defirisk.co
rubric v1.7.0

Empty cToken-style market (zero supply/borrow)

BENQI's assessment for RD-F-070 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

STAR CRITICAL FACTOR. BENQI Liquidity Market is a Compound V2 fork (qiToken = cToken architecture). The donation/empty-market exchange-rate-inflation vulnerability class applies structurally. Conditions for exploit: a market must have near-zero totalSupply, enabling a small minter to acquire nearly all shares, then donate tokens directly to the contract to inflate the exchange rate, then drain other markets. Active qiToken markets are NOT empty — aggregate supplied $277.64M, borrowed $50.19M, with individual markets (qiAVAX holding ~495K-502K AVAX per Snowtrace tx history) having substantial non-zero supply. However: (1) BENQI GitHub repo (last commit 2023-01-11) predates post-Sonne-Finance (May 2024) and post-Hundred-Finance (April 2023) mitigations; no evidence of virtual-share offset or enforced minimum seed-deposit code introduced; (2) qiBUSD market may be deprecated with near-zero supply (BUSD discontinued Feb 2023) — status unconfirmed on-chain; (3) Isolated Markets (newer ~2024)

Sources #

Methodology #

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation-exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol benqi factor RD-F-070 score yellow collected_at 2026-05-16 11:02:12