deBridge · DeFi Risk

DeploymentsEthereum · $200.0M

Risk profile at a glance

1 red · 3 yellow · 7 green

Categories & evidence

184 factors · 13 categories

Code & audits Green 17 25 of 25

RD-F-009 red Formal verification coverage No formal verification (Certora, Kani, Halmos) found in debridge-contracts-v1 or dln-contracts repos. No FV specification files found. Entirely absent. RD-F-001 yellow Audit scope mismatch Most recent EVM audit: Halborn "DLN EVM Upgrades" dated 2024-12-30 (PDF: `DLN-EVM_Upgrades_SSC.pdf` in debridge-security repo). DlnSource proxy at `0xeF4fB24...` was upgraded to impl `0x322B481...` (solc 0.8.28) on 2025-12-08 (tx `0x25b203...`). DlnDestination proxy at `0xe7351fd...` was upgraded to impl `0xE540eb6...` (solc 0.8.28) on 2026-02-13 (tx `0xf18791...`). These deployed implementations post-date the last confirmed EVM audit by 5–14 months. No subsequent audit PDF found in debridge-... RD-F-005 yellow Audit firm tier Halborn is Tier-2 (established firm with substantial public track record; not in T-01's enumerated Tier-1 list of ToB/OZ/ConsenSys/Certora/Sigma Prime/Spearbit/Zellic). Zokyo is Tier-2. Neodyme is Tier-2/boutique (Solana-specialized, respected but smaller). Ackee is Tier-2. No Tier-1 firm (Trail of Bits, OpenZeppelin, Certora, etc.) audits found. Status: yellow (Tier-2 only, no Tier-1 audit of deployed EVM code). RD-F-006 yellow Audit-to-deploy gap For DLN EVM Upgrades: Halborn signed off 2024-12-30. DlnSource impl `0x322B481` deployed (as upgrade target) 2025-12-08 — that is 343 days after the audit. DlnDestination impl `0xE540eb6` deployed 2026-02-13 — 410 days after. These exceed the ≤60-day green threshold significantly and exceed the ≤180-day yellow threshold, pointing to red for the gap. For DeBridgeGate (2022 audit to 2022 deploy), gap was within normal range. Overall driven by DLN implementations: red threshold breached. RD-F-007 yellow Bug bounty presence & max payout Active Immunefi bug bounty program. Critical: $200,000; High: $40,000; Medium: $5,000. Program live since 2022-01-21. Covers smart contracts on Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche, Fantom, Heco. Max payout $200K is between $50K–$499K, placing this at yellow threshold per template (green requires ≥$500K). RD-F-013 yellow Arbitrary call with user-controlled target CallProxy.sol implements `call()` and `callERC20()` which accept user-supplied `_receiver` (target address) and `_data` (calldata) with no target allowlist beyond an `isContract()` check. These functions are restricted to `DEBRIDGE_GATE_ROLE` callers only, so direct user access is gated. However, the DeBridgeGate's `claim()` function passes user-decoded `_autoParams.data` directly to CallProxy — meaning the ultimate target and calldata are user-controlled, albeit routed through an ACL-control... RD-F-019 yellow ecrecover zero-address return unchecked SignatureVerifier.sol uses `ecrecover(_submissionId.getUnsignedMsg(), v, r, s)` and then checks `if (getOracleInfo[oracle].isValid)` without an explicit `oracle != address(0)` guard before the validity check. If address(0) were ever registered as a valid oracle (unlikely in a correctly-operated system, but a residual risk), invalid signatures would produce a false positive. The `submissionId` includes chainId-specific data making cross-chain replay moot, but the zero-address check is absent. ... RD-F-023 yellow Constructor calls _disableInitializers() DlnBase.sol (parent of DlnSource and DlnDestination): `constructor() { _disableInitializers(); }` — correctly calls `_disableInitializers()` in parent constructor, which propagates protection to both DlnSource and DlnDestination. DeBridgeGate impl uses the older `constructor() initializer {}` pattern (equivalent protection for OZ 4.x). CrosschainForwarder implementation at 0x3c857eD... (sol 0.8.28): no `_disableInitializers()` in constructor per inspection — uses `initializer` modifier on `in... RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program lists 90 assets in scope across Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche, Fantom, Heco. Specific contract enumeration in scope not confirmed from Immunefi page (API returned truncated data). The DeBridgeGate proxy (0x43dE...) is the highest-TVL contract on the protocol (~$6.26M aggregate as of 2026-05-07, DefiLlama; down from a ~$200M peak in 2022–2023) and is the core subject of the entire protocol; DLN is 0-TVL by architecture so DeBridgeGate is necessarily the largest TVL surface regardless of magnitude. No explicit exclusion of DeBridgeGate or DLN contracts identified from the Immunefi page content. DLN contracts (DlnSource, DlnDestination) are cross-chain bridging infrastructure and the unconfirmed scope is the basis for yellow. RD-F-003 gray Resolved-without-proof findings No evidence of Halborn findings marked "Resolved" but unverifiable on-chain. The audit PDFs are publicly available in debridge-security repo but their full findings tables were not directly parsed (PDF not machine-readable from web fetch). The protocol has an ongoing relationship with Halborn (33 audits) suggesting systematic resolution tracking. Cannot definitively enumerate all resolved findings. RD-F-010 gray Static-analyzer high-severity count No published Slither/Mythril output found in the debridge-security repo or any public analysis post. Static analysis was not run programmatically for this assessment. The DLN EVM audit (Halborn 2024-12-30) and prior audits would capture some of these findings; audit PDFs not machine-parseable here. Notable structural patterns reviewed manually: CallProxy uses `.call()` with user-controlled receiver and data (no allowlist); SignatureVerifier uses `ecrecover` without explicit address(0) guard; ... RD-F-016 gray Divide-before-multiply pattern No Slither run conducted. Manual review of DeBridgeGate fee arithmetic did not reveal obvious divide-before-multiply patterns in critical paths. DLN contracts use basis-point-style fee calculations. Cannot confirm clean without tool run. RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned deBridge does NOT use UUPS pattern. DeBridgeGate, DlnSource, DlnDestination, and CrosschainForwarder all use EIP-1967 TransparentUpgradeableProxy pattern with a separate ProxyAdmin contract. `_authorizeUpgrade` is irrelevant. N-A for UUPS-specific check; upgrade path is governed by the ProxyAdmin (5-of-8 multisig per profile).

RD-F-002 green Audit recency Most recent EVM audit: 2024-12-30 (Halborn DLN EVM Upgrades) — 117 days before assessment date 2026-04-26. Last Solana audit: Halborn DLN Solana Contracts, 2024-11-15 — 162 days before assessment. Both within the ≤365-day green threshold. However, the deployed implementations are newer than the audit date (see RD-F-001).

RD-F-004 green Audit count At least 4 distinct firms have audited deBridge: Halborn (EVM, Solana, infrastructure — 30+ reports), Zokyo (2021-11-08 EVM), Neodyme (2022-05-17 Solana), Ackee (2022-05-17 Solana, updated 2023-04-13). Zellic claim in task brief is unverified — no Zellic reports found in debridge-security repo or https://github.com/Zellic/publications as of 2026-04-26. Effective confirmed count: 4 firms. Green threshold is ≥2.

RD-F-008 green Ignored bounty disclosure No evidence of any prior bounty disclosure that was ignored before an exploit. Protocol has no documented smart contract exploits (confirmed across Rekt.news, DeFiLlama hacks database, and protocol blog as of 2026-04-26). Only incident was the August 2022 Lazarus Group phishing attempt — no funds lost, no smart contract vector involved, and deBridge disclosed it within 24 hours.

RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT opcode found in reviewed source files (DeBridgeGate.sol, DlnSource.sol, DlnDestination.sol, DlnBase.sol, CallProxy.sol). Protocol uses upgradeable proxy pattern; SELFDESTRUCT would destroy the proxy. No such function was identified in manual inspection.

RD-F-012 green delegatecall with user-controlled target No delegatecall with user-controlled target found. CallProxy.sol explicitly states it "reverts if a transaction tries to use a delegatecall." DeBridgeGate.sol uses no delegatecall. DlnSource/DlnDestination use standard OZ upgradeable pattern (proxy delegation is internal, not user-callable).

RD-F-014 green Reentrancy guard on external-calling functions DeBridgeGate.sol: `send()` and `sendMessage()` carry `nonReentrant` modifier. DlnSource/DlnDestination inherit `ReentrancyGuardUpgradeable` and critical state-mutating functions are guarded. CallProxy is called only from within guarded DeBridgeGate functions. No reentrancy finding identified in manual inspection.

RD-F-015 green ERC-777/1155/721 hook without reentrancy guard No ERC-777 tokensReceived, ERC-1155 onReceived, or ERC-721 onReceived integration found in core contracts. DeBridgeGate handles standard ERC-20 and native ETH transfers only. No hook-based token integration identified.

RD-F-017 green Mixed-decimals math without explicit scaling deBridge/DLN is primarily a bridge protocol, not a lending protocol with cross-asset arithmetic. DLN source/destination deal with token amounts specified by the maker — cross-decimal arithmetic risk is lower than in DEX/lending protocols. No obvious multi-token decimal normalization issue found in manual inspection of DlnSource.sol.

RD-F-018 green Signed/unsigned arithmetic confusion No signed/unsigned arithmetic confusion found in manual inspection. Contracts use uint256 consistently for token amounts and fees. No evidence from Halborn audits of such findings (no audit post-mortem documents this class).

RD-F-020 green EIP-712 domain separator missing chainId SignatureVerifier uses `SignatureUtil.getUnsignedMsg()` which produces `keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", _submissionId))` — EIP-191 format, not EIP-712 structured data. No domain separator with chainId is used in the signing layer. However, the submissionId itself is constructed from `abi.encodePacked(SUBMISSION_PREFIX, debridgeId, getChainId(), chainIdTo, amount, receiver, nonce)` — chain information is embedded in the signed payload itself. Cross-chain replay i...

RD-F-022 green Public initialize() without initializer modifier DeBridgeGate impl (0x797161): `constructor() initializer {}` — constructor marks itself as initializer using OZ ≤4.5 pattern, preventing direct re-initialization; `initialize()` also carries `initializer` modifier. DlnBase.sol (parent of DlnSource and DlnDestination): `constructor() { _disableInitializers(); }` — best-practice OZ ≥4.6 pattern. DlnSource.sol `initialize()`: `public initializer`. DlnDestination.sol `initialize()`: `public initializer`. CrosschainForwarder impl: `initializer` mo...

RD-F-024 green Code complexity vs audit coverage 33 audit reports from 4 firms covering EVM, Solana, SDK, infrastructure, and operations. Audit coverage relative to code size appears substantial. DLN contracts (DlnSource.sol ~500 LOC, DlnDestination.sol ~400 LOC) were audited by a dedicated engagement in 2023-04-13 and supplementary audits (External Call 2023-09-25, EVM Bridge 2024-06-18, EVM Upgrades 2024-12-30). Code complexity is moderate for a bridge protocol. No evidence of audit-scope-to-LOC ratio red flag.

Governance & admin Yellow 31 24 of 24

RD-F-032 red Timelock duration on upgrades No timelock contract exists for any deBridge deployment on any chain. All upgrades are executed directly by the 5-of-8 multisig with zero queuing delay. RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action type. Mint/pause/fee/oracle-config/upgrade are all directly executable by multisig in a single transaction. withdrawFee, pause, setSignatureVerifier, updateAsset, upgradeTo are all untimelocked. RD-F-025 yellow Admin key custody type 5-of-8 Gnosis Safe multisig controls upgrades and all admin roles on Ethereum. No timelock. Classification: multisig (without timelock). RD-F-026 yellow Upgrade multisig signer configuration (M/N) ETH: 5-of-8 confirmed via Safe API. BNB/Polygon/Arbitrum/Fantom multisig (0xa52842cd...) threshold/owners unconfirmed — Safe API returned 404. Avalanche (0x8ac842...) unconfirmed. RD-F-028 yellow Low-threshold multisig vs TVL 5-of-8 meets quantitative peer norm for a bridge. All 8 signer EOAs are anonymous with no public attestation linking addresses to named team members, reducing effective trust below nominal 5-of-8. RD-F-034 yellow Guardian/pause-keeper distinct from upgrader GOVMONITORING_ROLE (pause) is nominally distinct from DEFAULT_ADMIN_ROLE (upgrade/config) in the contract. However, both roles are controlled by the same 5-of-8 multisig in practice — no separate key holder identified for the pause role. RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Upgrade, fee, and oracle roles are technically distinct constants in the contract. In practice, all collapse to the 5-of-8 multisig — one key set controls all three role types. RD-F-040 yellow Emergency-veto multisig present No veto/cancel mechanism against multisig actions. GOVMONITORING_ROLE can pause protocol as partial brake but cannot cancel a malicious multisig upgrade. RD-F-041 yellow Rescue/emergencyWithdraw without timelock No rescue/sweep/emergencyWithdraw function found in any core contract. withdrawCollectedFees/withdrawFee are fee-only (not full-drain) but are multisig-gated with no timelock. Yellow: no full-drain function, no timelock on admin fee functions. RD-F-047 yellow Governance token concentration (Gini) DBR token launched Oct 2024. As of Apr 2026, 53% of supply still locked (team, VCs, foundation). Top holder concentration almost certainly above 0.85 Gini with locked allocations dominating. Gini not directly computed. RD-F-167 yellow Deprecated contract paused but pause reversible by live admin DeBridgeGate (legacy DMP product) holds ~$2M in locked assets on Ethereum. Not formally deprecated — still in active use. Admin retains full pause and upgrade control. Marginally applicable: older surface but not formally sunset. RD-F-029 gray Multisig signers co-hosted Cannot determine. 8 signer EOAs have sparse on-chain activity; no ASN or custodian data extractable from public sources. No CTI feed available. RD-F-030 gray Hot-wallet signer flag Cannot determine. Insufficient signing history on signer EOAs to assess behavioral pattern. RD-F-036 gray Flash-loanable voting weight No on-chain Governor contract on any EVM chain. Governance is off-chain forum + multisig execution. Flash-loan voting attack surface is absent. RD-F-037 gray Quorum achievable via single-entity flash loan No on-chain Governor. Not applicable. RD-F-038 gray Proposal execution delay < 24h No on-chain Governor. Concept does not apply. Multisig can execute in one tx with zero delay. RD-F-039 gray delegatecall/call in proposal execution without allowlist No on-chain Governor or proposal executor. delegatecall-in-proposal attack surface not present. RD-F-044 gray Admin wallet interacts with flagged addresses Cannot assess. 8 signer EOAs have sparse on-chain activity. No CTI feed available for flagged-address checking. RD-F-045 gray Constructor args match governance proposal Cannot assess. No governance proposal text found for any original contract deployment. Protocol launched pre-DAO with no Snapshot/Tally record.

RD-F-027 green Single admin EOA Admin role held by 5-of-8 Gnosis Safe multisig (0x6bec1faF33183e1Bc316984202eCc09d46AC92D5). Not an EOA.

RD-F-031 green Signer rotation recency No AddedOwner/RemovedOwner/ChangedThreshold events detected in last 90 days. Signer set appears stable. Nonce=71; last execTx ~6 days ago was not a signer-set change.

RD-F-042 green Admin has mint() with unlimited max DBR token (0xfbe0b87c9b01cc30145ebd7cc65fcddbd7dcc061) has no mint function; fixed supply of 1B tokens all minted at deployment. No other protocol-issued mintable token with unlimited cap found.

RD-F-043 green Admin = deployer EOA after 7 days Admin role held by 5-of-8 Gnosis Safe (created ~4 years ago). DeBridgeGate deployer (0xd6F0Dabb...) is not the current admin. Transfer to multisig occurred at or near protocol launch.

RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts verified on Etherscan: DeBridgeGate proxy + impl, DlnSource proxy + impl, DlnDestination proxy + impl, CrosschainForwarder. Source code publicly readable.

Oracle & external dependencies Green 8 17 of 17

RD-F-051 yellow Fallback behavior on oracle failure No price oracle fallback needed. If >=5 of 12 validators fail, DMP bridge halts with no fallback to secondary validator set. Bridge freeze is the intended safe failure mode (prevents under-signed execution). DLN has no oracle; solver departure triggers order expiry with refund. RD-F-052 yellow Breakage analysis per dependency DMP: SignatureVerifier failure or validator set compromise -> bridge halt or drain. Arweave unavailability -> keeper sig retrieval degraded (bridge may continue via alternative sig delivery). Uniswap V2 failure -> fee conversion fails (non-critical). DLN: solver exit -> unfulfilled orders expire with source-chain fund return. RD-F-054 n/a TWAP window duration No TWAP used anywhere in deBridge contracts. RD-F-055 n/a Oracle pool depth (USD) No DEX oracle pool used for pricing. Uniswap V2 used only for auxiliary fee conversion. RD-F-056 n/a Single-pool oracle (no medianization) No pricing oracle in use. RD-F-057 n/a Circuit breaker on price deviation No price oracle, so no price-deviation circuit breaker needed. Bridge has blockSubmission() admin function and excess confirmations (10/12) for large transfers as functional analog. RD-F-058 n/a Max-deviation threshold (bps) No price oracle circuit breaker. RD-F-059 n/a Oracle staleness check present No time-based price oracle staleness check needed. Validator signature freshness governed by block confirmation counts (chain-specific). RD-F-060 n/a Chainlink aggregator min/max bound misconfig No Chainlink feed consumed by protocol. RD-F-061 n/a LP token balanceOf used for pricing deBridge does not use LP token balanceOf for pricing. RD-F-181 n/a Permissionless-pool lending oracle deBridge is a bridge, not a lending protocol. No permissionless pool lending oracle exists.

RD-F-048 green Oracle providers used No external price oracle (Chainlink, Pyth, Redstone, Uniswap TWAP) consumed by any deBridge contract for bridge execution. DMP validator committee is a message-validity oracle, not a price oracle. FeeProxy uses Uniswap V2 spot reserves for auxiliary fee-token conversion only. Data-cache Chainlink feeds are pipeline false positives confirmed via source inspection.

RD-F-049 green Oracle role per asset No price oracle per asset. Validator committee: message-validity oracle (Primary bridge approval). Uniswap V2: auxiliary fee conversion only (not collateral/pricing role).

RD-F-050 green Dependency graph (protocols depended upon) DMP: SignatureVerifier, OraclesManager, Arweave (off-chain sig storage), WethGate, CallProxy. DLN: off-chain solvers. Shared: Uniswap V2 for fee conversion. No upstream lending protocol, LST, or stablecoin protocol dependency.

RD-F-053 green Oracle source = spot DEX pool (no TWAP) deBridge does NOT use a spot DEX pool as a price oracle for bridge or collateral logic. FeeProxy uses Uniswap V2 spot reserves for auxiliary fee token swaps only (not collateral-pricing). No lending function. Not a collateral-risk oracle exposure.

RD-F-062 green External keeper/relayer not redundant DMP: permissionless keeper role -- any user can collect validator signatures from Arweave and submit to DeBridgeGate, providing redundancy. No Chainlink Automation or Gelato dependency. DLN: multiple competing solvers (permissionless).

RD-F-180 green Immutable oracle address signatureVerifier in DeBridgeGate is updatable via setSignatureVerifier(address _verifier) (DeBridgeGate.sol line 831), restricted to admin role. Not immutable. No lending oracle in protocol. F180 does not apply to this bridge-validator-committee design. [F180 critical-CANDIDATE per T-12 PD-017; promoted to star by T-14 2026-04-22. Evaluated GREEN for deBridge -- no escalation needed.]

Economic risk Gray 0 13 of 13

RD-F-063 gray TVL (current + 30d trend) DMP surface TVL: ~$200M as of 2026-04-20 per coverage list. DefiLlama direct fetch blocked (403). TVL represents only DeBridgeGate-locked assets in transit; DLN surface is $0 by architectural design. $200M exceeds $100M coverage threshold. 30-day trend is unavailable — data gap. RD-F-064 gray TVL concentration (top-10 wallet share) Not assessed. DeBridgeGate contracts on Ethereum and other chains hold tokens on behalf of bridge users; the relevant concentration metric is per-asset balance of individual depositors. DefiLlama on-chain scan unavailable. Cannot determine if a single large depositor dominates. The 0-TVL DLN surface has no depositor concentration risk. Gap flagged for curator — on-chain enumeration of DeBridgeGate token balances required. RD-F-065 gray Liquidity depth per major asset Two surfaces require distinct treatment. (1) DMP gate assets: standard ERC-20s and native ETH locked in transit — their external DEX liquidity is a function of the underlying tokens (USDT, USDC, ETH etc.), not deBridge-specific. These are liquid. (2) DBR token (governance): 2% buy-side depth of $91K (Meteora DEX), $8.9K (HTX), $24K (Gate) — total on-chain 2% depth sub-$300K against a $72M market cap. This is very thin; a $1M DBR sell would require >10% slippage on on-chain venues. DBR is not ... RD-F-066 gray Utilization rate (lending protocols) N/A — deBridge is a bridge, not a lending protocol. No borrow/supply markets exist. RD-F-067 gray Historical bad-debt events N/A — no lending markets; no collateral liquidation mechanism. RD-F-068 gray Collateralization under stress N/A — no collateral framework. RD-F-069 gray Algorithmic / under-collateralized stablecoin N/A — deBridge does not issue a stablecoin. DBR is a governance/utility token. RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Not assessed in legacy .md report. deBridge is a bridge/cross-chain protocol, not a Compound V2 fork, so RD-F-070 (empty cToken-style market) is N/A in practice. Original .md extraction did not include this factor. RD-F-071 gray Seed-deposit requirement for new market listing N/A — no lending markets; no market-listing concept applies. RD-F-072 gray Market-listing governance threshold N/A — no lending markets. RD-F-073 gray Oracle-manipulation-proof borrow cap N/A — no borrow caps; no lending. RD-F-074 gray ERC-4626 virtual-share offset (OZ ≥4.9) N/A — no ERC-4626 vaults. DeBridgeGate uses direct token custody (lock/release), not a vault share model. RD-F-075 gray First-depositor / share-inflation guard N/A — no share-based vault. Not applicable for the same reason as RD-F-074.

Operational history Green 0 15 of 15

RD-F-081 gray Post-exploit response score August 2022 incident response: - Root cause named: Yes — LNK-based Windows backdoor, Lazarus Group TTPs documented - Remediation: Attack analyzed without command execution; no fund risk - User communication: Public Twitter thread by co-founder Alex Smirnov within ~2 days; used as industry-wide warning - Compensation: N/A — no user funds lost - Deduction: No formal structured post-mortem on deBridge.com; disclosure was Twitter thread only Score 4/5: excellent transparency and community orienta... RD-F-084 gray TVL stability (CoV over 90d) Quantitative TVL volatility data not available (DefiLlama returned 403 at profile time). The DLN "0-TVL" architecture means TVL-drop as a distress signal is miscalibrated for this protocol. Qualitative: TRON integration August 2025, cross-chain MCP server March 2026, Season 3 points program active — operational expansion indicators. No TVL-flight or deprecation signals found. Scored yellow due to inability to compute σ/μ metric. No negative signal observed, but quantitative verification incom... RD-F-089 n/a Insurance coverage active No active Nexus Mutual, Unslashed, Sherlock, or equivalent coverage for deBridge found. Nexus Mutual allows coverage for any Ethereum address but no deBridge-specific listing confirmed. The 0-TVL DLN architecture reduces perceived coverage demand. No negative finding confirmed, but evidence of active coverage is absent. RD-F-166 n/a Deprecated contracts still holding value `debridge-contracts-obsolete` GitHub repo represents the sole deprecated surface. Contains source code only — no deployed contract addresses for balance check. Legacy Chainlink-oracle-based WhiteDebridge appears retired cleanly. No deprecated contract with ≥$100K residual assets found. Source: https://github.com/debridge-finance/debridge-contracts-obsolete --- ## Category 13 — Response & disclosure hygiene (4 factors)

RD-F-076 green Protocol age (days) DeBridgeGate mainnet launch: 2022-02-17 (BusinessWire: https://www.businesswire.com/news/home/20220217005237/en/deBridge-Announces-Mainnet-Launch-of-Cross-Chain-Interoperability-Protocol). Age at assessment: ~1,529 days (~50 months). Far exceeds the 12-month A-grade eligibility floor. DLN deployed 2022-12-12, adding ~1,231 days. Protocol survived multiple DeFi cycles without compromise.

RD-F-077 green Prior exploit count Incident count: 1 event — attempted social engineering / spear-phishing, no on-chain exploit, $0 lost. Sole entry in all public databases. Single incident with zero loss is the best possible outcome for a protocol handling $200M+ TVL and $20B+ cumulative cross-chain volume over 50 months. Sources: https://www.coindesk.com/business/2022/08/05/north-koreas-lazarus-hackers-blamed-in-debridge-finance-cyberattack

RD-F-078 green Chronic-exploit flag (≥3 incidents) CHRONIC criterion definitively not met. One incident on record. PD-022 CHRONIC badge trigger (≥ 3 same-root-cause exploits in 24 months, ≥ 2 post-disclosure) not remotely approached.

RD-F-079 green Same-root-cause repeat exploit Only one incident on record. Repeat criterion cannot be met. No pattern of repeated exploitation.

RD-F-080 green Days since last exploit The last (and only) incident was 2022-08-03 — ~1,362 days ago as of 2026-04-26. No on-chain exploit has ever occurred. A 3.7-year gap with no funds-at-risk incident is a strong positive signal.

RD-F-082 green Post-mortem published within 30 days Twitter thread by Alex Smirnov published ~2 days after attack (2022-08-05). Halborn supplementary analysis published. Coverage: CoinDesk, CoinTelegraph, BleepingComputer, Decrypt, ITPro. The 30-day threshold is met by a wide margin. Disclosure format is Twitter thread rather than structured report, but technically meets the threshold. Source: https://www.bleepingcomputer.com/news/security/debridge-finance-crypto-platform-targeted-by-lazarus-hackers/

RD-F-083 green Auditor re-engaged after last exploit Following the August 2022 phishing, Halborn published their own technical analysis. The debridge-security repo shows continuous Halborn engagement from September 2022 through December 2024 (10+ post-incident audits). The auditor relationship was deepened, not disrupted. Source: https://github.com/debridge-finance/debridge-security

RD-F-085 green Incident response time (minutes) Attack occurred ~2022-08-03; public disclosure 2022-08-05 (~48 hours). For a social-engineering incident requiring internal forensics, 48 hours is a fast, proactive response. Technical details, file hashes, attack chain, and Lazarus Group attribution were all shared proactively — not reactively.

RD-F-086 green Pause activations (trailing 12 months) No evidence of protocol-level pause activations found. DeBridgeGate supports pause functionality (standard Halborn-audited pattern) but no deliberate pause in trailing 12 months identified. Protocol maintained continuous operational availability. Source: https://docs.debridge.com/dmp-details/dmp/protocol-overview

RD-F-087 green Pause > 7 consecutive days No protocol-level pause of any duration identified for deBridge in any public source.

RD-F-088 green Re-deployed to new addresses in last year No protocol-wide redeployment to new address set found. DlnDestination upgraded 2026-02-13 and DlnSource 2025-12-08 are in-place proxy upgrades at same proxy addresses — normal upgrade, not emergency migration. Source: https://etherscan.io/address/0xe7351fd770a37282b91d153ee690b63579d6dd7f (profile §3)

Real-time signals Green 17 22 of 22

RD-F-104 green Stablecoin depeg >2% on shared-LP venue **Phase:** v1 launch · Tier B **Applicable:** Low — DeBridgeGate holds stablecoins as pass-through bridge assets but has no LP pool dependency. DLN uses native stablecoins on destination chain; 0-TVL means no pool imbalance exists in the protocol. No stablecoin constitutes ≥5% of the protocol's TVL in a dependency-critical pool. **Current posture:** USDT and USDC remain near-peg as of assessment date. Even during a depeg event, deBridge's architecture (pass-through bridge, 0-TVL DLN) would ha...

Dev identity & insider risk Gray 0 16 of 16

RD-F-111 gray Team doxx status **green** RD-F-112 gray Team public accountability surface **green** RD-F-113 gray Team other-protocol involvement history **green** RD-F-114 gray Deployer address prior on-chain history **green** RD-F-115 gray Prior rug/exit-scam affiliation **green** RD-F-116 gray Contributor tenure at admin-permissioned PR **green** RD-F-117 gray ENS/NameStone identity bound to deployer **yellow** RD-F-118 gray Handle reuse across failed/rugged projects **green** RD-F-119 gray Commit timezone consistent with stated geography **gray** RD-F-120 gray Video-off/voice-consistency flag **green** RD-F-121 gray Contributor OSINT depth score **green** RD-F-122 gray Contributor paid to DPRK-cluster wallet **green** RD-F-123 n/a Sudden admin-rescue/ACL change without discussion Not assessed in legacy .md extraction — Sudden admin-rescue / ACL change absent issue/PR discussion. Not in legacy .md report — requires GitHub + on-chain review. RD-F-124 n/a Deployer wallet mixer-funded within 30 days Not assessed in legacy .md extraction — Deployer wallet mixer-funded within 30 days of deploy. Not in legacy .md report — requires on-chain tracing. RD-F-125 n/a Deployer linked within 3 hops to DPRK/Lazarus Not assessed in legacy .md extraction — Deployer address linked within 3 hops to DPRK/Lazarus cluster. Not in legacy .md report — requires Chainalysis-style clustering. RD-F-184 gray Real-capital social-engineering persona **green**

Fork / dependency lineage Yellow 22 10 of 10

RD-F-133 yellow Dependency manifest uses unpinned versions `debridge-contracts-v1/package.json`: `"@openzeppelin/contracts": "^4.3.2"` and `"@openzeppelin/contracts-upgradeable": "^4.3.2"` — both use caret ranges (semi-unpinned). `dln-contracts/package.json`: `"@openzeppelin/contracts-upgradeable": "^4.7.3"` — also caret-ranged. Caret allows minor/patch updates within major version, which is generally acceptable for OZ but technically unpinned. The deployed bytecode (Etherscan-verified) shows compiled artifacts, so the caret range is only a concern f... RD-F-135 yellow Shared-library version with known-vuln status debridge-contracts-v1: OZ `^4.3.2` deployed as OZ 4.x. Known GHSA for OZ 4.3.2-range: GHSA-5vp3-v4hc-gx76 (UUPSUpgradeable uninitialized impl) — fixed IN 4.3.2, so pinned at ≥4.3.2 means fix is included. GHSA-4h98-2769-gh6h (ECDSA malleability) affects <4.7.3 — deBridge-contracts-v1 uses OZ 4.3.2+ range, potentially below 4.7.3. However DeBridgeGate does NOT use ECDSA library directly (uses ecrecover in SignatureVerifier without OZ ECDSA library), so this advisory may not apply. dln-contracts... RD-F-126 n/a Is-a-fork-of deBridge is an original protocol. GitHub repo `debridge-finance/debridge-contracts-v1` has no fork attribution in README. Protocol originated at Chainlink Global Hackathon (April 2021) and was independently developed. No bytecode similarity to any upstream bridge (Hop, Across, Stargate, etc.) identified. Not a fork. RD-F-127 n/a Upstream patch not merged N-A — Not a fork. No upstream to track patches from. RD-F-128 n/a Upstream vulnerability disclosure (last 90d) N-A — Not a fork. No upstream security advisories to propagate. RD-F-129 n/a Code divergence from upstream (%) N-A — Not a fork. No upstream to compute divergence from. RD-F-130 n/a Fork depth (generations from original audit) N-A — Not a fork. Fork depth = 0 (original). RD-F-131 n/a Fork retains upstream audit coverage N-A — Not a fork. Protocol received independent audits throughout its lifecycle. RD-F-132 n/a Fork has different economic parameters than upstream N-A — Not a fork. No upstream parameter comparison applicable.

RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory identified for OpenZeppelin contracts (the primary dependency), Hardhat, or ethers.js in the trailing 90 days as of 2026-04-26. No npm security advisory flagged for any deBridge dependency packages in standard advisory feeds.

Post-deploy hygiene & change mgmt Yellow 30 13 of 13

RD-F-136 red Deployed bytecode matches signed release tag No GPG-signed release tags found in debridge-contracts-v1 or dln-contracts GitHub repos. No signed-release artifact process identified. RD-F-143 red Reinitializable implementation (no _disableInitializers) DeBridgeGate impl (0x797161bc...), DlnSource impl (0x322B481...), and DlnDestination impl (0xE540eb6B...) constructors do NOT call _disableInitializers(). All three core implementation contracts are potentially reinitializable if accessed directly — proxy takeover vector. RD-F-137 yellow Upgrade frequency (per 90 days) DlnSource had 3 upgrades in ~145 days (Jul 16, Sep 15, Dec 8 2025). DlnDestination had 1 upgrade (Feb 13, 2026). DeBridgeGate impl stable >90d. DlnSource frequency is elevated (3 upgrades in 5 months). RD-F-139 yellow Post-audit code changes without re-audit DlnSource upgraded Sep 2025, Dec 2025. DlnDestination upgraded Feb 2026. Most recent Halborn EVM audit is Dec 30, 2024. Feb 2026 DlnDestination upgrade has no confirmed audit coverage. Yellow (not red) given deBridge's strong Halborn delta-audit cadence. RD-F-145 yellow Deployed bytecode reproducibility Build instructions not documented to enable independent bytecode reproduction. hardhat_config present but no locked solc binary or deterministic build environment spec published. OZ version 4.3.2 pinned. RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant DeBridgeGate has per-asset maxAmount cap (static single-tx cap, not time-windowed outflow rate-limiter) and a pause() function (chain-pause capability). DLN is 0-TVL intent-based — rate-limiting not applicable to DLN side. Yellow: emergency pause present; time-windowed outflow rate-limiter absent. RD-F-140 gray Fix-merged-but-not-deployed gap Cannot assess. No public security advisories or undeployed security PRs found in debridge-contracts-v1 or dln-contracts repos. RD-F-142 gray Storage-layout collision risk across upgrades Cannot assess. No public OZ upgrades-plugin storage layout check output found. DlnSource had 3 upgrades in 5 months (Jul–Dec 2025), creating elevated storage-layout collision risk that is not confirmed or cleared.

RD-F-138 green Hot-patch deploys without timelock (last 30 days) No upgrades identified in the last 30 days (as of 2026-04-28). Most recent upgrade was DlnDestination on 2026-02-13 (~74 days ago). No hot-patches in the strict last-30d window.

RD-F-141 green Test-mode parameters in deploy No test-mode parameters detected from ABI inspection of all three core implementation contracts. Production-grade role assignments and contract addresses visible.

RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory with selfdestruct-redeploy pattern identified. Standard TransparentUpgradeableProxy pattern used.

RD-F-146 green New contract deploys in last 30 days No significant burst of new contract deployments in the last 30 days. Most recent execTx on ETH multisig ~6 days ago was not a new deploy.

RD-F-168 green Stale-approval exposure on deprecated router DeBridgeGate and CrosschainForwarder remain active (not formally deprecated). No revoke-notice or wind-down events found. Factor does not fire.

Cross-chain & bridge Green 13 12 of 12

RD-F-148 yellow Bridge validator count (M) DMP: 12 validators in the oracle/validator set. DLN: no validator set (permissionless solvers). 12 is a small committee for a protocol with 26+ chain deployments and $20B+ cumulative volume. RD-F-149 yellow Bridge validator threshold (k-of-M) DMP normal: 8 of 12 (67% threshold). High-value/high-volume: 10 of 12 (83%). OraclesManager enforces minConfirmations >= oracleAddresses.length/2 + 1 (strict majority). Compromise of 8 validators enables drain. RD-F-151 yellow Bridge ecrecover checks result ≠ address(0) ANTI-PATTERN PRESENT: SignatureVerifier.sol (0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4, Solidity v0.8.7) recovers oracle = ecrecover(...) then checks getOracleInfo[oracle].isValid WITHOUT explicit require(oracle != address(0)). Implicit protection relies on storage default (address(0) not in oracle set). Wormhole-class anti-pattern confirmed. Contrast: DeBridgeToken.sol in same repo DOES have explicit require(recoveredAddress != address(0)) -- inconsistency. Rated yellow not red: no evidence address(0) is registered as valid oracle. CURATOR MUST VERIFY on-chain getOracleInfo[address(0)].isValid at SignatureVerifier address. If true, escalate to RED CRITICAL. RD-F-150 gray Bridge validator co-hosting Cannot verify -- validator identity and infrastructure not publicly disclosed. Known validators include Stakin and HashQuark, suggesting some geographic diversity, but comprehensive ASN/datacenter analysis impossible without full validator address set. RD-F-155 gray Bridge validator-set rotation recency Cannot precisely verify without on-chain query of OraclesManager oracle-add/remove events. Protocol launched February 2022; no public disclosure of validator set changes found. RD-F-156 gray Bridge uses same key custody for >30% validators Cannot verify -- validator key custody not publicly disclosed. Stakin and HashQuark known; others unknown. RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) NOT APPLICABLE: deBridge does not use LayerZero. Protocol runs its own threshold-signature validator committee (DMP) and intent-based solver network (DLN). data-cache layerzero.present: false.

RD-F-147 green Protocol has bridge surface YES -- deBridge IS a bridge with two surfaces: DMP (threshold-signature message bridge) and DLN (intent-based, 0-TVL). Bridge-touching: true.

RD-F-152 green Bridge binds message to srcChainId YES: Submission ID = abi.encodePacked(SUBMISSION_PREFIX, _debridgeId, getChainId(), _chainIdTo, _amount, _receiver, nonce) -- both source and destination chain IDs are embedded. Cross-chain replay structurally prevented at the hash level.

RD-F-153 green Bridge tracks nonce-consumed mapping YES: mapping(bytes32 => bool) public isSubmissionUsed in DeBridgeGate. Claim flow: if (isSubmissionUsed[submissionId]) revert SubmissionUsed(); isSubmissionUsed[submissionId] = true. Validators also enforce ascending nonce ordering.

RD-F-154 green Default bytes32(0) acceptable as valid root NOT APPLICABLE in Nomad sense: deBridgeGate is NOT a Merkle-root-based system. It is a threshold-signature submission system with no committedRoot, acceptableRoot, or confirmAt mapping. Nomad bytes32(0)-as-valid-root class vulnerability does not exist in this architecture.

RD-F-157 green Bridge TVL per validator ratio DMP TVL (DefiLlama, 2026-05-07): ~$6.26M aggregate across DeBridgeGate's tracked chains (down from ~$10.76M one week prior in the data cache and from a ~$200M peak in 2022–2023). 12 validators. TVL/validator: ~$522K at current scale, ~$897K at the data-cache snapshot, ~$16.7M at the 2022–2023 peak. All current values well below typical yellow/red bridge-concentration thresholds. Historically higher during peak volume periods ($20B+ cumulative bridged). DLN component is 0-TVL by architecture and unaffected.

Threat intelligence & recon Red 100 8 of 8

RD-F-158 red Known-threat-actor cluster has touched protocol **Phase:** v1 phase 2 · Tier C (advisory only — never flips letter grade solo) **Threshold:** Address from threat-actor cluster interacted with the protocol within last 30 days AND cluster has ≥1 confirmed exploit attribution AND interaction is a state change or non-trivial read. **Finding:** *Layer 1 — Direct team targeting (August 2022):* Lazarus Group conducted a targeted spear-phishing campaign against deBridge employees on August 5, 2022. The attack spoofed co-founder Alex Smirnov's emai... RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) **Phase:** v1 deferred (P1) **Applicable:** Yes — if threat actors are actively assessing deBridge as a target, mempool probe transactions are a pre-strike reconnaissance pattern. **Current posture:** No low-gas failing transaction pattern from threat-actor cluster addresses detected in public data. The April 2026 Drift laundering used deBridge for actual bridge transactions, not reconnaissance probing. **Would fire today:** No — no current probe pattern detected. **Note:** Requires Chainalys... RD-F-160 gray GitHub malicious-dependency incident touching protocol deps **Phase:** v1 deferred (P1) **Applicable:** Yes — debridge-finance repos consume npm/GitHub dependencies. A supply-chain attack on a dependency would be relevant. **Current posture:** No GitHub advisory flagging a malicious release in deBridge's dependency tree detected as of 2026-04-26. The recent Halborn audits (through 2024-12-30) would have been sensitive to supply-chain issues. **Would fire today:** No — no current advisory found. **Source:** https://github.com/debridge-finance/debridge-... RD-F-161 gray Protocol-impersonator domain registered (typosquat) **Phase:** v1 deferred (P1) **Applicable:** Yes — "debridge" is a distinct brand name with multiple plausible typosquats (debridge.finance, debridgeprotocol.com, etc.). **Current posture:** No known typosquat domain detected in public search data. The Halborn Cloudflare/infrastructure review (2022-05-26) addressed some frontend security surface, but domain monitoring was not confirmed as an ongoing process. **Would fire today:** Gray — not assessable without domain-monitoring feed subscriptio... RD-F-162 gray Known-exploit-template selector deployed by any address **Phase:** v1 deferred (P2) **Applicable:** Yes — if a Ronin-style attack template targeting threshold-signature bridge validators were deployed, this signal would apply. **Current posture:** No protocol-specific exploit template for deBridge's OraclesManager/SignatureVerifier identified in public security research. deBridge has no prior on-chain exploit, so no in-sample template exists. **Would fire today:** Gray — no template and no deployment found. --- RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols **Phase:** v1 deferred (P2; backward-looking annotation rather than trigger) **Applicable:** Informational context — for bridge protocols of this class (threshold-signature validators), the Harmony Horizon exploit involved months of key compromise; the Ronin exploit involved ~100 days of validator key acquisition; the Drift DPRK attack involved ~6 months of social engineering. The deBridge August 2022 phishing attempt occurred approximately 6 months after mainnet launch (Feb 2022) — consisten... RD-F-164 gray Leaked credential on paste/sentry site **Phase:** v1 deferred (P2; M-only OSINT, manual triage) **Applicable:** Yes — validator node infrastructure credentials or API keys would be high-value targets. **Current posture:** No public paste-site or credential-dump reference to deBridge infrastructure endpoints identified in this assessment. Gap: requires paid credential-monitoring feed (HaveIBeenPwned Enterprise, SpyCloud, etc.). **Would fire today:** Gray — not assessable without credential-monitoring feed. --- RD-F-165 gray Protocol social channel has scam-coordinator flag **Phase:** v1 deferred (P2; off-chain, subjective) **Applicable:** Yes — deBridge has official Discord and Telegram channels (locations not directly verified in profile; gap noted in 00-profile.md §9). **Current posture:** No scam-coordinator flag for deBridge community channels found in public data. **Would fire today:** Gray — not assessable. ---

Tooling / compiler / AI Green 8 5 of 5

RD-F-174 yellow Dependency tree uses EOL Solidity version DeBridgeGate (0.8.17), DlnSource/DlnDestination (0.8.28), CrosschainForwarder (0.8.28): all are within the currently supported Solidity 0.8.x release line. Current latest is 0.8.35+ (as of 2026); 0.8.17 is not EOL (0.8.x is actively maintained as a minor version stream). Solidity 0.6.11 is listed in debridge-contracts-v1 hardhat.config.ts as an override for legacy dependencies — this is potentially EOL but appears to be test/mock contracts, not production bridge contracts. RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation N-A for fork-similarity check (no audited upstream). Cannot assess AI-generated copy-paste from an audited protocol since deBridge is original code with no upstream. Manual inspection of DlnSource/DlnDestination shows OZ upgradeable patterns and custom bridge logic without structural similarity to known audited upstream contracts.

RD-F-170 green Solc version used (known-bug versions flagged) DeBridgeGate impl (0x797161): `v0.8.17+commit.8df45f5f` — 0.8.17 fixed the StorageWriteRemoval optimizer bug introduced in 0.8.13; no active known bugs at 0.8.17 per solc bugs.json. DlnSource impl (0x322B481): `v0.8.28+commit.7893614a`. DlnDestination impl (0xE540eb6): `v0.8.28+commit.7893614a`. CrosschainForwarder impl (0x3c857eD): `v0.8.28+commit.7893614a`. Solc 0.8.28 has a known bug: TransientStorageClearingHelperCollisionBug (HIGH severity, fixed in 0.8.34, affects contracts using `--via...

RD-F-172 green Repo shows AI-tool co-authorship in critical files Inspected commit history for debridge-contracts-v1 (last commit 2024-10-23, by `merrymari`/`artyukh`) and dln-contracts (last commit 2024-06-04, by `artyukh`). No `Co-authored-by: GitHub Copilot` or `Co-authored-by: ChatGPT` trailers found in visible commit messages. No AI tool co-authorship metadata in inspected commits.

RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure found in deBridge blog, docs, or Twitter/X of AI-generated Solidity in security-critical contracts. Protocol blog covers bridge architecture, DBR token, and security audit announcements; no AI-codegen mentions.

Response & disclosure hygiene Green 8 4 of 4

RD-F-176 yellow Disclosure SLA public No acknowledgment-time SLA published by deBridge. Immunefi /information/ page shows no response-time commitment. No protocol-specific SLA document identified. Industry benchmark: mature programs (Wormhole, Aave, LayerZero) publish 72h–30d remediation windows. Gap vs. peers. Source: https://immunefi.com/bug-bounty/debridge/information/

RD-F-175 green Disclosure channel exists Immunefi bug bounty program (https://immunefi.com/bug-bounty/debridge/) live since 2022-01-21. 90 assets in scope across 7 chains. Last updated 2025-10-08. Continuously maintained, third-party-hosted disclosure channel. Researchers have a clear submission path. No supplementary SECURITY.md or security@ email found in code repos, but Immunefi fills the channel requirement.

RD-F-177 green Prior known-ignored disclosure No evidence of any disclosed vulnerability that was ignored prior to exploitation. August 2022 incident was self-identified and proactively disclosed. No journalist or researcher has published accounts of deBridge failing to respond to responsible disclosure. Sources: CoinDesk, CoinTelegraph, Rekt.news, BleepingComputer, Halborn — no negative findings.

RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory issued against deBridge in any database. GitHub Advisory Database (GHSA) query for "debridge-finance" returned no results. CISA KEV returned no results. Neutral-positive signal: no publicly catalogued vulnerability class assigned to deBridge's codebase. --- ## Issues surfaced 1. **RD-F-084 TVL stability — data gap:** No trailing-90d TVL time-series obtainable (DefiLlama blocked). Curator should pull time-series directly. 2. **RD-F-089 insurance —...

rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol debridge