★ Empty cToken-style market (zero supply/borrow)

Centrifuge's assessment for RD-F-070 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

NOT a Compound V2 fork. Centrifuge does not use cToken-style markets. ERC-7540 async vaults use epoch-based price oracle (not balanceOf-derived share price), so the classic cToken donation exploit path is structurally different. Share-inflation via donation is attenuated by permissioned pool creation, permissioned depositor lists (KYC-gated), and price set by hub oracle not by share/totalSupply ratio. Gray — not a Compound fork; share-inflation path attenuated by permissioned architecture.

Sources #

URL
https://docs.centrifuge.io/developer/protocol/guides/create-a-pool/retrieved 2026-04-27
GitHub
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.solretrieved 2026-04-27

Methodology #

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation-exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol centrifuge factor RD-F-070 score gray collected_at 2026-04-30 21:19:10