defirisk.co
rubric v1.7.0

Upstream vulnerability disclosure (last 90d)

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on an episodic, event-driven cadence.

Methodology: how we score

**What this measures** This factor monitors whether the upstream protocol that this fork descends from has published a public vulnerability disclosure in the trailing 90 days that affects code the fork shares with the upstream. The assessment runs on an episodic, event-driven cadence: when a new upstream security advisory is published, the factor is re-evaluated for all downstream forks in the coverage list. The data sources are GitHub security advisories, the upstream protocol's official disclosure channels, and security advisory feeds.

**Why it matters** A fresh upstream vulnerability disclosure is an active risk elevation for all downstream forks. The 90-day trailing window captures the highest-risk period: within days of a public disclosure, sophisticated attackers scan GitHub for all forks of the affected code. The cross-hack dataset shows that fork-propagation attacks happen within 8 hours to 7 days of the original exploit in the most aggressive cases. For a depositor-facing dashboard, a live flag that 'an upstream vulnerability affecting this fork was disclosed N days ago' is one of the most actionable risk signals available -- it is a leading indicator of exploit risk with a known short time window.

**Green / Yellow / Red** Green: no upstream vulnerability disclosures in the trailing 90 days affect code shared with this fork. Yellow: an upstream disclosure exists for a medium-severity issue that affects shared code; the fork team has acknowledged the disclosure and provided a patch ETA. Red: an upstream high or critical vulnerability disclosure in the trailing 90 days affects code shared with this fork and no patch has been deployed.

**Common gray cases** This factor is gray for original protocols with no upstream, or when the upstream does not maintain a public security advisory channel and no disclosures are assessable.
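The Green / Yellow / Red / gray rules above, written out as a small scoring routine. This is an added example, not defirisk.co's own scoring code: the advisories, forks, code paths and `example.invalid` URLs are constructed, a mapping of an upstream to `None` stands in for "upstream has no public advisory channel", a config-mitigated advisory scores yellow as the confidence-signal text describes, and low-severity advisories are assumed not to elevate the rating (the rubric does not say).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

WINDOW_DAYS = 90                    # trailing window from the rubric
ELEVATING = {"high", "critical"}    # severities that produce Red when unmitigated
ORDER = {"green": 0, "yellow": 1, "red": 2}


@dataclass(frozen=True)
class Advisory:
    url: str
    severity: str                   # "low" | "medium" | "high" | "critical"
    disclosed: date
    affected_paths: frozenset       # upstream code paths the advisory names


@dataclass
class Fork:
    name: str
    upstream: Optional[str]         # None for an original protocol with no upstream
    shared_paths: frozenset         # upstream paths still present in the fork's deployed code
    patched: frozenset = frozenset()           # advisory URLs for which a patch is deployed
    acknowledged_eta: frozenset = frozenset()  # advisory URLs acknowledged with a patch ETA
    config_mitigated: frozenset = frozenset()  # advisory URLs neutralised by this fork's config


def score_fork(fork: Fork, advisories_by_upstream: Dict[str, Optional[List[Advisory]]],
               today: date) -> Tuple[str, List[dict]]:
    """Return (rating, evidence). A None advisory list means the upstream has no
    public advisory channel, so nothing is assessable (gray)."""
    if fork.upstream is None or advisories_by_upstream.get(fork.upstream) is None:
        return "gray", []
    cutoff = today - timedelta(days=WINDOW_DAYS)
    rating, evidence = "green", []
    for adv in advisories_by_upstream[fork.upstream]:
        if adv.disclosed < cutoff:
            continue                                  # outside the trailing 90-day window
        hit = adv.affected_paths & fork.shared_paths  # shared code the advisory touches
        patched = adv.url in fork.patched
        # Evidence artifact: URL + disclosure date + affected path + whether this fork is affected
        evidence.append({
            "url": adv.url, "disclosed": adv.disclosed.isoformat(),
            "days_ago": (today - adv.disclosed).days, "severity": adv.severity,
            "affected_paths": sorted(hit), "affected": bool(hit),
            "patch_deployed": patched, "ack_with_eta": adv.url in fork.acknowledged_eta,
        })
        if not hit or patched:
            continue                                  # not shared, or already patched
        if adv.url in fork.config_mitigated:
            level = "yellow"                          # shared, but this fork's config mitigates
        elif adv.severity in ELEVATING:
            level = "red"                             # high/critical, shared, no patch deployed
        elif adv.severity == "medium":
            level = "yellow"
        else:
            level = "green"                           # assumption: low severity does not elevate
        if ORDER[level] > ORDER[rating]:
            rating = level                            # the worst advisory decides the rating
    return rating, evidence


# Constructed sample data: one hypothetical upstream with three advisories.
TODAY = date(2025, 1, 31)
POOL, ROUTER, VAULT = "contracts/Pool.sol", "contracts/Router.sol", "contracts/Vault.sol"
ADV1 = Advisory("https://example.invalid/advisories/ADV-1", "critical", date(2025, 1, 19), frozenset({POOL}))
ADV2 = Advisory("https://example.invalid/advisories/ADV-2", "medium", date(2025, 1, 25), frozenset({ROUTER}))
ADV3 = Advisory("https://example.invalid/advisories/ADV-3", "critical", date(2024, 7, 1), frozenset({POOL}))
ADVISORIES = {"upstream-dex": [ADV1, ADV2, ADV3], "silent-upstream": None}

FORKS = {
    "fork-a": Fork("fork-a", "upstream-dex", frozenset({POOL, ROUTER})),
    "fork-b": Fork("fork-b", "upstream-dex", frozenset({POOL, ROUTER}),
                   patched=frozenset({ADV1.url}), acknowledged_eta=frozenset({ADV2.url})),
    "fork-c": Fork("fork-c", "upstream-dex", frozenset({VAULT})),
    "fork-d": Fork("fork-d", None, frozenset({POOL})),
    "fork-e": Fork("fork-e", "silent-upstream", frozenset({POOL})),
    "fork-f": Fork("fork-f", "upstream-dex", frozenset({POOL}), config_mitigated=frozenset({ADV1.url})),
}


def demo() -> Dict[str, str]:
    """Rate every constructed fork against the constructed advisories."""
    return {name: score_fork(fork, ADVISORIES, TODAY)[0] for name, fork in FORKS.items()}


if __name__ == "__main__":
    for name, rating in demo().items():
        print(f"{name}: {rating}")
```

`fork-a` comes out red (critical advisory, shared path, no patch), `fork-b` yellow (the critical one is patched, the medium one is still open), `fork-c` green (no shared path hit), `fork-f` yellow (config mitigates), and `fork-d` / `fork-e` gray; ADV-3 never appears in the evidence because it falls outside the 90-day window.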

**Notable historical examples** The factor's value lies in being a leading indicator, and it is most powerful in the days immediately following an upstream disclosure.

Measurement: what to look for

Determine whether the upstream has a public vulnerability disclosure in the last 90 days that affects this fork's deployed code.

Data & output

Data source: GitHub Security Advisories for upstream repo + curator monitoring of upstream protocol security announcements

Output format: Green / Yellow / Red

Evidence artifact: Advisory URL + disclosure date + affected code path + whether this fork is affected

Confidence signal: green = no active upstream disclosure in last 90 days; yellow = upstream disclosure exists but this fork's config mitigates it; red = upstream disclosure directly affects this fork's deployed code; gray = upstream not identified

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-128 |
|---|---|---|
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | green |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | not_applicable |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | not_applicable |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-128 | category: 8 | carried: 80 | critical: no