defirisk.co
rubric v1.7.0

Avg attacker reconnaissance time for peer-class protocols

A threat intelligence & recon factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This static factor records the average number of days of documented reconnaissance activity — on-chain probing, test transactions, mixer wallet preparation — by attacker-labeled wallets before executing a strike on peer-class protocols in the hack database. The value is derived from curator analysis of the hack database and is protocol-class-specific: lending protocols, bridge protocols, and DEXes each have documented reconnaissance lead times. Output is a days-value benchmark for the class, updated when new post-mortem evidence expands the database. Category 11 context: the reconnaissance window benchmark tells curators how much advance warning time is theoretically available and frames the urgency of real-time signal response.

**Why it matters** The T-01 synthesis documents the detection window distribution across 37 hacks: High detectability hacks had reconnaissance windows up to 12 days (Badger DAO's malicious approvals), Medium detectability hacks typically had hours to days of pre-exploit on-chain activity, and Low/None detectability hacks had zero advance signal. For the lending protocol class, oracle manipulation setup is typically executed within the same transaction or within minutes, while governance attack preparation can span 24 hours or more. Bridge exploits involving social engineering (DPRK implant class) have the longest reconnaissance windows — months to years. The benchmark informs alert threshold calibration for Cat 6 signals for this protocol class.

**Green / Yellow / Red** Green is informational — a longer reconnaissance window benchmark is more favorable as it provides more actionable alert time. Yellow applies when the benchmark for the class is less than 24 hours — most signals will fire during or after the exploit. Red applies when the class benchmark is under one hour — Cat 6 signals become primarily exploit-in-progress rather than precursor alerts.

**Common gray cases** Gray applies when the hack database has insufficient examples of the specific protocol class to compute a reliable benchmark (fewer than three in-sample exploits), or when the protocol combines multiple classes making the applicable benchmark ambiguous.

**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.

Measurement: what to look for

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

Data & output

**Data source** In-house hack DB reconnaissance field (T-01 cluster analysis) + curator analysis

**Output format** Green / Yellow / Red

**Evidence artifact** Hack DB query results + mean reconnaissance days for protocol class + class definition

**Confidence signal** green = ≥30 days average reconnaissance time for this class (sufficient warning window); yellow = 7–29 days; red = <7 days (near-instant-strike class); gray = insufficient hack DB sample for this class
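
The class benchmark and banding described above, as an added example that is not defirisk.co's own code: it averages reconnaissance days per protocol class, applies the day-based bands listed under Confidence signal, and returns gray for the two cases named under Common gray cases. The rows, field names and the `zero_window_incidents` evidence field are assumptions constructed for illustration.

```python
from statistics import mean

# Constructed rows standing in for hack DB query results. Field names and
# incident labels are hypothetical, not the real database schema.
HACK_DB = [
    {"incident": "sample-L1", "protocol_class": "lending", "recon_days": 0.0},
    {"incident": "sample-L2", "protocol_class": "lending", "recon_days": 0.0},
    {"incident": "sample-L3", "protocol_class": "lending", "recon_days": 1.0},
    {"incident": "sample-B1", "protocol_class": "bridge", "recon_days": 0.0},
    {"incident": "sample-B2", "protocol_class": "bridge", "recon_days": 0.0},
    {"incident": "sample-B3", "protocol_class": "bridge", "recon_days": 120.0},
    {"incident": "sample-D1", "protocol_class": "dex", "recon_days": 12.0},
    {"incident": "sample-D2", "protocol_class": "dex", "recon_days": 9.0},
]
MIN_SAMPLE = 3  # fewer than three in-sample exploits -> gray


def band(mean_days):
    """Map a class mean (days) to the Confidence signal bands."""
    if mean_days >= 30:
        return "green"
    if mean_days >= 7:  # assumption: values between 29 and 30 count as yellow
        return "yellow"
    return "red"


def score_factor(protocol_classes, rows=HACK_DB):
    """Return (color, evidence) for a protocol given its class labels."""
    if len(protocol_classes) != 1:
        # Multi-class protocol: the applicable benchmark is ambiguous.
        return "gray", {"classes": list(protocol_classes), "reason": "ambiguous class"}
    cls = protocol_classes[0]
    days = [r["recon_days"] for r in rows if r["protocol_class"] == cls]
    if len(days) < MIN_SAMPLE:
        return "gray", {"class": cls, "n": len(days), "reason": "insufficient sample"}
    evidence = {
        "class": cls,
        "n": len(days),
        "mean_recon_days": mean(days),
        # Added field: a mean can hide strikes that gave no advance signal.
        "zero_window_incidents": sum(1 for d in days if d == 0),
    }
    return band(evidence["mean_recon_days"]), evidence


if __name__ == "__main__":
    for classes in (["lending"], ["bridge"], ["dex"], ["lending", "dex"]):
        print(classes, score_factor(classes))
```

In the constructed bridge sample the mean is 40 days and scores green even though two of the three incidents had no reconnaissance window, which is why the evidence keeps that count next to the mean.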

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-163 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | gray |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | gray |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | gray |
| Meteora | solana | gray |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | green |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | green |
| QuickSwap | polygon | gray |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0 | factor: RD-F-163 | category: 11 | carried: 80 | critical: no