defirisk.co
rubric v1.7.0

Attacker wallet pre-strike probe (low-gas failing txs)

A threat intelligence & recon factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when a wallet in the threat-actor cluster sends low-gas or deliberately failing transactions to the monitored protocol — a pattern consistent with pre-strike testing of contract state, function reverts, and gas estimation for exploit transaction sizing. Detection requires mempool monitoring combined with threat-actor cluster cross-referencing. Low-gas failing transactions are identified as transactions with a gas limit below the expected minimum for the called function. Category 11 context: mempool probing is a documented reconnaissance behavior where the attacker tests the vulnerable state before committing full capital to the exploit.

**Why it matters** Radiant Capital II ($53M) includes the clearest example: a failed exploit attempt occurred six days before the successful attack, and the preparation window was ignored. The Deus DAO 2 oracle pre-poisoning transaction (four minutes before the main attack) represents a different variant of pre-strike testing. The T-01 synthesis identifies three in-sample hack precedents for this pattern. Failing transactions sent by threat-actor cluster addresses are among the highest-specificity signals available — legitimate users do not intentionally send failing transactions — but the signal requires both mempool access and a current threat-actor cluster, making it PH curation.

**Green / Yellow / Red** Green is the baseline when no threat-actor cluster addresses are sending failing transactions to the protocol in the current mempool observation window. Yellow fires when low-gas failing transactions are detected from an unclassified address at a rate inconsistent with normal testing patterns — possibly a researcher or arbitrageur probing for MEV. Red fires when a confirmed threat-actor cluster address sends one or more low-gas failing transactions to a protocol contract, particularly if the function being probed corresponds to a known vulnerability class for this protocol architecture.

**Common gray cases** Gray applies when mempool observation is not available for the protocol's chain (private mempools, some L2 sequencers), or when the threat-actor cluster lacks an entry for the specific address pattern observed.
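
The Green / Yellow / Red / Gray rules above written as window-scoring logic. This is an added Python example, not defirisk.co's own code. The gas floors, selectors, addresses, cluster label and the Yellow rate threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    tx_hash: str
    sender: str
    selector: str   # 4-byte selector of the called function
    gas_limit: int
    timestamp: int

# All values below are constructed for illustration (assumptions, not rubric data).
MIN_GAS = {"0xaaaaaaaa": 90_000, "0xbbbbbbbb": 150_000}  # expected minimum gas per function
ACTOR = "0x" + "bad0" * 10                               # placeholder CTI-flagged wallet
CLUSTER = {ACTOR: "cluster-placeholder"}                 # address -> CTI cluster label
YELLOW_MIN_PROBES = 3   # assumed per-window rate that is "inconsistent with normal testing"

def is_probe(tx, min_gas=MIN_GAS):
    """Low-gas test from the page: gas limit below the called function's expected minimum."""
    floor = min_gas.get(tx.selector)
    return floor is not None and tx.gas_limit < floor   # unknown selector: cannot judge

def score_window(txs, cluster=CLUSTER, mempool_available=True):
    """Return (status, evidence) for one mempool observation window."""
    if not mempool_available or cluster is None:
        return "gray", []                      # no mempool view or no CTI feed configured
    probes = [t for t in txs if is_probe(t)]
    flagged = [t for t in probes if t.sender.lower() in cluster]
    if flagged:                                # one probe from a cluster address is enough
        return "red", [{"wallet": t.sender, "tx_hash": t.tx_hash,
                        "cti_label": cluster[t.sender.lower()],
                        "timestamp": t.timestamp} for t in flagged]
    by_sender = defaultdict(list)
    for t in probes:
        by_sender[t.sender.lower()].append(t.tx_hash)
    noisy = {s: h for s, h in by_sender.items() if len(h) >= YELLOW_MIN_PROBES}
    if noisy:                                  # unclassified sender probing repeatedly
        return "yellow", [{"wallet": s, "tx_hashes": h} for s, h in sorted(noisy.items())]
    return "green", []

USER = "0x" + "1234" * 10                      # constructed unclassified wallet
SAMPLE = [
    Tx("0xhash01", USER, "0xaaaaaaaa", 120_000, 1_700_000_000),   # normal call
    Tx("0xhash02", ACTOR, "0xbbbbbbbb", 30_000, 1_700_000_012),   # low-gas, cluster wallet
]

if __name__ == "__main__":
    print(score_window(SAMPLE))
```

The Red evidence records carry the fields the factor lists as its evidence artifact: flagged wallet, failing tx hash, CTI cluster label and timestamp.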

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect whether a wallet in a threat-actor cluster is sending low-gas or intentionally-failing transactions to this protocol (pre-strike reconnaissance pattern).

Data & output

**Data source** Mempool + on-chain failed-tx scan for protocol contracts from CTI-flagged addresses

**Output format** Green / Yellow / Red

**Evidence artifact** Flagged wallet + failing tx hash + CTI cluster label + timestamp

**Confidence signal** green = signal not firing; red = pre-strike probe pattern detected; gray = CTI feed or mempool monitoring not configured

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-159 |
| --- | --- | --- |
| Aave v3 | ethereum | gray |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | not_assessed |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_assessed |
| Jupiter | solana | not_assessed |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | not_assessed |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | gray |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | green |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | gray |
| Meteora | solana | green |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | gray |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | not_assessed |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | green |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0; factor: RD-F-159; category: 11; carried: 80; critical: no