defirisk.co
rubric v1.7.0

Cross-chain bridge unverified mint pattern

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time cadence.

Methodology: how we score

**What this measures** This real-time signal fires when cross-chain activity is detected that is consistent with an unverified mint on the destination chain — specifically, when a large mint event on the destination chain occurs without a corresponding verifiable deposit or lock event on the source chain within the expected message-delivery latency window. The signal requires cross-chain indexing to correlate source-chain deposit events with destination-chain mint events. Category 6 context: the "mint without corresponding lock" pattern is the fundamental exploit signature of bridge replay and validation-bypass attacks.

**Why it matters** Nomad Bridge ($190M, 2022) — the bytes32(0) valid-root exploit — enabled any address to mint tokens on the destination chain without any source-chain deposit, once the bug was discovered. Wormhole ($320M, 2022) involved a signature-verification bypass that enabled fabricated guardian messages to trigger mints. The Meter Passport bridge exploit and Harmony Bridge incident both show variants of this pattern. Cross-chain indexing to detect mint-without-lock events is technically complex (PH curation) but provides the only real-time detection window for bridge validation exploits. Without this signal, bridge attacks are invisible until TVL is already drained.

**Green / Yellow / Red** Green is the baseline when all destination-chain mint events have corresponding verifiable source-chain deposit events within the expected delivery window. Yellow fires when a mint event arrives within the expected window but the source-chain confirmation count is below the safe threshold (e.g., four blocks on Ethereum for large amounts). Red fires when a mint event on the destination chain has no corresponding source-chain deposit within five times the expected delivery window — indicating either a validation bypass or a proof-fabrication attack.

**Common gray cases** Gray applies when the bridge uses a zero-knowledge proof system where proof verification on-chain does not correspond one-to-one with indexable source-chain events, or when source-chain monitoring coverage is incomplete for the specific chain pair.
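The Green / Yellow / Red and gray rules above, written as a correlation routine. This is an added example, not defirisk.co's own code. It assumes a shared message id as the correlation key, one mint per deposit, a mint amount no larger than the deposit, and a hypothetical `pending` state for unmatched mints still inside five times the window; the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:            # source-chain deposit/lock event
    msg_id: str           # assumed correlation key shared by both chains
    amount: int
    ts: int               # block time, unix seconds
    confirmations: int

@dataclass(frozen=True)
class Mint:               # destination-chain mint event
    tx: str
    msg_id: str
    amount: int
    ts: int

def score_mints(mints, deposits, now, window_s, safe_confs, source_indexed=True):
    """Return {mint.tx: status} for each destination-chain mint."""
    if not source_indexed:                      # incomplete source-chain coverage
        return {m.tx: "gray" for m in mints}
    unspent = {d.msg_id: d for d in deposits}   # each deposit backs one mint only
    out = {}
    for m in sorted(mints, key=lambda m: m.ts):
        d = unspent.get(m.msg_id)
        if d is not None and d.ts <= m.ts and m.amount <= d.amount:
            del unspent[m.msg_id]               # a repeated msg_id will find nothing
            out[m.tx] = "yellow" if d.confirmations < safe_confs else "green"
        elif now - m.ts >= 5 * window_s:        # still no deposit after 5x the window
            out[m.tx] = "red"
        else:
            out[m.tx] = "pending"               # assumed state, not in the rubric
    return out

# Constructed sample data: 600 s delivery window, 4-confirmation threshold.
DEPOSITS = [Deposit("m1", 1_000, 100, 64), Deposit("m2", 5_000, 200, 2)]
MINTS = [
    Mint("0xaa", "m1", 1_000, 400),    # backed by a well-confirmed deposit
    Mint("0xbb", "m2", 5_000, 260),    # backed, but only 2 confirmations
    Mint("0xcc", "m1", 1_000, 450),    # same msg_id minted a second time
    Mint("0xdd", "m9", 9_000, 500),    # no deposit on the source chain
    Mint("0xee", "m7", 50, 3_400),     # recent; deposit may not be indexed yet
]

if __name__ == "__main__":
    for tx, status in score_mints(MINTS, DEPOSITS, 3_600, 600, 4).items():
        print(tx, status)
```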

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect cross-chain activity consistent with an unverified mint on the destination chain (deposit on source without corresponding verified proof on destination).

Data & output

Data source: Bridge event indexer + cross-chain message verification state
Output format: Green / Yellow / Red
Evidence artifact: Source-chain deposit tx + destination-chain mint tx + proof verification status
Confidence signal: green = signal not firing; red = mint without verified proof detected; gray = protocol has no cross-chain bridge (N/A)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-106 |
| --- | --- | --- |
| Aave v3 | ethereum | not_assessed |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | not_applicable |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_assessed |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_assessed |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | green |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | not_assessed |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | not_assessed |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-106 | category: 6 | carried: 80 | critical: no