defirisk.co
rubric v1.7.0

Is-a-fork-of

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor identifies the upstream protocol that the assessed protocol forked from, if any. The determination is made via bytecode similarity comparison, function selector set analysis, and explicit declarations in the protocol's documentation or README. A fork relationship is recorded when at least 60% of core contract bytecode matches a known upstream, or when the team explicitly declares a fork origin. The upstream identity is stored as a structured reference (e.g., 'Compound Finance v2', 'Aave v3') and drives downstream factors in Category 8.

**Why it matters** Fork lineage is the anchor for the entire Category 8 assessment: knowing the upstream source determines which known vulnerability classes are relevant, which patches need to be verified as merged, and what audit gap exists between the upstream's security review and the fork's deployment. The cross-hack dataset shows that forked protocols are disproportionately represented in exploit records -- Compound forks alone account for at least four separate exploits of the same CEI reentrancy pattern across Cream Finance, Hundred Finance, Fei/Rari Fuse, and Voltage/Ola. A fork with a clear, well-known lineage gets a more precise risk assessment; an undisclosed or obfuscated fork origin is itself a risk indicator.

**Green / Yellow / Red** Green: the protocol explicitly discloses its upstream fork source with a specific commit hash or version reference, and the declared lineage is confirmed by bytecode similarity analysis. Yellow: the protocol acknowledges it is a fork but does not specify the upstream version or commit; lineage is determined by curator analysis. Red: the protocol does not disclose fork status but bytecode similarity analysis indicates a fork of a known protocol, suggesting undisclosed lineage (a transparency risk). Alternatively: no fork (original code) is Green for this field specifically.

**Common gray cases** This factor is gray only when the protocol's source code is not verified and bytecode similarity analysis cannot be reliably performed. For fully novel protocols with no fork origin, the field value is 'Original' (not gray).

**Notable historical examples**

- **Compound Finance** ($147M, 2021): Original; the source of downstream forks exploited via the same CEI reentrancy pattern.
- **Fei/Rari Fuse** ($80M, 2022): Compound Finance fork; exploited via the same exitMarket() reentrancy present in the upstream.
- **EasyFi** ($59M, 2021): Compound Finance fork; admin key risk inherited from fork architecture.
- **Radiant Capital** ($53M, 2024): Aave v2 fork; multisig compromise risk not mitigated by the fork's governance changes.
- **Uranium Finance** ($57.2M, 2021): Uniswap V2 fork on BSC; constant-product invariant modification introduced the exploited vulnerability.

Measurement: what to look for

Identify the upstream protocol this is a fork of (if any) via bytecode similarity, function-selector set overlap, or team declaration.
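One way to implement the selector-overlap check and the Green / Yellow / Red mapping described above (an added example, not defirisk.co's own tooling). The upstream names, selector values and bytecode are constructed; applying the page's 60% threshold to selector containment and treating only `PUSH4` followed by `EQ` as a dispatcher entry are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

PUSH1, PUSH4, PUSH32, EQ = 0x60, 0x63, 0x7F, 0x14
# The page's 60% fork threshold, applied here to selector containment (assumption).
FORK_THRESHOLD = 0.60


def extract_selectors(runtime_hex: str) -> set[str]:
    """Collect PUSH4 immediates that are directly followed by EQ.

    Walking opcode by opcode skips the data bytes of every PUSH, so a
    constant embedded in a PUSH32 is never mistaken for a dispatcher entry.
    """
    code = bytes.fromhex(runtime_hex.removeprefix("0x"))
    found, pc = set(), 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            if op == PUSH4 and pc + 5 < len(code) and code[pc + 5] == EQ:
                found.add(code[pc + 1:pc + 5].hex())
            pc += 1 + width
        else:
            pc += 1
    return found


def best_match(selectors: set[str], upstreams: dict[str, set[str]]):
    """Return (name, score) of the upstream whose selector set is best covered."""
    best_name, best_score = None, 0.0
    for name, ref in upstreams.items():
        score = len(selectors & ref) / len(ref) if ref else 0.0
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


@dataclass
class Assessment:
    rating: str    # green / yellow / red / gray
    upstream: str  # upstream name, "Original" or "Unknown"
    score: float   # evidence artifact: similarity score


def assess(runtime_hex, upstreams, declared_upstream=None, declared_ref=None):
    """Map disclosure plus measured overlap onto the rubric's ratings."""
    if not runtime_hex:  # nothing to analyse: similarity cannot be performed
        return Assessment("gray", declared_upstream or "Unknown", 0.0)
    name, score = best_match(extract_selectors(runtime_hex), upstreams)
    matched = name if score >= FORK_THRESHOLD else None
    if declared_upstream is None:
        if matched is None:
            return Assessment("green", "Original", score)  # no fork is Green
        return Assessment("red", matched, score)           # undisclosed lineage
    if declared_ref and matched == declared_upstream:
        return Assessment("green", declared_upstream, score)
    # Declared without version/commit -> Yellow per the rubric. A declaration
    # that the analysis does not confirm also lands here (assumption; the
    # page does not define that case).
    return Assessment("yellow", declared_upstream, score)


# ---- constructed sample data (not real contracts or selectors) ----
def dispatcher(selectors):
    """DUP1 PUSH4 <sel> EQ PUSH2 0x0000 JUMPI for each selector."""
    return "".join(f"8063{s}1461000057" for s in selectors)


LEND = ["a0000001", "a0000002", "a0000003", "a0000004", "a0000005"]
UPSTREAMS = {
    "UpstreamLend": set(LEND),                                # hypothetical
    "UpstreamSwap": {"b0000001", "b0000002", "b0000003"},     # hypothetical
}
# PUSH32 whose data happens to contain the bytes "63 a0000005 14".
DECOY = "7f" + "63a000000514" + "00" * 26
FORK_CODE = DECOY + dispatcher(LEND[:4] + ["f0000001", "f0000002"])
ORIGINAL_CODE = dispatcher(["c0000001", "c0000002"])

if __name__ == "__main__":
    print(assess(FORK_CODE, UPSTREAMS))                          # undisclosed
    print(assess(FORK_CODE, UPSTREAMS, "UpstreamLend", "v2"))    # disclosed + ref
    print(assess(FORK_CODE, UPSTREAMS, "UpstreamLend"))          # disclosed, no ref
    print(assess(ORIGINAL_CODE, UPSTREAMS))                      # original code
    print(assess("", UPSTREAMS))                                 # unverifiable
```

A naive byte search for `0x63` would count the selector hidden in `DECOY` and report 5 of 5 matches; the opcode walk reports 4 of 5.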

Data & output

- **Data source**: Bytecode similarity tool (Etherscan bytecode compare / Slither inheritance graph) + GitHub fork detection + protocol docs
- **Output format**: Green / Yellow / Red
- **Evidence artifact**: Upstream protocol name + similarity score or declaration URL
- **Confidence signal**: green = upstream clearly identified and documented; yellow = strong similarity but no explicit declaration; red = upstream not declared but bytecode similarity >80% (hidden fork); gray = not a fork (N/A) or similarity tool inconclusive

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-126 |
| --- | --- | --- |
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | not_applicable |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: 92 historical incidents

- causal · Dango (custom-L1 perpetual DEX; Grug engine on Tendermint) — Missing sign/positivity check on `donate()` input in the insurance-fund contract — negative value reversed accounting direction · 2026-04-13 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: N — from-scratch L1 using custom Grug engine; not a fork of Hyperliquid, dYdX, or any existing perp DEX]
- causal · Silo Finance (V2, soUSDC managed vault on Arbitrum) — Immutable hardcoded wstUSR oracle (pricing depegged asset ~10x reality) + supply-cap bypass via `receiver` parameter + `totalAssets()` summing externally-donated shares · 2026-04-03 · $392K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: N — original protocol; V2 meta-vault pattern is conceptually similar to MetaMorpho but not a fork]
- related · Venus Protocol — Donation Attack → Supply Cap Bypass → Collateral Inflation → Recursive Borrow Loop · 2026-03-15 · $4M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — forked from Compound]
- causal · Moonwell — Oracle Misconfiguration (Missing ETH/USD Multiplier) · 2026-02-15 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
- causal · Saga (SagaEVM / Saga Dollar) — IBC Precompile Input Validation Bypass → Infinite Mint · 2026-01-21 · $7M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — built on Ethermint (Cosmos EVM layer); vulnerability confirmed to originate there]
- causal · TMXTribe — Logic Bug — Mint/Stake/Swap Loop · 2026-01-05 · $1M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — GMX fork]
- causal · Shibarium (Bridge) — Flash Loan Validator Capture → Fraudulent Checkpoint → Bridge Drain · 2025-09-12 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Polygon PoS-derived architecture]
- causal · Credix — Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral · 2025-08-05 · $5M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Appears to be an Aave-style lending architecture (ACLManager, POOL_ADMIN, BRIDGE roles are characteristic of Aave v3); fork of Aave v3 archi...]
- related · GMX V1 — Cross-Contract Reentrancy via Order-Keeper Callback · 2025-07-09 · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes (GMX V1 widely forked across DeFi — all forks inherited same vulnerability)]
- causal · ResupplyFi — ERC4626 Donation Attack (Vault Inflation / Zero Exchange Rate) · 2025-06-25 · $10M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — integrates crvUSD/Curve infrastructure; ERC4626-based]
- causal · LNDFi (LND.fi) — Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · 2025-05-09 · $1M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Aave V3 fork]
- causal · Loopscale (formerly Bridgesplit) — Oracle Price Manipulation (RateX PT Token Pricing) · 2025-04-26 · $6M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Original protocol (not a fork)]
- causal · Zoth (RWA yield protocol) — Admin key compromise → malicious proxy contract upgrade → vault drain · 2025-03-21 · $8M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Unknown — RWA yield protocol; specific fork status not referenced]
- causal · Polter Finance — Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow · 2024-11-16 · $9M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — fork of Geist Finance (itself an Aave fork)]
- causal · Radiant Capital — Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · 2024-10-16 · $53M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Aave v2 fork]
- causal · Onyx Protocol (2nd incident) — Compound V2 empty-market donation attack — VUSD governance-added market · 2024-09-25 · $4M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound V2 fork]
- causal · Griffin AI ($GAIN token) — Fake LayerZero Peer Initialization (Cross-Chain Minting Exploit) · 2024-09-24 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Uses LayerZero OFT standard (not a fork per se, but relies on shared infrastructure)]
- causal · Astroport (on Terra Phoenix chain) — IBC hooks reentrancy — reintroduced known vulnerability in June upgrade after April patch; timeout callback re-enters token minting · 2024-07-30 · $6M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Astroport is a fork of its own earlier version; Terra using custom ibc-go fork]
- causal · ETHTrustFund (ETF) — Insider Rug Pull — Deployer Drains Treasury Smart Contract · 2024-07-21 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — OHM (Olympus DAO) fork; rebasing bond mechanism]
- causal · Rho Market — Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain · 2024-07-19 · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound Finance fork]
- causal · Velocore — Fee Multiplier Manipulation + Underflow → Liquidity Token Mint · 2024-06-02 · $7M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Balancer-style CPMM architecture]
- causal · Sonne Finance — Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · 2024-05-14 · $20M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound V2 fork]
- causal · PrismaFi — Flash Loan + Missing Input Validation (Migration Helper) · 2024-03-28 · $12M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — fork of Liquity Protocol with modifications]
- causal · Curio (CurioDAO) — Voting power privilege escalation via MakerDAO fork governance bug → mass CGT token minting · 2024-03-23 · $16M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: YES — MakerDAO governance fork (IDSChief, IDSPause)]
- causal · Seneca Protocol — Approval Exploit — Arbitrary transferFrom via Constructed Calldata · 2024-02-28 · $6M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — "battle-tested code" (their words); LST collateral CDP fork]
- causal · Ionic Money (formerly Midas) — Fake Collateral Listing (Social Engineering → On-chain Exploit) · 2024-02-04 · $7M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Midas was a lending protocol; architecture similar to Compound forks]
- causal · Radiant Capital (1st incident) — Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0 · 2024-01-02 · $5M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Aave V2 fork]
- causal · Levana Protocol — Oracle Price Delta Manipulation (Timing + Network Congestion) · 2023-12-13 · $1M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Original protocol (not a fork)]
- causal · Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool) — Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain · 2023-11-30 · $9M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: N — custom stableswap math, not a fork of standard Curve]
- causal · Onyx Protocol — Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation · 2023-10-31 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound Finance fork]
- causal · Stars Arena — Reentrancy · 2023-10-07 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — FriendTech clone]
- causal · Hypr Network — Bridge Contract Reinitialization (OP Stack Unpatched Dev Branch) · 2023-09-12 · $220K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — OP Stack fork (Optimism)]
- related · Balancer V2 (+ Beethoven X fork) — Linear pool rounding-down logic → cached rate manipulation → boosted pool drain · 2023-08-27 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: No — original Balancer; Beethoven X is a Balancer fork that was also hit]
- causal · Steadefi — Compromised Deployer Key → Ownership Transfer · 2023-08-07 · $1M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — leveraged yield farming model similar to Alpaca Finance, Beefy]
- causal · EraLend (formerly Nexon Finance) — Read-Only Reentrancy (SyncSwap LP Callback — Stale Reserves Oracle) · 2023-07-25 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — code recycled from SyncSwap; lending architecture borrowed from established patterns]
- causal · Midas Capital — Compound V2 empty-market donation attack — exchange rate inflation + rounding error in redeemUnderlying · 2023-06-17 · $600K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 / Fuse fork]
- causal · Atlantis Loans — Governance attack on abandoned protocol — attacker passed malicious proposal granting token contract control, then upgraded to drain addresses with active approvals · 2023-06-10 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Likely a Compound/Aave fork (BSC lending)]
- causal · Swaprum — Rug Pull via Malicious Contract Upgrade · 2023-05-18 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — standard AMM fork]
- causal · Merlin DEX — Insider rug — max approval drain via privileged Feeto address · 2023-04-25 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — concentrated liquidity DEX; custom code for zkSync]
- causal · Hundred Finance — ERC-4626-style cToken exchange rate manipulation + rounding error · 2023-04-15 · $7M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
- causal · SushiSwap — Malicious Callback / Arbitrary Approval Drain · 2023-04-08 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — originally forked from Uniswap V2]
- causal · Safemoon — Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain · 2023-03-28 · $9M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — BEP-20 token with custom transfer mechanics (PancakeSwap liquidity)]
- causal · Kokomo Finance — Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · 2023-03-26 · $4M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
- causal · Hope Finance — Insider Exit Scam — Malicious Fake Router Pre-Deployed · 2023-02-20 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes (Tomb fork / algorithmic stablecoin template)]
- causal · dForce Network — Read-Only Reentrancy (Curve wstETH/ETH LP Oracle Manipulation) · 2023-02-13 · $4M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Compound fork (dForce lending is Compound-inspired)]
- causal · Midas Capital — Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · 2023-01-15 · $660K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 / Fuse fork architecture]
- causal · Lodestar Finance — Oracle Price Manipulation (LP Token Donation) · 2022-12-10 · $7M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound fork]
- causal · Moola Markets — Price Manipulation (Native Token Collateral) · 2022-10-19 · $8M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Aave fork (Celo deployment)]
- causal · TempleDAO / STAX Finance — Missing access control in migrateStake() — unvalidated oldStaking parameter · 2022-10-11 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: No — TempleDAO was an OHM-fork that had pivoted to FRAX stablecoin farming; STAX was original code]
- causal · Sovryn — External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn · 2022-10-04 · $1M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — lending pool design influenced by Compound/Aave patterns adapted for RSK] || Is-a-fork-of (BTC-DeFi taxonomy partial — see PD-032) [via cross-hack: Factor 44: Bitcoin L2 / Sidechain Legacy Code Without Standard Security Patterns]
- causal · Gym Network (GymNet) — Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain · 2022-06-10 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — built on top of Alpaca Finance (yield strategy layer)]
- related · Venus Protocol + Blizz Finance (two protocols, one event) — Oracle Min-Price Floor Exploit (Stale Price Feed During Depeg) · 2022-05-12 · $14M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Venus forked from Compound; Blizz forked from Aave]
- causal · Fortress Protocol (lending arm of JetFuel Finance) — Oracle Manipulation + Malicious Governance Proposal · 2022-05-09 · $3M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — JetFuel Finance / Compound-style lending fork on BSC]
- causal · Mad Meerkat Finance (MM.Finance) — DNS Hijack / Front-End Attack (Router Address Substitution) · 2022-05-04 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Cronos DEX fork (Uniswap V2-style)]
- causal · Saddle Finance — Flash Loan + LP Token Price Manipulation (Old MetaSwapUtils Library) · 2022-05-01 · $11M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Curve Finance fork (extensively)]
- causal · Fei Protocol / Rari Capital (Fuse) — Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · 2022-04-30 · $80M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound Finance fork (Fuse uses modified Compound codebase)]
- causal · Deus DAO — Dual oracle manipulation — VWAP oracle pre-poisoned via flash swap, then on-chain AMM oracle manipulated via flash loan — to inflate DEI collateral value and borrow far beyond real collateral worth · 2022-04-28 · $13M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: No specific fork origin noted]
- causal · Voltage Finance / Ola Finance — ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update · 2022-03-31 · $4M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound fork (via Ola Finance "Compound-like instance" architecture)]
- causal · Cashio — Infinite mint via incomplete collateral validation — fake account chain bypasses all verification · 2022-03-23 · $48M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: Unknown — novel Solana stablecoin design, not a direct fork of Ethereum equivalents]
- causal · Agave DAO + Hundred Finance (dual attack) — ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain · 2022-03-15 · $12M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — both are forks (Aave V2 and Compound respectively)]
- causal · Meter (Passport Bridge) — Deposit method calldata bypass — unwrapped native token assumption not enforced in secondary deposit path · 2022-02-05 · $8M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — ChainSafe ChainBridge fork with custom modifications]
- causal · Qubit Finance — Zero-Address safeTransferFrom Logic Bug (Cross-Chain Bridge Deposit) · 2022-01-28 · $80M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — BSC lending protocol; Compound-adjacent architecture]
- causal · Arbix Finance — Insider rug pull — deployer drained user vaults and disappeared, then dumped native token via PancakeSwap · 2022-01-04 · $10M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — common BSC yield aggregator fork pattern]
- causal · Grim Finance — Reentrancy · 2021-12-18 · $30M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Beefy Finance fork]
- causal · 8ight Finance — Admin key compromise — private key shared via Facebook chat and Google Drive → treasury drain · 2021-12-07 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Olympus DAO fork]
- causal · Snowdog (SnowdogDAO) — Insider front-running — privileged challengeKey knowledge + custom AMM sniping · 2021-11-25 · $21M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — OHM fork (Snowbank); custom AMM forked from Uniswap V2]
- causal · Indexed Finance — Flash Loan — Rebalancing Delay Pool Oracle Manipulation · 2021-10-14 · $16M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes (Balancer BPool fork with custom rebalancing logic)]
- related · Compound Finance — Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir · 2021-09-29 · $147M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: N — Compound is the original; many others forked from it]
- causal · Cream Finance — ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update · 2021-08-30 · $19M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: Compound V2 fork]
- causal · Cream Finance — ERC-777 Reentrancy (Token Integration Vulnerability) · 2021-08-30 · $19M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Cream Finance is a fork of Compound Finance]
- causal · Punk Protocol — Unprotected initialize() — delegateCall Forge Address Override · 2021-08-10 · $9M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — built on Compound infrastructure]
- causal · PancakeBunny (Polygon deployment — polyBUNNY) — Flash Loan + Reward Minting Manipulation (Performance Fee Inflation) · 2021-07-18 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Polygon deploy is essentially same codebase as BSC]
- causal · Merlin Labs (REKT 3) — Reward Minting Manipulation (Balance Inflation) · 2021-06-29 · $330K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — PancakeBunny fork]
- causal · SafeDollar — Infinite Mint via Fee-on-Transfer Reward Accounting Bug · 2021-06-28 · $248K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — fork of algorithmic stablecoin model (Basis/ESD family)]
- causal · StableMagnet — Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain · 2021-06-24 · $27M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Curve/Saddle stableswap fork]
- causal · Eleven Finance (11) — emergencyBurn() missing balance accounting — ghost withdrawal double-spend · 2021-06-14 · $5M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — forked from PancakeBunny / standard BSC yield aggregator pattern]
- causal · AutoShark Finance — Flash loan + SharkMinter balance spoofing → excess native token minting · 2021-06-01 · $745K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — direct fork of PancakeBunny (which had been exploited 8 hours earlier by the same vector)]
- causal · Levyathan Finance — Exposed Private Key + Minting + emergencyWithdraw Bug · 2021-06-01 · $2M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — generic yield farm fork (MasterChef style)]
- causal · Belt Finance — Flash Loan + Price/Share Manipulation (Incorrect Share Valuation) · 2021-05-29 · $6M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — described as "fork of a fork"]
- causal · BurgerSwap — Reentrancy via non-standard BEP-20 + missing x*y=k invariant check · 2021-05-28 · $7M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Uniswap V2 fork with the x*y≥k invariant check deliberately or accidentally removed]
- causal · Merlin Labs (REKT 2) — Oracle Mispricing · 2021-05-27 · $550K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — PancakeBunny fork]
- causal · Merlin Labs — External token balance spoofing → excess native token minting · 2021-05-26 · $680K · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — PancakeBunny fork]
- causal · PancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · 2021-05-19 · $45M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — BSC yield aggregator forking concepts from Yearn and Bunny-style vaults]
- causal · bEarnFi (BvaultsBank) — Logic bug — token denomination mismatch between vault and strategy layers · 2021-05-16 · $18M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: Y — described as "copied code" from other BSC protocols; typical BSC fork pattern]
- causal · Value DeFi — Bancor Power Function Misuse (Weighted AMM Invariant Bypass) · 2021-05-08 · $11M · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Bancor formula adapted; Uniswap V2 base with weighted pool extension]
causalValue DeFi — Uninitialized Pool Re-initialization (Missing initialized = true)2021-05-05 · $10M · Uninitialized Pool Re-initialization (Missing initialized = true) · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — code migrated/forked from own earlier implementation]
causalUranium Finance — Math bug — constant product formula check broken by inconsistent parameter change (1000→10000)2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Uniswap V2 fork on BSC]
causalEasyFi (Easy Network) — Admin key theft via compromised machine (malicious MetaMask binary)2021-04-19 · $59M · Admin key theft via compromised machine (malicious MetaMask binary) · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound Finance fork]
causalBT Finance + Growth DeFi (two separate hacks, one article) — BT Finance: Flash Loan Price Manipulation; Growth DeFi: Fake Token LP Injection2021-02-09 · $2M · BT Finance: Flash Loan Price Manipulation; Growth DeFi: Fake Token LP Injection · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — both are yield aggregator forks of common patterns]
causalCompounder Finance — Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)2020-12-02 · $12M · Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull) · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Yearn Finance fork (yield aggregator architecture with Vaults, Strategies, and StrategyController)]
causalPickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Pickle Jars are a fork of Yearn's yVaults]
causalHarvest Finance — Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain2020-10-26 · $34M · Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain · Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — inspired by Yearn Finance vault architecture]
rubric_version: v1.7.0 · factor: RD-F-126 · category: 8 · carried: 80 · critical: no