defirisk.co
rubric v1.7.0

Dolomite

dYdX Solo-Margin-derived lending and margin-trading money market with integrated DEX layer; deployed across 7 chains with immutable core and upgradeable module architecture.

Sector lending
TVL $189.3M
Reviewed May 16, 2026
Factors 184
Categories 13
Risk score 38.3
Deployments Ethereum · $129.7M
01 Risk profile at a glance

0 red · 7 yellow · 6 green
02 Categories & evidence

184 factors · 13 categories
Code & audits · Yellow · 38 · 25 of 25
RD-F-001 red Audit scope mismatch The Ethereum mainnet DolomiteMargin deployment (0x003Ca23Fd5F0ca87D01F6eC6CD14A8AE60c2b97D, deployed July 1 2025, $129.7M / 68.5% TVL) post-dates all known audits. Latest core audit is Cyfrin 2023-08-23; Guardian Jan 2024 covered modules only. No audit report commit SHA maps to the Ethereum mainnet deployed bytecode. The Berachain full deployment is similarly uncovered (Cyfrin Apr 2025 POLVaults audit covers only PoL vault modules). Only the Arbitrum deployment ($21.6M, 11.4% TVL) has plausible audit coverage continuity from the Cyfrin 2023 and Guardian 2024 engagements.
RD-F-002 red Audit recency Most recent core DolomiteMargin audit is Cyfrin dated 2023-08-23. Days since that audit to 2026-05-16 = approximately 997 days (>730-day red threshold). Guardian Jan 2024 modules audit is 487 days ago (yellow range) but covers modules only, not the full core. For the Ethereum mainnet deployment (July 2025), there is no applicable audit at all.
RD-F-006 red Audit-to-deploy gap Arbitrum deployment (2022-10-13): SECBIT audit was 2021-08-02, gap = ~427 days (red, >180 days). Ethereum mainnet deployment (2025-07-01): no applicable audit, gap is effectively undefined/infinite. Cyfrin 2023-08-23 to Ethereum deploy (2025-07-01) = ~677 days (red). No evidence of an audit close to the Ethereum mainnet deploy date.
RD-F-007 red Bug bounty presence & max payout Dolomite operates an in-house bug bounty via security@dolomite.io with no stated maximum payout, no Immunefi listing (data-cache immunefi_slug: null), no Cantina/HackerOne/Code4rena program, and no published scope contract list. At $189.3M TVL, absence of a third-party-hosted program with published USD max payout ≥$500K is red per methodology threshold.
RD-F-009 red Formal verification coverage No formal verification (Certora, Halmos, Kani, or equivalent) found for any Dolomite contracts. Web search for Dolomite FV returned no protocol-specific results. No FV specification files found in dolomite-margin or dolomite-margin-modules GitHub repos. At $189.3M TVL, 0% FV coverage is red per methodology threshold.
RD-F-183 red Bug bounty scope gap on highest-TVL contracts Dolomite's in-house bug bounty (security@dolomite.io) publishes no contract scope list, no maximum payout, and no Immunefi/third-party listing. The highest-TVL contracts (DolomiteMargin 0x003Ca23Fd5F0ca87D01F6eC6CD14A8AE60c2b97D on Ethereum, $129.7M) are not explicitly covered by a named, transparent bounty scope. At $189.3M TVL with no Immunefi listing and no published scope, the bounty cannot be verified as covering the highest-TVL contracts.
RD-F-003 yellow Resolved-without-proof findings Guardian Jan 2024 audit found 2 Critical + 4 High + 13 Medium + 15 Low findings (per docs.dolomite.io/audits-and-security). Dolomite docs state all findings were remediated. Cyfrin 2023 audit findings resolution status also unverifiable from public index (PDF binary). Cannot independently verify on-chain proof of high/critical finding resolution. Rated yellow (unverifiable resolutions for high/critical severity, not confirmed red because no specific unresolved finding identified).
RD-F-005 yellow Audit firm tier OpenZeppelin (Tier-1) audited the upstream dYdX Solo-Margin in 2019 — not Dolomite-specific changes. For Dolomite-specific code: Cyfrin (Tier-2), SECBIT Labs (Tier-2), Guardian Audits (Tier-2), Zokyo (Tier-2), Bramah Systems (boutique). No current Tier-1 firm (Trail of Bits, ConsenSys Diligence, Spearbit, Zellic, Sigma Prime) has audited Dolomite's fork-specific modifications. Yellow: Tier-2 only for Dolomite-specific work.
RD-F-013 yellow Arbitrary call with user-controlled target DolomiteMargin's callFunction mechanism allows external calls through AutoTrader contracts — a core design feature requiring operator whitelist authorization (ownerSetAutoTraderSpecial, ownerSetGlobalOperator in AdminImpl.sol). Current v2 requires global operator whitelist for liquidators/expirations. Not a fully user-controlled unfiltered call, but the mechanism does perform external calls to whitelisted contracts with user-supplied parameters. Yellow: filtered by admin-controlled allowlist.
RD-F-014 yellow Reentrancy guard on external-calling functions DolomiteMargin uses a noEntry guard pattern (dYdX-heritage storage-based entry guard) rather than OZ ReentrancyGuard. OperationImpl.sol operates as a library with no inherent per-function guard. The old 2019 legacy contract was exploited via reentrancy on callFunction; the v2 architecture has a different guard pattern. Cannot fully confirm v2 reentrancy guard coverage without complete Operation.sol entry point inspection. Yellow: guard pattern exists in architecture but non-standard form and cannot be fully verified.
RD-F-016 yellow Divide-before-multiply pattern SECBIT 2021 audit addressed numeric precision; getPartialRoundHalfUp function added to prevent lossy Wei/Par conversions. README explicitly documents this fix. No published Slither divide-before-multiply output available for current deployed code. Known mitigation applied but cannot independently verify absence of remaining instances without tool run. Yellow.
RD-F-020 yellow EIP-712 domain separator missing chainId DolomiteMargin core does not use EIP-712 for primary operations. Some EIP-712/signature patterns exist in module and governance contracts. The per-chain deployment pattern inherently limits cross-chain replay at the core layer. Cannot confirm chainId inclusion in all periphery signature contexts without full source inspection of all module contracts. Yellow: likely non-issue for core but cannot fully confirm periphery.
RD-F-024 yellow Code complexity vs audit coverage DolomiteMargin core codebase: TypeScript 59.2%, Solidity 36.9%. Modules repo: 18 packages (GMX, GLP, Pendle, Berachain PoL, oracles, interest setters, tokenomics, admin, etc.) under active development with different scope per audit. Cyfrin Aug 2023 covered core; Guardian Jan 2024 covered modules at a point in time. Module count has expanded significantly since the Jan 2024 audit. Ethereum mainnet (July 2025) adds new integration contracts not in prior audits. Audit appears adequate for Arbitrum core but borderline for the expanding module surface.
RD-F-010 gray Static-analyzer high-severity count No published Slither, Mythril, or Semgrep analysis found for Dolomite's deployed bytecode. The core uses Solidity 0.5.16 with experimental ABIEncoderV2. Dolomite claims 100% line/statement/branch test coverage but that is not static analysis. Cannot assess without tool run.
RD-F-021 gray UUPS _authorizeUpgrade correctly permissioned DolomiteMargin core is immutable (no UUPS pattern). Arbitrum module proxy contracts (ExpiryProxy, DepositWithdrawalProxy, GenericTraderProxyV1, LiquidatorProxyV5, EventEmitterRegistryProxy) are upgradeable but their exact proxy pattern (UUPS/Transparent/Beacon) was not confirmed via direct Arbiscan source read (403 on fetch attempt). Cannot confirm _authorizeUpgrade restriction without source inspection.
RD-F-023 gray Constructor calls _disableInitializers() _disableInitializers() is not applicable to the immutable core. For modules layer (Solidity 0.8.9, upgradeable proxy pattern), cannot confirm _disableInitializers() in implementation constructors without direct source inspection of each module implementation contract. Proxy pattern uncertainty (UUPS vs Transparent) makes this gray.
RD-F-004 green Audit count 6 distinct audit firms across 7 engagements: OpenZeppelin/Zeppelin Solutions (pre-2021, dYdX Solo), Bramah Systems (pre-2021, dYdX Solo), SECBIT Labs (2021-08, Dolomite-specific), Zokyo (2023-04, GLP/Isolation modules), Cyfrin (2023-08, core + 2025-04 POLVaults), Guardian Audits (2024-01, modules). Green threshold is ≥2 distinct firms. With 6 firms covering portions of the deployed codebase across audit history, count is green. Caveat: none directly audited the Ethereum mainnet deployment.
RD-F-008 green Ignored bounty disclosure The March 2024 exploit targeted a 2019 legacy contract deprecated ~2020, not the current v2 system. Post-mortem published by Corey Caplan. No evidence of a whitehat disclosure ignored by the team prior to this exploit. The exploit vector (callFunction reentrancy on old legacy contract) was not a reported vulnerability that the team failed to act on.
RD-F-011 green SELFDESTRUCT reachable from non-admin path Direct inspection of OperationImpl.sol and DolomiteMargin.sol source confirms no SELFDESTRUCT opcode. AdminImpl.sol is a library with no selfdestruct. The dYdX Solo-Margin heritage (immutable, non-upgradeable core) makes SELFDESTRUCT absence consistent with architecture.
RD-F-012 green delegatecall with user-controlled target No user-controlled delegatecall target found in core DolomiteMargin contracts inspected. Core is non-upgradeable/immutable (constructor-based init, no proxy). Module proxy contracts (ExpiryProxy etc.) use admin-controlled upgrade patterns. The legacy exploit (2024) was on the old 2019 contract, not v2.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard DolomiteMargin core works with ERC-20 tokens using virtual Par/Wei balances in subaccounts; no ERC-777 tokensReceived or ERC-1155/721 onReceived hooks in the core layer. Module packages use custom vault wrappers without native callback hooks in the core accounting. No ERC-777/1155/721 callback vulnerability identified.
RD-F-017 green Mixed-decimals math without explicit scaling DolomiteMargin uses Wei/Par accounting model where all balances are stored in a normalized form with conversion through index values. Architecture designed to handle multi-decimal tokens through price oracle integration. OZ 2019 audit and SECBIT 2021 audit covered arithmetic safety. No mixed-decimal vulnerability flagged in any known audit.
RD-F-018 green Signed/unsigned arithmetic confusion OZ v2.5.1 SafeMath used for uint arithmetic in Solidity 0.5.x (no built-in overflow protection). SECBIT 2021 and OZ 2019 audits covered arithmetic safety without flagging signed/unsigned confusion. No such finding identified in any of the 7 audits.
RD-F-019 green ecrecover zero-address return unchecked DolomiteMargin core is a lending/margin protocol without ecrecover usage in core accounting operations. No ecrecover found in DolomiteMargin.sol, OperationImpl.sol, or AdminImpl.sol. Governance contracts (PartiallyDelayedMultiSig) use signatures internally but are administrative contracts outside the core TVL accounting layer.
RD-F-022 green Public initialize() without initializer modifier DolomiteMargin core uses constructor-based initialization — no initialize() function present in DolomiteMargin.sol or OperationImpl.sol (confirmed by source inspection). The core is non-upgradeable. Modules layer uses Hardhat/OZ upgradeable patterns; Guardian Jan 2024 and Cyfrin Apr 2025 module audits did not flag an unprotected initialize function. Green.
Governance & admin · Yellow · 40 · 24 of 24
RD-F-028 red Low-threshold multisig vs TVL 2-of-3 Safe at $189.3M TVL is abnormally low. Peer norm at >$100M TVL is 4-of-7 or 5-of-9. Any 2 of 3 team members can unilaterally execute all admin actions including parameter changes, minter designation, and module upgrades. Signer identities not publicly attested.
RD-F-035 red Role separation: upgrade ≠ fee ≠ oracle The 2-of-3 GnosisSafe controls all privileged functions: oracle config (ownerSetInterestSetter), fee collection (ownerWithdrawExcessTokens), and upgrade-adjacent parameter changes — all through the same PartiallyDelayedMultiSig. No distinct role separation found for upgrade vs fee vs oracle.
RD-F-040 red Emergency-veto multisig present No emergency-veto multisig documented separately from the 2-of-3 admin Safe. Quarterly governance has no fast-veto mechanism. No cancel/veto role found in DolomiteMargin admin docs distinct from the primary admin.
RD-F-042 red Admin has mint() with unlimited max DOLO token (0x0F81001eF0A83ecCE5ccebf63EB302c70a39a654 Ethereum) has mint() callable by designated minters set by ownerSetMinter(). Owner is GnosisSafe 0xa75c21C5BE284122a87A37a76cc6C4DD3E55a1D4. No hardcoded supply cap in contract. Docs state 1B soft cap with 3% annual inflation after Year 4 but on-chain enforcement absent. 2-of-3 Safe can designate unlimited minters.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) 2-of-3 multisig (M=2, N=3). Three owner EOAs confirmed: 0x52256ef863a713Ef349ae6E97A7E8f35785145dE, 0x42acD316D82F2c016bc5570746b739E812eDD22D, 0xbDEf2b2051E2aE113297ee8301e011FD71A83738. Below peer norm of 4-of-7 or 5-of-9 at this TVL band.
RD-F-031 yellow Signer rotation recency No signer-rotation events documented in accessible sources. Safe has been in use for multi-year operation. No ChangedThreshold events or threshold reduction pattern found. Scored yellow (rotation history unknown, not confirmed stable).
RD-F-032 yellow Timelock duration on upgrades 1-day (86,400s) stated at launch per docs. Falls at yellow boundary (24h exactly; green requires >=48h). Docs state intent to increase incrementally. Current on-chain value not directly confirmed (Arbiscan returned 403 for readContract).
RD-F-033 yellow Timelock on sensitive actions Most admin actions timelocked via PartiallyDelayedMultiSig. Four functions bypass timelock immediately: ownerSetMarketIsClosing (0xef6957d0), ownerSetMarketMaxWei (0x0cd30a0e), ownerSetInterestSetter (0x121fb72f), GLPWrappedTokenUserVaultFactory::setUserVaultImplementation (0x35598a02). These are parameter-setting not fund-drain functions but represent 4 of 5 sensitive action types not fully timelocked.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader No dedicated guardian/pause-keeper role distinct from the 2-of-3 admin Safe found. DolomiteMargin is immutable with admin functions but no separate pauser role. Single multisig holds both upgrader-adjacent and pause-adjacent powers.
RD-F-038 yellow Proposal execution delay < 24h Quarterly governance with ~7 day voting period and human execution by Leavitt Innovations. PartiallyDelayedMultiSig timelock is 24h (stated). Total proposal execution delay is effectively weeks (quarterly cadence) for governance. Admin-level param changes have 24h timelock which is at the yellow boundary.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock No explicit rescue/emergencyWithdraw function found on DolomiteMargin core (immutable architecture). ownerWithdrawExcessTokens and ownerWithdrawUnsupportedTokens handle non-user-fund excess tokens through PartiallyDelayedMultiSig with 1-day timelock. Four bypass functions do not directly drain user funds. Assessed yellow: no direct drain-without-timelock found, but bypass carve-outs exist for parameter functions.
RD-F-029 gray Multisig signers co-hosted Three EOA signers identified but no ASN/custodian information publicly available. Cannot confirm independent infrastructure.
RD-F-030 gray Hot-wallet signer flag On-chain hot-wallet heuristics not run within this assessment. No hot-wallet signals surfaced in profile research.
RD-F-036 gray Flash-loanable voting weight veDOLO is vote-escrowed DOLO locked up to 2 years, structurally non-transferable during lock — flash-loan attack structurally mitigated if correctly implemented. However, BeraVote governor contract address not located for direct source inspection. Cannot confirm checkpoint vs live-balance vote accounting.
RD-F-037 gray Quorum achievable via single-entity flash loan BeraVote governor contract not located; quorum stated at 5% of veDOLO supply. veDOLO is locked/non-transferable making flash-loan attack structurally unlikely. Cannot compute exact quorum vs flash-loan depth without governor contract address.
RD-F-039 gray delegatecall/call in proposal execution without allowlist BeraVote governor contract address not located in any accessible source. No automated on-chain proposal execution confirmed — proposals pass to Leavitt Innovations LLC for manual execution. Cannot assess delegatecall/call path in proposal execution without governor contract source.
RD-F-044 gray Admin wallet interacts with flagged addresses No CTI/Chainalysis feed available. No flagged interactions found in profile research. Cannot assess without cluster feed.
RD-F-045 gray Constructor args match governance proposal DolomiteMargin core is immutable. No governance proposal for original deployment found. Ongoing governance proposals (BeraVote quarterly) not matched to specific constructor args. Assessment not material for immutable-core protocol.
RD-F-047 gray Governance token concentration (Gini) DOLO token governance concentration not computed. Gini coefficient of veDOLO distribution not available. Distribution documentation exists but on-chain holder distribution not analyzed within this assessment.
RD-F-025 green Admin key custody type Admin key custody type is multisig+timelock. GnosisSafe 2-of-3 owns PartiallyDelayedMultiSig (86,400s / 1-day delay) on all chains. Four functions bypass the timelock but do not directly drain user funds.
RD-F-027 green Single admin EOA Admin is GnosisSafe multisig (0xa75c21C5BE284122a87A37a76cc6C4DD3E55a1D4), threshold=2, owner_count=3. Not a single EOA. Safe-API confirmed.
RD-F-043 green Admin = deployer EOA after 7 days Admin is GnosisSafe multisig (confirmed), not the deployer EOA. Deployer address is null in data-cache but admin is confirmed to be the Safe, indicating transfer occurred at or near deployment.
RD-F-046 green Contract unverified on Etherscan/Sourcify DolomiteMargin core and proxy contracts verified on Arbiscan/Etherscan. GitHub repo publicly accessible with source. data-cache security_md_present=true. Docs link to contract addresses with corresponding verified source.
RD-F-167 green Deprecated contract paused but pause reversible by live admin The 2024 exploit targeted the deprecated 2019 Loopring Trade Delegate contract (0xe2466deb9536a69bf8131ecd0c267ee41dd1cda0). Post-mortem confirms this is NOT controlled by the current admin. Current admin (GnosisSafe) has no pause authority over the old deprecated contract. F167 pattern (admin retains reversible pause over deprecated surface) does not apply here.
Oracle & external dependencies · Yellow · 27 · 17 of 17
RD-F-059 red Oracle staleness check present ChainlinkPriceOracleV1.sol calls latestAnswer() (deprecated) rather than latestRoundData(). The latestAnswer() function does not return a timestamp — consequently no updatedAt staleness check is performed. Stale prices pass through silently. For Arbitrum the L2 sequencer flag partially compensates (detects sequencer downtime but not feed-specific staleness within a live sequencer). For Ethereum mainnet (68.5% of $189M TVL = ~$130M) and Berachain (20% = ~$38M), there is NO sequencer flag — no staleness protection exists. This is a confirmed structural gap in the oracle implementation across the two largest deployments by TVL.
RD-F-049 yellow Oracle role per asset Each asset has exactly one oracle entry in ChainlinkPriceOracleV1 tokenToAggregatorMap — no secondary or fallback oracle per asset. Chainlink feeds = Primary for ETH/BTC/USDC/USDT/LINK/WBTC/COMP/UNI. Chronicle = Primary for some Berachain assets. Redstone = Primary for select Berachain/Ethereum assets. Pendle TWAP = Primary for PT component of PT-token pricing. Yellow because single-oracle-per-asset design (no fallback role assigned).
RD-F-050 yellow Dependency graph (protocols depended upon) Protocol dependencies: (1) GMX v2 GM token vaults and GLP staking on Arbitrum — isolation-mode; (2) Pendle vault contracts and AMM on Arbitrum; (3) Chainlink price feeds and Automation across all chains; (4) Chronicle on Berachain/Mantle; (5) Redstone on Berachain/Ethereum/Botanix; (6) Berachain PoL infrastructure; (7) Chainlink CCIP for DOLO governance token only. Yellow because multiple external dependencies confirmed; GMX adapter specifics not fully traced from source.
RD-F-051 yellow Fallback behavior on oracle failure No automatic fallback oracle exists. ChainlinkPriceOracleV1 has a single tokenToAggregatorMap per token with no fallback branch. If oracle reverts, the getPrice() call reverts. If oracle returns stale data (latestAnswer with no timestamp check), the stale value passes through. The Pause Sentinel allows admin to manually disable borrowing or liquidations for an asset — reactive manual intervention, not automated failover. L2 sequencer flag provides sequencer-downtime protection on Arbitrum only.
RD-F-052 yellow Breakage analysis per dependency Key breakage paths: (1) Chainlink feed stale on Ethereum mainnet (68.5% TVL) — ChainlinkPriceOracleV1 has no updatedAt check, stale price passes through, collateral mispriced; (2) Pendle AMM illiquidity — 15-min TWAP becomes manipulable, PT-collateral inflated, bad debt risk; (3) GMX DataStore failure — GM-collateral positions mispriceable or inaccessible; (4) Berachain PoL pause — pol-BERA/pol-HONEY collateral stuck; (5) Chainlink Automation failure — ERC-4626 vault prices stale; (6) CCIP curse — DOLO cross-chain transfers halt (governance-only, no TVS impact). Yellow reflects real but bounded breakage paths.
RD-F-053 yellow Oracle source = spot DEX pool (no TWAP) [★ CRITICAL assessed] Major assets use Chainlink (not DEX spot pools) — strict F053 red condition not met for core TVL. However, Pendle PT assets (PT-GLP, PT-ezETH, PT-wstETH, PT-rETH, PT-eETH on Arbitrum) use a 15-minute TWAP from the Pendle AMM pool for the PT/base-asset price leg. 15 minutes is below the 30-minute safe TWAP threshold per taxonomy RD-F-054. Additionally, Berachain Kodiak TWAP sources for select Berachain assets — TWAP window not confirmed. The narrow DEX-TWAP usage in long-tail/Pendle assets with a below-threshold window warrants yellow (not red because the strict 'no TWAP at all' condition is not met for core assets).
RD-F-054 yellow TWAP window duration Pendle PT TWAP window = 15 minutes (900 seconds) — confirmed from docs.dolomite.io/integrations/pendle/pendle-glp. Taxonomy threshold: <30 minutes = high risk. 15 min is below threshold. Applies to all PT assets on Arbitrum (PT-GLP, PT-ezETH, PT-wstETH, PT-rETH, PT-eETH, PT-USDe, PT-MNT). Berachain Kodiak TWAP window not documented — gap. Chainlink-priced assets do not use TWAP (not applicable for those assets).
RD-F-056 yellow Single-pool oracle (no medianization) ChainlinkPriceOracleV1 calls a single Chainlink aggregator per asset via tokenToAggregatorMap[_token].latestAnswer(). No cross-venue medianization in Dolomite's oracle adapter. Chainlink internally aggregates across node operators, but Dolomite queries a single aggregator contract (not multiple oracles). For Pendle PT assets: single Pendle AMM TWAP source. Chronicle and Redstone are similarly single-source per asset in the Dolomite adapter. No median-aggregation pattern found.
RD-F-057 yellow Circuit breaker on price deviation No automated price-deviation circuit breaker found in ChainlinkPriceOracleV1.sol. The L2 sequencer flag provides a sequencer-offline (not price-deviation) halt for Arbitrum. The Pause Sentinel allows admin to manually disable borrowing/liquidations for an asset after observing a problem — reactive, not automatic. No on-chain price-deviation threshold (e.g., halt if price moves >X% per block) implemented.
RD-F-058 yellow Max-deviation threshold (bps) No max-deviation threshold configured in the Dolomite oracle adapter. ChainlinkPriceOracleV1.sol does not implement minAnswer/maxAnswer validation. Chainlink aggregators have internal min/max circuit breakers at the aggregator level, but Dolomite does not check them — during an asset crash where the aggregator returns minAnswer floor, Dolomite would use that floored value as the price, overstating collateral. No configured threshold in bps found.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig ChainlinkPriceOracleV1.sol does not check minAnswer/maxAnswer circuit breaker bounds from the Chainlink aggregator. During an asset crash scenario where the underlying price falls below the aggregator's minAnswer floor, the aggregator returns minAnswer (floored), and Dolomite uses this floored value — overstating collateral value. This is a known Chainlink integration risk pattern. The Cyfrin 2023 audit PDF is inaccessible for direct finding verification. Chainlink heartbeat and deviation thresholds are set at the feed level (enumerated in data-cache), but Dolomite does not validate against them.
RD-F-055 gray Oracle pool depth (USD) Oracle pool depth requires on-chain RPC query at a reference block. No on-chain pool-depth query performed for Pendle AMM pools within this assessment. Chainlink feeds aggregate across many providers (not single-pool depth metric). Gap flagged — requires programmatic DEX subgraph query.
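The two read paths that RD-F-059, RD-F-058 and RD-F-060 contrast, as an added example that is not Dolomite's ChainlinkPriceOracleV1 code: a bare latestAnswer() adapter beside one that reads latestRoundData() and enforces a heartbeat-based staleness window, the aggregator's min/max circuit-breaker bounds, and an L2 sequencer-uptime grace period. Contract and struct names, the per-feed config layout and the one-hour grace period are this example's own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of the Chainlink aggregator interface: the deprecated read path and the current one.
interface IAggregatorV3 {
    function latestAnswer() external view returns (int256); // deprecated: returns no timestamp
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Read path equivalent to the one the finding describes: a bare latestAnswer() call.
/// A stale answer, or an answer pinned at the aggregator's minAnswer floor, is returned as-is.
contract StaleLatestAnswerAdapter {
    IAggregatorV3 public immutable feed;

    constructor(IAggregatorV3 feed_) {
        feed = feed_;
    }

    function getPrice() external view returns (uint256) {
        int256 answer = feed.latestAnswer();
        require(answer > 0, "bad answer");
        return uint256(answer);
    }
}

/// Hardened read path: latestRoundData() plus the checks the findings report as missing.
/// The per-feed config is this example's own layout, not a Dolomite structure.
contract CheckedRoundDataAdapter {
    struct FeedConfig {
        IAggregatorV3 aggregator;
        uint256 heartbeat;  // max accepted age in seconds: feed heartbeat plus an operational margin
        int256 minAnswer;   // aggregator circuit-breaker floor, copied from the aggregator's config
        int256 maxAnswer;   // aggregator circuit-breaker ceiling, copied from the aggregator's config
    }

    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error AnswerOutOfBounds(int256 answer, int256 minAnswer, int256 maxAnswer);
    error SequencerDown();
    error SequencerGracePeriod(uint256 secondsSinceRestart);

    uint256 public constant SEQUENCER_GRACE_PERIOD = 1 hours; // assumed value
    IAggregatorV3 public immutable sequencerUptimeFeed;       // zero address on an L1 deployment
    address public immutable owner;
    mapping(address => FeedConfig) public feeds;

    constructor(IAggregatorV3 sequencerUptimeFeed_) {
        owner = msg.sender;
        sequencerUptimeFeed = sequencerUptimeFeed_;
    }

    function setFeed(address token, FeedConfig calldata cfg) external {
        require(msg.sender == owner, "not owner");
        require(cfg.heartbeat > 0 && cfg.minAnswer >= 0 && cfg.minAnswer < cfg.maxAnswer, "bad config");
        feeds[token] = cfg;
    }

    function getPrice(address token) external view returns (uint256) {
        FeedConfig memory cfg = feeds[token];
        require(address(cfg.aggregator) != address(0), "no feed");

        // On an L2, refuse to price while the sequencer is down or has only just come back:
        // the uptime feed reports answer == 0 for "up" and startedAt = time of the last status change.
        if (address(sequencerUptimeFeed) != address(0)) {
            (, int256 status, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();
            if (status != 0) revert SequencerDown();
            uint256 sinceRestart = block.timestamp - startedAt;
            if (sinceRestart < SEQUENCER_GRACE_PERIOD) revert SequencerGracePeriod(sinceRestart);
        }

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            cfg.aggregator.latestRoundData();

        // 1. Staleness: the feed must have updated within its configured heartbeat window.
        if (updatedAt == 0 || block.timestamp - updatedAt > cfg.heartbeat) {
            revert StalePrice(updatedAt, cfg.heartbeat);
        }
        // 2. Round completeness (legacy check; harmless on current OCR feeds).
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // 3. Circuit-breaker bounds: an answer pinned at the floor or ceiling is not a market price.
        if (answer <= cfg.minAnswer || answer >= cfg.maxAnswer) {
            revert AnswerOutOfBounds(answer, cfg.minAnswer, cfg.maxAnswer);
        }

        return uint256(answer);
    }
}
```

A revert from getPrice() surfaces as a failed borrow or liquidation rather than a silently mispriced one; pairing it with a pause mechanism such as the Pause Sentinel described above is what turns the revert into an operational signal.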
RD-F-048 green Oracle providers used Chainlink is the primary oracle for all major Arbitrum assets (19 feeds confirmed in data-cache). Ethereum mainnet presumed Chainlink per launch documentation and risk-management docs. Berachain uses Chronicle (BERA/USD confirmed) and Redstone for select assets. Pendle PT integrations use Pendle AMM 15-min TWAP for the PT/base leg then Chainlink/Chronicle for USD. GMX module uses GMX Data Streams custom adapter. Full multi-provider oracle map documented in risk-management docs.
RD-F-061 green LP token balanceOf used for pricing Dolomite uses ChainlinkPriceOracleV1 (Chainlink aggregator latestAnswer) and custom adapters for GLP/GM/Pendle — not raw balanceOf LP token reads. GLP pricing uses GMX's own GLP price oracle which accounts for total AUM and total supply, not direct balanceOf manipulation. No balanceOf-for-pricing pattern detected in the oracle architecture reviewed.
RD-F-062 green External keeper/relayer not redundant Chainlink Automation is used for ERC-4626 vault price pushes (plvGLP, jUSDC, mGLP). Chainlink Automation operates as a decentralized network of keeper nodes — not a single keeper. Standard Chainlink price feeds use a DON (Decentralized Oracle Network) with multiple node operators. GMX Data Streams is off-chain aggregated. No single-keeper/single-relayer critical dependency identified for core protocol operations.
RD-F-180 green Immutable oracle address [★ CRITICAL-CANDIDATE per PD-017 — evaluated; NOT counted in 19-star total; flagged for orchestrator/T-14 tracking] Oracle addresses are NOT immutable and ARE admin-replaceable. AdminImpl.sol exposes ownerSetPriceOracle(marketId, newOracle) allowing the PartiallyDelayedMultiSig admin (via 1-day timelock) to replace the oracle for any market. ChainlinkPriceOracleV1.insertOrUpdateOracleToken() allows owner to update individual Chainlink aggregator addresses per token. Oracle replacement is NOT in the timelock-bypass list per docs.dolomite.io/admin-privileges — subject to 1-day delay. Oracle addresses are mutable by admin. F180 green: not immutable, admin-replaceable wrapper exists.
RD-F-181 green Permissionless-pool lending oracle Dolomite's asset listing is governed and curated, not permissionless. New markets are added by admin via ownerAddMarket() requiring GnosisSafe/PartiallyDelayedMultiSig authorization and 1-day timelock. The oracle for each market is set at market creation by admin. Users cannot create new markets or oracle sources permissionlessly. Isolation Mode module adds a wrapper layer but asset listing within it remains curated by Dolomite governance. F181 condition (permissionless DEX-pool oracle acceptance) is not met.
Economic risk · Yellow · 24 · 13 of 13
RD-F-063 yellow TVL (current + 30d trend) Current TVL $189.3M (2026-05-16). 30-day change +33.24%; 1-day +6.84%. 90-day CoV ~0.155 indicates significant volatility. 12-month peak $1B+ during Berachain incentive surge (Feb-Apr 2025); post-peak contraction ~81%. Protocol recovering from ~$92M Arbitrum-only era following Ethereum mainnet launch July 2025. TVL trend is positive but history of extreme volatility from incentive-driven TVL influx. RD-F-064 yellow TVL concentration (top-10 wallet share) No on-chain top-10 wallet share breakdown available from cache. However, the WLFI event (April 2026) demonstrates extreme single-borrower concentration: World Liberty Financial deposited 5B WLFI tokens representing >55% of total supplied assets at peak, and borrowed ~$162M outstanding after $25M partial repayment. This single counterparty dominance is documented by Chaos Labs and multiple secondary sources. Current concentration risk remains elevated even post-partial-repayment. RD-F-065 yellow Liquidity depth per major asset Major blue-chip assets (ETH, WBTC, USDC, USDT) have adequate Chainlink-backed DEX liquidity. Long-tail isolation-mode assets present severe depth mismatch. WLFI: Chaos Labs found Dolomite holds WLFI collateral worth more than 4x the total WLFI available on Binance, making orderly liquidation at scale structurally infeasible. Pattern extends to other long-tail assets (GM tokens, PoL tokens) though at smaller scales. The protocol accepts illiquid collateral at significant scale relative to available market depth. RD-F-066 yellow Utilization rate (lending protocols) Data-cache reports total_borrowed_usd $280.4M vs total_supplied_usd $189.3M (utilization 148.12% per DefiLlama gross-borrow methodology). This cross-market figure may include leverage positions without full netting. More critically, USD1 pool was pushed to near-100% utilization by WLFI borrowing in April 2026, locking ordinary depositors who were unable to withdraw. 
USD1 lending rates spiked to 35.81% APR. As of assessment date (2026-05-16), the WLFI position remains partially outstanding and per-market utilization not independently verified at pool level. RD-F-068 yellow Collateralization under stress Global minimum collateralization 115-117.65% (LTV 85-86.96%) depending on chain. Under the WLFI stress scenario: $162M borrowed against WLFI collateral nominally worth $402-499M at April 2026 prices. WLFI-specific LTV set at 66%. WLFI price was ~$0.072 on 2026-05-07, down ~80% from 2025 highs, approaching (but not yet at) the 75% drop required to trigger liquidation. If liquidated at scale, WLFI's thin market depth (position size exceeds 4x Binance availability) would prevent orderly unwind, causing protocol net-collateralization to fall below 100% on the WLFI-exposed pool. No insurance fund of sufficient scale exists to backstop this. Partial $25M repayment reduced but did not eliminate the risk. Long-tail GM/PoL assets are secondary concerns at current TVL levels. RD-F-073 yellow Oracle-manipulation-proof borrow cap Dolomite has per-asset supply caps via getMarketMaxWei. For major assets with deep Chainlink feeds (ETH/BTC/USDC/USDT), borrow caps appear calibrated to liquid oracle depth. However, the WLFI case demonstrates inadequate calibration for long-tail assets: the 5.1B token supply cap for WLFI was set at a level that allowed the protocol to accumulate collateral exceeding 4x the total WLFI available on Binance. This means oracle manipulation resistance (the asset's position in a thin market relative to the oracle feed depth) was not adequately factored into cap-setting for this asset class. Pattern may extend to other long-tail isolation assets. Exact borrow caps for all assets require getMarketMaxWei on-chain reads (not performed here; oracle-dep-analyst scope for feed-depth calibration). 
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) dTokens are confirmed ERC-4626 vault tokens per docs.dolomite.io/developer-documentation/dolomite-margin-dtokens. DolomiteERC4626.sol (packages/base/contracts/general/DolomiteERC4626.sol) does NOT implement _decimalsOffset(). Inheritance chain: IDolomiteERC4626, Initializable, ProxyContractHelpers, ReentrancyGuardUpgradeable, OnlyDolomiteMargin - no OpenZeppelin ERC4626 base. GitHub search for decimalsOffset in dolomite-margin-modules returns 0 results (confirmed 2026-05-16). No virtual-share offset protection is present. Share conversion uses Dolomite's Par/Wei interest-index mechanism (weiToPar / parToWei). The index-based accounting differs from a naive totalAssets/totalSupply ratio and provides some structural mitigation vs canonical ERC-4626 inflation. Scored yellow rather than red: confirmed gap in explicit OZ >= 4.9 protection; architectural differences from canonical vulnerable pattern warrant further audit-level investigation before red designation. RD-F-075 yellow First-depositor / share-inflation guard No first-depositor seed deposit, dead-share burn, or virtual-share offset guard found in DolomiteERC4626. Convertibility uses weiToPar/parToWei via Dolomite's interest index. No explicit minimum-deposit floor enforced in the dToken layer. The index-based Par/Wei accounting differs structurally from the canonical cToken inflation attack: an attacker cannot inflate share price by simply donating tokens because accounting tracks index-adjusted principal, not raw balance ratio. However, the interaction between dToken ERC-4626 share accounting and Dolomite's Par/Wei index during the very first deposit of a new market has not been fully validated by available audit evidence covering the dToken layer. Cyfrin 2023-08 covers DolomiteMargin core; Guardian 2024-01 covers modules. A specific first-deposit path audit of the dToken layer is not confirmed in available audit scope. Conservatively yellow. 
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Dolomite does not issue a stablecoin. USD1 is World Liberty Financial's stablecoin, not Dolomite's protocol product. Dolomite is a lending market that accepts USD1 as a borrowable/collateral asset. Not applicable by protocol-type classification.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) NOT APPLICABLE. Dolomite is derived from dYdX Solo-Margin (github.com/dydxprotocol/solo), NOT from Compound V2. The DolomiteMargin core uses a per-account Wei/Par balance model: Par tracks principal shares per subaccount; Wei tracks actual asset value after interest index application via Interest.parToWei() / Interest.totalParToWei(). No fungible cToken is minted per depositor; no shared pool exists whose share-price can be inflated by a first-depositor donation. The empty-cToken donation attack vector targets the Compound V2 architecture specifically (shared totalSupply/totalBorrow pool where first-depositor can inflate exchange rate via direct transfer). This attack surface is architecturally absent in the dYdX-Solo-Margin-derived design. Verified from OperationImpl.sol source inspection. A distinct ERC-4626 first-depositor risk exists in dTokens and is assessed separately under F074/F075.
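To make concrete the share-conversion difference that RD-F-070, RD-F-074 and RD-F-075 weigh, the following Python model (added here; it is not Dolomite's or OpenZeppelin's code) compares naive pool arithmetic with the OZ ≥4.9 virtual-share formula after a donation raises totalAssets without minting shares. The deposit amounts are constructed, and Dolomite's Par/Wei index accounting is deliberately not modelled.

```python
"""Share-price arithmetic with and without a virtual-share offset (added example, not Dolomite code).

Two conversion rules are modelled:
  * naive pool:  shares = assets * totalSupply / totalAssets      (the pattern RD-F-070 describes)
  * OZ >= 4.9:   shares = assets * (totalSupply + 10**offset) / (totalAssets + 1)
Dolomite's Par/Wei index accounting (weiToPar / parToWei) is a different mechanism
and is not represented here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vault:
    # None = naive pool arithmetic; an int = OZ-style _decimalsOffset() value
    offset: Optional[int]
    total_assets: int = 0   # underlying units held, donations included
    total_supply: int = 0   # shares outstanding

    def convert_to_shares(self, assets: int) -> int:
        if self.offset is None:
            # Naive pool: first depositor mints 1:1, later deposits pro rata by balance ratio
            if self.total_supply == 0:
                return assets
            return assets * self.total_supply // self.total_assets
        # OZ >= 4.9: 10**offset virtual shares and one virtual asset, rounded down
        return assets * (self.total_supply + 10 ** self.offset) // (self.total_assets + 1)

    def convert_to_assets(self, shares: int) -> int:
        if self.offset is None:
            return shares * self.total_assets // self.total_supply if self.total_supply else 0
        return shares * (self.total_assets + 1) // (self.total_supply + 10 ** self.offset)

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        # Plain token transfer to the vault: raises totalAssets, mints nothing
        self.total_assets += assets


def first_deposit_scenario(offset: Optional[int], seed: int, donation: int, honest: int) -> dict:
    """Seed deposit, then a donation, then an honest deposit; report what each side can redeem."""
    v = Vault(offset=offset)
    seed_shares = v.deposit(seed)
    v.donate(donation)
    honest_shares = v.deposit(honest)
    return {
        "honest_shares": honest_shares,
        "honest_redeemable": v.convert_to_assets(honest_shares),
        "seed_redeemable": v.convert_to_assets(seed_shares),
        "seed_side_in": seed + donation,   # what the seed-plus-donation side put in
    }


if __name__ == "__main__":
    # Constructed amounts: 1 unit seed, 10,000 unit donation, 10,000 unit honest deposit
    for label, off in (("naive pool", None), ("OZ offset=0", 0), ("OZ offset=6", 6)):
        print(label, first_deposit_scenario(off, seed=1, donation=10_000, honest=10_000))
```

With the naive rule the honest depositor receives zero shares and the seed side redeems everything; with offset=6 the honest depositor loses a single unit and the seed side gets back only about half of what it put in, which is why the missing `_decimalsOffset()` in RD-F-074 is the thing to check.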
RD-F-067 green Historical bad-debt events No documented bad debt events in the current Dolomite v2 system (Arbitrum/Ethereum/Berachain deployments launched Oct 2022 onward). Rekt database has no Dolomite entry. The March 2024 $1.8M exploit targeted a deprecated pre-2020 Ethereum legacy contract (old DolomiteMarginProtocol) via stale approval drain, NOT the current v2 system. Current v2 has not socialised losses. WLFI borrower event (April 2026, $162M outstanding) is a prospective risk, not a crystallised bad debt event. March 2026 liquidation rake (10% of liquidation penalty) builds a nascent safety buffer but is embryonic in size relative to potential exposure.
RD-F-071 green Seed-deposit requirement for new market listing No mandatory minimum seed deposit requirement for new market listings. Markets are added by admin governance (2-of-3 multisig + PartiallyDelayedMultiSig). The dYdX-Solo-Margin-derived model does not use a cToken factory requiring seed deposits to prevent share-price inflation, because the base accounting (Par/Wei per-account) is not vulnerable to the donation attack that seed deposits prevent. Market parameters are set via admin governance with supply caps, borrow caps, LTV, and isolation mode levels as the primary risk controls. No evidence of a seed-deposit requirement in docs, audits, or governance.
RD-F-072 green Market-listing governance threshold New market listings require admin multisig approval (2-of-3 Gnosis Safe + PartiallyDelayedMultiSig with 1-day timelock for most changes). Market parameters (isolation mode level, supply cap, borrow cap, LTV, liquidation spread premium) are all admin-controlled. Not permissionless. The governance threshold is effectively high in that all new markets require team approval. However, there is no separate community DAO vote required - the same 2-of-3 multisig that controls protocol parameters controls market listing. The WLFI listing was done via admin action. Scored green: the threshold is real (multisig required), not permissionless.
Operational history Green 18 15 of 15
RD-F-089 red Insurance coverage active No active coverage found on Nexus Mutual, Sherlock, Unslashed, or equivalent platform. Data-cache bug_bounty.platform: null. Targeted insurance search returned no Dolomite coverage. Protocol uses Chainalysis Crypto Incident Response (post-breach IR retainer) which is incident response tooling, not insurance coverage. At $189.3M TVL, absence of any coverage is a clear red per threshold (red = no active coverage). Chainalysis CIR does not compensate users for losses.
RD-F-077 yellow Prior exploit count One confirmed incident: 2024-03-20, approximately $1.8M (1,245,271 USDC + 94,423 DAI + 165.9 WETH) from 187 victims. Legacy pre-2020 Ethereum contract (DolomiteMarginProtocol, address starting 0xe2466) exploited via stale approvals through Loopring Trade Delegate and missing reentrancy guard in OrderHelper.check(). Current v2 system unaffected. Full user restitution: 90% recovered from exploiter by 2024-03-24, 10% covered by Dolomite treasury; all users made whole by 2024-03-26. Hacksdatabase: no Dolomite entry. Rekt: incidents: []. One exploit with full recovery = yellow.
RD-F-083 yellow Auditor re-engaged after last exploit Post-mortem contains no mention of post-incident auditor re-engagement. Guardian Audits 2024-01-11 pre-dates the exploit. Cyfrin POLVaults 2025-04-24 post-dates the incident but covers Berachain PoL vaults specifically, not an incident-triggered general re-audit of v2. No confirmed Tier-1 or Tier-2 re-audit specifically triggered by the March 2024 incident found. Scoring yellow: no confirmed external incident-review audit; however, the exploited contract was already deprecated and the v2 system continued without compromise. Cyfrin performed subsequent audit (scope-limited).
RD-F-084 yellow TVL stability (CoV over 90d) 90-day TVL CoV = 0.155 (mean $175.5M, std $27.2M) per profile section 4 derived from DefiLlama daily series. Threshold: green < 0.15; yellow 0.15-0.35. CoV of 0.155 sits inside the yellow band. Underlying driver: TVL growth from approximately $92M in Q4 2025 to $189M in May 2026 from Ethereum mainnet expansion July 2025 — a structurally positive growth trend, not operational instability. 30-day TVL change: +33.24%.
RD-F-088 yellow Re-deployed to new addresses in last year Ethereum mainnet DolomiteMargin deployment at 0x003Ca23Fd5F0ca87D01F6eC6CD14A8AE60c2b97D went live July 1, 2025 (approximately 10.5 months ago). This is a new chain deployment (additive, not retiring prior contracts), now holding $129.7M (68.5% of total TVL). The Ethereum deployment was not covered by any pre-existing audit (all audits pre-date July 2025). Scoring yellow: new deployment within the 12-month window introducing fresh attack surface (especially the dominant TVL chain); additive rather than retirement; DolomiteMargin core is described as immutable (same audited codebase as Arbitrum), which partially mitigates deployment-drift risk. Not red because no migration retired prior contracts and the core codebase is unchanged.
RD-F-166 yellow Deprecated contracts still holding value Deprecated DolomiteMarginProtocol contract (0xe2466..., Ethereum mainnet, deployed 2019, wound down 2020) was exploited in March 2024 for $1.8M via stale user approvals. The contract itself holds no depositor TVL above $100k; the $1.8M loss came from user wallets via approvals. Team disabled the Trade Execution Coordinator promptly and issued public revoke guidance. As of 2026-05-16, Revoke.cash confirms users who have not revoked approvals remain exposed. Scoring yellow (not red): the deprecated contract's direct holdings are below $100k materiality threshold; the approval surface risk has been partially mitigated (coordinator disabled); public guidance issued. Residual risk: users who retain active approvals to 0xe2466 cannot be force-revoked. This is the materialised-once form of deprecated-surface risk.
RD-F-076 green Protocol age (days) Protocol launched on Arbitrum on 2022-10-13 per Medium launch post and DefiLlama TVL epoch 1665964800. As of 2026-05-16 = approximately 1,311 days (43 months). Threshold: green >= 365 days. Well above threshold.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Only one incident in record. Count = 1, which is strictly less than 3. Chronic flag does not trigger.
RD-F-079 green Same-root-cause repeat exploit Only one incident in record. Repeat root-cause pattern cannot occur with a single incident. No same-root-cause repeat.
RD-F-080 green Days since last exploit Last exploit date: 2024-03-20. Days since: 2026-05-16 minus 2024-03-20 = approximately 787 days. Threshold: green > 365 days. Well within green.
RD-F-081 green Post-exploit response score Post-exploit response scored across four sub-dimensions: (1) Compensation completeness = 5/5: 100% of 187 victims made whole by 2024-03-26 (90% recovered from exploiter, 10% from treasury). (2) Transparency = 4/5: post-mortem published 9 days post-exploit, named root cause, technical mechanism, victim count, and named author. (3) Root-cause depth = 4/5: specific code-level analysis of OrderHelper.check() gas-optimisation flaw and filledAmountS non-zero return value bypass; Loopring Trade Delegate interaction chain documented. (4) Operational recovery speed = 5/5: system suspended within less than 1 hour of notification. Composite average >= 4 = green.
RD-F-082 green Post-mortem published within 30 days Post-mortem published 2024-03-29. Exploit date 2024-03-20. Days between = 9 days. Threshold: green = published within 30 days. Confirmed green.
RD-F-085 green Incident response time (minutes) Post-mortem states team disabled contract and suspended system within less than 1 hour of notification. Threshold: green <= 60 minutes. Confirmed green. The team-controlled Trade Execution Coordinator was suspended within the response window.
RD-F-086 green Pause activations (trailing 12 months) No pause events found for the current v2 DolomiteMargin contracts in the trailing 12 months (May 2025 to May 2026). Data-cache rekt.incidents: [] and no news or governance posts regarding v2 pause activations found. The March 2024 operational suspension of the legacy Trade Execution Coordinator predates the 12-month window. Score: green = 0 pauses.
RD-F-087 green Pause > 7 consecutive days No pause of the current v2 system found in the trailing 12 months. The legacy system suspension (March 2024) is outside the 12-month window and affected only the deprecated Trade Execution Coordinator, not the current DolomiteMargin v2 contracts. Green.
Real-time signals Green 19 22 of 22
RD-F-090 yellow Mixer withdrawal → protocol interaction T-09 phase-2 signal tier. The March 2024 exploit attacker wallet (0x5eAA7DaDa44d59549A6c58008b2bd3C7F81d2502) was funded from Tornado Cash relayer reltor.eth (0x4750BCfcC340AA4B31be7e71fa072716d28c29C5) twelve days before the exploit, confirming the historical precursor pattern. Per U4 rule, attacker wallet use is not team contamination. No current mixer-funded wallet interaction with live v2 DolomiteMargin contracts detected in public sources. Yellow: confirmed historical instance on legacy surface; current v2 shows no active signal. Requires Chainalysis/TRM feed for live detection.
RD-F-099 yellow Oracle price deviation >X% from secondary T-09 phase-2 signal tier. Arbitrum oracle feeds enumerated (19 Chainlink feeds; ETH/USD heartbeat 1755s 0.05% deviation; BTC/USD heartbeat 1755s 0.05%; USDC/USD heartbeat 255s 0.1%). No oracle staleness or deviation event detected on enumerated Arbitrum feeds. Critical gap: Ethereum mainnet ($129.7M, 68.5% TVL) and Berachain ($37.9M, 20% TVL) oracle feed addresses are NOT enumerated — 88.5% of TVL on chains not fully scoped. Secondary-source mapping for these chains is required before the signal can be deployed credibly.
RD-F-100 yellow Flash loan >$10M targeting protocol tokens T-09 phase-2 signal tier. No $10M+ flash-loan targeting Dolomite v2 oracle or governance contracts detected in public sources. Yellow: the protocol's large TVL ($189M) and complex module ecosystem (GMX, GLP, Pendle PT, Berachain PoL integrations) create meaningful oracle-interaction surface for flash-loan corroboration. BeraVote uses quarterly cadence, reducing flash-loan governance attack surface somewhat. No active flash-loan exploit detected today.
RD-F-102 yellow Admin/upgrade transaction in mempool T-09 phase-2 signal tier. Admin map: GnosisSafe (0xa75c21, 2/3) executes via PartiallyDelayedMultiSig (0x52d7BC) for most changes, but 4 bypass functions execute directly without timelock. If the signal were live, bypass-function executions (ownerSetMarketIsClosing, ownerSetMarketMaxWei, ownerSetInterestSetter, setUserVaultImplementation) would satisfy the primary fire condition (no matching queued proposal preceding the Safe tx). No protocol-declared rotation schedule or suppression allowlist found publicly. No current anomalous admin tx observed. Yellow: bypass functions create a structural monitoring challenge requiring suppression allowlist configuration before the signal can operate with acceptable FP rates.
RD-F-105 yellow DNS/CDN/frontend hash drift T-09 phase-2 signal tier. Official domain: dolomite.io. 2020 historical incident: API key exposed on frontend (add.xyz statement, 2020-07-29) — pre-v2 architecture, unrelated to current DNS/frontend monitoring surface. No 2025-2026 DNS/CDN drift incident found. No published frontend hash or IPFS CID found in Dolomite docs. No change-management allowlist publicly documented. Yellow: no active drift detected, but protocol does not publish a frontend hash baseline, meaning drift could go undetected without an external monitoring stack.
RD-F-091 gray Partial-drain test transactions T-09 phase-2 signal tier (v2/deferred per T-09 §3.3). No partial-drain test transaction pattern detected against current v2 DolomiteMargin contracts in public sources. 2024 exploit was a single targeted drain on a legacy contract, not a multi-phase partial-drain. Requires live mempool monitoring not currently implemented.
RD-F-092 gray Unusual mempool pattern from deployer wallet T-09 phase-2 signal tier (v2/deferred). Deployer address is null in data cache; creation tx of DolomiteMargin Arbitrum (0x6Bd780E7fDf01D77e4d475c821f1e7AE05409072) was not fetched. Cannot assess deployer wallet mempool pattern without identifying the deployer address. Requires direct Arbiscan lookup.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet T-09 phase-2 signal tier (v2/deferred). Requires live mempool listener to detect abnormal gas-price willingness. No static assessment possible. No public data on anomalous gas patterns from attacker wallets against current Dolomite v2 contracts.
RD-F-094 gray New contract with similar bytecode to exploit template T-09 phase-2 signal tier (v2/deferred). Requires continuous on-chain new-deploy sweep for bytecode similarity detection. No static assessment possible. No public reports of similar-bytecode contracts targeting current Dolomite v2 DolomiteMargin.
RD-F-095 gray Known-exploit function-selector replay T-09 phase-2 signal tier (v2/deferred). The 2024 exploit used callFunction on a 2019 legacy contract not present in current v2 architecture. No known-exploit-replay selector pattern applicable to current v2 DolomiteMargin detected. Requires active mempool + tx history monitoring.
RD-F-096 gray New ERC-20 approval to unverified contract from whale T-09 phase-2 signal tier (v2/deferred). The 2024 exploit was caused by stale ERC-20 approvals to a deprecated 2019 contract; Dolomite published revoke.cash guidance post-exploit. For current v2: no evidence of high-TVL user granting new approvals to unverified contracts. Requires continuous mempool monitoring not currently implemented.
RD-F-097 gray Sybil surge of identical-pattern transactions T-09 phase-2 signal tier (v2/deferred). No sybil surge pattern detected in public sources for current Dolomite v2 lending markets. Requires on-chain clustering analysis not currently implemented.
RD-F-104 n/a Stablecoin depeg >2% on shared-LP venue Dolomite issues no stablecoin. The T-09 §4.2 signal fires when a protocol has material exposure to a stablecoin it issues or primarily holds in reserves (depeg > 2%, sustained > 30 min, exposure >= 5% TVL). Dolomite is a lending protocol that accepts USDC/USDT as collateral, but the depeg-as-issuer-reserve-failure pattern does not apply. Stablecoin collateral value channel is captured by RD-F-099 oracle deviation signal, not RD-F-104.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Not applicable. Per-chain DolomiteMargin deployments are independent — no protocol-operated TVS bridge moves user collateral cross-chain. CCIP is used for DOLO governance token (burn-and-mint with CCIP attestation verification, not unverified mint). The unverified-mint-on-destination pattern (Nomad class) does not apply to Dolomite's architecture.
RD-F-107 gray Admin EOA signing from new geography/device Requires off-chain signing telemetry (device fingerprint, geographic IP) from hardware wallet or signing service — not publicly available. Admin signers are GnosisSafe multisig (2/3); each tx requires 2 of 3 EOA signers. No public telemetry available for geographic or device fingerprint of signing activity.
RD-F-108 gray GitHub force-push to sensitive branch GitHub force-push monitoring requires continuous GitHub API monitoring subscription. Last commit to dolomite-exchange/dolomite-margin was 2026-04-22 per data cache. No public reports of unauthorized branch push or force-push. Requires pipeline implementation for continuous monitoring.
RD-F-109 gray Social-media impersonation scam spike No social-media scam-spike monitoring currently deployed. Dolomite has high brand recognition (Top-10 DeFi lending at $1B+ TVL peak; DOLO TGE April 2025) creating meaningful impersonation attack surface. No current scam-spike incident found in public OSINT. Requires continuous social-media monitoring pipeline not currently implemented.
RD-F-110 gray Unusual pending/executed proposal ratio BeraVote governor contract address not surfaced in public sources. Governance type is timelock_only per data cache (no OZ Governor address in data cache). Cannot compute pending/executed proposal ratio without governor contract address. Protocol opacity for BeraVote on-chain governor.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal, Tier A. Current TVL $189.3M; 1d change +6.84%; 30d change +33.24%. Estimated 30d median baseline approximately $142M. Current TVL/baseline ratio approximately 1.33 — well above the 0.70 fire threshold. Sector TVL trend is positive. Signal would NOT fire today. Gradual TVL decline from $1B+ peak (Feb-Apr 2025) to $189M was a 12+ month contraction, not a 60-minute drop event; does not trigger the 60-minute primary condition.
RD-F-101 green Large governance proposal queued T-09 v1 launch signal, Tier B. Governance type: timelock_only (data cache). No OpenZeppelin Governor or Snapshot space. BeraVote governor address not surfaced in public sources. No flagged-pattern proposal (admin-change selectors, delegatecall, flash-loanable quorum) detected in public sources. Structural caveat: 4 bypass functions on PartiallyDelayedMultiSig execute without any proposal queue, creating a permanent signal coverage gap for those specific functions (ownerSetMarketIsClosing, ownerSetMarketMaxWei, ownerSetInterestSetter, setUserVaultImplementation).
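The fire condition RD-F-102 describes, together with the suppression-allowlist caveat that RD-F-101 and RD-F-102 both raise, written out as a small Python rule over constructed sample transactions (added example; not Dolomite's or defirisk.co's tooling). The four bypass selectors are the ones listed on this page; the target address, transaction hashes and the 0x11111111 stand-in selector are constructed placeholders.

```python
"""Admin-tx signal for the PartiallyDelayedMultiSig bypass functions (added example, not Dolomite tooling).

Rule modelled from RD-F-102: a Safe-executed call to the admin surface fires when no
matching proposal was queued beforehand, unless the (target, selector) pair is on a
suppression allowlist. A queued proposal justifies exactly one execution.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Selectors as listed on the page (not re-derived from the ABI here)
BYPASS_SELECTORS = {
    "0xef6957d0": "ownerSetMarketIsClosing",
    "0x0cd30a0e": "ownerSetMarketMaxWei",
    "0x121fb72f": "ownerSetInterestSetter",
    "0x35598a02": "setUserVaultImplementation",
}


@dataclass(frozen=True)
class SafeTx:
    tx_hash: str
    timestamp: int  # unix seconds
    to: str         # contract the Safe called
    data: str       # 0x-prefixed calldata


@dataclass(frozen=True)
class QueuedProposal:
    timestamp: int
    to: str
    selector: str


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    function: str
    bypass: bool    # True when the selector is one of the documented timelock-bypass functions
    reason: str


def selector_of(data: str) -> str:
    """First 4 bytes of calldata as 0x-prefixed lowercase hex; '' for empty calldata."""
    return data[:10].lower() if len(data) >= 10 else ""


def function_name(sel: str) -> str:
    return BYPASS_SELECTORS.get(sel, f"unknown({sel})")


def evaluate(txs: Iterable[SafeTx], proposals: Iterable[QueuedProposal],
             allowlist: frozenset = frozenset(), lookback: int = 86_400) -> List[Alert]:
    """One Alert per Safe tx that hit the admin surface without a preceding, unconsumed queued proposal."""
    pending = sorted(proposals, key=lambda p: p.timestamp)
    alerts: List[Alert] = []
    for tx in sorted(txs, key=lambda t: t.timestamp):
        sel = selector_of(tx.data)
        if not sel:
            continue  # plain value transfer, no function call
        if (tx.to.lower(), sel) in allowlist:
            continue  # declared rotation / scheduled change: suppressed
        match: Optional[QueuedProposal] = next(
            (p for p in pending
             if p.to.lower() == tx.to.lower() and p.selector.lower() == sel
             and tx.timestamp - lookback <= p.timestamp < tx.timestamp),
            None,
        )
        if match is not None:
            pending.remove(match)  # consumed: a second execution needs its own proposal
            continue
        alerts.append(Alert(tx.tx_hash, function_name(sel), sel in BYPASS_SELECTORS,
                            "executed with no matching queued proposal"))
    return alerts


# Constructed sample: one placeholder target; 0x11111111 stands in for any timelocked
# admin function. None of these hashes or addresses are real.
TARGET = "0x00000000000000000000000000000000000000a1"
SAMPLE_PROPOSALS = [QueuedProposal(timestamp=500, to=TARGET, selector="0x11111111")]
SAMPLE_TXS = [
    SafeTx("0xtx1", 1000, TARGET, "0x0cd30a0e" + "00" * 64),  # bypass: ownerSetMarketMaxWei
    SafeTx("0xtx2", 2000, TARGET, "0x11111111" + "00" * 32),  # timelocked call, proposal queued at 500
    SafeTx("0xtx3", 3000, TARGET, "0x121fb72f" + "00" * 64),  # bypass, but allowlisted below
    SafeTx("0xtx4", 4000, TARGET, "0x11111111" + "00" * 32),  # timelocked selector, nothing left queued
]
ALLOWLIST = frozenset({(TARGET, "0x121fb72f")})

if __name__ == "__main__":
    for a in evaluate(SAMPLE_TXS, SAMPLE_PROPOSALS, ALLOWLIST):
        print(a)
```

Without an allowlist every bypass-function execution fires, which is the false-positive problem RD-F-102 points at; with one entry for the scheduled interest-setter change only the unexplained calls remain.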
RD-F-103 green Bridge signer-set change proposed/executed T-09 v1 launch signal, Tier A. Bridge surface: Chainlink CCIP for DOLO governance token only (burn-and-mint, not user TVS). No user-TVS bridge exists. As of assessment date, no public reports of unscheduled CCIP RMN signer-set change affecting the DOLO token bridge. For user TVS: signal is not applicable (independent per-chain DolomiteMargin deployments with no cross-chain TVS bridge).
RD-F-182 green Security-Council threshold reduction (RT) Cat 6B batch-24 addition. T-09 v1.1 candidate. Signal definition: Security Council multisig threshold reduction (e.g., 3/5 to 2/5), timelock removal, or new-signer addition within 14 days of prior change. Dolomite admin structure: GnosisSafe 2/3 (threshold=2, owners=3 per data cache). No Security Council model used. PartiallyDelayedMultiSig has structural bypass functions but these are design-time features, not recent threshold changes. No public evidence of pending GnosisSafe threshold reduction. No Drift-class SC weakening event detected. Green: no threshold-reduction event observed and no pending change found in public sources.
Dev identity & insider risk Green 2 16 of 16
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion [CRITICAL] The 2-of-3 GnosisSafe + PartiallyDelayedMultiSig structure allows operational admin changes (market listings, parameter updates, interest rate setter changes) without mandatory public forum discussion. Four timelock-bypass functions are explicitly documented: ownerSetMarketIsClosing (0xef6957d0), ownerSetMarketMaxWei (0x0cd30a0e), ownerSetInterestSetter (0x121fb72f), GLPWrappedTokenUserVaultFactory::setUserVaultImplementation (0x35598a02) - all execute immediately without the 1-day delay. Governance docs state operational admin is by protocol operators without DAO vote. GitHub safe-transactions folder exists across 10 chains confirming regular admin activity. BeraVote/DIP process is active for major decisions (DIP-02 Aug 2025, DIP-03 Aug 2025 visible). No specific undisclosed admin-rescue or governance-weakening ACL change identified (no Drift-class 3/5->2/5 + timelock removal found). Rated yellow: bypass is structurally documented and operationally justified, but full safe-
RD-F-117 gray ENS/NameStone identity bound to deployer ENS lookup not mechanically completed (Arbiscan/Etherscan direct address pages return 403 via WebFetch). No ENS binding found in any search result for deployer 0x4427040bBbc8084Acf86ff409e84a83B3FaD9e85 or the 3 Safe signer EOAs. Protocol identity is established via team legal names (Corey Caplan, Adam Knuckey) and Leavitt Innovations LLC, not via ENS-bound deployer addresses. ENS registry not directly queried successfully.
RD-F-184 gray Real-capital social-engineering persona No evidence of any 'team contributor' or 'external integrator' persona building credibility via >=1M USD real-capital deposits to Dolomite or peer protocols for social-engineering purposes. The only notable large-position story related to Dolomite is World Liberty Financial (WLFI) borrowing on Dolomite as a lending protocol user - this is a legitimate protocol-usage case, not social engineering. The Drift Protocol UNC4736 pattern (6-month conference build-up + real-capital deposits + Solana durable-nonce pre-signing) has no analogous documented case for Dolomite. Team founders are long-tenured (8+ years) with continuous public identities - not recently-inserted personas. Assessed gray: M-only factor requiring curator confidence beyond on-chain trail; no positive indicator found; Drift comparator (explicit in F184 definition) does not apply.
RD-F-111 green Team doxx status Founders Corey Caplan (CEO/CTO) and Adam Knuckey (COO) are fully doxxed by real name. Both graduated Lehigh University 2018 (dual CS+Business degree). Corey: GitHub coreycaplan3 with @dolomite-exchange org membership, Consensus 2025 speaker, World Liberty Financial named advisor (Sep 2024 public announcement), Flywheel DeFi and Talking Cryptocurrency podcast appearances. Adam: LinkedIn (270 connections), Twitter @adam_knuckey, Medium blog @adam_dolomite, defiprime published interview. Leavitt Innovations LLC is the named executing entity contracted by Dolomite Foundation. Category: real-name doxxed.
RD-F-112 green Team public accountability surface Corey Caplan: LinkedIn (active posts 2023-2025), GitHub (35 repos, @dolomite-exchange org member), Twitter @coreycaplan3, Consensus 2025 speaker slot (CoinDesk), WLFI advisor publicly announced Sep 2024, multiple podcasts, blog presence. Adam Knuckey: LinkedIn (270 connections), Twitter @adam_knuckey, Medium blog @adam_dolomite, defiprime published interview, ZoomInfo/RocketReach business contact info. Both names appear in Tracxn, CityBiz, PRWeb $2.5M seed press release. Public accountability surface is above average for a DeFi protocol.
RD-F-113 green Team other-protocol involvement history Corey Caplan: advisor at World Liberty Financial (Sep 2024); founder of Caplan Innovations LLC (prior software engineering LLC); Loopring Protocol development work 2017-2018 (legitimate, non-rugged DEX). Adam Knuckey: Loopring Protocol 2017-2018 work (built Android DEX). No prior rug, exit-scam, or failed-protocol affiliation found for either founder. Both have a single continuous DeFi track record rooted in Dolomite and its dYdX-fork lineage. Leavitt Innovations LLC is the only corporate entity tied to both founders.
RD-F-114 green Deployer address prior on-chain history Deployer 0x4427040bBbc8084Acf86ff409e84a83B3FaD9e85 (inferred, confidence medium) is associated exclusively with Dolomite deployments on Arbitrum per web search (identified as DolomiteAmmFactory creator). No prior rug, exit-scam, or malicious deployment found. No hacksdatabase entry for this deployer. Rekt.news has no Dolomite deployer entry. Confidence limited by Arbiscan 403 blocking full transaction history enumeration.
RD-F-115 green Prior rug/exit-scam affiliation Searched 'Dolomite rug OR exit scam OR abandoned OR fraud 2022-2025' - zero results linking Dolomite team to a rug or exit scam. Neither Corey Caplan nor Adam Knuckey appears in any rug-list or exit-scam database accessible via public search. No Rekt entry for team. No hacksdatabase rug entry. Both founders have long continuous track records (2018-present). The March 2024 legacy-contract exploit was external attacker (not team-initiated).
RD-F-116 green Contributor tenure at admin-permissioned PR Corey Caplan has been building Dolomite since 2018 (8+ years as of 2026). GitHub coreycaplan3 shows active contributions, Arctic Code Vault Contributor badge, and dolomite-exchange org membership since early. The longest-tenured contributor (CEO/CTO) is also the admin keyholder. No evidence of a recent short-tenure contributor being granted admin-permissioned access to the GnosisSafe or codebase. Rated green with medium confidence (no PR-level tenure data extracted).
RD-F-118 green Handle reuse across failed/rugged projects Twitter handles @coreycaplan3 and @adam_knuckey traced continuously to Dolomite. @coreycaplan3 history includes Loopring-era work (2017-2018), a legitimate non-rugged protocol. No alias change, handle reuse from a prior failed project, or association with a rebranded scam project found across all search passes. The GitHub username coreycaplan3 predates Dolomite and links to Loopring/Android DEX work.
RD-F-119 green Commit timezone consistent with stated geography Corey Caplan stated geography: New York, United States (theorg.com profile). Adam Knuckey stated geography: Hoboken (ZoomInfo). Both are US-based. GitHub commit timezone analysis not mechanically computed, but no DPRK-class timezone anomaly (consistent 0200-0800 UTC pattern) flagged in any source. Early Loopring repos from 2017-2018 on GitHub show US-consistent activity patterns. Rated green with medium confidence.
RD-F-120 green Video-off/voice-consistency flag Corey Caplan has appeared on: Consensus 2025 public stage (CoinDesk flagship conference), World Liberty Financial public video/announcement, Flywheel DeFi podcast, Talking Cryptocurrency podcast, YouTube 'Dolomite - A next-gen Money Market on Arbitrum'. No reports of video-off, voice inconsistency, or identity mismatch in any public appearance. Adam Knuckey: defiprime published written interview with named profile photo. No anomaly flagged.
RD-F-121 green Contributor OSINT depth score Corey Caplan OSINT depth 4/5: LinkedIn (active), GitHub (35 repos, org member, active), Consensus 2025 conference speaker, WLFI named advisor (publicly announced by WLFI X account with 1M+ followers), published podcasts, verifiable Lehigh degree. Adam Knuckey OSINT depth 3/5: LinkedIn (active, 270 connections), Twitter (active @adam_knuckey), Medium blog, defiprime interview, ZoomInfo/RocketReach professional contact. Combined score above average for DeFi protocol.
RD-F-122 green Contributor paid to DPRK-cluster wallet Leavitt Innovations LLC is contracted by Dolomite Foundation (Cayman Islands entity) for development and maintenance - a traditional LLC corporate structure with presumed fiat/bank payment routing, not on-chain wallet-to-wallet payments. No on-chain treasury payment wallet identified in any public document. No evidence of on-chain payment routing from Dolomite treasury to any DPRK-labeled cluster. DPRK search pass for all team members returned zero hits. Rated green (low confidence) given doxxed US-based LLC structure and absence of any positive DPRK indicator.
RD-F-124 green Deployer wallet mixer-funded within 30 days [CRITICAL] Deployer 0x4427040bBbc8084Acf86ff409e84a83B3FaD9e85 (inferred, medium confidence): no Tornado Cash, Railgun, or equivalent mixer interaction found within 30 days of deploy. Four parallel OSINT/search passes returned zero mixer proximity hits for deployer or any of the 3 Safe signer EOAs (0x52256ef..., 0x42acD31..., 0xbDEf2b2...). No Chainalysis, TRM Labs, or OFAC public report names this deployer as mixer-proximate. DOLO token deployer is the GnosisSafe itself (constructor _owner = Safe address 0xa75c21C5BE284122a87A37a76cc6C4DD3E55a1D4) - not a fresh EOA. Direct Arbiscan funding trace blocked by 403 (medium confidence ceiling).
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus [CRITICAL] Zero evidence of DPRK/Lazarus/Lazarus-cluster proximity for deployer, Safe signer EOAs, or named team members. Search 'Dolomite OR Corey Caplan OR Adam Knuckey DPRK OR Lazarus OR North Korea' returned only generic Lazarus/DPRK news articles with no Dolomite connection. Corey Caplan is a publicly announced advisor at World Liberty Financial (US presidential family-aligned DeFi project, Sep 2024) and Consensus 2025 speaker - profile is inconsistent with DPRK infiltration pattern. The March 2024 legacy-contract exploit was confirmed external attacker (stale approval reentrancy on pre-2020 contract deprecated 2022), NOT insider/DPRK action per protocol context note U4. OFAC SDN list does not include Dolomite, Leavitt Innovations, or named founders. Chainalysis published DPRK reports do not mention Dolomite. Confidence: medium (3-hop mechanical trace blocked by Arbiscan 403; negative evidence is unambiguous across all open sources).
Fork / dependency lineage Yellow 23 10 of 10
RD-F-133 red Dependency manifest uses unpinned versions The dolomite-margin core package.json uses @openzeppelin/contracts: '^2.5.1' — a caret range permitting any OZ 2.x version at or above 2.5.1. This means OZ is NOT pinned to an exact version. Additionally, @uniswap/lib: '^4.0.1-alpha' uses a caret range. The modules layer uses @nomicfoundation/hardhat-foundry: '^1.1.3' with a caret range. OpenZeppelin is unpinned in the core manifest.
RD-F-129 yellow Code divergence from upstream (%) README documents substantial auxiliary additions: getPartialRoundHalfUp, numberOfMarketsWithBorrow optimization, marketsWithNonZeroBalanceSet hash set, isRecyclable field, maxWei deposit caps, accountMaxNumberOfMarketsWithBalances limit, global operator whitelist for liquidators/expirations, compiler upgrade 0.5.7→0.5.16. Additionally, the separate dolomite-margin-modules repo (18 packages) adds a full upgradeable module layer. Estimated divergence: 30-50% across combined codebase (yellow range). Cannot perform exact git diff via WebFetch; estimate from documentation.
RD-F-131 yellow Fork retains upstream audit coverage Classification: upstream + delta-audit for Arbitrum. OZ/Bramah audited dYdX Solo upstream; SECBIT 2021 audited Dolomite-specific changes (delta); Cyfrin 2023 audited current DolomiteMargin suite; Guardian 2024 audited modules. This covers the Arbitrum deployment adequately. However, the Ethereum mainnet ($129.7M, July 2025) and full Berachain deployment have no direct audit coverage. Cyfrin Apr 2025 covers POLVaults on Berachain only. Yellow: dominant TVL chain (Ethereum) lacks coverage.
RD-F-132 yellow Fork has different economic parameters than upstream Dolomite adds significant new economic parameters vs dYdX Solo: maxWei deposit caps, accountMaxNumberOfMarketsWithBalances (32 limit), expanded market support (hundreds vs ~10), operator whitelist for liquidations/expirations. SECBIT 2021 and Cyfrin 2023 covered these parameter changes for the Arbitrum deployment. However, the Ethereum mainnet (July 2025) specific parameter configurations (new asset markets: WBTC, USD1, srUSD, rUSD, weETH, CRV, AAVE, LINK, sUSDe) are not covered by any audit. Yellow: Arbitrum parameters audited; Ethereum-specific parameters unaudited.
RD-F-135 yellow Shared-library version with known-vuln status OZ v2.5.1 (core): Very old version (2019-era). Known OZ issues (ERC777 reentrancy, ERC20 non-standard return) exist in some 2.x versions but DolomiteMargin does not use those patterns. No active critical GHSA advisory specifically targeting OZ 2.5.1 for the SafeMath/utility usage patterns in DolomiteMargin found. For modules, the OZ version is not determinable from available data. Yellow: old OZ version but no active critical advisory confirmed for the specific usage pattern.
RD-F-126 green Is-a-fork-of Dolomite explicitly declares itself a fork of dYdX Solo-Margin (github.com/dydxprotocol/solo). GitHub repo metadata confirms 'forked from dydxprotocol/solo'. README documents all changes from upstream. This is a transparent, well-documented fork with full upstream attribution.
RD-F-127 green Upstream patch not merged dYdX Solo-Margin was archived on January 13, 2023 (read-only). No new security patches, advisories, or updates have been issued since archival. With 0 new upstream patches since Dolomite's independent audit chain (SECBIT 2021, Cyfrin 2023, Guardian 2024) was established, there are no upstream patches to merge. The upstream patch risk is neutralized by archival.
RD-F-128 green Upstream vulnerability disclosure (last 90d) dYdX Solo-Margin repository has been archived since Jan 13, 2023. No GitHub Security Advisories found for dydxprotocol/solo in the last 90 days or any period since 2023 archival. No active vulnerability disclosure channel for the upstream. Zero upstream disclosures in last 90 days.
RD-F-130 green Fork depth (generations from original audit) Fork depth = 1. Dolomite is a direct fork of dYdX Solo-Margin, which was audited by OpenZeppelin/Zeppelin Solutions (2019) and Bramah Systems. Dolomite then obtained its own audits (SECBIT 2021, Cyfrin 2023, Guardian 2024). Depth 0-1 is green per methodology.
RD-F-134 green Dependency had malicious-release incident (last 90d) No npm/GHSA advisory found for @openzeppelin/contracts v2.5.1 or @uniswap/lib v4.0.1-alpha indicating a malicious release in the last 90 days. OZ v2.5.x is a long-lived, established version with no recent supply-chain attack.
Post-deploy hygiene & change mgmt Yellow 36 13 of 13
RD-F-139 red Post-audit code changes without re-audit Ethereum mainnet deployment (July 1, 2025, $129.7M = 68.5% of TVL) post-dates all audits. Most recent core audit: Cyfrin August 2023. Cyfrin POLVaults v2.0 (April 2025) covers only Berachain PoL modules. No audit covers the Ethereum mainnet DolomiteMargin instance or associated module contracts. Material new chain deployment without audit coverage for the largest TVL surface.
RD-F-168 red Stale-approval exposure on deprecated router March 2024 exploit confirmed large stale-approval exposure on the deprecated 2019 Loopring Trade Delegate contract (0xe2466deb9536a69bf8131ecd0c267ee41dd1cda0). 187 users affected, $1.8M drained. Stale approvals from pre-2020 users persisted 4+ years. Despite the exploit and partial recovery, approvals on the old contract were not systematically revoked by protocol — users who did not independently revoke remain exposed.
RD-F-136 yellow Deployed bytecode matches signed release tag No GPG-signed release tags confirmed for DolomiteMargin repo. data-cache github.last_commit_date=2026-04-22. hardhat_config_present=false, foundry_toml_present=false. Bytecode matches unsigned commit tags at best; signed release tag practice not evidenced.
RD-F-137 yellow Upgrade frequency (per 90 days) DolomiteMargin core is immutable — no Upgraded events possible for core layer. Module proxy upgrades (ExpiryProxy, DepositWithdrawalProxy, etc.) not tracked in data-cache. Upgrade frequency unknown for module layer. Scored yellow (unknown, not confirmed stable).
RD-F-140 yellow Fix-merged-but-not-deployed gap Guardian 2024-01 audit found 2 Critical + 4 High findings; docs state remediated. Specific remediation deployment confirmation not verified within this assessment. No known-undeployed fixes surfaced but cannot confirm all Guardian findings deployed.
RD-F-142 yellow Storage-layout collision risk across upgrades DolomiteMargin core immutable — storage layout collision N/A for core. Module proxy contracts (ExpiryProxy, DepositWithdrawalProxy, etc.) could have storage collision risk. OZ version 2.5.1 (data-cache) does not include upgrades plugin storage layout guards. No OZ upgrades plugin verification found.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) DolomiteMargin core is immutable — F143 structurally N/A for core layer. Module proxy contracts use upgradeable pattern. OZ version 2.5.1 (data-cache) predates _disableInitializers() (introduced OZ 4.3.1, released 2022). Module implementations very likely lack this protection. Cannot confirm definitively without Slither run. Handoff to code-security-analyst required.
RD-F-146 yellow New contract deploys in last 30 days Deployer address unknown (data-cache deployer.address=null). Cannot enumerate new deploys from deployer. Dolomite actively deploying across 7+ chains; Ethereum mainnet deployed July 2025 (>30 days before assessment date 2026-05-16). No fresh deploys <30 days confirmed but deployer trace impossible.
RD-F-145 gray Deployed bytecode reproducibility No hardhat config or foundry config found (data-cache foundry_toml_present=false, hardhat_config_present=false). Build instructions not explicitly documented in accessible sources. Bytecode reproducibility unverified.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Dolomite has no protocol-operated TVS bridge. CCIP is used only for DOLO token cross-chain transfers, not user collateral. F185 (bridge rate-limiter / chain-pause as positive mitigant) is not applicable to the core lending protocol. DOLO CCIP token bridge is Chainlink-managed.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No hot-patch events documented. Core is immutable (no hot-patches possible). Module proxies route through PartiallyDelayedMultiSig with 1-day timelock. No hot-patches bypassing timelock detected in research.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters found. Deployer address unknown but admin is confirmed as GnosisSafe (not deployer EOA). No test oracle, infinite allowance, or test-mode config indicators found.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory pattern identified in DolomiteMargin architecture. Immutable core, module-layer proxies deployed via standard factory. No selfdestruct+CREATE2 redeploy pattern found.
Cross-chain & bridge Green 15 12 of 12
RD-F-148 yellow Bridge validator count (M) CCIP uses OCR3 (Off-Chain Reporting v3) for the Commit DON with multiple independent node operators. The RMN (Risk Management Network) is a separate independent signer set. Exact validator count for the Ethereum-Berachain-Arbitrum DOLO lanes is not publicly enumerated — Chainlink Labs does not publish per-lane signer counts. Based on CCIP architecture documentation and prior chainlink-ccip protocol assessment: multiple operators confirmed; exact M number not verifiable per-lane. Yellow per prior pattern (F148 yellow for chainlink-ccip fill).
RD-F-149 yellow Bridge validator threshold (k-of-M) CCIP uses OCR3 BFT threshold (2f+1 of 3f+1) for commit phase. Typical Chainlink DON with f=3: threshold ~7-of-10. Exact threshold for DOLO-specific CCIP lanes not confirmed publicly. CCIP is NOT a 1-of-N or small-N multisig — substantially more robust than single-validator approval. Per prior chainlink-ccip assessment pattern: threshold robust by design but per-lane k-of-M not independently verifiable. Yellow for non-confirmable specifics.
RD-F-150 yellow Bridge validator co-hosting Chainlink CCIP node operators are diverse enterprise-grade operators. Chainlink's node operator program discloses general operator diversity. Not co-located in a single datacenter per general Chainlink architecture. However, exact ASN mapping for DOLO-lane-specific validators is not performed (requires OSINT on non-public operator composition). Yellow based on structural diversity argument with unconfirmed specifics.
RD-F-155 yellow Bridge validator-set rotation recency CCIP node operator sets are managed by Chainlink Labs. DON configuration can be updated via Chainlink's admin process. For DOLO-specific CCIP lanes, no public signer-set rotation event log is available. Rotation recency cannot be independently verified — Chainlink Labs manages this as an internal operational matter. Yellow for opacity by design (same pattern as chainlink-ccip protocol fill).
RD-F-156 yellow Bridge uses same key custody for >30% validators CCIP node operators are independent enterprises with their own key custody. Chainlink Labs does not self-custody more than 30% of validator keys for CCIP DONs — design principle of the Chainlink network. However, specific custody breakdown for DOLO lanes is not independently verifiable. Structural argument against single-custodian concentration is strong, but not empirically confirmed for this specific deployment.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Dolomite does NOT use LayerZero. Data-cache layerzero.present = false. CCIP (not LayerZero) is the cross-chain messaging layer for DOLO token. F179 is LayerZero-OFT-specific per taxonomy definition. Not applicable to CCIP-based bridges.
RD-F-147 green Protocol has bridge surface Yes, protocol has a bridge surface. Chainlink CCIP is used for DOLO governance token cross-chain transfers (burn-and-mint) across Ethereum, Berachain, and Arbitrum. Explicitly confirmed: Dolomite uses Chainlink Automation and CCIP to transfer the DOLO protocol token. Per-chain DolomiteMargin deployments are independent and do NOT bridge user TVS. Bridge surface = governance token only, not TVS bridge.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] Chainlink CCIP v1.5 RMNRemote.sol (Code4rena 2024-11 codebase) includes explicit guard: 'signerAddress = ecrecover(digest, ECDSA_RECOVERY_V, signatures[i].r, signatures[i].s); if (signerAddress == address(0)) revert InvalidSignature();' Zero-address ecrecover return is explicitly rejected. Wormhole-class bug is not present in CCIP's signer verification layer.
RD-F-152 green Bridge binds message to srcChainId CCIP messages include sourceChainSelector in the commit root and message struct. Each CCIP lane has a dedicated OffRamp that verifies per-source-chain separation. Messages are bound to their source chain identifier — cross-chain replay across different source chains is prevented by the per-lane architecture.
RD-F-153 green Bridge tracks nonce-consumed mapping CCIP OffRamp tracks sequence numbers (nonces) per source chain to prevent replay. Each message carries a unique sequenceNumber that is consumed on execution. The OffRamp maintains a mapping of executed message sequence numbers per source chain. Replay protection is a core CCIP design feature.
RD-F-154 green Default bytes32(0) acceptable as valid root [★ CRITICAL] CCIP v1.5 OffRamp.sol commit function: 'bytes32 merkleRoot = root.merkleRoot; if (merkleRoot == bytes32(0)) revert InvalidRoot();' — zero-value merkle root is explicitly rejected before acceptance. Nomad-class bug ($190M) is not present in CCIP. Confirmed from Code4rena 2024-11 codebase and prior chainlink-ccip protocol fill.
RD-F-157 green Bridge TVL per validator ratio CCIP bridges DOLO governance token only, not user TVS ($189M lending collateral is per-chain, not bridged). DOLO token market cap in the $50-100M range. Per-validator TVS ratio is governance-token-only, not lending market TVS. A CCIP compromise affecting DOLO would cause governance disruption, not a lending market drain. Bounded impact compared to a TVS bridge.
Threat intelligence & recon Yellow 25 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol T-09 phase-2 advisory signal, Tier C. The March 2024 exploit attacker wallet (0x5eAA7DaDa44d59549A6c58008b2bd3C7F81d2502) interacted with a Dolomite-branded legacy contract and is exploiter-labeled. No DPRK/Lazarus attribution for this specific event found in public sources (TRM Labs, Chainalysis, Elliptic). Attacker use of TC ≠ team contamination (U4 rule). For current v2 contracts: no known-threat-actor interaction detected in public sources. Dolomite has contracted Chainalysis CIR for incident response monitoring. Yellow: historical exploiter-label against Dolomite brand exists in threat-actor databases; live detection requires Chainalysis/TRM licensed feed not yet deployed.
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Official domain: dolomite.io. Assessment window for 90-day typosquat registration: 2026-02-15 to 2026-05-16. No WHOIS/DomainTools feed accessible to confirm or deny typosquat registrations — this is a persistent structural gap (process-learnings: WHOIS lookups require DomainTools API). Public OSINT search found no confirmed reports of active typosquat domains targeting dolomite.io in this period. Yellow: protocol has high brand recognition ($1B+ TVL peak, DOLO TGE widely covered, Decrypt Top-10 DeFi lending coverage) creating elevated typosquat incentive; absence of monitoring means active typosquats could exist undetected. Requires DomainTools or equivalent for green confirmation.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols For the March 2024 Dolomite exploit: attacker wallet funded from Tornado Cash relayer (reltor.eth, 0x4750BCfcC340AA4B31be7e71fa072716d28c29C5) 12 days before the March 20, 2024 strike (funding approximately March 8). Reconnaissance window: 12 days. This is a focused pre-strike funding pattern — shorter than USPD 78-day class reconnaissance but longer than same-day flash-loan attacks. The exploit targeted a legacy contract with stale approvals (passive reconnaissance via blockchain history reading), not active mempool probing. Yellow: non-zero reconnaissance window confirmed; shorter than USPD class, suggesting an opportunistic rather than nation-state-class attack against the legacy surface.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Requires live mempool monitoring to detect low-gas failing txs from threat-actor cluster wallets against Dolomite v2 contracts. No public data on current probe patterns. Pipeline-unimplemented for this monitoring surface.
RD-F-162 gray Known-exploit-template selector deployed by any address No active known-exploit-template selector pattern applicable to current v2 DolomiteMargin detected in public sources. The 2024 exploit used callFunction on a 2019 legacy contract not present in v2 architecture. Continuous on-chain deploy sweep required for this signal; pipeline-unimplemented.
RD-F-164 gray Leaked credential on paste/sentry site The 2020 add.xyz breach involved an exposed API key on the frontend (historical, pre-v2 architecture). No current paste-site or Sentry credential leak for Dolomite v2 infra found in public OSINT. Requires paste-feed and credential-dump monitoring not currently implemented.
RD-F-165 gray Protocol social channel has scam-coordinator flag Discord referenced in Dolomite governance docs (URL not confirmed in this assessment). No scam-coordinator flag found in public OSINT for Dolomite-adjacent Discord or Telegram channels. Requires curator social watchlist monitoring not currently deployed.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps Dolomite uses OpenZeppelin 2.5.1 (data cache github.oz_contracts_version). OZ 2.5.1 is an older version (circa 2020) but has no active malicious-release incident in current GitHub security advisories as of 2026-05-16. The dolomite-margin-modules repo uses more recent dependencies. No GitHub security advisory flagging a malicious release in Dolomite's dependency tree found in public sources. Green — no current malicious-dependency incident detected.
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Two compiler versions: (1) Core DolomiteMargin: Solidity v0.5.16+commit.9c3226ce (confirmed on Etherscan for 0x003Ca23Fd5F0ca87D01F6eC6CD14A8AE60c2b97D), optimizer 10,000 runs, Istanbul EVM. 0.5.16 is the final 0.5.x patched version — KeccakCaching bug fixed in 0.5.10, IncorrectByteInstructionOptimization fixed in 0.5.7. (2) Modules: Solidity 0.8.9 (hardhat-base-config.ts), optimizer 200 runs, yul=false. UserDefinedValueTypesBug (0.8.8) was fixed in 0.8.9 — 0.8.9 itself is clean. Both versions are old (0.5.16 is 2020, 0.8.9 is 2021) but no high/critical bugs directly applicable to these contract patterns found. Experimental ABIEncoderV2 in 0.5.16 core is a known area of interest — covered by OZ and Cyfrin audits.
RD-F-174 yellow Dependency tree uses EOL Solidity version DolomiteMargin core uses Solidity 0.5.16 — the 0.5.x series is effectively EOL (no security patches since 0.5.17 final, ~2020). The core ($129.7M Ethereum, immutable) cannot be upgraded to a newer compiler without full redeployment. Modules use 0.8.9 which is not EOL but is old (2021). Yellow: 0.5.16 is EOL but the immutable architecture means compiler update requires redeployment; no active 0.5.16-specific critical bug for this contract type identified.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation Dolomite explicitly declares its upstream (dYdX Solo). Deviations are fully documented in the README as additive changes (new functions, compiler upgrade, new fields). No behavior-deviating state-mutation reordering indicating AI-generated copy risk identified. Core accounting logic in OperationImpl is structurally faithful to upstream with documented additions.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub commit history for dolomite-margin shows single-author commits by coreycaplan3/Corey — most recent: 2024-08-21 SHA 1008ad9 'Added Bramah Systems Audit Report', 2024-04-12 SHA 3a228ea 'quick comment'. No 'co-authored-by: GitHub Copilot' or similar AI-tool co-authorship trailers found in inspected commit history.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public blog, tweet, or documentation found where Dolomite team discloses use of AI-generated Solidity in production security-critical code. Web search for 'Dolomite AI-generated code' returned no protocol-specific results.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public 72-hour acknowledgment SLA publicly stated on bug bounty docs page. 30-day researcher confidentiality window stated. However, no full disclosure timeline published for: fix development SLA, public disclosure timeline after fix, or payout tier amounts (OWASP methodology referenced but no USD amounts). Program is self-hosted with no independent third-party verification. Max payout not disclosed — for a $189M TVL protocol, undisclosed payout limits reduce transparency of the program's materiality. Scoring yellow: acknowledgment SLA published (positive indicator) but fix-and-disclosure cadence and payout tiers absent.
RD-F-175 green Disclosure channel exists Dedicated bug bounty page at docs.dolomite.io/bug-bounty with security@dolomite.io as contact. 72-hour acknowledgment SLA stated. Program active (self-hosted). A functional disclosure channel exists even without third-party platform hosting.
RD-F-177 green Prior known-ignored disclosure No post-mortem or third-party report documents a case where a disclosed vulnerability was reported to the Dolomite team and ignored before exploitation. The March 2024 incident was a zero-day exploitation of a legacy contract — no evidence of prior private disclosure before the exploit. Green.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against Dolomite in NVD, GitHub Security Advisories, or web search. The March 2024 incident involved a 2019 legacy contract that was not maintained as a library subject to CVE cataloguing. Green = no CVE/GHSA issued.
rubric_version v1.7.0 graded_at 2026-05-16 12:19:02 factors 184 protocol dolomite