Circle USYC
Permissioned tokenized money-market fund token (ERC-20/BEP-20/SPL-2022) representing shares in the Hashnote International Short Duration Yield Fund, which invests in short-duration US Treasury Bills and reverse repos. Formerly Hashnote USYC; acquired by Circle in January 2025. Issued by Circle International Bermuda Limited, regulated by the Bermuda Monetary Authority. Permissioned: KYC/AML required; non-US persons only.
Deployments: Binance · $2.9B

Risk profile at a glance
3 red · 4 yellow · 5 green

Categories & evidence
184 factors · 13 categories

Code & audits: Red · 67 · 25 of 25
RD-F-001 (red) Audit scope mismatch: No named smart-contract security audit firm or public report has been located. The USYC documentation states the ERC-20 token is 'externally audited and verified on Etherscan' but provides no firm name, date, or report URL. Cohen and Company (listed as 'Auditor' in the service-providers docs) is the fund's financial/accounting auditor, not a smart-contract security firm. No audit PDF, commit SHA, or report link was found on Certora, Halborn, or any major audit firm index. 9 upgrades are recorded on the ETH proxy; the most recent, on 2025-12-09, would not be covered by any pre-2025 audit.

RD-F-002 (red) Audit recency: No audit sign-off date is determinable because no smart-contract security audit report has been publicly located. Red per methodology (>730 days or no audit found).

RD-F-004 (red) Audit count: Zero distinct named smart-contract security audit firms identified. Cohen and Company is a financial/accounting auditor, not a smart-contract security firm. A search of the Certora reports, Halborn audits, Quantstamp, OpenZeppelin, and Spearbit public indexes returned no Hashnote or USYC engagements.

RD-F-005 (red) Audit firm tier: No identifiable smart-contract security audit firm for USYC. Red per methodology (boutique/unknown only; zero security firms identified).

RD-F-007 (red) Bug bounty presence & max payout: No active bug bounty program. The data cache confirms bug_bounty.platform null and url null. No Immunefi listing found for USYC (immunefi_slug null). No HackerOne, Cantina, or Sherlock program identified. Circle's general security contact (security@circle.com) is not a structured bug bounty program.

RD-F-024 (red) Code complexity vs audit coverage: No audit has been identified. The codebase spans at least 6 proxied contracts on Ethereum (USYC proxy, Teller proxy, CrossChainTeller, Oracle, RolesAuthorityProxy plus their implementations), equivalent contracts on BSC, plus Solana SPL-2022 and Noble IBC. Zero verifiable audit-day coverage; the code-complexity-to-audit ratio is infinite.

RD-F-021 (yellow) UUPS _authorizeUpgrade correctly permissioned: The YieldCoin implementation uses the UUPS pattern with _authorizeUpgrade delegating to the RolesAuthority contract (0x902D906b8d988092213bE799B18Bd2cbd64F808C). It is not open to arbitrary callers; role-based access control gates upgrades. However, the RolesAuthority is itself an upgradeable proxy, last upgraded 2025-11-20, and upgrade authority over the RolesAuthority appears to be held by the Hashnote Deployer EOA with no observed timelock. The function is not misconfigured (not open), but delegating to an upgradeable proxy without a timelock creates a nuanced yellow.

RD-F-023 (yellow) Constructor calls _disableInitializers(): The ETH YieldCoin implementation constructor explicitly calls _disableInitializers() per the verified Etherscan source: 'constructor(address _authority) { if (_authority == address(0)) revert BadAddress(); _disableInitializers(); }'. The BSC USYCSatellite constructor is ambiguous from WebFetch: the response said it 'does not explicitly call _disableInitializers()' but it may rely on the OZ Initializable state-variable pattern instead. Given that 96% of TVL is on BSC, the ambiguity on the BSC satellite is materially relevant. Yellow pending direct BSC source inspection.

RD-F-003 (gray) Resolved-without-proof findings: Cannot assess; no audit PDF accessible and no findings table to cross-check against on-chain bytecode. Data gap.

RD-F-006 (gray) Audit-to-deploy gap: No audit sign-off date determinable; cannot compute the audit-to-deploy gap. Data gap.

RD-F-009 (n/a) Formal verification coverage: Not applicable under the PD-042 RWA regime. USYC is a permissioned ERC-20 tokenized fund token; there are no DeFi-trustless invariants (AMM invariants, borrow caps, liquidation cascades) to formally verify. Protocol logic is permissioned transfer with an allowlist check plus UUPS upgrade. PD-042 flags formal-verification coverage as a DeFi-tooling-norm factor not applicable for protocol_type: rwa.

RD-F-010 (gray) Static-analyzer high-severity count: Source code is Etherscan-verified for all core EVM contracts. No published Slither, Mythril, or Semgrep output covering USYC contracts was found. A tool run is needed but was not available in this assessment.

RD-F-011 (gray) SELFDESTRUCT reachable from non-admin path: Source verified on Etherscan; the contracts are a simple permissioned ERC-20 plus UUPS upgrade pattern where SELFDESTRUCT is unlikely, but no Slither suicidal detector run is available to confirm its absence.

RD-F-012 (gray) delegatecall with user-controlled target: Source verified but no static analysis run available to check for user-controlled delegatecall. The ERC-20 token pattern makes this unlikely, but it is unconfirmed.

RD-F-013 (gray) Arbitrary call with user-controlled target: The Teller implementation (0xF8724D6b9E6fF55Bc4496fddb3437DC691CD26EB) is verified on Etherscan but no static analysis run is available to check for an arbitrary call with a user-controlled target.

RD-F-014 (gray) Reentrancy guard on external-calling functions: The Teller contract calls the external USDC and USYC token contracts. Source verified but no Slither reentrancy analysis available. OZ pattern usage suggests familiarity with security primitives, but no direct evidence of nonReentrant coverage was confirmed.

RD-F-015 (n/a) ERC-777/1155/721 hook without reentrancy guard: USYC is a standard ERC-20 token. No ERC-777 tokensReceived, ERC-1155 onReceived, or ERC-721 onReceived hook integration. Subscription and redemption use USDC (ERC-20), not a callback-bearing token standard.

RD-F-016 (gray) Divide-before-multiply pattern: Source verified but no Slither divide-before-multiply detector run available.

RD-F-017 (gray) Mixed-decimals math without explicit scaling: USYC is 18-decimal; USDC is 6-decimal. The Teller performs subscription and redemption math between them. Source verified but no manual review or tool run available to confirm explicit decimal scaling. Gray; needs a tool run.

RD-F-018 (gray) Signed/unsigned arithmetic confusion: Source verified; no tool run available for signed/unsigned arithmetic analysis.

RD-F-019 (gray) ecrecover zero-address return unchecked: Standard ERC-20 token pattern; ecrecover calls are unlikely in the primary transfer/mint path. The CrossChainTeller may use signed messages. Source verified but no Slither ecrecover-malleable detector run available.

RD-F-020 (gray) EIP-712 domain separator missing chainId: The YieldCoin core ERC-20 ABI does not show a permit() function, suggesting no EIP-712 domain separator in the token itself. The CrossChainTeller may use EIP-712 signed messages, but the domain separator was not directly inspected. Source verified but needs targeted code review.

RD-F-183 (gray) Bug bounty scope gap on highest-TVL contracts: No bug bounty program exists (F007 red). Gray per methodology: the scope-gap question (whether highest-TVL contracts are excluded from bounty scope) is moot when there is no bounty program to scope. The BSC USYC token (0x8D0fA28f221eB5735BC71d3a0Da67EE5bC821311, ~$2.86B TVL) would be the highest-TVL contract to bring into scope if a program existed.

RD-F-008 (green) Ignored bounty disclosure: No prior security incidents identified for USYC or Hashnote. The hack database returns 0 matches; rekt.news incidents empty; DefiLlama hacks empty. No evidence of any ignored bounty disclosure because no prior incident has occurred.

RD-F-022 (green) Public initialize() without initializer modifier: The Ethereum YieldCoin implementation's initialize() uses the onlyInitializing modifier from OZ Initializable, which prevents re-initialization. The BSC USYCSatellite initialize() uses the same onlyInitializing modifier pattern per the verified source. The Teller implementation uses OZ Initializable checks. No unprotected initialize() was found on any verified implementation.
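RD-F-016 and RD-F-017 above leave the Teller's divide-before-multiply and mixed-decimals behaviour unassessed. The following Python model is added here as an illustration; it is not the USYC Teller's code and does not claim to reproduce its formula. It shows the two hazards on a subscription and redemption at NAV between 6-decimal USDC and 18-decimal USYC, and checks the invariant an assessor would look for: the Teller never mints more token than the USDC paid is worth at the quoted NAV, and rounding on redemption goes against the redeemer rather than the fund. The NAV scale (8 decimals), the function names and the sample amounts are assumptions.

```python
# Illustrative model of Teller subscription/redemption arithmetic (not the USYC Teller source).
# Decimals for USDC (6) and USYC (18) are from the assessment; NAV_DECIMALS = 8 is an assumption.
USDC_DECIMALS = 6
USYC_DECIMALS = 18
NAV_DECIMALS = 8                                     # assumed answer scaling of the NAV oracle
SCALE_GAP = 10 ** (USYC_DECIMALS - USDC_DECIMALS)    # 10**12 between USDC units and USYC wei
NAV_ONE = 10 ** NAV_DECIMALS                         # NAV of exactly 1.0 in oracle units


def subscribe_exact(usdc_units: int, nav: int) -> int:
    """USYC wei minted for usdc_units at NAV, multiplying before dividing (rounds down)."""
    if nav <= 0 or usdc_units < 0:
        raise ValueError("nav must be positive and amount non-negative")
    return usdc_units * SCALE_GAP * NAV_ONE // nav


def subscribe_divide_first(usdc_units: int, nav: int) -> int:
    """Same formula with the division performed before the 10**12 rescale.
    The quotient is truncated at USDC precision and then rescaled, so up to
    10**12 - 1 wei per subscription is silently lost: the divide-before-multiply pattern."""
    return (usdc_units * NAV_ONE // nav) * SCALE_GAP


def redeem_exact(usyc_wei: int, nav: int) -> int:
    """USDC units returned for usyc_wei at NAV, rounding down (in the fund's favour)."""
    if nav <= 0 or usyc_wei < 0:
        raise ValueError("nav must be positive and amount non-negative")
    return usyc_wei * nav // (NAV_ONE * SCALE_GAP)


def mint_never_exceeds_payment(usdc_units: int, nav: int) -> bool:
    """Invariant: the minted USYC valued at NAV never exceeds the USDC paid.
    Both sides are expressed in the same 10**20 fixed-point unit."""
    minted = subscribe_exact(usdc_units, nav)
    return minted * nav <= usdc_units * SCALE_GAP * NAV_ONE


# Constructed sample: 1 USDC subscribed at a NAV of 1.065 (106_500_000 at 8 decimals)
SAMPLE_USDC = 1_000_000
SAMPLE_NAV = 106_500_000

if __name__ == "__main__":
    minted = subscribe_exact(SAMPLE_USDC, SAMPLE_NAV)
    naive = subscribe_divide_first(SAMPLE_USDC, SAMPLE_NAV)
    print("exact mint (wei):", minted)
    print("divide-first mint (wei):", naive, "shortfall (wei):", minted - naive)
    print("round trip returns (USDC units):", redeem_exact(minted, SAMPLE_NAV))
```

On the sample input the divide-first variant under-mints by 136,150,234,741 wei, and a subscribe-then-redeem round trip at the same NAV returns 999,999 of the 1,000,000 USDC units: both rounding losses fall on the user, which is the direction a Teller should round, but only if the multiplication is done first.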

Governance & admin: Red · 74 · 24 of 24
RD-F-025 (red) Admin key custody type: All EVM proxy upgrade authority is held by EOAs. Ethereum USYC upgrades are executed by 0x13FF8Cabb86eDf94a2dF4f98773bda4005182dD6 (an unlabeled EOA funded by the Hashnote Deployer). The BSC USYC proxy constructor sets the admin to 0xb2b98e8672d4aad438f6ffec581cfe6f745496ff (Hashnote Deployer EOA). No multisig, no timelock, no DAO. Categorical: EOA.

RD-F-026 (red) Upgrade multisig signer configuration (M/N): No multisig identified for any role. Both upgrade-executing addresses are EOAs. Display: 1/1 (EOA). Data cache safe_multisigs: []. The profile confirms no Safe multisig exists (honest-null).

RD-F-027 (red) Single admin EOA [CRITICAL]: EOA 0x13FF8Cabb86eDf94a2dF4f98773bda4005182dD6 executed both recent Ethereum USYC upgrades (Dec 2025 tx 0x3a1fae1d, Jul 2025 tx 0xe6604cdd) directly. The BSC proxy admin is the Hashnote Deployer EOA 0xb2b98e86. No multisig intermediary on any chain. Address 0x13FF8Ca was funded by the deployer EOA and has only 2 txs in total; confirmed EOA, not a contract.

RD-F-032 (red) Timelock duration on upgrades: No timelock exists on any EVM chain. Upgrades are executed directly from an EOA with zero delay. Data cache timelock_address: null, timelock_delay_seconds: null. All 9 Ethereum upgrades were executed with no observed queuing period.

RD-F-033 (red) Timelock on sensitive actions: No timelock on any sensitive action: mint via setMinterAllowance, pause via RolesAuthority, sweep/rescue, setOracle, upgradeTo. All are gated only by an owner EOA check. YieldCoin sweep() and RolesAuthority pause() are confirmed as direct owner calls with no timelock intermediary.

RD-F-034 (red) Guardian/pause-keeper distinct from upgrader: RolesAuthority pause() is callable by the owner, which is the same address chain as the upgrade authority. No distinct guardian multisig. Role separation between pauser and upgrader is not implemented.

RD-F-040 (red) Emergency-veto multisig present: No emergency-veto multisig found. Data cache safe_multisigs: []. No Safe address in docs or on-chain. No guardian role with a distinct multisig address. The only emergency capability is the RolesAuthority pause(), controlled by the same EOA as the upgrade authority.

RD-F-041 (red) Rescue/emergencyWithdraw without timelock [CRITICAL]: sweep(address _token, uint256 _amount, address _recipient) exists on YieldCoin (Ethereum implementation 0xBF0f2F3a) and on the Teller implementation (0xF8724D6b). It is callable by the owner (EOA) directly with no timelock. A single tx from the owner EOA can drain all protocol-held assets. Both contracts have been confirmed as UUPS-upgradeable, adding a second drain vector via a malicious upgrade.

RD-F-043 (red) Admin = deployer EOA after 7 days [CRITICAL]: EOA admin from the May 2023 deployment through May 2026, over 36 months. Circle acquired Hashnote in Jan 2025, but no admin-key rotation to a corporate multisig is observable. A new sub-EOA (0x13FF8Ca) was funded in Jul 2025, post-acquisition, but this is EOA-to-EOA delegation, not an EOA-to-multisig transfer.

RD-F-030 (yellow) Hot-wallet signer flag: No multisig exists for a formal hot-wallet assessment. The upgrade-executing EOA 0x13FF8Cabb86eDf94a2dF4f98773bda4005182dD6 has only 2 total transactions and was freshly funded by the deployer in Jul 2025, consistent with a hot operational key, not cold storage.

RD-F-031 (yellow) Signer rotation recency: No signer set to rotate. The upgrade-executing address changed from the original deployer EOA to a new sub-EOA (0x13FF8Ca) in Jul 2025, after the Circle acquisition (Jan 2025). This EOA-to-EOA change does not represent a security improvement. No public explanation of the change.

RD-F-035 (yellow) Role separation: upgrade ≠ fee ≠ oracle: No clear role separation between upgrade, fee collection, and oracle configuration. The Teller source shows setOracle(), setFeeRecipient(), and setFees() all routed through the same authority. An operational address 0xDbE01f44 executes setUserRole calls, suggesting some operational delegation, but the upgrade authority remains with the EOA chain.

RD-F-042 (yellow) Admin has mint() with unlimited max: mint() is gated by a per-minter minterAllowance mapping. The admin can call setMinterAllowance() to increase allowances, which is an indirect inflation path but requires two steps. No explicit hard total-supply cap. The allowance system provides a meaningful constraint, but the admin can expand it unilaterally without a timelock.

RD-F-028 (n/a) Low-threshold multisig vs TVL: No multisig exists to assess a threshold. Corporate governance with no Safe or on-chain multisig identified. Per the PD-042 RWA regime: the factor presupposes a multisig; with honest-null confirmed, the structural issue is captured by RD-F-027 (single EOA).

RD-F-029 (n/a) Multisig signers co-hosted: No multisig exists to assess co-hosting of signers.

RD-F-036 (n/a) Flash-loanable voting weight: Not applicable by the RWA regime (PD-042). Corporate-governed protocol with no on-chain Governor, no voting token, no DAO. Flash-loanable voting is structurally inapplicable.

RD-F-037 (n/a) Quorum achievable via single-entity flash loan: Not applicable; no on-chain governor, no governance token, no quorum threshold to assess.

RD-F-038 (n/a) Proposal execution delay < 24h: Not applicable; no on-chain governance proposals or execution delays to measure.

RD-F-039 (n/a) delegatecall/call in proposal execution without allowlist: Not applicable by the RWA regime (PD-042). No on-chain governance executor, no proposal execution path, no delegatecall in a governance context.

RD-F-044 (gray) Admin wallet interacts with flagged addresses: Not assessed; no Chainalysis-style feed available and no OSINT evidence of flagged-address interactions found in available sources. Data cache deployer.funded_by: null.

RD-F-045 (n/a) Constructor args match governance proposal: Not applicable; no governance proposals exist to compare constructor args against. Corporate deployment without a proposal process.

RD-F-047 (n/a) Governance token concentration (Gini): Not applicable; no governance token, no voting-power concentration to measure.

RD-F-167 (n/a) Deprecated contract paused but pause reversible by live admin: Not applicable; no deprecated surfaces identified. USYC has no predecessor version. Data cache has_legacy_v1: false. All contracts are live and active.

RD-F-046 (green) Contract unverified on Etherscan/Sourcify: All core EVM contracts are Etherscan/BSCScan verified with Exact Match status. The USYC ETH proxy, implementation, BSC proxy, BSC implementation, RolesAuthorityProxy, Teller proxy, and Teller implementation are all confirmed verified. Source is publicly readable.

Oracle & external dependencies: Red · 50 · 17 of 17
RD-F-051 (red) Fallback behavior on oracle failure: No fallback oracle or circuit-breaker logic identified. Single push-oracle reporter (immutable _reporter 0x9fde717a21c5b272B8956d3AA0c3551E1FFd23D7). No try/catch, no secondary source, no last-known-price fallback confirmed in the Teller or oracle contract source. If the reporter address stops transmitting, stale NAV is accepted silently. Issuer-attested RWA oracle design; no independent fallback by design. Red per taxonomy threshold (no fallback documented).

RD-F-057 (red) Circuit breaker on price deviation: No circuit breaker on price deviation identified. The Teller implementation ABI does not include a circuit-breaker or price-guard function. For an RWA NAV oracle that moves monotonically upward this is less critical than for volatile assets, but the absence of any deviation guard leaves the protocol exposed to incorrect reporter submissions. No maxDeviationBps or priceGuard pattern confirmed.

RD-F-059 (red) Oracle staleness check present: No on-chain staleness check confirmed in the Teller source. The GenericNextPriceAggregator stores _updatedAt from transmit() and returns it via latestRoundData(), but no staleness guard at the consumer (Teller) layer was confirmable from the ABI. For an issuer-controlled push oracle, if the reporter goes offline or is compromised, stale NAV is accepted silently. This is a material gap: BSC holds $2.86B TVL and the BSC-side oracle architecture is not fully confirmed.

RD-F-048 (yellow) Oracle providers used: Single issuer-controlled push oracle provider (Circle/Hashnote GenericAggregatorProxy at 0x74f2199AEb743f68f05943e5715A33EaF2b61f53, impl GenericNextPriceAggregator at 0x6DeaA761bc131Ac5f1D562EE71819E846EF11624). AggregatorV3Interface-compatible. Not Chainlink, Pyth, Redstone, or any independent third-party provider. Data cache oracle_feeds contains globally-scraped Chainlink feeds not consumed by USYC (profile §7 advisory confirmed). Yellow because it is an issuer-attested oracle with no independent verification.

RD-F-049 (yellow) Oracle role per asset: The NAV oracle (0x74f2199AEb743f68f05943e5715A33EaF2b61f53) is the sole primary oracle for USYC pricing. No secondary or fallback oracle identified in the Teller or token contract. The YieldCoin impl ABI shows an OracleSet event, confirming the oracle is admin-configurable, but only one oracle address is used. Single-oracle design with no fallback.

RD-F-050 (yellow) Dependency graph (protocols depended upon): (1) USDC ERC-20/BEP-20 for subscriptions/redemptions; all value flows through USDC. (2) Circle CCTP attestation infrastructure for cross-chain operations (BSC 96% TVL). (3) RolesAuthorityProxy 0x902D906b8d988092213bE799B18Bd2cbd64F808C for access control. (4) GenericAggregatorProxy NAV oracle. All four dependencies are Circle-owned or Circle-controlled. Issuer-concentration risk: a Circle failure cascades across all dependencies. Yellow due to single-issuer concentration across critical dependencies.

RD-F-052 (yellow) Breakage analysis per dependency: (1) NAV oracle stale: the Teller uses the stale NAV for subscription/redemption pricing; users are over/under-charged vs the actual fund NAV; impact HIGH for transacting users. (2) CCTP attestation failure: cross-chain operations for BSC (96% of $2.97B TVL) halt; redemptions from BSC to Ethereum blocked; impact HIGH. (3) USDC depeg: in-flight subscriptions/redemptions mispriced. (4) RolesAuthority compromise: global freeze possible. The analysis is partial; the BSC-side oracle dependency is not fully confirmed. Yellow: major dependencies covered, some cross-chain nuance unresolved.

RD-F-062 (yellow) External keeper/relayer not redundant: The oracle reporter (immutable _reporter = 0x9fde717a21c5b272B8956d3AA0c3551E1FFd23D7 in GenericNextPriceAggregator) is functionally a single-keeper push oracle. If this address fails to transmit, prices go stale. No redundancy mechanism or failover identified. The Teller has setOracle (ABI confirmed), allowing an oracle contract swap, but within the current live oracle contract the reporter is immutable. Single-keeper dependency without redundancy confirmed.

RD-F-180 (yellow) Immutable oracle address [★ F180 critical-CANDIDATE per PD-017; flag for T-14 promotion review]: Partial immutability pattern: the Teller implementation has a setOracle function (ABI confirmed), so the oracle contract address is admin-swappable at the Teller level. However, within the live oracle contract (GenericNextPriceAggregator) the _reporter address is declared immutable (set at deployment to 0x9fde717a21c5b272B8956d3AA0c3551E1FFd23D7). To replace the reporter, Circle must deploy a new oracle implementation and upgrade the proxy. No timelock on the Teller setOracle call was confirmed. Score: yellow; the oracle address is replaceable (not fully immutable at contract level) but the reporter within the oracle is immutable, and there is no timelock on the oracle swap.

RD-F-054 (n/a) TWAP window duration: USYC does not use a DEX TWAP oracle. Push oracle model with no TWAP window. The factor is structurally inapplicable to issuer-controlled push oracles.

RD-F-055 (n/a) Oracle pool depth (USD): No DEX pool feeds the oracle. The factor measures DEX pool depth for TWAP oracles. Not applicable to an issuer-controlled push oracle.

RD-F-056 (n/a) Single-pool oracle (no medianization): No DEX pool oracle at all. The factor measures single-pool vs medianized oracle for DEX-based oracles. Not applicable to an issuer-controlled push oracle.

RD-F-058 (n/a) Max-deviation threshold (bps): No circuit breaker exists (see RD-F-057 red). The factor requires a circuit breaker to have a threshold to measure. Not applicable.

RD-F-060 (n/a) Chainlink aggregator min/max bound misconfig: USYC does not use Chainlink aggregators as its primary oracle. The NAV oracle is a custom GenericAggregatorProxy (issuer-controlled). Data cache oracle_feeds Chainlink entries are globally scraped and not consumed by USYC (confirmed per profile §7 advisory). The factor is for Chainlink min/max bound misconfig; not applicable.

RD-F-061 (n/a) LP token balanceOf used for pricing: No LP token balanceOf used for pricing. USYC uses an issuer-attested NAV push oracle. The factor measures donation-manipulable LP token pricing; not applicable to this oracle model.

RD-F-181 (n/a) Permissionless-pool lending oracle: USYC is not a lending protocol (protocol_type: rwa; data cache lending_protocol: false). F181 measures whether a lending protocol accepts spot prices from permissionlessly-created DEX pools. PD-042 RWA factor flip: this DeFi-trustless-invariant factor does not apply to an issuer-attested tokenized fund with a push oracle.

RD-F-053 (green) Oracle source = spot DEX pool (no TWAP) [★ CRITICAL]: No spot DEX pool oracle. The USYC NAV oracle (GenericNextPriceAggregator) is an issuer-controlled push oracle where a designated reporter pushes values via transmit(uint256 _answer, uint256 _updatedAt). No slot0(), no getReserves(), no DEX pool dependency. Not manipulable via flash loan. Confirmed via the Etherscan source of the oracle implementation contract.
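RD-F-057 and RD-F-059 above record that neither a deviation guard nor a consumer-side staleness check was confirmed for the NAV feed. The following Python monitor is an added, off-chain example (not code from Circle, Hashnote or the USYC contracts) of the checks an integrator or assessor can run over the (answer, updatedAt) pairs that latestRoundData() exposes: staleness against the once-per-US-business-day cadence noted under RD-F-065, a future-dated timestamp, a NAV that moves down, and a per-update deviation bound. The heartbeat model (9am ET approximated as 13:00 UTC, weekends skipped, no holiday calendar), the 3-hour grace, the 50 bps deviation bound, the 8-decimal answer scale and the rounds themselves are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# All parameters below are assumptions for illustration, not values read from the USYC contracts.
ANSWER_DECIMALS = 8            # assumed scaling of the aggregator answer (NAV * 10**8)
PUBLISH_HOUR_UTC = 13          # 9am ET during daylight time; DST and US holidays are not modelled
GRACE = timedelta(hours=3)     # slack after the expected publish time before a round is called stale
MAX_DEVIATION_BPS = 50         # T-bill NAV moves a few bps per day; 50 bps in one update is an outlier


@dataclass(frozen=True)
class Round:
    answer: int       # NAV scaled by 10**ANSWER_DECIMALS
    updated_at: int   # unix seconds, as latestRoundData() would return


def ts(year: int, month: int, day: int, hour: int = PUBLISH_HOUR_UTC) -> int:
    """Unix timestamp for a UTC wall-clock time (helper for the constructed rounds)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def next_expected_publish(updated_at: int) -> datetime:
    """Next weekday publish slot after the given update (Saturday/Sunday skipped)."""
    last = datetime.fromtimestamp(updated_at, tz=timezone.utc)
    nxt = (last + timedelta(days=1)).replace(hour=PUBLISH_HOUR_UTC, minute=0, second=0, microsecond=0)
    while nxt.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt


def check_round(prev: Optional[Round], cur: Round, now: int) -> List[str]:
    """Flags for one round judged at time `now`: future_timestamp, stale, non_monotonic, deviation."""
    flags: List[str] = []
    now_dt = datetime.fromtimestamp(now, tz=timezone.utc)
    if cur.updated_at > now:
        flags.append("future_timestamp")
    elif now_dt > next_expected_publish(cur.updated_at) + GRACE:
        flags.append("stale")
    if prev is not None:
        if cur.answer < prev.answer:
            flags.append("non_monotonic")
        deviation_bps = abs(cur.answer - prev.answer) * 10_000 // prev.answer
        if deviation_bps > MAX_DEVIATION_BPS:
            flags.append("deviation")
    return flags


def review_feed(rounds: List[Round], now: int) -> List[List[str]]:
    """Judge each round at the moment it was superseded (the latest round against `now`),
    so historical gaps in the feed are reported as well as a currently stale value."""
    out: List[List[str]] = []
    for i, r in enumerate(rounds):
        prev = rounds[i - 1] if i > 0 else None
        at = rounds[i + 1].updated_at if i + 1 < len(rounds) else now
        out.append(check_round(prev, r, at))
    return out


# Constructed feed history (May 2026): Thu, Fri, Mon, then Tuesday is skipped, then a 140 bps jump.
CONSTRUCTED_ROUNDS = [
    Round(106_500_000, ts(2026, 5, 14)),   # Thursday,  NAV 1.0650
    Round(106_510_000, ts(2026, 5, 15)),   # Friday,    1.0651
    Round(106_530_000, ts(2026, 5, 18)),   # Monday,    1.0653 (weekend gap is expected)
    Round(106_540_000, ts(2026, 5, 20)),   # Wednesday, 1.0654 (Tuesday missed -> Monday round went stale)
    Round(108_000_000, ts(2026, 5, 21)),   # Thursday,  1.0800 (implausible jump for a T-bill fund)
]
NOW = ts(2026, 5, 22, 17)                  # Friday 17:00 UTC, no Friday round received yet

if __name__ == "__main__":
    for r, flags in zip(CONSTRUCTED_ROUNDS, review_feed(CONSTRUCTED_ROUNDS, NOW)):
        print(datetime.fromtimestamp(r.updated_at, tz=timezone.utc).date(), r.answer, flags or "ok")
```

The weekday rule knows nothing about US market holidays, so a Friday-to-Tuesday gap over a holiday would also be reported as stale; a production monitor would carry a holiday calendar and would alert before acting on the flagged value, since the Teller itself (per RD-F-059) has no confirmed guard of its own.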

Economic risk: Yellow · 22 · 13 of 13
RD-F-064 (yellow) TVL concentration (top-10 wallet share): No on-chain top-10 holder percentage obtainable from public sources (BSCScan/Etherscan holder lists require JS rendering). Structural analysis indicates high concentration risk: 96.19% of TVL is on BSC; Venus Protocol (BSC Compound fork, $1.6B+ TVL) is known to integrate USYC as collateral per the Circle BNB Chain blog. A single DeFi consumer exit or liquidation cascade could trigger concentrated simultaneous redemptions that test intraday settlement capacity. Scored yellow on structural grounds; exact percentage not verified.

RD-F-065 (yellow) Liquidity depth per major asset: The primary exit is direct redemption via the Circle Teller contract into USDC; near-real-time (T+0) under instant-redemption capacity, T+1 above capacity. No public disclosure of the capacity threshold. Redemption fee: 0.03%. The oracle updates once daily on US business days at 9am ET only; after-hours and weekend redemptions face stale-price or next-day settlement. Secondary market effectively zero: CoinGecko reports $112K/24h trading volume vs $2.97B market cap, with trading halted on all listed venues 16 days before the assessment date. The single-exit-route-only structure creates liquidity risk in any scenario where the Teller is paused, USDC is disrupted, or redemption volume exceeds T-bill settlement capacity. Scored yellow: the primary redemption mechanism is sound under ordinary conditions but fragile under stress (holiday weekend + large simultaneous redemptions + Teller pause).

RD-F-066 (n/a) Utilization rate (lending protocols): USYC is a tokenized money-market fund token, not a lending protocol. No borrow market exists. Data cache confirms borrow.present: false. PD-024: lending-only factor.

RD-F-067 (n/a) Historical bad-debt events: No lending market means no bad-debt mechanism. PD-024: lending-only factor. USYC has no lending positions, no liquidations, and no socialized-loss mechanism.

RD-F-068 (n/a) Collateralization under stress: USYC is not a CDP or lending protocol. No collateral/loan positions exist. The fund holds T-bills in segregated prime brokerage accounts; token holders have a beneficial interest in the fund, not a collateralized borrow position. PD-024: lending-only factor.

RD-F-069 (n/a) Algorithmic / under-collateralized stablecoin: USYC is not a stablecoin. It is a NAV-appreciating tokenized money-market fund. The token price rises monotonically from ~$1.00 at issuance, currently ~$1.12, as T-bill yield accrues. No algorithmic mechanism; backed 1:1 by segregated prime brokerage assets (US Treasury Bills and reverse repo). PD-024: not a stablecoin design factor.

RD-F-070 (n/a) Empty cToken-style market (zero supply/borrow): RD-F-070 is Compound-fork-only per the PD-024 taxonomy note. USYC is a permissioned tokenized money-market fund token, not a Compound V2 fork. There are no cToken-style markets, no totalSupply/totalBorrow slots, no donation-attack surface, and no share-based vault accounting. The process-learnings BUIDL precedent (line ~691) explicitly confirms F070 not_applicable for permissioned RWA tokens.

RD-F-071 (n/a) Seed-deposit requirement for new market listing: No market-listing process exists in USYC. Subscriptions are individual investor onboardings via the KYC-gated Teller contract; there is no concept of listing a new market with a seed-deposit requirement. PD-024: lending-only factor.

RD-F-072 (n/a) Market-listing governance threshold: No permissionless or governance-controlled market listings in USYC. The fund has a single asset class (US T-bills and reverse repo); there is no mechanism for listing new collateral markets. PD-024: lending-only factor.

RD-F-073 (n/a) Oracle-manipulation-proof borrow cap: No borrow market exists; no borrow cap to manipulate. PD-024: lending-only factor.

RD-F-074 (n/a) ERC-4626 virtual-share offset (OZ ≥4.9): USYC is not an ERC-4626 vault. It is a plain ERC-20 (Ethereum) / BEP-20 (BSC) token with NAV-based pricing updated daily via a dedicated oracle contract. No share-calculation formula of the ERC-4626 type exists; token supply is managed by a permissioned Teller contract that mints/burns at the current NAV price. The virtual-share-offset anti-inflation mechanism is not applicable to this architecture.

RD-F-075 (n/a) First-depositor / share-inflation guard: USYC is not a share-based vault. Minting requires passing KYC/OFAC screening via the RolesAuthority/Entitlements contract and goes through the Teller at the current NAV price. No first-depositor share-inflation attack surface exists by construction: the permissioned minting mechanism ensures no attacker can be the first depositor in an empty-vault context. PD-024: lending-only; also not an ERC-4626 vault pattern.

RD-F-063 (green) TVL (current + 30d trend): TVL $2,974,735,589 as of 2026-05-15 (DefiLlama API). 30-day change +5.57%. 1-day change -0.24%. 90-day CoV 0.183 (mean $2.47B, std $453M), reflecting a rapid but consistent growth ramp from ~$1.87B in Jan 2026 to ~$2.97B in May 2026, an all-time high at the assessment date. No TVL cliff or sudden withdrawal pattern visible.

Operational history: Green · 15 · 15 of 15
RD-F-089 (red) Insurance coverage active: No active on-chain insurance coverage identified on Nexus Mutual, Unslashed, Sherlock, or equivalent. Data cache bug_bounty.platform: null and max_payout_usd: null. No Immunefi or equivalent program found. TVL at assessment: $2.97B. Near-default red for large protocols without on-chain smart-contract cover. Off-chain fund-level insurance (custody, prime broker) is likely but is not equivalent to on-chain smart-contract cover under the factor definition.

RD-F-084 (yellow) TVL stability (CoV over 90d): Data cache TVL CoV (90-day window 2026-02-16 to 2026-05-15): CoV = 0.183, mean = $2.47B, std = $452.8M. Threshold: green < 0.15; yellow 0.15-0.35; red > 0.35. CoV 0.183 falls in the yellow band. The elevated CoV is driven by strong upward TVL growth from the BSC deployment ramp (near $0 to $2.86B since Nov 2025), not by operational instability or distress.

RD-F-081 (n/a) Post-exploit response score: No prior incidents exist. The factor measures curator-scored response quality for the most recent incident. With zero incidents the trigger condition is absent. Not_applicable (structural absence of trigger, not a data gap).

RD-F-082 (n/a) Post-mortem published within 30 days: No prior incidents exist. The factor measures whether a post-mortem was published within 30 days of the most recent incident. With zero incidents there is no post-mortem trigger. Not_applicable.

RD-F-083 (n/a) Auditor re-engaged after last exploit: No prior incidents exist. The factor measures whether a reputable auditor re-engaged after the most recent exploit. With zero incidents the trigger condition is absent. Not_applicable.

RD-F-085 (n/a) Incident response time (minutes): No prior incidents exist. The factor measures minutes from the exploit's first tx to the first official team statement on the most recent incident. With zero incidents the trigger condition is absent. Not_applicable.

RD-F-086 (gray) Pause activations (trailing 12 months): On-chain Paused/Unpaused event enumeration on the Ethereum Entitlements/RolesAuthority (0x902D906b8d988092213bE799B18Bd2cbd64F808C) and BSC Entitlements (0x6B7d54003f73bE979cf92BF369432aC534853692) was not completed within the assessment scope. The data cache does not surface pause events. No public reports of a USYC freeze. Scored gray (not assessed) rather than assuming green.

RD-F-087 (gray) Pause > 7 consecutive days: Derived from F086: the pause event log was not enumerated. Cannot confirm the absence of a pause exceeding 7 consecutive days. Scored gray.

RD-F-076 (green) Protocol age (days): First mainnet deploy 2023-05-31 (Ethereum USYC ERC-20 token 0x136471a34f6ef19fE571EFFC1CA711fdb8E49f2b). Assessment date 2026-05-16. Age approximately 1,081 days (~36 months). Threshold: green >= 365 days. The protocol exceeds the A-grade floor.

RD-F-077 (green) Prior exploit count: Zero incidents found. A hacks-database grep (23 batches, case-insensitive circle/usyc/hashnote) returned 8 files, all confirmed false-positive collisions with Circle USDC/CCTP, none affecting USYC or Hashnote. Data cache hacks: []. Rekt incidents: []. Two targeted web searches returned no USYC/Hashnote incident reports. Count: 0.

RD-F-078 (green) Chronic-exploit flag (≥3 incidents): Derived from RD-F-077: 0 incidents. The chronic flag (>=3 incidents) does not fire. Boolean: false.

RD-F-079 (green) Same-root-cause repeat exploit: Derived from RD-F-077: 0 incidents. The same-root-cause repeat exploit flag cannot fire with zero incidents. Boolean: false.

RD-F-080 (green) Days since last exploit: No incidents on record. Days since last exploit: not applicable (no exploit has ever occurred). Threshold: green = >365 days or no incidents. The protocol has no recorded incident since the May 2023 deploy.

RD-F-088 (green) Re-deployed to new addresses in last year: Profile section 3 confirms stable contract addresses across all chains. The Ethereum USYC token proxy 0x136471a34f6ef19fE571EFFC1CA711fdb8E49f2b is unchanged since 2023-05-31. The BSC (Nov 2025) and Solana (Oct 2025) deployments are additive new-chain launches, not address-replacing redeployments of existing functionality. No retirement of prior contract sets identified. Threshold: green = no redeployment replacing existing contracts in the last 12 months.

RD-F-166 (green) Deprecated contracts still holding value: No contracts have been officially deprecated by Circle or Hashnote for USYC. The USYC smart-contracts documentation lists active mainnet contracts only. Profile section 3 enumerates all known contracts across Ethereum, BSC, Solana, and Noble; none is flagged as deprecated. No deprecation announcements found in Circle blog posts or press releases. Threshold: green = no deprecated contracts holding value.
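RD-F-084 above scores TVL stability on a 90-day coefficient of variation with bands green < 0.15, yellow 0.15-0.35 and red > 0.35, and attributes the 0.183 to a growth ramp rather than instability; RD-F-076 derives the protocol age from the 2023-05-31 deploy. The following Python is an added example (not the assessment's own scoring tool) that reproduces the banding and the age arithmetic on two constructed 90-day series: a smooth ramp and a choppy flat series that land in the same CoV band, with the largest day-over-day move as the figure that tells them apart. The series values and the helper names are constructed for the illustration; only the thresholds and the two dates come from the assessment.

```python
import statistics
from datetime import date
from typing import Dict, List


def coefficient_of_variation(series: List[float]) -> float:
    """Population standard deviation divided by the mean over the window."""
    if len(series) < 2 or statistics.fmean(series) <= 0:
        raise ValueError("need at least two positive observations")
    return statistics.pstdev(series) / statistics.fmean(series)


def cov_band(cov: float) -> str:
    """Bands as stated in RD-F-084: green < 0.15, yellow 0.15-0.35 (inclusive), red > 0.35."""
    if cov < 0.15:
        return "green"
    if cov <= 0.35:
        return "yellow"
    return "red"


def max_daily_move(series: List[float]) -> float:
    """Largest absolute day-over-day relative change. A steady ramp keeps this small;
    inflow/outflow shocks make it large even when the CoV band is the same."""
    return max(abs(b - a) / a for a, b in zip(series, series[1:]))


def score_tvl_stability(series: List[float]) -> Dict[str, object]:
    cov = coefficient_of_variation(series)
    return {
        "cov": round(cov, 4),
        "band": cov_band(cov),
        "max_daily_move": round(max_daily_move(series), 4),
    }


def protocol_age_days(first_deploy: date, assessed: date) -> int:
    return (assessed - first_deploy).days


def usyc_age_days() -> int:
    """Age on the dates given in RD-F-076 (first deploy 2023-05-31, assessed 2026-05-16)."""
    return protocol_age_days(date(2023, 5, 31), date(2026, 5, 16))


# Constructed 90-day series in USD: a smooth ramp from 1.00B to 2.78B (+20M per day) ...
RAMP = [1_000_000_000 + 20_000_000 * i for i in range(90)]
# ... and a flat-but-choppy series alternating between 1.50B and 2.25B every day.
CHOPPY = [1_500_000_000 if i % 2 == 0 else 2_250_000_000 for i in range(90)]

if __name__ == "__main__":
    print("ramp:  ", score_tvl_stability(RAMP))
    print("choppy:", score_tvl_stability(CHOPPY))
    print("USYC age (days):", usyc_age_days())
```

Both constructed series score yellow (the ramp at a CoV near 0.275, the choppy series at 0.20), yet the ramp never moves more than 2% in a day while the choppy series swings 50%. That is why RD-F-084 reads the band together with the shape of the curve rather than taking the CoV alone as evidence of distress.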

Real-time signals: Green · 8 · 22 of 22
RD-F-102 yellow Admin/upgrade transaction in mempool T-09 v1 phase-2 deferred; tier-B. Signal is applicable and structurally elevated. EOA 0xb2b98e8... holds upgrade authority on the USYC Ethereum token proxy (9 upgrades, last 2025-12-09), Teller proxy, RolesAuthorityProxy, and BSC USYC proxy. No timelock exists on any proxy. The T-09 suppression rule (matching queued governance proposal in the preceding 48h) cannot engage because there is no governance queue for USYC - every upgrade tx will appear unsuppressed. Signal WOULD fire on the next upgrade tx. No upgrade tx detected since 2025-12-09 (5+ months ago). Structural posture: elevated because the suppression mechanism is unavailable.
RD-F-090 gray Mixer withdrawal → protocol interaction T-09 phase-2 deferred; tier-C advisory only. USYC's Entitlements OFAC oracle (Chainalysis) screens all token interactions for sanctioned addresses at the protocol level. Tornado Cash OFAC sanctions were lifted 2025-03-21, so the formerly clear-cut exclusion is now in flux. No mixer-funded wallet interaction with USYC observed via public OSINT. Deployer EOA 0xb2b98e8... shows no mixing-service history on Etherscan. Licensed wallet-clustering feed (Chainalysis/TRM) required for definitive assessment.
RD-F-091 n/a Partial-drain test transactions USYC is a permissioned ERC-20/BEP-20 with Entitlements access control requiring all interacting addresses to pass KYC and OFAC oracle screening. Unauthorized partial drains (the trigger condition for this signal) cannot occur without first compromising the admin EOA or bypassing the Entitlements oracle. The classic small-test-tx-before-large-drain pattern requires a permissionless attack surface that does not exist for USYC.
RD-F-092 gray Unusual mempool pattern from deployer wallet T-09 v2 deferred. Deployer EOA 0xb2b98e8... is the active upgrade authority on all EIP-1967 proxies. BscScan shows routine SetMinterAllow operations by admin EOA 0xDbE01f447040f78ccbc8dfd101bec1a2c21f800d within the last 23-110 days - normal operational activity. No unusual deployment burst or anomalous approval sequence identified. Mempool monitoring infrastructure required for production deployment of this signal.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet USYC has no permissionless on-chain state that can be manipulated via gas-price racing. All meaningful state changes (minting, burning, upgrading, allowlist modifications) require admin or whitelisted-caller access controlled by the Entitlements/RolesAuthority system. An attacker cannot leverage gas-price priority to front-run or exploit USYC functions.
RD-F-094 n/a New contract with similar bytecode to exploit template USYC's permissioned architecture means a deployed similar-bytecode attack contract would be blocked by the Entitlements access control before it could interact with any meaningful protocol state. No open permissionless function surfaces exist for exploit-template contracts to target. The signal requires an exploitable permissionless attack surface which USYC structurally lacks.
RD-F-095 n/a Known-exploit function-selector replay Selector replay requires that the same call with the same parameters produces the same exploit result. USYC's Entitlements system requires all callers to be in the allowlist or hold the admin role. Replaying a selector from a non-whitelisted address reverts on the Entitlements check regardless of selector pattern.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale Signal is user-level behavior monitoring (whale approval to unverified contract). USYC cannot be deposited into arbitrary unverified contracts - the Entitlements system blocks transfers to non-whitelisted recipient addresses. A USYC holder cannot grant a meaningful approval to an unverified contract because any resulting transfer would fail the Entitlements check.
RD-F-097 n/a Sybil surge of identical-pattern transactions USYC requires KYC/OFAC onboarding for every interacting address through the RolesAuthorityProxy. A sybil actor cannot create multiple identical-pattern addresses interacting with USYC without completing individual KYC for each address. The onboarding friction structurally prevents sybil-style identical-pattern transaction creation.
RD-F-099 gray Oracle price deviation >X% from secondary T-09 v1 phase-2 deferred; tier-B. USYC NAV oracle at 0x74f2199AEb743f68f05943e5715A33EaF2b61f53 (Ethereum) provides on-chain fund NAV (~$1.065/token). No secondary oracle for comparison has been mapped. The USYC oracle tracks fund NAV, not a spot price - standard oracle-deviation signal applicability differs from the lending-protocol use case. Phase-2 secondary oracle mapping work required. No deviation observed from public OSINT.
RD-F-100 n/a Flash loan >$10M targeting protocol tokens USYC has no permissionless DeFi interaction surface. The Teller contract for subscription/redemption is whitelisted-caller only. Flash loans cannot interact with USYC core functions. No flash-loan-exploitable oracle or governance system exists. The signal requires a permissionless protocol surface enabling flash-loan-receiver interaction with protocol core contracts.
RD-F-101 n/a Large governance proposal queued No on-chain governor contract exists for USYC. USYC governance is corporate (Circle International Bermuda Ltd, regulated by BMA). No Snapshot space, no governor contract, no proposal queue. Data cache confirms: governor_address: null, snapshot_space: null. The RD-F-101 signal requires a ProposalCreated/ProposalQueued event source, which does not exist for this protocol.
RD-F-103 n/a Bridge signer-set change proposed/executed Circle's Cross Chain Teller is a proprietary issuer-controlled mechanism, not a public validator-set bridge. There is no Guardian set, no LayerZero DVN, no Wormhole-style signer set. The Cross Chain Teller for Ethereum-BSC coordination does not have a public signer registry matchable to the SignerAdded/SignerRemoved event pattern that RD-F-103 targets. The profile confirms this is NOT LayerZero (layerzero.present: false) and NOT CCTP.
RD-F-105 gray DNS/CDN/frontend hash drift T-09 v1 phase-2 deferred; tier-A. Signal is applicable - official domains are circle.com/usyc, usyc.hashnote.com, usyc.docs.hashnote.com, developers.circle.com. Circle operates status.circle.com. No monitoring baseline hash established. No public reports of DNS anomaly or frontend compromise for Circle USYC domains in 2023-2026 OSINT. Circle is a regulated entity filing for a NYSE IPO, which suggests mature DNS hygiene, but no independent verification was performed.
RD-F-106 gray Cross-chain bridge unverified mint pattern T-09 v2 deferred. Circle's proprietary Cross Chain Teller for Ethereum-BSC does not fit standard bridge-signal monitoring (validator proof, deposit/mint event pairing). A fraudulent mint on BSC without a corresponding Ethereum lock would require compromising the Circle-controlled teller authority EOA rather than forging a bridge proof. Signal requires a custom teller-specific monitoring extension not yet built. No cross-chain anomaly observed.
RD-F-107 gray Admin EOA signing from new geography/device T-09 v2 deferred; M-only factor requiring off-chain signing telemetry. Admin EOA 0xb2b98e8... geography/device signing pattern is not assessable from public OSINT. No public telemetry service tracks EOA signing geography. No anomaly observed from public Etherscan/BscScan transaction history. This is structurally a manual curator-only factor.
RD-F-108 gray GitHub force-push to sensitive branch T-09 v2 deferred. USYC contract source repo not publicly identified. The circlefin GitHub org has 87 public repos but none identified as USYC production contract source. GitHub push monitoring for USYC production contracts cannot be established without knowing the source repo. Closed-source nature confirmed: no public GitHub repo for USYC contracts found (profile section 9 confirms this gap).
RD-F-109 gray Social-media impersonation scam spike T-09 v2 deferred. Signal applicable - Circle is a high-recognition brand; @circle on X/Twitter has a significant institutional following. USYC as a $2.97B product with institutional appeal is a prime target for impersonation. No USYC-specific Discord or Telegram identified (per profile section 9). No active scam spike observed in OSINT. Circle brand maturity provides some defensive posture. Social monitoring infrastructure required for production. Curator social watchlist assessment not available.
RD-F-110 n/a Unusual pending/executed proposal ratio No on-chain governance mechanism exists for USYC. No governor contract, no Snapshot space, no proposal stream. The pending/executed proposal ratio signal requires a governor contract as its data source. Profile confirms: governor_address: null; snapshot_space: null.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch; tier-A signal. TVL is at ATH $2.97B. 30-day mean approximately $2.47B (profile 90d CoV data: mean $2.47B, std $453M for 2026-02-16 to 2026-05-15). TVL_now/TVL_30d_median approximately 1.20 - well above the 0.70 threshold. 1-day change -0.24% (routine). 96.19% of TVL on BSC ($2.86B), 3.71% on Ethereum ($110M). No TVL anomaly condition met. Signal infrastructure is applicable to this protocol given DefiLlama tracking. Suppression note: USYC redemption flows are institutional and may produce scheduled large outflows - pre-announcement suppression rule would need to account for fund redemption notices.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue T-09 v1 launch; tier-B. USYC uses USDC as subscription/redemption currency via Teller contracts. USDC is at peg ($1.00) as of assessment date. A USDC depeg >2% would disrupt redemption mechanics but would not affect the fund's underlying asset backing (T-Bills and reverse repos). Primary signal condition (depeg >2% sustained 30 min AND protocol exposure >5% TVL) not met. USDC at peg, no depeg event ongoing.
RD-F-182 green Security-Council threshold reduction (RT) T-09 v1.1 candidate (not yet in v1 production shortlist); Cat 6B batch-24. Signal analogous to a Security Council threshold-reduction applies to USYC via the Entitlements/RolesAuthorityProxy permission system. No multisig exists to have its threshold reduced - admin is already an EOA (worst-case baseline). Most recent relevant upgrades: Ethereum USYC proxy last upgraded 2025-12-09; RolesAuthorityProxy last upgraded 2025-11-20. No recent permission-weakening events (both 5+ months ago). No new threshold-reduction, timelock-removal, or signer-addition event observed. Structural note: monitoring architecture must extend to cover RolesAuthority permission-change events directly for this protocol type, as there is no SC multisig to track threshold changes on.
Dev identity & insider risk Green 6 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer No ENS or NameStone identity is bound to deployer EOA 0xb2b98e8672d4aad438f6ffec581cfe6f745496ff. Etherscan displays the address with the 'Hashnote: Deployer' label (Etherscan's own system label, not an on-chain ENS binding). For a fully-doxxed corporate entity this is not an identity-risk concern, but the factor definition requires checking the ENS binding specifically. Factor is yellow because the deployer lacks an ENS name - the mitigation is that identity is established through many other verifiable means.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion 9 EIP-1967 proxy upgrades confirmed on the Ethereum USYC token contract (0x136471a34f6ef19fE571EFFC1CA711fdb8E49f2b) since May 2023, most recent 2025-12-09. Similar upgrades on RolesAuthorityProxy (last upgrade 2025-11-20). No public governance forum, Snapshot, DAO, or GitHub issue/PR exists for USYC. All upgrades executed by the deployer EOA without observable public preceding discussion. Per PD-042 RWA context: absence of public discussion is structurally expected for a corporate-governed regulated issuer, not an anomaly. No insider-implant signal pattern observed (no suspicious rapid change/reverse, no malicious ACL narrowing). Scored yellow not red because: (1) Circle is a NYSE-listed regulated entity with BMA oversight and fiduciary duties; (2) no suspicious timing/pattern visible; (3) the RWA corporate governance model makes DAO-norm comparison inappropriate per PD-042.
RD-F-116 gray Contributor tenure at admin-permissioned PR No public USYC GitHub repository exists in the circlefin org (87 public repos reviewed; none are USYC contract source). Contributor tenure for admin-permissioned code changes cannot be assessed at OSINT tier. Internal corporate HR governance (employment tenure, code review processes) presumably governs this but is not externally verifiable.
RD-F-119 gray Commit timezone consistent with stated geography No public USYC-specific GitHub repository exists; commit-hour timezone analysis is not possible for the USYC codebase. circlefin public repos show typical US business-hours commit patterns consistent with Circle's San Francisco/Miami headquartered teams. The DPRK-implant timezone anomaly flag cannot be triggered on closed-source corporate repos.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Cannot be meaningfully assessed at OSINT tier. Circle and Hashnote operate with off-chain payroll (traditional employment). No on-chain payment streams to contributor wallets have been identified. Per process-learnings dev-identity-analyst FAILED guidance: F122 is not assessable for companies with off-chain payroll. No on-chain evidence of any DPRK routing found incidentally.
RD-F-184 gray Real-capital social-engineering persona No on-chain evidence of a real-capital social-engineering persona (>=1M deposits) to USYC or peer protocols for credibility-building. USYC is a permissioned KYC-gated product (non-US persons, OFAC-screened), reducing the permissionless persona build-up attack surface compared to open DeFi protocols. Per process-learnings dev-identity-analyst SAVE-TIME-NEXT-TIME: F184 is gray + Drift comparator noted. The Drift comparator pattern (UNC4736 real-capital >$1M 6-month conference/persona build-up before Solana durable-nonce pre-signing, Apr 2026) is the reference class; no equivalent on-chain evidence exists for USYC. Absence cannot be definitively proven for a curator-only M factor.
RD-F-111 green Team doxx status All named Hashnote founders (Leo Mizuhara, David Shapiro, Alex Walchli) are real-name doxxed with verified multi-year TradFi and institutional-tech careers. Leo Mizuhara: 12 yrs Bank of America (MD), 5 yrs DRW FICC Systematic Trading, now VP Product at Circle post-acquisition. David Shapiro: CTO Scout Security (ASX IPO), VP Eng Latch Inc (NASDAQ IPO). Alex Walchli: Director of Engineering ZeroHash. Circle parent exec team (Allaire, Disparte, Chandhok, Tarbert) fully disclosed in NYSE IPO S-1. Highest pseudonymity tier: real-name with institutional track record.
RD-F-112 green Team public accountability surface Leo Mizuhara has multiple independent verifiable public trails: Bloomberg profile, AIMA member profile, LinkedIn (former DRW/BofA, current Circle VP Product), Blockworks contributor, NFT Paris 2024 speaker, CopperCasts podcast (Ep052 2024), Security Token Show video interview (Jan 2025), FINTECH.TV interview. David Shapiro: Equilar ExecAtlas, Rootdata, co-founder track record at two publicly-listed companies. Alex Walchli: ZeroHash Director of Engineering. Count of verifiable public trails per member: Leo 7+, David 4+, Alex 3+.
RD-F-113 green Team other-protocol involvement history No prior DeFi protocol involvement by any named founder. All prior roles are in TradFi (BofA, DRW trading desk), regulated IoT hardware (Scout Security), enterprise SaaS (Latch), and regulated crypto infrastructure (ZeroHash). No prior rugged DeFi protocol affiliations. REKT news and hacksdatabase return zero results for any named founder or deployer address.
RD-F-114 green Deployer address prior on-chain history Deployer EOA 0xb2b98e8672d4aad438f6ffec581cfe6f745496ff shows 324 outgoing transactions, all USYC-protocol-specific: YieldTokenAggregator deployments, CrossChainTeller deployments, SetTreasury, SetFees, SetLimits, SetUserRole admin operations. No contracts deployed on other protocols. No prior-rug-class deployment patterns. Categorical finding: normal-dev-history for a dedicated corporate deployer.
RD-F-115 green Prior rug/exit-scam affiliation Targeted web search for 'Hashnote rug pull exit scam fraud' returns no results. hacksdatabase has no Hashnote or USYC entry. All named team members have clean institutional employer histories. Circle (acquirer) is NYSE-listed regulated entity. No rug-class OSINT evidence found.
RD-F-118 green Handle reuse across failed/rugged projects No social handle reuse across failed or rugged projects found for any team member. Leo Mizuhara's public presence (Twitter, LinkedIn, conference profiles) is consistently tied to Hashnote/Circle identity. David Shapiro and Alex Walchli have no prior DeFi-protocol alias associations identified in OSINT.
RD-F-120 green Video-off/voice-consistency flag Leo Mizuhara has conducted multiple verified on-camera public appearances: Security Token Show video interview (YouTube, Jan 2025) discussing Circle acquisition; FINTECH.TV video interview; CopperCasts podcast Ep052 (2024) with voice/identity confirmed; in-person Digital Asset Summit 2024 panel appearance with named co-panelists (Strijers/Deribit, Roberts/Copper, Kermsky/Cumberland). No video-off or voice-inconsistency flags.
RD-F-121 green Contributor OSINT depth score Curator OSINT depth score: Leo Mizuhara 5/5 (Bloomberg, AIMA, LinkedIn, Blockworks contributor, NFT Paris speaker, multiple podcast appearances, Crunchbase founder profile, Asia Web3 Alliance); David Shapiro 4/5 (Equilar ExecAtlas, Rootdata, IPO company CTO track record); Alex Walchli 3/5 (LinkedIn, prior Director of Engineering at regulated ZeroHash). Average 4/5, which is above the green threshold.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer EOA funded by a single 1.3 ETH transfer from 0xD8Fe1aC0aa13E6D83116aB0107a34787fC3e96Be on 2023-05-31 (same day as first deployment). Funder address carries no Etherscan label (not mixer-tagged, not exchange-tagged). No Tornado Cash or Railgun interactions found in deployer transaction history (324 outgoing txns reviewed across 7 pages). 30-day pre-deploy window contains only this one funding event with no mixer activity. Institutional context (Cumberland Labs $5M incubation, DRW backing, Leo Mizuhara from DRW) makes mixer-funded origin implausible; no evidence supports mixer origin.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK or Lazarus cluster proximity found at any hop distance. Targeted search across OFAC SDN list, Chainalysis published DPRK reports (March 2026 OFAC IT workers update, April 2023 designations, Axie/Ronin reports), and US Treasury press releases: zero hits for Hashnote, USYC, Circle, Leo Mizuhara, David Shapiro, Alex Walchli, or deployer address 0xb2b98e8672d4aad438f6ffec581cfe6f745496ff. All team members have fully traceable traditional-finance identities (BofA, DRW, Scout Security, Latch, ZeroHash) inconsistent with DPRK implant profiles. Circle is NYSE-listed (CRCL) with full SEC disclosure. No rubric-level F-downgrade applies.
Fork / dependency lineage Gray 0 10 of 10
RD-F-126 n/a Is-a-fork-of USYC is not a fork. Original purpose-built implementation by Hashnote/Circle engineers. No upstream DeFi protocol parent identified. The Entitlements + RolesAuthority architecture has no correspondence to any standard DeFi protocol pattern.
RD-F-127 n/a Upstream patch not merged No upstream fork parent exists. Factor measures whether upstream published a patch not merged into this fork; inapplicable for an original implementation.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork parent. Factor measures upstream vulnerability disclosures affecting this fork in the last 90 days; inapplicable for an original implementation.
RD-F-129 n/a Code divergence from upstream (%) No upstream to diff against. Factor measures % lines changed from stated upstream at fork point; inapplicable for an original implementation with no fork parent.
RD-F-130 n/a Fork depth (generations from original audit) Fork depth is 0 (original implementation, not a fork). Factor measures number of fork hops from an originally-audited protocol. USYC is the original; not applicable.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork — no upstream audit to inherit or extend. Factor measures whether the fork retains upstream audit coverage; inapplicable.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork. Factor measures whether the fork has different economic parameters than upstream audited defaults, creating an audit gap; inapplicable for an original implementation.
RD-F-133 n/a Dependency manifest uses unpinned versions No public GitHub repo for USYC contracts (circlefin org has 87 repos, none USYC-specific). Data cache confirms github.repo_url null and foundry_toml_present false. The Cat 8 framing for this factor is fork-lineage dependency pinning; USYC is an original protocol with no public repo, making the factor not applicable in the fork-lineage sense.
RD-F-134 n/a Dependency had malicious-release incident (last 90d) Not a fork. Factor measures whether a fork-lineage npm/PyPI/crates.io dependency had a malicious release in the last 90 days; inapplicable for an original implementation without fork lineage.
RD-F-135 gray Shared-library version with known-vuln status USYC contracts use OpenZeppelin Initializable, UUPS upgradeable, and EIP-1967 proxy primitives — genuine shared-library dependencies. No public repo to inspect exact OZ version pinning (foundry_toml_present false; github.repo_url null). Cannot assess OZ version or CVE status without repo access. Gray — not truly not_applicable since OZ is a real dependency, but not assessable without the repo.
Post-deploy hygiene & change mgmt Yellow 33 13 of 13
RD-F-139 red Post-audit code changes without re-audit [CRITICAL] No public audit report with firm name, date, or URL found. Docs claim the contracts are externally audited but name no firm. 9 Ethereum upgrades (most recent Dec 2025), plus the BSC deployment (Nov 2025) and Teller (Nov 2025), all lack verifiable corresponding audit artifacts. Etherscan shows 'No Contract Security Audit Submitted' on the implementation. DefiLlama audits: [].
RD-F-143 red Reinitializable implementation (no _disableInitializers) [CRITICAL] RolesAuthority implementation (0xb59B1568 on ETH, 0x8Cadc832 on BSC) does not call _disableInitializers() in its constructor per Etherscan source analysis. BSC implementation 0x191Fb6f3 also lacks this call per BscScan source review. Both are UUPS-upgradeable implementations backing $2.97B TVL. If the implementation addresses can be reinitialized, an attacker who gains the owner position can take over access control.
RD-F-141 yellow Test-mode parameters in deploy Constructor arguments show legitimate production initialization. However, the BSC proxy constructor initializes admin as the deployer EOA, consistent with a test-mode admin=deployer pattern that was never transferred. No test oracle or infinite allowance detected in the ABI.
RD-F-142 yellow Storage-layout collision risk across upgrades Cannot fully assess - no public repo for OZ upgrades plugin analysis. 9 upgrades on the Ethereum proxy without any public storage-layout audit documentation. UUPS pattern used, which requires careful storage-layout management across upgrades.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant Teller source includes setLimits(), which may implement per-window deposit/withdrawal rate limits. The BSC chain has a theoretical validator-set emergency-pause capability. No publicly documented protocol-level rate limiter found. Partial positive mitigant noted, but protocol-level implementation cannot be confirmed without public source or docs.
RD-F-136 gray Deployed bytecode matches signed release tag No public GitHub repo found for USYC contracts. The circlefin org has 87 public repos; none are USYC contract source. Reproducibility from a signed release tag cannot be verified.
RD-F-140 gray Fix-merged-but-not-deployed gap Cannot assess - no public GitHub repo to check for merged-but-not-deployed fixes.
RD-F-145 gray Deployed bytecode reproducibility Cannot verify reproducibility - no public GitHub repo with build toolchain configuration.
RD-F-168 n/a Stale-approval exposure on deprecated router Not applicable - no deprecated routers or contracts identified. All USYC contracts appear live and active. No predecessor protocol version exists.
RD-F-137 green Upgrade frequency (per 90 days) 9 upgrades over 36 months on Ethereum USYC = approximately 1 upgrade per 4 months. BSC proxy has no upgrades since Nov 2025 deployment. In the last 90 days: 0 upgrades on either chain.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No upgrades in last 30 days (last upgrade Dec 2025, ~5 months ago). All historical upgrades were hot-patches by construction (no timelock), but none occurred in the 30-day window.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory usage in USYC deployment pattern. Standard deployer-EOA contract creation used across all contracts.
RD-F-146 green New contract deploys in last 30 days No new contract deploys identified in the last 30 days. Last major deployments were BSC contracts (Nov 2025, ~180 days ago) and Teller (Nov 2025).
Cross-chain & bridge Green 11 12 of 12
RD-F-153 yellow Bridge tracks nonce-consumed mapping CCTP itself implements replay protection at the attestation layer (Circle's infrastructure tracks message consumption server-side). The CrossChainTeller relies on CCTP's replay protection rather than implementing an independent on-chain nonce-consumed mapping. No independent nonce map visible in CrossChainTeller source. Yellow: replay protection exists via the CCTP infrastructure layer, but the Teller contract itself does not independently track nonces, creating a dependency on Circle's off-chain infrastructure for this guarantee.
RD-F-148 n/a Bridge validator count (M) Taxonomy mismatch: CCTP attestation is performed by Circle's own infrastructure - no independent validator set with a countable M. Circle is effectively the sole attesting entity. Factor assumes an independent-validator-set architecture (e.g., Wormhole guardians, Axelar validators) which does not exist in CCTP. The equivalent validator count is 1 (Circle). Not_applicable; underlying single-issuer concentration risk assessed in Cat 2.
RD-F-149 n/a Bridge validator threshold (k-of-M) Taxonomy mismatch: no k-of-M signer threshold in CCTP. Circle attestation is binary (Circle attests or does not). Factor assumes an independent validator set with threshold configuration. Not applicable.
RD-F-150 n/a Bridge validator co-hosting Taxonomy mismatch: no independent validator set to assess co-hosting for. Circle attestation infrastructure is by definition single-entity. Co-hosting assessment requires multiple independent validators. Not applicable.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] Taxonomy mismatch: CrossChainTeller uses Circle CCTP attestation for message validation, not ecrecover. Source inspection of both Ethereum and BSC CrossChainTeller contracts confirmed no ecrecover usage for bridge message validation. CCTP processes message attestations through Circle's infrastructure (redeemComplete(message, attestation)). The Wormhole-class ecrecover-zero-address vulnerability pattern is structurally absent. Not_applicable.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL] Taxonomy mismatch: CCTP does not use Merkle roots for message validation. No bytes32 root acceptance pattern exists in CrossChainTeller source. The Nomad-class vulnerability ($190M) requires a Merkle-root-based validation scheme, which CCTP does not use. CrossChainTeller uses Circle CCTP message+attestation pairs. Not_applicable.
RD-F-155 n/a Bridge validator-set rotation recency Taxonomy mismatch: no independent validator set exists. CCTP attestation is Circle-controlled. Circle can update its attestation infrastructure without an on-chain validator-set rotation event. Factor measures independent-validator-set rotation recency. Not applicable; the relevant administrative control risk is assessed under Cat 2.
RD-F-156 n/a Bridge uses same key custody for >30% validators Taxonomy mismatch: no independent validator set. Circle is the sole attesting entity. Factor measures key custody co-hosting across independent validators. Not applicable.
RD-F-157 n/a Bridge TVL per validator ratio Taxonomy mismatch: no independent validator set. If treating Circle as 1 validator, TVL/validator = $2.97B (extreme concentration). However, the factor assumes independent validators that can be individually compromised. The underlying single-issuer concentration risk is properly assessed under Cat 2 (admin key posture). Not_applicable for the independent-validator-set interpretation.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) USYC does not use a LayerZero OFT adapter. Data cache confirmed: layerzero.present: false, oapp_address: null, dvn_addresses: []. CrossChainTeller uses Circle CCTP, not LayerZero. F179 applies only to LayerZero OFT integrations. Not applicable.
RD-F-147 green Protocol has bridge surface Yes, USYC uses cross-chain bridge surface. Circle CrossChainTeller contracts on Ethereum (0x5dbeCcECEbCdC2ce3258f6E638373d2923560c7d) and BSC (0xf38979E05650be7926EA07BB59C48Fb9b1DB3D08) coordinate USYC issuance/redemption across chains via Circle CCTP (v2 interfaces ICCTP2Message/ICCTP2Token). Not LayerZero, not Wormhole. Profile §7 confirms has_bridge_surface: true.
RD-F-152 green Bridge binds message to srcChainId CCTP uses domain-based chain separation. CrossChainTeller implements setDomain() function to configure supported domains with their caller addresses. The deposit() and redeem() functions include domain parameter providing per-chain separation equivalent to srcChainId binding. CCTP domain routing is a functional chain-separation guarantee.
Threat intelligence & recon Yellow 33 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol T-09 phase-2 deferred; tier-C advisory. No confirmed threat-actor cluster interaction with USYC core contracts observed via public OSINT (Etherscan/BscScan transaction history). Deployer and known admin EOAs show no attacker-cluster contacts in public data. Passive venue flag (section 15 U4): USYC is held as collateral in Venus Protocol BSC ($2.86B concentration). A DPRK or organized exploit of Venus Protocol BSC would result in USYC flowing to attacker-controlled addresses - this is passive venue exposure, not team contamination, and is scored yellow in Cat 11 per methodology. Venus BSC experienced a $27M exploit in September 2025 that did not directly drain USYC per available post-incident reporting. Licensed TI feed (Chainalysis/TRM private cluster) required for definitive assessment.
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Structural elevation factor for high-recognition brands (per process-learnings.md). Circle is a top-tier regulated brand ($CRCL NYSE IPO filed 2025; USDC issuer ~$42B market cap). Official USYC domains: circle.com (historical registration since 1994), hashnote.com (pre-acquisition), usyc.hashnote.com. Production pipeline DomainTools/WhoisXML API not available in this agent run - WHOIS lookup is a repeatable gap per process-learnings.md. Explicit 90-day registration-date delta (2026-02-15 to 2026-05-16) cannot be computed without a domain-monitoring feed. No specific documented typosquat incident for USYC/Circle in web OSINT search results. Elevated risk assessment based on brand recognition, $2.97B TVL, and the recent BSC expansion to a new institutional user base creating a new typosquat attack surface.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool monitoring infrastructure required for this signal. USYC's permissioned architecture structurally limits probe effectiveness - failing txs from non-whitelisted addresses would revert on the Entitlements check immediately, providing limited reconnaissance value to an attacker. No probe pattern observed from public data. Licensed threat-actor cluster list required.
RD-F-160 gray GitHub malicious-dependency incident touching protocol deps USYC contract source repo not publicly identified (circlefin GitHub org has 87 repos but none verified as USYC production source). Cannot assess the dependency tree for malicious releases. Standard EVM dependencies (OZ proxy primitives - the only identified deps from the profile) have no current malicious-release advisories per the public GitHub advisory feed.
RD-F-162 gray Known-exploit-template selector deployed by any address USYC is a bespoke permissioned RWA token - the standard DeFi exploit-template database (reentrancy loops, flash-loan oracle attacks) does not apply to this protocol class. A targeted exploit template would need to attack the Entitlements bypass, proxy upgrade, or minting authority - all requiring admin-key compromise rather than permissionless contract interaction. No on-chain deploy sweep performed. No public reports of known-exploit-template targeting of permissioned RWA token architecture.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols No prior USYC/Hashnote security incidents (profile section 10: zero incidents). No peer-class comparison data available in the hack DB for permissioned RWA token exploits. The USPD 78-day baseline applies to DeFi protocols; for admin-key-compromise class attacks on regulated token issuers, the reconnaissance period may be weeks to months (Bybit class: multi-week build-up; Drift DPRK class: months). Curator derivation from analogous incidents required for a baseline.
RD-F-164 gray Leaked credential on paste/sentry site No credential dump for USYC/Hashnote/Circle USYC infrastructure found in publicly accessible sources. Have I Been Pwned does not list Circle USYC as a compromised dataset per OSINT. Paste site monitoring cannot be systematically assessed without a dedicated feed. Circle as a BMA-regulated entity presumably uses enterprise-grade secret management, but no independent verification was performed. M-only factor; production assessment deferred to a curator with feed access.
RD-F-165 gray Protocol social channel has scam-coordinator flag No USYC-specific Discord or Telegram channel identified (profile section 9 confirms: no USYC-specific Discord or Telegram found). Official social presence is @circle on X/Twitter - an institutional, verified account. No curator social watchlist entry for Circle/USYC channels found. Circle's institutional brand and the lack of a community-run Discord reduce the scam-coordinator infiltration surface relative to typical DeFi protocols, but fake Circle X accounts are a common industry pattern.
Tooling / compiler / AI Green 0 5 of 5
RD-F-171 gray Bytecode similarity to audited upstream with behavior deviation No public USYC GitHub repo to diff bytecode against any upstream. USYC is an original implementation with no declared upstream, so the bytecode-similarity-to-audited-upstream AI-copy risk check is not performable.
RD-F-172 gray Repo shows AI-tool co-authorship in critical files No public USYC-specific GitHub repo in circlefin org. Data cache confirms github.repo_url null. Cannot inspect commit history for Copilot or ChatGPT co-authored-by markers.
RD-F-173 gray Team self-disclosure of AI-generated Solidity No public team statement (blog, tweet, docs) mentioning AI-generated Solidity in USYC security-critical paths was found in Circle or Hashnote blogs. No disclosure. Gray — absence of public disclosure is not confirmation of absence; closed-source repo prevents independent verification.
RD-F-170 green Solc version used (known-bug versions flagged) Ethereum proxy and BSC proxy use Solidity v0.8.17+commit.8df45f5f. ETH YieldCoin implementation, Teller implementation, CrossChainTeller, and RolesAuthorityProxy use v0.8.26+commit.8a97fa7a (Cancun EVM). BSC RolesAuthorityProxy uses v0.8.23+commit.f704f362. Per Etherscan solcbuginfo: v0.8.17 has no active high-severity bugs (StorageWriteRemovalBeforeConditionalTermination was fixed in 0.8.17). v0.8.26 predates TransientStorageClearingHelperCollision (introduced 0.8.28). v0.8.23 is in the clean range. None of the three deployed compiler versions falls inside a known-bug range.
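As an added illustration (not part of this report, and not Circle's or Etherscan's tooling), the kind of check the RD-F-170 factor describes: parse Etherscan-style solc version strings and test each against a known-bug list in the shape of the Solidity project's bugs.json (a bug affects versions from "introduced" up to but excluding "fixed"). The bug entries below are a constructed excerpt containing only the two bugs named above; their introduced/fixed bounds are assumptions for illustration, not verified data.

```python
import re

# Constructed excerpt in the shape of the Solidity project's bugs.json:
# a bug affects versions v with introduced <= v < fixed (fixed is exclusive).
# The version bounds here are assumptions for illustration, not verified data.
KNOWN_BUGS = [
    {"name": "StorageWriteRemovalBeforeConditionalTermination",
     "introduced": "0.8.13", "fixed": "0.8.17", "severity": "medium/high"},
    {"name": "TransientStorageClearingHelperCollision",
     "introduced": "0.8.28", "fixed": "0.8.29", "severity": "low"},
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v0.8.17+commit.8df45f5f' (Etherscan style) or '0.8.17' into (0, 8, 17)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised solc version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def affecting_bugs(version, bugs=KNOWN_BUGS):
    """Names of known-bug entries whose [introduced, fixed) range contains version."""
    v = parse_version(version)
    hits = []
    for bug in bugs:
        low = parse_version(bug["introduced"]) if bug.get("introduced") else (0, 0, 0)
        high = parse_version(bug["fixed"]) if bug.get("fixed") else None  # None: still unfixed
        if low <= v and (high is None or v < high):
            hits.append(bug["name"])
    return hits


def grade_deployments(deployments, bugs=KNOWN_BUGS):
    """Map each deployment label to its affecting bugs; the factor is green only
    when every deployed compiler version is clear, red otherwise."""
    findings = {label: affecting_bugs(ver, bugs) for label, ver in deployments.items()}
    grade = "green" if not any(findings.values()) else "red"
    return grade, findings


if __name__ == "__main__":
    # Compiler versions as listed in this report's RD-F-170 factor.
    usyc = {
        "ETH/BSC proxy": "v0.8.17+commit.8df45f5f",
        "ETH implementations": "v0.8.26+commit.8a97fa7a",
        "BSC RolesAuthorityProxy": "v0.8.23+commit.f704f362",
    }
    print(grade_deployments(usyc))
```

With the real bugs.json loaded in place of the constructed excerpt, the same range logic reproduces the per-version verdicts given in the factor text.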
RD-F-174 green Dependency tree uses EOL Solidity version All deployed contracts use Solidity 0.8.17, 0.8.23, or 0.8.26 — all actively maintained versions within the 0.8.x series. None are EOL. The 0.8.x series is the primary supported Solidity branch as of May 2026.
Response & disclosure hygiene Yellow 33 4 of 4
RD-F-176 red Disclosure SLA public No published acknowledgment SLA for USYC vulnerability disclosures found in USYC docs, Circle developer docs, or any public security page. Circle Arc BBP references a 5-business-day first-response target but only for Arc testnet submissions. No SLA text confirmed for USYC smart contract reports. Threshold: red = no SLA published. Expected for an RWA issuer; factor measures published-SLA presence, not regulatory compliance.
RD-F-175 yellow Disclosure channel exists Disclosure channel exists: Circle HackerOne BBP (https://hackerone.com/circle-bbp) and security@circle.com general security email. However, scope documentation does not explicitly confirm USYC on-chain smart contracts are in scope. The April 2026 Arc BBP ($5,000 critical cap) attracted backlash and is a distinct program. No USYC-specific SIRT page or Immunefi program exists (data cache bug_bounty.platform: null). RWA adjudication per PD-042: yellow reflects scope ambiguity, not DeFi-norm non-compliance. Channel exists but applicability to USYC contract reports is unconfirmed from public documentation.
RD-F-177 green Prior known-ignored disclosure Zero prior incidents across full operating history. No post-mortem evidence of an ignored disclosure exists. No rekt.news, third-party write-up, or OSINT source references a disclosure-to-Circle that was ignored before an exploit. Threshold: green = no evidence of ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory issued against USYC or Hashnote contracts. Hacksdatabase scan and web OSINT returned no advisory records. Data cache hacks: [] confirms no known vulnerability published via these channels. Threshold: green = no advisory or all advisories patched.
rubric_version v1.7.0 graded_at 2026-05-15 23:41:23 factors 184 protocol circle-usyc