defirisk.co
rubric v1.7.0

Repo shows AI-tool co-authorship in critical files

A tooling / compiler / AI factor in the v1.7.0 rubric. Measured per protocol on a slow continuous cadence.

Methodology: how we score

**What this measures** This factor detects whether any critical contracts (contracts holding user funds or implementing core financial logic) have commits in the protocol's repository where the commit message or trailer includes AI-tool co-authorship markers (e.g., Co-authored-by: GitHub Copilot, Co-authored-by: ChatGPT Code Interpreter). The check is performed via GitHub API inspection and is updated on a slow continuous cadence.

**Why it matters** AI co-authorship in security-critical files is a signal that the code was generated or modified with AI assistance rather than written entirely by a human developer who is accountable for its correctness. The risk is not that AI-generated code is inherently insecure -- it often is not -- but that AI tools can introduce subtle bugs in patterns they have seen frequently (e.g., inverting a comparison, omitting a boundary check, reordering a state update) and that neither the developer nor the auditor has incentive to scrutinize these changes with the same rigor as novel code. The Moonwell incident ($1.78M, 2026) is the first confirmed case in the dataset where AI-coauthored code in a security-critical contract contributed to an exploited vulnerability.

**Green / Yellow / Red** Green: no AI-tool co-authorship markers detected in any commits touching security-critical contract files. Yellow: AI co-authorship markers detected in non-critical files (e.g., documentation, test utilities, peripheral scripts) but not in core financial logic. Red: AI co-authorship markers detected in commits touching contracts that hold user funds, implement core financial logic, or control access to admin functions.

**Common gray cases** Some developers use AI assistance without leaving co-authorship markers, making this a lower-bound indicator rather than a comprehensive detection. A green score on this factor does not exclude AI involvement; it only confirms that disclosed AI co-authorship is absent.

**Notable historical examples** - **Moonwell** ($1.78M, 2026): AI-coauthored code in a security-critical contract contributed to the exploited vulnerability path.

Measurement: what to look for

Determine whether critical security files show commits with AI-tool co-authorship metadata (GitHub Copilot, ChatGPT Code Interpreter).

Data & output

Data source: GitHub API commit details for security-critical files; check `co-authored-by` trailers for AI-tool signatures.
Output format: Green / Yellow / Red
Evidence artifact: GitHub commit SHA list + `co-authored-by` trailer content for flagged files.
Confidence signal: green = no AI co-authorship in security-critical files; yellow = AI co-authorship in peripheral (non-security-critical) files; red = AI co-authorship detected in core security-critical contract files; gray = repo is private or commit history inaccessible.
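The check described under "Methodology" and "Data & output", as an added example (not defirisk.co's own scanner): it parses `Co-authored-by` trailers from commit messages, matches the two AI-tool signatures the rubric names, and maps the result to green / yellow / red / gray. The commit records, file paths, SHAs and the critical-file set are constructed sample data; in practice the commit list would come from the GitHub API.

```python
import re
from dataclasses import dataclass
# Signatures the rubric names; extending this list is an assumption of this example.
AI_TOOL_PATTERNS = [re.compile(r"github copilot", re.I), re.compile(r"chatgpt", re.I)]
TRAILER_RE = re.compile(r"^co-authored-by:\s*(.+)$", re.I)
@dataclass
class Commit:
    sha: str       # constructed sample SHA, not a real commit
    message: str
    files: list    # paths touched by the commit
def coauthor_trailers(message: str) -> list:
    # Git trailers live in the final paragraph only, so a "Co-authored-by"
    # line in the body is not a trailer and is not counted.
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    found = []
    for line in (paragraphs[-1].splitlines() if paragraphs else []):
        m = TRAILER_RE.match(line.strip())
        if m:
            found.append(m.group(1).strip())
    return found
def is_ai_tool(coauthor: str) -> bool:
    return any(p.search(coauthor) for p in AI_TOOL_PATTERNS)

def score_repo(commits, critical_files):
    # Returns (score, evidence): evidence is the SHA list plus trailer content
    # the rubric records. commits=None stands in for an inaccessible history.
    if commits is None:
        return "gray", []
    score, evidence = "green", []
    for c in commits:
        ai = [a for a in coauthor_trailers(c.message) if is_ai_tool(a)]
        if not ai:
            continue
        critical = any(f in critical_files for f in c.files)
        evidence.append((c.sha, ai, critical))
        if critical:
            score = "red"        # core financial logic touched
        elif score == "green":
            score = "yellow"     # peripheral files only
    return score, evidence

# Constructed sample history: human commit, AI-assisted doc change, AI-assisted
# change to a critical contract, and a body-only mention that must not flag.
CRITICAL = {"contracts/Vault.sol", "contracts/Oracle.sol"}
SAMPLE_COMMITS = [
    Commit("a1b2c3", "Fix rounding\n\nCo-authored-by: Alice <alice@example.com>", ["contracts/Vault.sol"]),
    Commit("d4e5f6", "Expand README\n\nCo-authored-by: GitHub Copilot <bot@example.com>", ["README.md"]),
    Commit("0a9b8c", "Rework price path\n\nCo-authored-by: ChatGPT Code Interpreter <bot@example.com>", ["contracts/Oracle.sol"]),
    Commit("7d6e5f", "Revert\n\nCo-authored-by: GitHub Copilot\n\nSigned-off-by: Bob <bob@example.com>", ["contracts/Vault.sol"]),
]
```

Because the detection keys only on disclosed trailers, a green result from this scan is the lower-bound signal the "Common gray cases" paragraph describes, not proof that no AI assistance was used.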

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-172 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | gray |
| mETH Protocol | ethereum | green |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | gray |

Linked hacks (1 historical incident)

[causal] Moonwell — Oracle Misconfiguration (Missing ETH/USD Multiplier) · 2026-02-15 · $2M · Oracle Misconfiguration (Missing ETH/USD Multiplier) · Repo shows AI-tool co-authorship in critical files (Cat 12) [via cross-hack: Factor 63: AI-Coauthored Code in Security-Critical Components]

rubric_version: v1.7.0
factor: RD-F-172
category: 12
carried: 80
critical: no