defirisk.co
rubric v1.7.0

Empty cToken-style market (zero supply/borrow)

Across Protocol's assessment for RD-F-070 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] RED: HubPool mints LP tokens as `lpTokensToMint = (l1TokenAmount × 1e18) / _exchangeRateCurrent(l1Token)`. When the pool's `totalSupply` is 0, `_exchangeRateCurrent` returns 1e18 (a 1:1 rate). There is no virtual share offset and no seed deposit when a pool is enabled, so a first depositor into a newly enabled, empty pool can execute a donation attack. Existing pools (WETH, WBTC, USDC, DAI) have non-zero supply and are not immediately vulnerable. Any new pool added via governance is vulnerable at initialization.


Methodology

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation exploit.
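The following added example (not Across code and not part of the original assessment) models the mint formula quoted in the evidence summary to show why the empty-market precondition matters: a later depositor's shares round down to zero without an offset, and stay near full value with one. `PoolModel`, its fields and the sample amounts are hypothetical; the model assumes the rate is reserves divided by supply and uses an ERC-4626-style virtual share offset as the mitigation.

```python
WAD = 10**18  # fixed-point scale, as in the 1e18 factor quoted above

class PoolModel:
    """Simplified LP pool; hypothetical, not HubPool's actual accounting."""
    def __init__(self, virtual_shares=0, virtual_assets=0):
        self.total_supply = 0   # LP tokens outstanding
        self.total_borrow = 0   # unused here, kept for the emptiness check
        self.reserves = 0       # underlying the rate is computed from (assumption)
        self.vs, self.va = virtual_shares, virtual_assets

    def is_empty(self):
        # Methodology precondition: totalSupply == 0 and totalBorrow == 0
        return self.total_supply == 0 and self.total_borrow == 0

    def exchange_rate(self):
        supply = self.total_supply + self.vs
        if supply == 0:
            return WAD  # 1:1 rate for an empty pool
        return (self.reserves + self.va) * WAD // supply

    def deposit(self, amount):
        minted = amount * WAD // self.exchange_rate()  # rounds down
        self.total_supply += minted
        self.reserves += amount
        return minted

    def value_of(self, shares):
        return shares * self.exchange_rate() // WAD

def later_depositor_outcome(virtual_shares=0, virtual_assets=0):
    """Return (shares minted, redeemable value) for the later depositor."""
    pool = PoolModel(virtual_shares, virtual_assets)
    assert pool.is_empty()             # freshly enabled market
    pool.deposit(1)                    # first deposit: 1 base unit (constructed)
    pool.reserves += 10_000 * 10**6    # direct transfer that mints no shares
    minted = pool.deposit(5_000 * 10**6)
    return minted, pool.value_of(minted)

if __name__ == "__main__":
    print("no offset:  ", later_depositor_outcome())
    print("with offset:", later_depositor_outcome(1000, 1))
```

A seed deposit at pool enablement has the same effect as the offset here: the market never reaches the state where `is_empty()` is true for an outside depositor.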


rubric_version: v1.7.0 | protocol: across-protocol | factor: RD-F-070 | score: red | collected_at: 2026-04-30 21:19:18