrawal Bug · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the team's own multisig transaction adding a new pool created the exploitable condition]
illustrativeCompounder Finance — Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)2020-12-02 · $12M · Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull) · Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — malicious Strategy contracts added and approved via StrategyController timelock]
rubric_version: v1.7.0 · factor: RD-F-101 · category: 6 · carried: 80 · critical: no