defirisk.co
rubric v1.7.0

New contract deploys in last 30 days

A post-deploy hygiene & change mgmt factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Methodology: how we score

**What this measures** This factor counts the number of new contracts deployed for the protocol in the trailing 30 days — fresh attack surface that has had minimal battle-testing time. The count is derived from on-chain new-deploy events associated with addresses in the protocol's ownership or factory registry. New deploys represent code that is neither covered by prior exploit history nor, in most cases, by the protocol's most recent audit if the audit predates the deployment.

**Why it matters** New contract deployments in the trailing 30 days are one of the most reliable short-term risk elevation signals in the evidence base. The synthesis identifies "newly deployed or unannounced contract" as the third-most common risk factor by incident count across the dataset, appearing in 9 hacks. Euler's donateToReserves vulnerability was introduced in a deployment upgrade. Compound's proposal-62 bug was in a fresh Comptroller upgrade. Hedgey Finance's post-audit vulnerability was in a newly deployed contract version. The 30-day window captures the period of maximum risk: the code is live on mainnet, accumulating TVL, but has not been tested by the adversarial environment for long enough to surface edge-case vulnerabilities through natural use.

**Green / Yellow / Red** Green is assigned when no new contracts were deployed in the trailing 30 days, or when any new deployment was fully covered by a professional audit completed after the deploy. Yellow covers 1–2 new deployments with documented audit coverage of the changed components, or peripheral contracts with no direct access to user funds. Red is assigned when 3 or more new contracts were deployed in the trailing 30 days without audit coverage, or when any new deployment directly handles user funds or admin authority without post-deploy audit.

**Common gray cases** This factor is grayed when the protocol's deployment architecture uses a factory pattern that generates large numbers of user-specific contracts (e.g., Uniswap pools), where the factory-deployed count is not meaningful as a protocol-level risk signal.

**Notable historical examples**

- **Euler Finance** ($197M, 2023): Vulnerability introduced in the donateToReserves upgrade deployed prior to exploit.
- **Compound Finance** ($147M at risk, 2021): Proposal 62 fresh Comptroller upgrade introduced the distribution bug.
- **Hedgey Finance** ($44.7M, 2024): Post-audit contract version deployed without re-audit; vulnerability resided in the new version.
- **PancakeBunny** ($45M, 2021): VaultFlipToFlip upgrade unaudited by Haechi.

Measurement: what to look for

Count the number of new contract deploys associated with this protocol's deployer address in the trailing 30 days.

Data & output

- **Data source:** Etherscan `txlist` for the deployer address, filtered by `contractAddress != null` and restricted to the last 30 days
- **Output format:** Green / Yellow / Red
- **Evidence artifact:** List of new contract addresses + deploy tx hashes + timestamps
- **Confidence signal:** green = 0–2 new deploys (normal cadence); yellow = 3–5 new deploys; red = ≥6 new deploys (large fresh attack surface without explanation); gray = deployer address not identified
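Added example (not defirisk.co's own scoring code) that applies the measurement above to an Etherscan-style `txlist` result: it keeps only contract-creation transactions sent by the deployer inside the trailing 30-day window, builds the evidence artifact (address, deploy tx hash, timestamp) and maps the count to the Data & output thresholds. Field names follow Etherscan's `account/txlist` response; skipping reverted creations via `isError`, and the deployer address, timestamps and transactions, are constructed assumptions for the demo.

```python
"""Score the "New contract deploys in last 30 days" factor from an Etherscan-style txlist."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Deploy:
    """One row of the evidence artifact: contract address + deploy tx hash + timestamp."""
    contract: str
    tx_hash: str
    deployed_at: datetime


def is_contract_creation(tx: dict, deployer: str) -> bool:
    """True for a successful contract-creation tx sent by `deployer`.

    Etherscan's txlist marks a creation with an empty `to` and a populated
    `contractAddress`. `isError == "1"` means the creation reverted and left
    no code behind, so it is not fresh attack surface (assumption for this demo).
    """
    return (
        bool(tx.get("contractAddress"))
        and not tx.get("to")
        and tx.get("from", "").lower() == deployer.lower()
        and tx.get("isError", "0") != "1"
    )


def recent_deploys(deployer: str, txlist: list, as_of: datetime) -> list:
    """Contract creations by `deployer` inside the trailing 30-day window ending at `as_of`."""
    cutoff = as_of - WINDOW
    found = []
    for tx in txlist:
        if not is_contract_creation(tx, deployer):
            continue
        ts = datetime.fromtimestamp(int(tx["timeStamp"]), tz=timezone.utc)
        if cutoff <= ts <= as_of:
            found.append(Deploy(tx["contractAddress"].lower(), tx["hash"], ts))
    return sorted(found, key=lambda d: d.deployed_at)


def score(count: int) -> str:
    """Count thresholds from the Data & output section."""
    if count <= 2:
        return "green"    # 0-2 new deploys: normal cadence
    if count <= 5:
        return "yellow"   # 3-5 new deploys
    return "red"          # >=6 new deploys: large fresh attack surface without explanation


def assess(deployer: Optional[str], txlist: list, as_of: datetime) -> dict:
    """Return status, count and the evidence artifact for one protocol."""
    if not deployer:
        return {"status": "gray", "count": 0, "evidence": []}   # deployer address not identified
    deploys = recent_deploys(deployer, txlist, as_of)
    return {"status": score(len(deploys)), "count": len(deploys), "evidence": deploys}


def evidence_lines(deploys: list) -> list:
    """Render the evidence artifact, one deploy per line."""
    return [f"{d.contract} {d.tx_hash} {d.deployed_at.isoformat()}" for d in deploys]


# --- constructed sample input (placeholder addresses, not real chain data) -----------
AS_OF = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)
DEPLOYER = "0x" + "ab" * 20   # placeholder deployer address


def _ts(days_ago: int) -> str:
    return str(int((AS_OF - timedelta(days=days_ago)).timestamp()))


def _creation(i: int, days_ago: int, is_error: str = "0") -> dict:
    return {"hash": "0x" + f"{i:064x}", "from": DEPLOYER, "to": "",
            "contractAddress": "0x" + f"{i:040x}", "timeStamp": _ts(days_ago),
            "isError": is_error}


SAMPLE_TXLIST = [
    _creation(1, 2), _creation(2, 9), _creation(3, 17), _creation(4, 29),
    _creation(5, 45),                 # outside the 30-day window
    _creation(6, 5, is_error="1"),    # reverted creation, no code deployed
    {"hash": "0x" + f"{7:064x}", "from": DEPLOYER, "to": "0x" + f"{1:040x}",
     "contractAddress": "", "timeStamp": _ts(1), "isError": "0"},   # ordinary call, not a deploy
]

if __name__ == "__main__":
    result = assess(DEPLOYER, SAMPLE_TXLIST, AS_OF)
    print(result["status"], result["count"])
    print("\n".join(evidence_lines(result["evidence"])))
```

On the constructed sample the four in-window creations score yellow; the 45-day-old deploy, the reverted creation and the ordinary call are excluded from the evidence artifact.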

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-146 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | gray |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | not_assessed |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | green |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | green |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | green |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks (82 historical incidents)

- **Kelp DAO (rsETH liquid restaking)** (related) · 2026-04-18 · $292M · Forged cross-chain message via LayerZero EndpointV2 lzReceive — exploitation of 1/1 DVN (single-validator) configuration · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the 1/1 DVN configuration had been in place at least since Jan 2025 (when flagged); this was a long-latent misconfiguration, not a new d...]
- **Dango (custom-L1 perpetual DEX; Grug engine on Tendermint)** (related) · 2026-04-13 · $2M · Missing sign/positivity check on `donate()` input in the insurance-fund contract — negative value reversed accounting direction · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — perps contract live ~90 days at exploit (since Alpha Mainnet)]
- **Hyperbridge (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1)** (related) · 2026-04-13 · $3M · Smart-contract proof-verification bypass — MMR bounds-check failure + missing proof-to-request binding + zero challenge period + single-step admin transfer · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the HandlerV1 design flaws were longstanding, not from a recent upgrade]
- **Silo Finance (V2, soUSDC managed vault on Arbitrum)** (related) · 2026-04-03 · $392K · Immutable hardcoded wstUSR oracle (pricing depegged asset ~10x reality) + supply-cap bypass via `receiver` parameter + `totalAssets()` summing externally-donated shares · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — V2 managed-vault architecture ~12 months old; wstUSR market configuration newer]
- **Drift Protocol (Solana perpetual futures DEX)** (related) · 2026-04-01 · $285M · Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Security Council migrated to 2/5 threshold with zero timelock approximately 6 days before exploit]
- **Solv Protocol (BRO vault)** (related) · 2026-03-05 · $3M · ERC-3525 Callback Reentrancy — Double Mint (onERC721Received fires before state update) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — BRO vault was a newer product added after main audits]
- **Makina Finance** (related) · 2026-01-20 · $4M · Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- **USPD** (related) · 2025-12-04 · $1M · CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — proxy deployment (the deployment event itself was the vulnerability)]
- **GANA Payment** (related) · 2025-11-20 · $3M · Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — entire protocol was 9 days old; all code was newly deployed]
- **New Gold Protocol (NGP)** (related) · 2025-09-17 · $2M · Flash loan + spot price oracle manipulation + broken transfer logic (dead address bypass of buy limits) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed]
- **Credix** (related) · 2025-08-05 · $5M · Admin Privilege Abuse — Bridge Role Minting Unbacked Collateral · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — Credix was new to Sonic chain; deployment recency unconfirmed]
- **GMX V1** (illustrative) · 2025-07-09 · Cross-Contract Reentrancy via Order-Keeper Callback · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: No new deployment — but code significantly changed since last audit]
- **ResupplyFi** (related) · 2025-06-25 · $10M · ERC4626 Donation Attack (Vault Inflation / Zero Exchange Rate) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — wstUSR market contract deployed ~2 hours before exploit]
- **Hacken ($HAI token)** (related) · 2025-06-20 · $170K · Bridge private key leak from decommissioned server → unauthorized token minting → dump · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — bridge architectural migration in progress at time of incident; old server credentials not rotated]
- **Cork Protocol** (related) · 2025-05-28 · $12M · Fake token injection → exchange rate manipulation via unvalidated CorkHook input · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — CorkHook appears to have been a core component not covered by audits rather than a new deployment]
- **MobiusDAO** (related) · 2025-05-11 · $2M · Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed; 3 days old]
- **Abracadabra Money** (related) · 2025-03-25 · $13M · Logic bug — phantom collateral / post-liquidation state inconsistency · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — gmCauldron integration with GMX was a relatively new module]
- **Zoth (RWA yield protocol)** (related) · 2025-03-21 · $8M · Admin key compromise → malicious proxy contract upgrade → vault drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the attacker deployed a malicious implementation contract and upgraded the proxy to it immediately before the drain]
- **zkLend** (related) · 2025-02-11 · $10M · Empty market accumulator inflation via flash loan donation mechanism + rounding error → collateral inflation → drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Partially — wstETH market was newly added to Starknet; the combination of new empty market + existing accumulator logic created the exploit ...]
- **Polter Finance** (related) · 2024-11-16 · $9M · Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — BOO market was a new addition]
- **Radiant Capital** (related) · 2024-10-16 · $53M · Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade was the attack vector; but the underlying contract's upgrade mechanism was a design feature]
- **Bedrock (uniBTC vault)** (related) · 2024-09-25 · $2M · Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint) · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- **Shezmu** (related) · 2024-09-20 · $5M · Unrestricted Collateral Minting in CDP Vault · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — contract upgrade 17 days before exploit (may be related)]
- **Penpie** (related) · 2024-09-03 · $27M · Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Likely Y — the `batchHarvestMarketRewards()` function appears to be a later addition]
- **Ronin Network (Bridge)** (related) · 2024-08-06 · $12M · Uninitialized Variable in Contract Upgrade (initializeV3 Skipped) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — bridge upgrade deployed 6 days before exploit]
- **Rho Market** (related) · 2024-07-19 · Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — newly deployed oracle configuration contained the error]
- **Sonne Finance** (related) · 2024-05-14 · $20M · Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — New VELO market was being activated; the vulnerability existed in the base Compound V2 fork code activated by the new market]
- **Hedgey Finance** (related) · 2024-04-19 · $45M · Unverified User Input — Flash Loan Enabled Approval Manipulation · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — post-audit contract version]
- **Grand Base** (related) · 2024-04-15 · $2M · Deployer wallet private key leak → unauthorized token minting → dump · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — token contract had existing minting rights; no new deployment]
- **PrismaFi** (related) · 2024-03-28 · $12M · Flash Loan + Missing Input Validation (Migration Helper) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MigrateTroveZap contract deployed within the week before the attack]
- **Unizen** (related) · 2024-03-08 · $2M · Unvalidated external call in upgraded DEX Aggregation contract — approval drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — gas optimization upgrade deployed immediately before exploit]
- **WooFi (WooPPV2)** (related) · 2024-03-05 · $9M · Flash loan → WOO oracle price manipulation → pool swap drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the core WooPPV2 contract predates the exploit; the new risk factor was the newly added WOO lending market which changed the economic at...]
- **Seneca Protocol** (related) · 2024-02-28 · $6M · Approval Exploit — Arbitrary transferFrom via Constructed Calldata · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — core Chamber contract; no recent upgrade]
- **Socket (Bungee Bridge)** (related) · 2024-01-16 · $3M · Unvalidated user input in new route — transferFrom injection via approval drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Vulnerable route added 3 days before exploit]
- **OKX DEX (OKX Decentralized Exchange Aggregator)** (related) · 2023-12-13 · $3M · Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed by attacker]
- **Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool)** (related) · 2023-11-30 · $9M · Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — abandoned legacy code, no recent changes]
- **Unibot** (related) · 2023-10-31 · $640K · Unvalidated arbitrary call in new router — transferFrom injection via approval drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — new router deployed 3 days before exploit]
- **Onyx Protocol** (related) · 2023-10-31 · $2M · Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Proposal 22 added the PEPE market days before the exploit]
- **Stars Arena** (related) · 2023-10-07 · $3M · Reentrancy · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — second exploit used contract deployed as "fix" for first exploit, hours before attack]
- **Exactly Protocol** (related) · 2023-08-18 · $7M · Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — DebtManager was a new periphery feature added without undergoing an audit first]
- **RocketSwap** (related) · 2023-08-14 · $869K · Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — farming contracts were newly deployed on Base]
- **Zunami Protocol** (related) · 2023-08-13 · $2M · Flash loan + SDT token swap → totalHoldings price calculation manipulation → zETH/UZD LP price manipulation → drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MimCurveStakeDAO strategy was added after the primary audit]
- **Steadefi** (related) · 2023-08-07 · $1M · Compromised Deployer Key → Ownership Transfer · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — standard vault ownership pattern exploited; no recent upgrade]
- **DeFiLabs** (related) · 2023-07-27 · $2M · Backdoor Function in Staking Contract (Insider Rug Pull) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vPoolv6 was a new contract version, deployed and actively used but never audited]
- **EraLend (formerly Nexon Finance)** (related) · 2023-07-25 · $3M · Read-Only Reentrancy (SyncSwap LP Callback — Stale Reserves Oracle) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — recent zkSync Era launch]
- **Jimbo's Protocol** (related) · 2023-05-28 · $8M · Flash loan + missing slippage control in rebalancing function → liquidity drain · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- **Swaprum** (related) · 2023-05-18 · $3M · Rug Pull via Malicious Contract Upgrade · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed immediately before drain]
- **Deus DAO / DEI stablecoin** (related) · 2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the vulnerable burnFrom function was introduced in an upgrade approximately 1 month before the exploit]
- **Merlin DEX** (related) · 2023-04-25 · $2M · Insider rug — max approval drain via privileged Feeto address · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — pools deployed fresh for the LGE]
- **SushiSwap** (related) · 2023-04-08 · $3M · Malicious Callback / Arbitrary Approval Drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — RouteProcessor2 was 4 days old at time of exploit]
- **Safemoon** (related) · 2023-03-28 · $9M · Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the vulnerability was introduced by the upgrade deployed 6 hours before the attack]
- **Kokomo Finance** (related) · 2023-03-26 · $4M · Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- **Euler Finance** (illustrative) · 2023-03-13 · $197M · Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded (Y/N + detail): YES — The vulnerability was introduced in EIP-14 (the `donateToReserves` function), deployed as an upgrade prior to the hack. Not in the o...]
- **Hope Finance** (related) · 2023-02-20 · $2M · Insider Exit Scam — Malicious Fake Router Pre-Deployed · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — fresh launch deployment]
- **Dexible** (related) · 2023-02-17 · $2M · Unvalidated router — selfSwap() transferFrom injection via approval drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — v2 contracts introduced the selfSwap() function days before exploit]
- **Midas Capital** (related) · 2023-01-15 · $660K · Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — newly added collateral type (WMATIC-stMATIC Curve LP) enabled shortly before exploit]
- **Team Finance** (related) · 2022-10-27 · $16M · Flawed migrate() function — Uniswap V2→V3 migration with skewed price manipulation · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — The V2→V3 migration feature was a relatively recent addition]
- **TempleDAO / STAX Finance** (related) · 2022-10-11 · $2M · Missing access control in migrateStake() — unvalidated oldStaking parameter · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — STAX was a newer application layer built atop TempleDAO, deployed June 2022]
- **Gym Network (GymNet)** (related) · 2022-06-10 · $2M · Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — new Single Pool Contract with Claim and Pool feature deployed 2 days before exploit]
- **Fei Protocol / Rari Capital (Fuse)** (related) · 2022-04-30 · $80M · Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the March 2022 partial patch modified CToken and Comptroller but left `exitMarket()` uncovered]
- **Deus DAO** (related) · 2022-04-28 · $13M · Dual oracle manipulation — VWAP oracle pre-poisoned via flash swap, then on-chain AMM oracle manipulated via flash loan — to inflate DEI collateral value and borrow far beyond real collateral worth · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: YES — the Muon oracle was newly integrated specifically after the first exploit as a security fix (announced live March 19, 2022; exploite...]
- **Badger DAO (Bitcoin-yield vaults on Ethereum)** (related) · 2021-12-02 · $120M · Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: N — existing vault contracts; the attack vector was the front-end, not a new contract]
- **MonoX** (related) · 2021-11-30 · $31M · Native token self-swap price inflation — tokenIn/tokenOut identity bypass · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — MONO token was recently launched (weeks before hack)]
- **Snowdog (SnowdogDAO)** (related) · 2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Entire protocol was 8 days old; custom AMM deployed specifically for the buyback]
- **Compound Finance** (illustrative) · 2021-09-29 · $147M · Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — bug was introduced by Proposal 62, a fresh Comptroller upgrade]
- **Cream Finance** (related) · 2021-08-30 · $19M · ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: YES — AMP token integration deployed via governance proposal Feb 10, 2021; exploit Aug 30, 2021. The integration was ~6.5 months old but w...]
- **Cream Finance** (related) · 2021-08-30 · $19M · ERC-777 Reentrancy (Token Integration Vulnerability) · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — AMP token integration added via governance Feb 10, 2021, six months before exploit; the new token type introduced the reentrancy surface]
relatedPunk Protocol — Unprotected initialize() — delegateCall Forge Address Override2021-08-10 · $9M · Unprotected initialize() — delegateCall Forge Address Override · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — protocol just launched]
relatedTHORChain — Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse2021-07-26 · $8M · Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — same MCCN Bifrosts, new vulnerability found by different attacker in same unaudited component]
relatedTHORChain — ETH Bifrost override loop — msg.value spoofing via wrapped router2021-07-16 · $5M · ETH Bifrost override loop — msg.value spoofing via wrapped router · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MCCN Bifrosts were a new deployment, never audited]
relatedSafeDollar — Infinite Mint via Fee-on-Transfer Reward Accounting Bug2021-06-28 · $248K · Infinite Mint via Fee-on-Transfer Reward Accounting Bug · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — protocol was newly launched]
relatedStableMagnet — Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain2021-06-24 · $27M · Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious library was the original deployment]
relatedPancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting2021-05-19 · $45M · Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — VaultFlipToFlip was a new upgrade not audited by Haechi]
relatedbEarnFi (BvaultsBank) — Logic bug — token denomination mismatch between vault and strategy layers2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — rekt report does not specify recent deployment]
relatedValue DeFi — Uninitialized Pool Re-initialization (Missing initialized = true)2021-05-05 · $10M · Uninitialized Pool Re-initialization (Missing initialized = true) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vStake pool was a new deployment (migration from old implementation)]
relatedUranium Finance — Math bug — constant product formula check broken by inconsistent parameter change (1000→10000)2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Bug introduced in v2 migration ~10 days before exploit]
relatedAlpha Finance / Alpha Homora V2 (leveraged yield farming) — Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — HomoraBankV2 with sUSD pool was newly deployed and not yet publicly accessible]
relatedYearn Finance (yDAI v1 vault) — Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration2021-02-04 · $11M · Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the vulnerability was enabled by a configuration change (migration fee removal), not a new deployment]
relatedCompounder Finance — Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)2020-12-02 · $12M · Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull) · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — 7 malicious strategy contracts were deployed post-audit specifically to enable the rug]
relatedPickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — ControllerV4 added Oct 23, 2020, post-audit]
relatedOrigin Protocol (OUSD) — Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain2020-11-17 · $8M · Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain · New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the validation bug was introduced during a refactoring pass (gas optimization) shortly before the hack]
relatedEminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle)2020-09-28 · $15M · Flash loan + bonding curve arbitrage (buy/burn/sell cycle) · New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — deployed day of exploit]
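As an added check (example code, not defirisk.co's own tooling): the trailing-30-day test applied to the deploy and exploit dates the entries above state, plus a constructed deploy history that shows the sliding-window count a monitor would alert on. The boundary rule, whether a deploy exactly 30 days old still counts, is an assumption exposed as a flag because it decides the Pickle Finance case: ControllerV4 went live 30 days before the exploit. The Cream Finance and Deus DAO entries are tagged Y for "newly deployed" yet their deploys (201 and 40 days before the exploit) fall outside a strict 30-day window, so the dashboard tag and the metric answer different questions. The Gym Network deploy date is derived from "2 days before exploit", and `SAMPLE_DEPLOY_DATES` is made up for the sliding-window demonstration.

```python
"""Trailing-window check for the 'new deploys in last 30 days' factor.

Added example, not defirisk.co tooling. Incident dates are the ones stated
in the entries on this page; the Gym Network deploy date is derived from
"deployed 2 days before exploit". The boundary rule (`inclusive`) is an
assumption, and SAMPLE_DEPLOY_DATES is constructed, not real protocol data.
"""
from __future__ import annotations

from datetime import date

WINDOW_DAYS = 30


def lag_days(deployed: date, as_of: date) -> int:
    """Days from a deployment to the as-of date; negative if it is in the future."""
    return (as_of - deployed).days


def in_trailing_window(deployed: date, as_of: date,
                       days: int = WINDOW_DAYS, inclusive: bool = True) -> bool:
    """True if the deploy lies in the trailing window that ends at as_of.

    inclusive=True keeps a deploy exactly `days` old; inclusive=False drops it.
    """
    lag = lag_days(deployed, as_of)
    if lag < 0:
        return False
    return lag <= days if inclusive else lag < days


def count_in_window(deploy_dates, as_of: date,
                    days: int = WINDOW_DAYS, inclusive: bool = True) -> int:
    """Number of deploys inside the trailing window ending at as_of."""
    return sum(1 for d in deploy_dates if in_trailing_window(d, as_of, days, inclusive))


def peak_window_count(deploy_dates, days: int = WINDOW_DAYS, inclusive: bool = True):
    """Largest trailing-window count reached at any deploy date, and that date.

    Sliding window over the sorted dates: `start` is advanced past deploys
    that have aged out of the window ending at dates[i]. Returns (0, None)
    for an empty history.
    """
    dates = sorted(deploy_dates)
    best, best_at, start = 0, None, 0
    for i, d in enumerate(dates):
        while not in_trailing_window(dates[start], d, days, inclusive):
            start += 1
        if i - start + 1 > best:
            best, best_at = i - start + 1, d
    return best, best_at


# (exploit date, deploy date) as stated in the entries on this page.
INCIDENTS = {
    "Pickle Finance / ControllerV4": (date(2020, 11, 22), date(2020, 10, 23)),
    "Cream Finance / AMP integration": (date(2021, 8, 30), date(2021, 2, 10)),
    "Deus DAO / Muon oracle": (date(2022, 4, 28), date(2022, 3, 19)),
    "Eminence Finance / EMN": (date(2020, 9, 28), date(2020, 9, 28)),
    # Derived: the entry says "2 days before exploit", no explicit deploy date.
    "Gym Network / Single Pool (derived)": (date(2022, 6, 10), date(2022, 6, 8)),
}

# Constructed deploy history for one hypothetical deployer (not real data).
SAMPLE_DEPLOY_DATES = [
    date(2024, 1, 1), date(2024, 1, 10), date(2024, 1, 31),
    date(2024, 2, 1), date(2024, 3, 15),
]


def classify_incidents(inclusive: bool = True) -> dict[str, tuple[int, bool]]:
    """Deploy-to-exploit lag in days and whether it lands in the 30-day window."""
    return {
        name: (lag_days(dep, exp), in_trailing_window(dep, exp, inclusive=inclusive))
        for name, (exp, dep) in INCIDENTS.items()
    }


if __name__ == "__main__":
    for name, (lag, hit) in classify_incidents().items():
        print(f"{name:40s} lag {lag:3d} d  in window: {hit}")
    print("peak (inclusive):", peak_window_count(SAMPLE_DEPLOY_DATES))
    print("peak (exclusive):", peak_window_count(SAMPLE_DEPLOY_DATES, inclusive=False))
```

Whoever reproduces the factor from on-chain events should pin the boundary rule down in writing, since the inclusive and exclusive variants place the constructed history's peak on different days and flip the Pickle Finance entry, and should treat the dashboard's "newly deployed/upgraded" note as a looser, analyst-assigned flag rather than the 30-day count itself.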
rubric_version: v1.7.0 · factor: RD-F-146 · category: 9 · carried: 80 · critical: no