★ Empty cToken-style market (zero supply/borrow)
Chainlink CCIP's assessment for RD-F-070 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Not applicable — CCIP is not a Compound V2 fork and has no cToken-style market with share-based accounting. The empty-cToken-style donation exploit requires: (1) a share-based vault where totalSupply can be zero; (2) an exchange rate formula that divides by totalSupply; (3) ability to donate tokens to inflate the exchange rate. CCIP token pools use a lock/burn/mint/unlock model with no share pricing, no totalSupply/totalBorrow accounting, and no exchange rate formula. The taxonomy (03-taxonomy.md §Category 4 PD-024 resolution) formally classifies RD-F-070 as 'Compound-fork-only (subset of lending-only); N/A for non-Compound-fork protocols; critical still applies when protocol IS a Compound fork.' CCIP is an original design by Chainlink Labs (profile §5 Fork Lineage: not forked / original) built on OCR2 consensus, not a fork of any lending protocol. No donation attack vector exists in this architecture.
Sources
- Docs: CCIP Architecture | Chainlink Documentation. CCIP architecture overview — token pool model is lock/burn/mint/unlock, no share-based vault accounting, no cToken analogue. Retrieved 2026-05-16.
- 03-taxonomy.md Cat 4 PD-024 note RD-F-070; chainlink-ccip 00-profile.md §5. Taxonomy 03-taxonomy.md §Category 4 PD-024 resolution — RD-F-070 Compound-fork-only; not_applicable for non-Compound-fork; protocol profile §5 Fork Lineage: original design. Retrieved 2026-05-16.
Methodology
Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation exploit.