ether.fi
Liquid restaking protocol on Ethereum; users deposit ETH to receive eETH (rebasing) or weETH (wrapped non-rebasing), with underlying ETH natively restaked on EigenLayer via per-node EigenPod architecture and DVT via SSV/Obol.
Deployments: Ethereum · $5.1B
01 Risk profile at a glance
0 red · 2 yellow · 11 green
02 Categories & evidence
184 factors · 13 categories
Code & audits Green 7 25 of 25
RD-F-001 yellow Audit scope mismatch 27 audit engagements across 10 firms (2023-02 to 2026-03); Certora FV retainer with 15 reports, most recent re-audit of core contracts 2026-01-29 (89 days before assessment). No signed git release tags exist in the repo, so exact commit-to-bytecode matching is imprecise. Deployed Etherscan bytecode for core contracts was compiled with solc 0.8.13 while foundry.toml configures 0.8.27, a version mismatch indicating that legacy contracts have not been recompiled with the current toolchain. The ongoing Certora FV retainer provides rolling coverage that partly compensates for the lack of formal release tagging.
RD-F-003 yellow Resolved-without-proof findings Hats Finance (2023-12) found 1 medium (reentrancy in LiquidityPool requestWithdraw, reportedly remediated) and 12 lows. Nethermind NM-0217 restaking audit found 2 best-practice items, both fixed. Certora FV proofs cover specified invariants mathematically. Full resolution verification of findings in PDF-format audits (Zellic 2024-01, 2024-03; Decurity 2024-04; Halborn 2024-06, 2024-08) cannot be confirmed without curator PDF review. No evidence of unresolved findings causing exploits.
RD-F-006 yellow Audit-to-deploy gap No signed git release tags exist, so the exact audit-end-to-deploy lag cannot be computed programmatically. Temporal clustering of Certora reports and profile-noted upgrade dates (EtherFiNodesManager impl 2026-02-02, weETH impl 2025-08-07) suggests features are deployed within ~60 days of the associated FV report. Cannot be confirmed precisely without curator cross-referencing of Certora report dates against deployment transaction timestamps.
RD-F-014 yellow Reentrancy guard on external-calling functions Hats Finance 2023-12 audit found reentrancy in LiquidityPool requestWithdraw (medium severity, reportedly remediated). Liquifier.sol uses nonReentrant on depositWithERC20() and unwrapL2Eth() but not on withdrawEther(), which makes an external call to the liquidity pool: a residual reentrancy surface whose exploitability depends on whether state is settled before the call and on who can reach the function. WithdrawRequestNFT uses the checks-effects-interactions pattern correctly. Without a full Slither run, exhaustive reentrancy coverage cannot be confirmed.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program active with $300K max payout and 60 assets in scope. Core contracts appear to be the primary scope. However, the full enumeration of all 60 assets was not accessible due to JS rendering of the Immunefi page; specifically, whether the weETH OFT adapter contracts (LayerZero adapters across 19 chains) are explicitly included cannot be confirmed from the publicly accessible page content. The profile notes a Paladin audit of the OFT adapter migration (2024-09-30), but bug bounty scope is separate from audit coverage. Curator must verify that the 60 assets include the weETH OFT adapters to confirm no Kelp DAO-style scope gap.
RD-F-010 gray Static-analyzer high-severity count No Slither/Mythril/Semgrep output publicly available. Hats Finance 2023-12 audit found 1 medium (reentrancy in LiquidityPool requestWithdraw, reportedly remediated) and 12 lows from manual review. Certora FV proofs cover declared invariants but do not replace static analysis tooling for all patterns. [?] needs tool run for a definitive high-severity finding count.
RD-F-016 gray Divide-before-multiply pattern No Slither output publicly available. The divide-before-multiply pattern requires a Slither detector run on the deployed source. Cannot assess without tool run. [?] needs tool run.
RD-F-002 green Audit recency Most recent Certora report is Priority Queue (2026-03-05, 54 days before assessment). Most recent core-contracts re-audit is Certora (2026-01-29, 89 days). EigenLayer slashing integration covered by Certora (2025-04-12, 381 days). Continuous Certora FV retainer provides rolling coverage for recent features; last non-Certora audit (Halborn) dated 2024-08 for older modules.
RD-F-004 green Audit count 10 distinct audit firms: CertiK (2023-02), Omniscia (2023-05), Nethermind (2023-07 + NM-0217x2), Solidified (2023-10), Hats Finance (2023-12), Zellic (2024-01, 2024-03), Decurity (2024-04), Halborn (2024-06, 2024-08), Paladin (2024-09), Certora (15 reports 2024-10 through 2026-03). Total 27+ engagements. Well above the 3-firm floor for this TVL tier ($5.1B).
RD-F-005 green Audit firm tier Certora (Tier-1 FV specialist), Zellic (Tier-1 DeFi boutique), Nethermind (Tier-2 large firm) represent high-quality coverage. Halborn (Tier-2), Decurity (Tier-2 boutique), Paladin (Tier-2 boutique), Hats Finance (competitive audit platform), CertiK (Tier-2 large firm). Strong blend with Certora as dominant ongoing partner.
RD-F-007 green Bug bounty presence & max payout Active Immunefi bug bounty program. Max payout: $300,000 for critical smart contract vulnerabilities. 60 assets in scope. PoC required; KYC mandatory for payouts. Program URL confirmed in data cache sources.bug_bounty.
RD-F-008 green Ignored bounty disclosure No evidence of any disclosed vulnerability that was ignored before an exploit. Rekt leaderboard shows 0 incidents (data cache sources.rekt.incidents = []). No protocol-level exploits found in any public database. ether.fi has a clean exploit history.
RD-F-009 green Formal verification coverage Certora active retainer: 15 FV reports from 2024-10 to 2026-03 covering eETH share inflation, withdrawal fee, v2.49 core, EigenLayer slashing integration, V3.Prelude, Pectra features, weETH adapter, safe key gen + consensus role, core contracts re-audit, and priority queue. EtherFiOracle.spec present in certora/specs directory. Core contracts (LiquidityPool, eETH, weETH) formally verified in 2026-01-29 re-audit. One of the strongest ongoing FV postures in the LRT sector.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No selfdestruct opcode found in any of the 12 sampled production contracts (LiquidityPool, EETH, WeETH, EtherFiNodesManager, StakingManager, EtherFiNode, EtherFiOracle, WithdrawRequestNFT, EtherFiAdmin, Liquifier, MembershipManager, NodeOperatorManager). GitHub authenticated code search not available; exhaustive scan requires tool run, but no selfdestruct found in the most critical contracts.
RD-F-012 green delegatecall with user-controlled target No delegatecall with user-controlled target found in sampled contracts. EtherFiNodesManager's forwardExternalCall() implements allowlist validation before execution. EtherFiNode uses LibCall.callContract() with hardcoded or manager-controlled targets. No user-supplied target delegatecall pattern observed across 12 sampled contracts.
RD-F-013 green Arbitrary call with user-controlled target No arbitrary .call(user_target, user_data) pattern observed in sampled contracts. EtherFiNodesManager forwardExternalCall uses allowlist validation. EtherFiNode uses LibCall.callContract() with controlled targets. No user-supplied external call targets found in core contracts.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard WithdrawRequestNFT (ERC-721) uses checks-effects-interactions pattern in _claimWithdraw — NFT burned and accounting updated before external liquidityPool.withdraw() call. No ERC-777 integration identified in core contracts. MembershipManager loyalty tier system uses no ERC-777 hooks.
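F010, F014 and F015 all note that no static-analyzer output was available and that reentrancy coverage rests on manual review. The scanner below is an added triage example, not ether.fi's code or a Slither replacement: it lists public/external functions that call out to an interface-typed state variable or use a low-level call, and reports whether each carries `nonReentrant` and whether it writes state after the call (a checks-effects-interactions violation). The Solidity it scans is a constructed sample whose function names echo F014; the bodies are invented for illustration and are not Liquifier's source.

```python
"""Heuristic reentrancy-surface triage for Solidity sources.

Triage only: braces inside strings/comments are not skipped, and only the
declaration shapes used in the sample are recognised. Run Slither for a
real detector pass; use this to decide which functions to read first.
"""
import re
from dataclasses import dataclass

IFACE_DECL = re.compile(r"^\s*(I[A-Z]\w*)\s+(?:(?:public|private|internal|immutable)\s+)*(\w+)\s*;", re.M)
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")
LOW_LEVEL = re.compile(r"\.(?:call|delegatecall|staticcall)\s*[({]")
# assignment / compound assignment at line start: `pending[msg.sender] = 0;`
STATE_WRITE = re.compile(r"^\s*[\w\[\].]+\s*[+\-*/]?=(?!=)", re.M)


@dataclass
class Finding:
    name: str
    guarded: bool                 # header carries nonReentrant
    state_write_after_call: bool  # effects after interaction
    call: str                     # matched external-call text

    def severity(self) -> str:
        if self.guarded:
            return "info"
        return "high" if self.state_write_after_call else "medium"


def _body(src: str, open_brace: int) -> str:
    """Text between the brace at open_brace and its matching close brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    raise ValueError("unbalanced braces")


def scan(src: str) -> list[Finding]:
    iface_vars = [name for _, name in IFACE_DECL.findall(src)]
    pattern = LOW_LEVEL.pattern
    if iface_vars:
        pattern += r"|\b(?:" + "|".join(map(re.escape, iface_vars)) + r")\.\w+\s*\("
    ext_call = re.compile(pattern)
    findings = []
    for m in FUNC_HEADER.finditer(src):
        name, modifiers = m.group(1), m.group(3)
        if not re.search(r"\b(?:external|public)\b", modifiers):
            continue  # internal/private functions are not direct entry points
        body = _body(src, m.end() - 1)
        call = ext_call.search(body)
        if call is None:
            continue
        findings.append(Finding(
            name=name,
            guarded="nonReentrant" in modifiers,
            state_write_after_call=STATE_WRITE.search(body[call.end():]) is not None,
            call=call.group(0),
        ))
    return findings


# Constructed sample modelled on the F014 description; NOT Liquifier.sol.
SAMPLE_SOURCE = """
contract LiquifierLike is ReentrancyGuard {
    ILiquidityPool public liquidityPool;
    mapping(address => uint256) public pending;

    function depositWithERC20(address token, uint256 amount) external nonReentrant {
        pending[msg.sender] += amount;
        liquidityPool.deposit(token, amount);
    }

    function withdrawEther() external {
        uint256 amount = pending[msg.sender];
        liquidityPool.withdraw(msg.sender, amount);
        pending[msg.sender] = 0;
    }

    function claim(uint256 id) external {
        uint256 amount = pending[msg.sender];
        pending[msg.sender] = 0;
        liquidityPool.withdraw(msg.sender, amount);
    }

    function _double(uint256 x) internal pure returns (uint256) { return x * 2; }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f.severity():6} {f.name:20} guarded={f.guarded} write_after_call={f.state_write_after_call}")
```

On the sample, `withdrawEther` is the only `high`: unguarded and zeroing `pending` after the pool call. `claim` is unguarded but CEI-ordered (`medium`, read it but the ordering protects it), and the guarded deposit is informational. The same split is what a reviewer would want for the real Liquifier before deciding whether the F014 surface is exploitable.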
RD-F-017 green Mixed-decimals math without explicit scaling Core tokens (ETH, eETH, weETH) all use 18 decimals. Liquifier handles stETH (18 decimals) conversion. No mixed-decimal token math anomaly identified in sampled source. Certora FV reports for eETH share inflation and withdrawal fee cover core token math invariants.
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.x checked arithmetic prevents silent overflow/underflow. No signed-to-unsigned confusion pattern identified in sampled contracts. Certora FV arithmetic invariants provide additional assurance. Cannot confirm exhaustively without symbolic execution.
RD-F-019 green ecrecover zero-address return unchecked No ecrecover usage found in any of the sampled core contracts (LiquidityPool, EETH, WeETH, EtherFiNodesManager, StakingManager, EtherFiNode, EtherFiOracle, WithdrawRequestNFT). GitHub authenticated code search not available for an exhaustive scan, but no ecrecover found in any of the critical-path contracts sampled.
RD-F-020 green EIP-712 domain separator missing chainId No EIP-712 signed-message patterns found in sampled core contracts. Core deposit/withdrawal flow does not use off-chain signatures. Without tool run, cannot confirm all contracts, but no EIP-712 usage observed in critical-path contracts.
RD-F-021 green UUPS _authorizeUpgrade correctly permissioned All sampled UUPS implementation contracts correctly implement _authorizeUpgrade(address) gated on roleRegistry.onlyProtocolUpgrader(msg.sender): LiquidityPool (line 572), EETH, WeETH (line 146), EtherFiOracle, WithdrawRequestNFT, EtherFiAdmin, NodeOperatorManager, RoleRegistry. No open or unchecked _authorizeUpgrade found across all sampled contracts.
RD-F-022 green Public initialize() without initializer modifier All sampled contracts that expose initialize() declare it external with the initializer modifier: LiquidityPool (line 177), EETH (line 74), WeETH (line 64), EtherFiOracle, WithdrawRequestNFT, EtherFiAdmin, NodeOperatorManager, RoleRegistry, Liquifier. All constructors call _disableInitializers() to prevent re-initialization of the implementation contract. EtherFiNodesManager and StakingManager do not expose initialize() at all (they use constructors). EtherFiNode uses a traditional constructor. Clean across all 12 sampled contracts; no one-tx re-initialization exploit surface found.
RD-F-023 green Constructor calls _disableInitializers() All sampled UUPS implementation contracts call _disableInitializers() in their constructor: LiquidityPool, EETH, WeETH, EtherFiOracle, WithdrawRequestNFT, EtherFiAdmin, StakingManager, NodeOperatorManager, MembershipManager, RoleRegistry (10 contracts confirmed). Standard OZ protection pattern correctly applied.
RD-F-024 green Code complexity vs audit coverage 27 audit engagements across 10 firms for a codebase of >20 significant contracts. Certora FV retainer produces rolling per-feature formal verification. Audit coverage density (reports per contract) is above average for this TVL tier. No evidence of significantly under-audited modules.
Governance & admin Green 13 24 of 24
RD-F-028 yellow Low-threshold multisig vs TVL 4-of-7 at $5.1B TVL. Threshold is borderline for this TVL tier (peer norm >$1B LRT is 5-of-9+). More critically, all 7 signer addresses are unlabeled EOAs with no public identity attestation. One signer (0x9506429A) shows hot-wallet behavior (funded by Kraken, 21 txs). Governance docs do not disclose committee member identities, reducing effective accountability.
RD-F-030 yellow Hot-wallet signer flag Signer 0x9506429A exhibits a hot-wallet behavioral pattern: funded by Kraken, 21 transactions, uses ENS, DeFi protocols, cross-chain bridging. At least 1 of 7 signers shows a hot-wallet profile. Other 6 signers not fully analyzed.
RD-F-032 yellow Timelock duration on upgrades On-chain getMinDelay() = 3,600 seconds (1 hour). At $5.1B TVL this is materially below industry standard. Lido uses 24h, MakerDAO uses 48h, Compound uses 48h. A 1-hour window provides minimal user-exit protection if a malicious upgrade is proposed. Profile noted a potential '3-day operational policy' but the on-chain minimum is the binding constraint.
RD-F-033 yellow Timelock on sensitive actions Upgrades require EtherFiTimelock (1h) + 4-of-7 Safe, i.e. they are timelocked. However: weETH.recoverETH(), weETH.recoverERC20(), weETH.recoverERC721() are callable by WEETH_OPERATING_ADMIN_ROLE WITHOUT timelock. EtherFiNodesManager.sweepFunds() is callable by ETHERFI_NODES_MANAGER_ADMIN_ROLE WITHOUT timelock. Pause/unpause operations bypass the timelock by design (PROTOCOL_PAUSER role).
RD-F-038 yellow Proposal execution delay < 24h Timelock minimum delay is 1 hour, below the 24h threshold. A colluding 4-of-7 Safe could execute a malicious upgrade in under 2 hours (Safe approval + Timelock delay). No separate voting period exists in the on-chain execution path.
RD-F-040 yellow Emergency-veto multisig present No separate emergency-veto multisig identified distinct from the 4-of-7 Safe. The Safe serves as both upgrade proposer and emergency-pause executor. No independent veto body with a separate key set exists to stop a malicious proposal before the 1-hour timelock expires.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock weETH.recoverETH() and weETH.recoverERC20() callable by WEETH_OPERATING_ADMIN_ROLE without timelock. EtherFiNodesManager.sweepFunds() callable by ETHERFI_NODES_MANAGER_ADMIN_ROLE without timelock. Treasury.withdraw() callable by owner (Ownable) without timelock. These are untimelocked fund-recovery paths. Not red because (a) the OPERATING_ADMIN and NODES_MANAGER_ADMIN roles are likely multisig-held (pending confirmation), and (b) the weETH recover functions are bounded to accidentally-sent tokens (eETH is explicitly excluded from recoverERC20 scope in the source).
RD-F-047 yellow Governance token concentration (Gini) ETHFI fixed supply ~1B. Snapshot proposals require only a 1M ETHFI approval threshold, very low relative to circulating supply, suggesting governance is dominated by large holders. No Gini coefficient computed (on-chain holder scan not performed). Off-chain Snapshot is advisory only; binding execution goes through the Safe regardless.
RD-F-029 gray Multisig signers co-hosted Cannot be assessed without signer identity linkage. All 7 signer addresses are unlabeled EOAs. No ASN/data-center attribution possible via OSINT alone.
RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain Governor. Snapshot voting is advisory/off-chain. Flash-loan quorum attack inapplicable.
RD-F-044 gray Admin wallet interacts with flagged addresses Not assessed. Requires Chainalysis/TRM-level cluster analysis against all 7 unlabeled signer addresses. Etherscan lookups are insufficient for mixer/watchlist cross-referencing.
RD-F-045 n/a Constructor args match governance proposal No Compound-style on-chain proposal system with constructor-arg verification. Governance is Snapshot + Safe; there is no constructor-arg proposal matching path.
RD-F-025 green Admin key custody type Admin key custody type is multisig+timelock: 4-of-7 Gnosis Safe (0xcdd57D11476c22d265722F68390b036f3DA48c21) is the sole proposer and executor of EtherFiTimelock (0x9f26d4C9...). TIMELOCK_ADMIN_ROLE is renounced (zero address). No EOA has direct upgrade authority.
RD-F-026 green Upgrade multisig signer configuration (M/N) 4-of-7 multisig. Owners: 0x9506429A, 0x4507cfB4, 0x5c8c76F2, 0x0fCe5cd3, 0x648aA14e, 0x2f2806e8, 0x173286Fa. Gnosis Safe v1.3.0.
RD-F-027 green Single admin EOA Admin is a 4-of-7 Gnosis Safe, not a single EOA. Safe API confirms owner_count=7, threshold=4. No single-signer upgrade path identified.
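The F026/F027 signer configuration and the F032/F038 delay figures come from `getOwners()`, `getThreshold()` and `getMinDelay()` calls. The example below is added here (not ether.fi's or the framework's code) and decodes the raw `eth_call` return data of those three functions without an ABI library, then scores the result against the 5-of-9 peer norm quoted in F028 and the 24h floor from F038. The return data it decodes is constructed with placeholder owner addresses; it is not a capture from the ether.fi Safe at 0xcdd57D11476c22d265722F68390b036f3DA48c21.

```python
"""Offline decoding of Safe / TimelockController eth_call return data.

Re-derives M-of-N and getMinDelay() from raw return bytes and flags them
against the peer norm and 24h floor used in this section.
"""
from dataclasses import dataclass


def decode_uint256(ret: bytes) -> int:
    """getThreshold() / getMinDelay() return a single 32-byte word."""
    if len(ret) != 32:
        raise ValueError("uint256 return must be exactly 32 bytes")
    return int.from_bytes(ret, "big")


def decode_address_array(ret: bytes) -> list[str]:
    """getOwners(): offset word, length word, then 32-byte-padded addresses."""
    if len(ret) < 64:
        raise ValueError("too short for a dynamic array")
    offset = int.from_bytes(ret[:32], "big")
    if offset + 32 > len(ret):
        raise ValueError("array offset points outside return data")
    length = int.from_bytes(ret[offset:offset + 32], "big")
    start = offset + 32
    if len(ret) < start + 32 * length:
        raise ValueError("truncated array")
    owners = []
    for i in range(length):
        word = ret[start + 32 * i:start + 32 * (i + 1)]
        if any(word[:12]):
            raise ValueError("non-zero padding: not a clean address word")
        owners.append("0x" + word[12:].hex())
    if len(set(owners)) != len(owners):
        raise ValueError("duplicate owner address")
    return owners


@dataclass
class GovernanceCheck:
    m: int                           # Safe threshold
    n: int                           # Safe owner count
    min_delay_s: int                 # TimelockController.getMinDelay()
    peer_m: int = 5                  # peer norm from F028 (assumed fixed here)
    peer_n: int = 9
    delay_floor_s: int = 24 * 3600   # F038 threshold

    def refusals_to_block(self) -> int:
        """Honest signers who must all refuse to stop a proposal."""
        return self.n - self.m + 1

    def below_peer_norm(self) -> bool:
        return self.m < self.peer_m or self.n < self.peer_n

    def delay_below_floor(self) -> bool:
        return self.min_delay_s < self.delay_floor_s

    def flags(self) -> list[str]:
        out = []
        if self.below_peer_norm():
            out.append(f"threshold {self.m}-of-{self.n} below peer norm "
                       f"{self.peer_m}-of-{self.peer_n}+")
        if self.delay_below_floor():
            out.append(f"getMinDelay()={self.min_delay_s}s is below the "
                       f"{self.delay_floor_s // 3600}h floor")
        return out


def check_from_returns(owners_ret: bytes, threshold_ret: bytes, delay_ret: bytes) -> GovernanceCheck:
    owners = decode_address_array(owners_ret)
    return GovernanceCheck(m=decode_uint256(threshold_ret), n=len(owners),
                           min_delay_s=decode_uint256(delay_ret))


# Constructed return data (NOT captured from the ether.fi Safe): seven
# placeholder owners 0x...1001 .. 0x...1007, threshold 4, minDelay 3600.
SAMPLE_OWNERS_RET = (
    (32).to_bytes(32, "big") + (7).to_bytes(32, "big")
    + b"".join(bytes(12) + bytes.fromhex("%040x" % (0x1000 + i)) for i in range(1, 8))
)
SAMPLE_THRESHOLD_RET = (4).to_bytes(32, "big")
SAMPLE_MIN_DELAY_RET = (3600).to_bytes(32, "big")

if __name__ == "__main__":
    chk = check_from_returns(SAMPLE_OWNERS_RET, SAMPLE_THRESHOLD_RET, SAMPLE_MIN_DELAY_RET)
    print(f"{chk.m}-of-{chk.n}; {chk.refusals_to_block()} refusals needed to block; "
          f"minDelay {chk.min_delay_s}s")
    for flag in chk.flags():
        print("FLAG:", flag)
```

Replace the sample constants with the hex returned by `eth_call` against the Safe and EtherFiTimelock addresses to reproduce the two yellow flags above; the padding and duplicate checks guard against a proxy or malformed response being mistaken for a clean owner list.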
RD-F-031 green Signer rotation recency No Security Council separate from the 4-of-7 Safe. EtherFiTimelock TIMELOCK_ADMIN_ROLE is zero address (renounced) — no one can unilaterally reduce multisig threshold or grant/revoke timelock roles without Safe approval.
RD-F-034 green Guardian/pause-keeper distinct from upgrader PROTOCOL_PAUSER role is distinct from PROTOCOL_UPGRADER role. EtherFiAdmin.pause() uses PROTOCOL_PAUSER. Upgrade authorization uses onlyProtocolUpgrader() via RoleRegistry. These are separate roles assignable to distinct addresses.
RD-F-035 green Role separation: upgrade ≠ fee ≠ oracle RoleRegistry implements RBAC with fine-grained role separation: PROTOCOL_UPGRADER, LIQUIDITY_POOL_ADMIN_ROLE (fee recipient), ETHERFI_ORACLE_EXECUTOR_ADMIN_ROLE (oracle config), and dozens of contract-specific roles. These are distinct and assignable to different addresses.
RD-F-036 green Flash-loanable voting weight No on-chain Governor contract. ETHFI voting is off-chain Snapshot only (etherfi-dao.eth). Execution flows through 4-of-7 Safe + Timelock — no flash-loanable voting weight applies.
RD-F-039 green delegatecall/call in proposal execution without allowlist No on-chain proposal executor contract. Execution flows: Safe → OZ TimelockController.execute() → target.call(). OZ TimelockController uses `call` (not `delegatecall`) on the target. No general-purpose arbitrary-target proposal executor with delegatecall found.
RD-F-042 green Admin has mint() with unlimited max ETHFI governance token has fixed supply (~1B tokens minted at deploy); no mint function post-deployment. eETH mintShares() is gated to onlyPoolContract (LiquidityPool contract address), not an admin EOA/multisig. weETH wrap() is user-callable but mints only proportional to eETH deposited — not admin-unlimited.
RD-F-043 green Admin = deployer EOA after 7 days Protocol launched May 2023. Current admin is the 4-of-7 Safe deployed February 16, 2024. Deployer (ether.fi: Deployer 5, 0x8d5aac5d...) is not the current admin, so the deployer-EOA-as-admin condition does not hold.
RD-F-046 green Contract unverified on Etherscan/Sourcify All major in-scope contracts verified on Etherscan with Exact Match. LiquidityPool (0x308861A4): verified. eETH (0x35fA1647): verified. weETH (0xCd5fE23C): verified, impl 0x2d10683E verified. EtherFiNodesManager (0x8B71140A): verified, impl 0x789CbBe0 verified (solc 0.8.27). EtherFiAdmin (0x0EF8fa47): verified. RoleRegistry proxy: verified, impl 0x3A75019F verified.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contract surfaces identified in core scope. All UUPS upgrades maintain same proxy address with new implementations; deprecated implementations are unreachable. No admin retains pause over a deprecated surface.
Oracle & external dependencies Yellow 21 17 of 17
RD-F-049 yellow Oracle role per asset EtherFiOracle is the sole primary oracle for the eETH rebase (validator balance, reward accounting, exit events). No secondary or fallback oracle documented. Liquifier uses an optional Curve pool spot price for stETH→eETH conversion when the quoteStEthWithCurve flag is true; default is 1:1 (no oracle). Single-oracle architecture on the core rebase path.
RD-F-050 yellow Dependency graph (protocols depended upon) Hard dependencies: EigenLayer (EigenPod system for all ~$5.13B restaked ETH via EtherFiNodesManager calls to IDelegationManager and IEigenPod), SSV Network (DVT key splitting for ~6,500+ validators via StakingManager), Obol Network (DVT cohort first deployed Aug 2023). Soft dependencies: Lido stETH (Liquifier conversion path), Curve stETH/ETH pool (if quoteStEthWithCurve enabled), LayerZero endpoint infrastructure for cross-chain weETH. Any EigenLayer protocol failure directly affects ether.fi depositor ETH.
RD-F-051 yellow Fallback behavior on oracle failure No fallback oracle exists for EtherFiOracle. If committee quorum is not reached, reports remain in a pending ConsensusState with consensusReached = false and the rebase does not execute; the protocol enters a suspended state. Admin can call unpublishReport() for intervention. No automatic transition to a secondary oracle or last-known-price fallback. Liquifier fallback is the default 1:1 ratio when the Curve path is disabled.
RD-F-052 yellow Breakage analysis per dependency EigenLayer failure/slashing: up to $5.13B TVL exposed; loss socialized across all depositors, no insurance fund documented. SSV failure: validator missed attestations, forced exits, beacon exit queue delay. EtherFiOracle quorum failure: eETH rebase halts completely. Lido stETH depeg: Liquifier 1:1 default overpays for stETH. LayerZero DVN compromise: unbacked weETH minted up to the per-chain rate limit (20–10,000 weETH/4h).
RD-F-054 yellow TWAP window duration EtherFiOracle uses committee consensus, not a TWAP window, so this is N/A for the core rebase path. The Liquifier Curve spot path has a zero TWAP window when enabled (spot price, not time-averaged). The default 1:1 path has no TWAP concern. TWAP window = 0 minutes for the Curve spot path when active.
RD-F-056 yellow Single-pool oracle (no medianization) EtherFiOracle: N/A, committee-based consensus across multiple oracle members rather than a single pool. Liquifier Curve path: reads a single Curve stETH/ETH pool with no medianization across venues when active. The core accounting path (committee oracle) has inherent medianization via multi-member consensus.
RD-F-057 yellow Circuit breaker on price deviation No circuit breaker on EtherFiOracle output found. Reports are published when quorum is reached; there is no automated halt on anomalous reward values. Liquifier implements _min(fairValue, marketValue), which prevents overvaluation but is not a price-deviation circuit breaker. LiquidityPool source review found no circuit breaker on oracle output.
RD-F-059 yellow Oracle staleness check present EtherFiOracle enforces an _isFinalized() check (epoch+2 minimum before publication), preventing premature reports. No updatedAt > now - X staleness guard found on the LiquidityPool consumer side. The committee-based model assumes freshness via quorum liveness: if the committee reports regularly, staleness is not a concern; if quorum fails, the rebase halts (protocol suspended) rather than using a stale price. No consumer-side staleness rejection implemented.
RD-F-055 gray Oracle pool depth (USD) Not applicable to EtherFiOracle (committee-based, no pool). Curve stETH/ETH pool depth is historically large (~$100M+) but current depth not verified, and the Liquifier Curve path is admin-toggled off by default. Cannot confirm current pool depth without on-chain data access.
RD-F-058 gray Max-deviation threshold (bps) No configured max-deviation threshold found on the core oracle path. Circuit breaker not present (see F057); therefore no threshold to report. Cannot assess peripheral Chainlink feeds for sub-products, which are out of scope.
RD-F-060 gray Chainlink aggregator min/max bound misconfig Chainlink feeds in the data cache (USDT/USD, ETH/USD, USDC/USD, etc.) are peripheral sub-products (ether.fi Liquid vault, Cash card product) per profile §7, not the core LRT rebase path. Cannot assess minAnswer/maxAnswer misconfig for out-of-scope contracts. Core rebase does not use Chainlink.
RD-F-181 n/a Permissionless-pool lending oracle ether.fi is an LRT protocol, not a lending protocol. No market-listing mechanism exists. No permissionless collateral acceptance. No isolation-tier config. The F181 failure mode (permissionless DEX pool → fake token accepted as lending collateral) does not apply by protocol-type construction.
RD-F-048 green Oracle providers used Two oracle systems: (1) EtherFiOracle at 0x57AaF0004C716388B21795431CD7D5f9D3Bb6a41 — internal committee-based oracle for validator accounting and eETH rebase; (2) Liquifier: default 1:1 Lido rate for stETH conversion, optional Curve stETH/ETH pool spot price (admin-toggled off by default). Chainlink feeds in data cache are peripheral sub-products (ether.fi Liquid vault, Cash card), not the core LRT rebase path.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) Core eETH accounting uses committee-based EtherFiOracle, not a DEX spot price. F053 critical pattern does not apply to the core rebase path. Liquifier optional Curve path (ICurvePoolQuoter1.get_dy) reads Curve stETH/ETH spot price with no TWAP when quoteStEthWithCurve = true, but this admin-toggled deposit conversion path does not drive liquidations or core accounting. Default is 1:1. Critical factor green.
RD-F-061 green LP token balanceOf used for pricing Not found in core protocol path. LiquidityPool does not price assets via LP token balanceOf. Donation-manipulable LP pricing pattern not present.
RD-F-062 green External keeper/relayer not redundant EtherFiOracle uses committee-based quorum — multiple committee members serve as oracle reporters, providing redundancy. No single-keeper dependency. No Gelato or Chainlink Automation dependency found in core LRT path. Committee membership tracked via numActiveCommitteeMembers with quorum enforcement.
RD-F-180 green Immutable oracle address [★ F180 CRITICAL-CANDIDATE — green, not triggered] EtherFiOracle at 0x57AaF0004C716388B21795431CD7D5f9D3Bb6a41 is a UUPS upgradeable proxy. Oracle address is admin-replaceable via RoleRegistry (0x62247D29B4B9BECf4BB73E0c722cf6445cfC7cE9) and EtherFiTimelock. Not an immutable oracle address. The F180 failure mode does not apply. No Chainlink address marked immutable found in core accounting path.
Economic risk Yellow 22 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) On-chain depositor concentration data unavailable; Dune Analytics blocked (403). At $5B+ TVL, institutional-grade protocols typically exhibit high whale concentration (70-90% from top depositors >$1M per DeFi vault research). ether.fi's institutional positioning (Maple Finance weETH-for-institutions partnership, institutional staking page) strongly suggests large-ticket depositor concentration. PrismaRisk weETH assessment noted high Pendle concentration (71.88% of weETH on Pendle at time of assessment), implying few large yield-farming accounts drive a significant share of supply. Rated yellow for concentration risk based on indirect evidence; curator should confirm with a Dune on-chain depositor scan.
RD-F-065 yellow Liquidity depth per major asset weETH→ETH secondary market depth: ~0.5% slippage for a $10M swap per PrismaRisk February 2025 snapshot, implying ~$20-40M at 2% slippage. Primary venues: Uniswap V3 weETH/WETH (0x202A6012894Ae5c288eA824cbc8A9bfb26A49b93), Curve LRT pools. However, 71.88% of weETH supply was concentrated in Pendle yield-speculative positions rather than traditional trading venues, reducing effective exit liquidity. Kelp DAO April 2026 incident demonstrated a 45:1 contagion ratio for LRT sector stress. During a protocol-integrity event (slashing, oracle failure), Pendle PT positions cannot be redeemed at par instantly, collapsing effective exit liquidity. April 2025 stress test showed resilience ($1.1M in weETH liquidations, withdrawal buffer held at 71.67k ETH), but this was a price correction, not an integrity event.
RD-F-066 n/a Utilization rate (lending protocols) ether.fi core stake module is not a lending protocol. No borrow positions, no utilization rate. DefiLlama data confirms borrow.present: false. Per taxonomy PD-024, utilization rate is lending-only and produces not_applicable for LRT protocols.
RD-F-067 n/a Historical bad-debt events Not a lending protocol; no borrow positions, no liquidation engine, no bad-debt socialization mechanism in the core stake module. Per taxonomy PD-024, historical bad debt events is lending-only.
RD-F-068 n/a Collateralization under stress Not a lending/CDP protocol. No collateral ratio applies to the core stake module. eETH/weETH represent 1:1 ETH-denominated claims on staked ETH. Per taxonomy PD-024, this factor is lending-only.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin ether.fi is not a stablecoin protocol. eETH/weETH are ETH-denominated LST/LRT tokens, not stablecoins. No algorithmic peg mechanism. Per taxonomy PD-024, algorithmic stablecoin design is lending-only and not applicable here.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) RD-F-070 (★ critical) is NOT APPLICABLE. ether.fi is not a Compound V2 fork. Per taxonomy PD-024, the empty cToken-style market exploit pattern applies only to Compound-fork protocols. ether.fi uses an original EigenPod-per-validator architecture with custom eETH share accounting (not cTokens). The analogous share-inflation risk in eETH was explicitly addressed by Certora formal verification (January 2025: 'eETH share inflation by burn shares'). The ★ critical flag does not trigger.
RD-F-071 n/a Seed-deposit requirement for new market listing Not a lending protocol. No market listing mechanism. Per taxonomy PD-024, seed-deposit requirement for new-market listing is lending-only.
RD-F-072 n/a Market-listing governance threshold Not a lending protocol. No market listing governance threshold applies. Per taxonomy PD-024, this factor is lending-only.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Not a lending protocol. No borrow caps to assess. Per taxonomy PD-024, oracle-manipulation-proof borrow cap is lending-only.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) ether.fi eETH/weETH are not ERC-4626 vaults. eETH is a custom rebasing ERC-20; weETH is a custom non-rebasing wrapper with a manual share-price accounting system. Neither implements the ERC-4626 deposit/mint/withdraw/redeem interface with a virtual-share offset. Per taxonomy PD-024, ERC-4626 vault virtual-share offset is lending-only. The share inflation surface (analogous risk) was separately addressed by Certora formal verification (January 2025).
RD-F-075 n/a First-depositor / share-inflation guard Not applicable in the strict first-depositor/ERC-4626 sense; the LiquidityPool is not an empty vault susceptible to first-deposit inflation at $5.13B TVL. The structurally analogous share-inflation risk (donation attack on eETH share accounting) was explicitly audited by Certora in January 2025 with formal verification coverage. Per taxonomy PD-024, this factor is lending-only. The eETH share inflation audit evidence is noted as positive.
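F047 records that no Gini coefficient was computed for ETHFI holders and F064 that the top-10 depositor share could not be measured. The helper below is an added example (not ether.fi's or the framework's code) that computes both, plus a Herfindahl index, from any balance snapshot so the two gaps can be closed once a holder scan is available. The distribution it runs on is constructed for illustration and is not on-chain data.

```python
"""Holder-concentration metrics for F047 (governance Gini) and F064
(top-k depositor share), from a list of balances or shares.
"""
from typing import Iterable


def _positive_sorted(balances: Iterable[float]) -> list[float]:
    """Drop zero/negative entries (dust-less or burned holders) and sort ascending."""
    return sorted(float(b) for b in balances if b > 0)


def gini(balances: Iterable[float]) -> float:
    """Gini coefficient over positive balances (0 = equal, -> 1 = one holder).

    Uses G = 2 * sum(i * x_i) / (n * sum(x)) - (n + 1) / n with x sorted
    ascending and i starting at 1. Degenerate for a single holder (returns 0).
    """
    xs = _positive_sorted(balances)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    return 2 * weighted / (n * total) - (n + 1) / n


def top_share(balances: Iterable[float], k: int = 10) -> float:
    """Fraction of the total held by the k largest holders."""
    xs = _positive_sorted(balances)
    total = sum(xs)
    if k <= 0 or total == 0:
        return 0.0
    return sum(xs[-k:]) / total


def hhi(balances: Iterable[float]) -> float:
    """Herfindahl-Hirschman index on the 0-10,000 scale (>2,500 = highly concentrated)."""
    xs = _positive_sorted(balances)
    total = sum(xs)
    if total == 0:
        return 0.0
    return sum((x / total) ** 2 for x in xs) * 10_000


def summarize(balances: Iterable[float], k: int = 10) -> dict:
    xs = list(balances)
    return {
        "holders": len(_positive_sorted(xs)),
        "gini": round(gini(xs), 4),
        f"top{k}_share": round(top_share(xs, k), 4),
        "hhi": round(hhi(xs), 1),
    }


# Constructed snapshot (NOT on-chain data): 3 whales at 1,000 each and
# 97 holders at 10 each, total 3,970.
SAMPLE_BALANCES = [1000] * 3 + [10] * 97

if __name__ == "__main__":
    print(summarize(SAMPLE_BALANCES))
```

The input for F047 is the ETHFI balance per holder address (contracts such as staking or bridge escrows should be unwrapped or excluded first, or the Gini will understate concentration); for F064 it is the eETH/weETH balance per depositor. Both are what a Dune holder query returns once the 403 is resolved.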
RD-F-063 green TVL (current + 30d trend) TVL $5.13B as of 2026-04-28 (+4.04% over 30 days). 12-month peak ~$9.17B (December 2024). Ranked 4th-largest LRT/LST protocol. Meets A-grade TVL threshold by orders of magnitude. Recovery trend positive after ETH price drawdown. No protocol-specific outflows detected.
Operational history Green 14 15 of 15
RD-F-089 red Insurance coverage active Nexus Mutual partnership enables users to purchase bundled smart contract cover (EigenLayer + ether.fi + Pendle; ether.fi Liquid Bundled). However, no protocol-level cover contract or dedicated insurance fund has been identified. Cover capacity is distributed across individual purchasers, not a protocol-wide backstop. $300K Immunefi max payout = 0.006% of $5.13B TVL. Nexus Mutual total capacity is well below $5B. Per process-learnings: 'Insurance gap (F089) is near-default red for large protocols.' Red confirmed.
RD-F-084 yellow TVL stability (CoV over 90d) Precise σ/μ CoV not calculable; the DefiLlama TVL time-series returns 403 (known structural gap). Proxy: TVL peaked ~$9.17B (Dec 2024), current $5.13B, a ~44% peak-to-trough drawdown. The decline is ETH-price-correlated rather than protocol-specific; ether.fi retained 2.58M staked ETH while peers declined. +4.04% 30d recovery noted. Yellow scored for the high observed peak-to-trough, medium confidence.
RD-F-166 yellow Deprecated contracts still holding value T-NFT (0x7B5ae07E2AF1C861BcC4736D23f5f66A61E0cA5e) and B-NFT (0x6599861e55abd28b91dd9d86A826eC0cC8D72c2c) contracts represent the pre-LiquidityPool v1 architecture (retired when the pooled eETH model launched Nov 2023). Both are still listed on the deployed-contracts page without an explicit 'deprecated' annotation. B-NFTs originally bonded 2 ETH per validator (v1 model). On-chain balance quantification not confirmed. Yellow (not red): the NFT-type structure limits concentrated exposure vs. a pooled value contract; no evidence of a >$100K single-contract ETH balance confirmed; but a functionally-deprecated surface is still listed as active without a formal deprecation notice. Curator follow-up required.
RD-F-078 n/a Chronic-exploit flag (≥3 incidents) 0 protocol-level exploits. Chronic flag (≥3 exploits) does not trigger. No CHRONIC badge warranted.
RD-F-079 n/a Same-root-cause repeat exploit No exploits on record; same-root-cause repeat exploit is definitionally inapplicable.
RD-F-080 n/a Days since last exploit No exploits on record; the 'days since last exploit' metric is undefined. Display as 'No exploit on record.'
RD-F-076 green Protocol age (days) First mainnet deploy 2023-05-02 (EtherFiNodesManager 0x8B71140AD2e5d1E7018d2a7f8a288BD3CD38916F). Age at 2026-04-28: ~1,092 days (~36 months). Exceeds 12-month A-grade floor and 24-month 'stressed protocol' threshold.
RD-F-077 green Prior exploit count Zero protocol-level exploits in 36 months of operation. Two operational incidents (no fund loss): Mode L2 bridge misconfiguration May 2024 (funds stuck, fully recovered Aug 2024); attempted domain takeover Sep 2024 (thwarted, no malicious frontend served). Hacksdatabase: 0 hits for ether.fi/etherfi. REKT leaderboard: 0 entries. DeFi hack databases: no entries. User-level phishing (Mar 2024, ~$2M individual loss) is not a protocol exploit.
RD-F-081 green Post-exploit response score No protocol-level exploits; formal post-exploit response score is N/A by construction. Two operational incidents demonstrate positive response behavior: (a) Mode bridge (May 2024): Nethermind consulted, Mode team coordinated rescue tx, funds fully recovered by Aug 2024; (b) domain takeover (Sep 2024): thwarted in ~2h52m, Seal911/Doppel/Distrust partners engaged, no malicious exposure, post-mortem published. Zero user fund loss across both incidents.
RD-F-082 green Post-mortem published within 30 days Both documented operational incidents have published post-mortems: (a) Mode bridge incident documented in etherfi-protocol/postmortems GitHub repo; (b) domain takeover documented on ether.fi Gitbook security section. No protocol exploit means no 30-day window test is formally required, but incident documentation quality is positive.
RD-F-083 green Auditor re-engaged after last exploit No protocol-level exploits; re-audit-after-exploit is N/A by construction. Nethermind consulted for Mode bridge incident. Certora formal verification continuous since Oct 2024 (15 reports through Mar 2026) — ongoing independent auditor engagement well in excess of the minimum standard.
RD-F-085 green Incident response time (minutes) Most recent material incident: Sep 2024 domain takeover. Response timeline: recovery notification 16:38 UTC; account locked and nameservers restored ~19:30 UTC = ~172 minutes (2h52m) to full resolution. No exploit means no exploit-to-statement metric applies. Team engaged Seal911, Doppel, Distrust partners during response.
RD-F-086 green Pause activations (trailing 12 months) No deliberate protocol pause activations found in trailing 12 months. EtherFiAdmin + RoleRegistry support pausing (Certora 2025-03 v2.49 audit covers this). Hypernative integration (May 2024) provides automated monitoring to support pause decisions. No Paused events publicly documented or reported in 2024-2026.
RD-F-087 green Pause > 7 consecutive days No pause event observed or reported in trailing 12 months; >7-day consecutive pause did not occur. Derived from RD-F-086 evidence.
RD-F-088 green Re-deployed to new addresses in last year No full contract set redeployment in trailing 12 months. UUPS in-place upgrades (EtherFiNodesManager impl 2026-02-02; weETH impl 2025-08-07) are proxy upgrades, not address migrations. OFT adapter migration (Paladin audit 2024-09-30) was a bridge-surface migration, not full protocol redeployment.
Real-time signals Green 7 22 of 22
RD-F-102 yellow Admin/upgrade transaction in mempool Structurally applicable: EtherFiAdmin (0x0EF8fa4760Db8f5Cd4d993f3e3416f30f942D705) + EtherFiTimelock (0x9f26d4C958fD811A1F59B01B86Be7dFFc9d20761, getMinDelay=3600s) means upgrade txs traverse mempool with a 1-hour execution window. No unauthorized admin/upgrade txs observed. Rated yellow because the 1-hour timelock minimum compresses the mempool-observation signal window to a critically narrow span — any production monitoring of this signal must achieve sub-60-minute alert-to-human latency to be actionable. This is a structural constraint that reduces the protective value of the signal for this protocol.
RD-F-103 yellow Bridge signer-set change proposed/executed LayerZero OFT deployed on 18+ L2 chains; DVN set is the functional signer-set equivalent. Post-Kelp incident (Apr 18, 2026), ether.fi paused bridging and upgraded DVN 2→4 with 4/4 threshold. LayerZero multisig authority removed from on-chain config. Rate limiting tightened. Prior configuration was 2/2 — narrow but not 1/1. Rated yellow: improvement significant but DVN configuration on 18+ chains remains ongoing attack surface; any future unscheduled DVN change should be tier-A grade-eligible.
RD-F-109 yellow Social-media impersonation scam spike Multiple fake ether.fi domains documented active as of Nov 2025 (claim-ether[.]fi, ethar[.]fi, etc.) running ETHFI giveaway scams that drain wallets. Persistent impersonation ecosystem active across X/Twitter, fake domains, and phishing overlays. This is a persistent low-level condition rather than an acute spike but warrants yellow given breadth of documented fake infrastructure.
RD-F-182 yellow Security-Council threshold reduction (RT) Applicable: EtherFiTimelock (0x9f26d4C958fD811A1F59B01B86Be7dFFc9d20761) getMinDelay=3600s (1-hour); Timelock proposer/executor Safe (0xcdd57D11476c22d265722F68390b036f3DA48c21) deployed 2024-02-16, 154 txs. No current threshold reduction event observed. Rated yellow because: (1) 1-hour minimum timelock is already at the lower practical bound — any further reduction collapses exploit window to minutes; (2) Drift Protocol comparator (6-day window between 3/5→2/5 threshold change and $285M exploit) cannot apply here — with 1-hour timelock, exploitation could follow threshold reduction within the same hour; (3) Safe multisig threshold/owners not publicly retrievable (api_status: not_found in data cache), creating a monitoring blind spot. Custom calibration required for production alerting: signal must fire within minutes of threshold-reduction event, not within hours.
RD-F-091 n/a Partial-drain test transactions No partial-drain test-transaction pattern identified in public data. Protocol has 1-hour timelock minimum; no anomaly in recent tx history surfaced. V1-deferred signal.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain signing telemetry signal — not publicly observable. Requires MPC/session-key provider data or internal ether.fi operations confirmation. Not assessable from public OSINT at T-10 tier.
RD-F-090 green Mixer withdrawal → protocol interaction No mixer-funded wallet interaction with ether.fi protocol core contracts identified in public data. Deployer wallet (0xf8a86ea1ac39ec529814c377bd484387d395421e) funded via Safe smart account — clean provenance. Tier-C signal; requires licensed CTI feed for production operation.
RD-F-092 green Unusual mempool pattern from deployer wallet Deployer 0xf8a86ea1ac39ec529814c377bd484387d395421e is not active in ongoing governance execution — Timelock proposer/executor is a separate Safe (0xcdd57D11476c22d265722F68390b036f3DA48c21). No anomalous deployer mempool pattern identified. V2-deferred signal.
RD-F-093 green Abnormal gas-price willingness from attacker wallet No elevated gas-price pattern from attacker-class wallets targeting ether.fi contracts observed in public data. V2-deferred signal.
RD-F-094 green New contract with similar bytecode to exploit template ether.fi is an original codebase (not a fork of Compound/Aave); exploit-template mimicry is less applicable. No similar-bytecode deploy targeting ether.fi protocol identified. V2-deferred signal.
RD-F-095 green Known-exploit function-selector replay No prior protocol-level exploits exist for ether.fi — no exploit-replay template baseline applicable. Rekt incidents empty. V2-deferred signal.
RD-F-096 green New ERC-20 approval to unverified contract from whale No specific whale-approval anomaly identified targeting ether.fi. This is a user-level signal rather than protocol-level. V2-deferred signal.
RD-F-097 green Sybil surge of identical-pattern transactions No sybil transaction burst pattern observed targeting ether.fi. LRT protocol architecture does not present the permissionless-pool vulnerability profile where sybil setup is a known precursor. V2-deferred signal.
RD-F-098 green TVL anomaly — % drop in <1h TVL $5.13B; -0.89% (1d); +4.04% (30d). No severe drop detected. Apr 2026 bridge precautionary pause caused temporary weETH cross-chain outflow but core Ethereum LiquidityPool TVL was unaffected. Tier-A threshold (TVL_now/TVL_baseline_30d < 0.70 in 60 min) not breached.
RD-F-099 green Oracle price deviation >X% from secondary Core eETH rebase uses internal EtherFiOracle (committee quorum), not Chainlink. External Chainlink feeds are for peripheral Liquid/Cash sub-products only. Committee oracle functioning normally; no rebase anomaly reported. Signal applies only to Chainlink-based peripheral products.
RD-F-100 green Flash loan >$10M targeting protocol tokens Governance is Snapshot-based off-chain voting with no on-chain Governor contract — flash loans cannot inflate governance voting weight. LiquidityPool is ETH-denominated restaking, not flash-loanable collateral for protocol exploitation. Flash-loan governance attack is structurally N/A. No flash-loan targeting events observed.
RD-F-101 green Large governance proposal queued No suspicious governance proposals observed on etherfi-dao.eth Snapshot space or governance.ether.fi forum as of 2026-04-28. Recent proposals appear to be routine protocol parameter or product changes. No calldata matching admin-role-change, delegatecall, or young-wallet patterns observed.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Core eETH/weETH is not a stablecoin. No stablecoin collateral in LiquidityPool. Liquifier holds stETH (ETH-denominated, not subject to the 2% stablecoin depeg threshold). Peripheral Liquid vault out of scope. Signal not applicable to core protocol.
RD-F-105 green DNS/CDN/frontend hash drift No confirmed DNS hijack or frontend hash change on primary domain www.ether.fi. Multiple fake impersonation domains documented (claim-ether[.]fi, ethar[.]fi, ciaim-ether[.]fi, etc.) but these are separate registered domains, not hijacks of the primary domain. Production hash monitoring not confirmed as implemented.
RD-F-106 green Cross-chain bridge unverified mint pattern Post-Kelp upgrade: 4/4 DVN threshold makes cross-chain forged-mint without 4-DVN consensus infeasible. No anomalous cross-chain mint patterns observed. weETH uses OFT standard with Lockbox on Ethereum — burn/mint pattern with native supply control.
RD-F-108 green GitHub force-push to sensitive branch GitHub repo etherfi-protocol/smart-contracts is active with last commit 2026-04-28. No force-push events to main or production tags observed in available commit history. Repository public and monitored.
RD-F-110 green Unusual pending/executed proposal ratio Governance uses Snapshot off-chain voting (etherfi-dao.eth). On-chain ratio analysis at Snapshot level shows active proposals numbered 1 through 11+; no unusual accumulation of pending vs executed. Data cache governance.type: timelock_only.
Dev identity & insider risk Green 3 16 of 16
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion ether.fi uses a 1-hour minimum timelock (EtherFiTimelock 0x9f26d4C958fD811A1F59B01B86Be7dFFc9d20761) for contract upgrades, with Safe multisig (0xcdd57D11476c22d265722F68390b036f3DA48c21, 154 txns) as proposer/executor. Governance forum (governance.ether.fi) contains no dedicated ACL, RoleRegistry, or access-control-change discussion threads — forum focuses on tokenomics and treasury governance. No governance-forum thread found within ±14 days of known upgrade events (EtherFiNodesManager impl 2026-02-02; weETH impl 2025-08-07 per profile §2). Safe Exec Transactions could not be decoded to individual payloads via public fetch. Not scored RED because: (1) the 1-hour timelock provides on-chain notice; (2) Certora ongoing FV programme (15 reports 2024-2026) implies pre-deploy technical review; (3) the ether.fi governance model separates operational technical upgrades from Snapshot governance votes; (4) no specific undiscussed admin-rescue-type event was affirmatively identified. Scored YELLOW.
RD-F-116 gray Contributor tenure at admin-permissioned PR GitHub org etherfi-protocol has 0 public members; individual contributor identities are not publicly disclosed beyond co-founders. The contributor tenure at time of the most recent admin-permissioned code change cannot be assessed via public OSINT. The repo has been continuously active since February 2023 (first CertiK audit) and last committed 2026-04-28, indicating a stable contributor base, but specific tenure data is unavailable.
RD-F-119 gray Commit timezone consistent with stated geography Protocol is headquartered in Cayman Islands (UTC-5 / Eastern North America time zone). GitHub repo etherfi-protocol/smart-contracts has continuous commits spanning 2023-02 to 2026-04-28. No DPRK-characteristic off-hours commit cluster reported. GitHub contributor graphs are JS-rendered and not accessible via WebFetch (process-learnings FAILED pattern). Commit-time distribution cannot be independently verified. No anomaly flagged; positive confirmation unavailable. Scored GRAY.
RD-F-122 gray Contributor paid to DPRK-cluster wallet Cannot be meaningfully assessed at OSINT tier for an entity with off-chain payroll (ether.fi Foundation, Cayman Islands entity). No on-chain contributor payment streams visible. The protocol's on-chain treasury (0x6329004E903B7F420245E7aF3f355186f2432466) shows no outbound transfers to DPRK-labeled addresses in available data. Per process-learnings: F122 is a persistent NOT ASSESSED finding for entities without on-chain payroll. Scored GRAY.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged evidence of a 'team contributor' or 'external integrator' persona with >=1M USD of attributed real-capital deposits used to build social-engineering credibility (Drift/UNC4736 reference pattern). ether.fi has no reported insider-persona compromise. Public founders (Silagadze, Kopp) have multi-year pre-crypto track records and extensive public trails inconsistent with the Drift attack pattern (6-month conference build-up, Solana durable-nonce pre-signing). F184 is M-only OSINT by design and leaves no public trace when absent; per process-learnings the correct disposition is GRAY with the Drift comparator as the reference. Scored GRAY.
RD-F-111 green Team doxx status Mike Silagadze (Founder/CEO) is fully doxxed: real name, LinkedIn with full employment history, University of Waterloo BASc, conference speaker appearances (ETH Denver, Blockworks), media interviews (Cayman Enterprise City, Crunchbase, IQ.wiki). Rok Kopp (Co-founder/CGO) is fully doxxed: LinkedIn with Top Hat and CaptainU / Groupon history. Technical contributors beyond founders: GitHub org has 0 public members; individual identities not disclosed. Team doxx status for leadership: real-name / doxxed.
RD-F-112 green Team public accountability surface Silagadze has 6+ verifiable public trails: LinkedIn (ky.linkedin.com/in/ethermike), Twitter @MikeSilagadze, Blockworks speaker profile, ETH Denver speaker profile, Apple Podcasts interview (#238), Cayman Enterprise City profile, Inovia VC (prior investor) profile, UseTheBitcoin profile, Grokipedia entry. Kopp has LinkedIn with full history plus Blockworks speaker and IQ.wiki. Technical team accountability surface unavailable (private GitHub org). Overall score anchored to founders who have deep public accountability trails.
RD-F-113 green Team other-protocol involvement history Silagadze: prior company Top Hat (edtech SaaS, ~500 employees, institutional VC-backed, exited); ether.fi is his first DeFi protocol. Kopp: prior Top Hat VP Enterprise Sales; no prior DeFi protocol involvement. No prior rug-pull or failed protocol launch linked to either founder. $23M Series A (Feb 2024) led by Bullish Capital and CoinFund with OKX Ventures, Consensys, Foresight, Amber — institutional VC backing implies reputational DD on founders. Earlier $5.3M seed co-led by North Island Ventures and Chapter One.
RD-F-114 green Deployer address prior on-chain history Primary deployer 0xf8a86ea1ac39ec529814c377bd484387d395421e: Etherscan label 'ether.fi: Deployer'; first transaction 2023-07-10; used exclusively for ether.fi contract deployments across Ethereum and Base (BaseScan label 'ether.fi: Deployer 1'). etherfi-deployer.eth (0xfa371b6fdcb18d65e88c4c785d61801e176a9ae7): first activity 2024-03-18; ENS-bound. Both deployer addresses show normal-dev-history pattern. No links to prior rug or scam-labeled contracts on either address.
RD-F-115 green Prior rug/exit-scam affiliation Web search for 'ether.fi rug scam exit fraud' returned zero protocol-specific results. Neither Silagadze nor Kopp linked to prior rug via OSINT. Rekt database returns empty incident list for ether.fi (data cache sources.rekt.incidents = []). No rug-deployer class pattern observed on either deployer address.
RD-F-117 green ENS/NameStone identity bound to deployer ENS name 'etherfi-deployer.eth' is bound to deployer address 0xfa371b6fdcb18d65e88c4c785d61801e176a9ae7 (active since 2024-03-18). This provides an ENS-resolvable identity anchor for the secondary deployer. Primary deployer 0xf8a86ea1ac39ec529814c377bd484387d395421e does not carry an ENS name but holds the Etherscan off-chain label 'ether.fi: Deployer'. Partial ENS binding present; scored green given ENS binding on at least one deployer address.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of social handle reuse across failed or rugged projects. @MikeSilagadze Twitter account has a coherent identity tied to Top Hat (pre-2022) and ether.fi (2022-present). @ether_fi Twitter account is the protocol account. No alternate aliases associated with prior rug-labeled projects found via OSINT search.
RD-F-120 green Video-off/voice-consistency flag Mike Silagadze has multiple video and podcast appearances: Apple Podcasts episode #238 'Mike Silagadze, CEO of ether.fi, on ETH, Re-Staking, and Building Start-Ups'; Blockworks conference speaker; ETH Denver 2023 speaker. Physical presence at conferences is documented. Rok Kopp similarly has Blockworks speaker profile. No curator observation of video-off policy or timezone inconsistency with stated Cayman Islands / North American domicile.
RD-F-121 green Contributor OSINT depth score Mike Silagadze OSINT depth score: 5/5. LinkedIn with full employment history (Top Hat CEO 2012-2021, ether.fi 2022-present), University of Waterloo BASc Electrical Engineering 2007, conference talks (ETH Denver, Blockworks, Consensus Toronto 2025), podcast appearances, Crunchbase, media coverage (CoinDesk, Cayman Enterprise City, Mondaq), prior company with institutional VCs (Inovia) and verifiable growth story (~500 employees). Rok Kopp OSINT depth score: 4/5. Full LinkedIn history, Blockworks speaker, IQ.wiki. Technical team beyond founders: score unavailable. Protocol-level score anchored to high-scoring founders.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0xf8a86ea1ac39ec529814c377bd484387d395421e was funded by 0xf40bcc0845528873784f36e5c105e62a93ff7021, Etherscan-labelled 'Smart Account by Safe'. Funding occurred 2023-07-10 (first deployer tx). No Tornado Cash or Railgun interaction observed in the funding path. The 30-day pre-deploy window is clean — funding source is an institutional Safe multisig, not a mixer. etherfi-deployer.eth funded by 0x077D360f11d220e4d5d831430c81c26c9be7c4a4 on 2024-03-18, also no mixer involvement. RD-F-124 critical factor: CLEAN.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK / Lazarus cluster proximity found at any hop level. Deployer 0xf8a86ea1ac39ec529814c377bd484387d395421e funded by institutional Safe (1-hop: protocol-owned multisig). OFAC SDN list: no match for deployer or any protocol-associated address. Chainalysis public label on deployer: 'ether.fi: Deployer' (institutional). Web search 'ether.fi DPRK Lazarus North Korea developer' returned zero protocol-specific results. April 2026 reporting on Lazarus/Kelp DAO ($292M exploit) explicitly did not implicate ether.fi. Founders (Silagadze, Kopp) have multi-year Canadian/North American tech track records inconsistent with DPRK patterns. No nation-state proximity evidence at any available evidence tier. RD-F-125 critical factor: CLEAN. No rubric F-trigger applies.
Fork / dependency lineage Green 11 10 of 10
RD-F-135 yellow Shared-library version with known-vuln status OZ v4.8.0 (contracts) and v4.8.2 (upgradeable): no critical CVEs in these versions; v4.8.2 is above the v4.8.1 security patch threshold. Solady commit 8583a6e: no specific CVE found. EigenLayer-contracts dependency: EigenLayer underwent significant slashing upgrade in 2025; the pinned SHA's compatibility with the deployed EigenLayer system is covered by the Certora 2025-04-12 EigenLayer Slashing FV report. The OZ v4.8.x versions do not include v5.x virtual share inflation protection (irrelevant as eETH/weETH are not ERC-4626). The residual risk is the EigenLayer dependency — any critical vulnerability in EigenLayer's deployed contracts (which ether.fi calls via EigenPod interfaces) would directly affect ether.fi.
RD-F-126 n/a Is-a-fork-of ether.fi is an original protocol. The GitHub repo has no fork relationship in its metadata (it shows 51 forks of ether.fi's code, but is not itself a fork). README describes a novel per-node EigenPod proxy architecture. No protocol predates ether.fi at mainnet scale with this architecture.
RD-F-127 n/a Upstream patch not merged Not applicable — ether.fi is an original codebase, not a fork. No upstream exists to publish patches.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable — ether.fi is an original codebase. No upstream fork disclosure applies.
RD-F-129 n/a Code divergence from upstream (%) Not applicable — ether.fi is an original codebase. Code divergence from an upstream cannot be computed.
RD-F-130 n/a Fork depth (generations from original audit) Not applicable — ether.fi is an original codebase. Fork depth = 0 (not a fork at all).
RD-F-131 n/a Fork retains upstream audit coverage Not applicable — ether.fi is not a fork. Upstream audit coverage inheritance does not apply.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable — ether.fi is not a fork. No upstream audited-defaults to deviate from.
RD-F-133 green Dependency manifest uses unpinned versions The .gitmodules file pins openzeppelin-contracts to branch v4.8.0 and openzeppelin-contracts-upgradeable to branch v4.8.2. The git tree confirms all 6 submodule dependencies are pinned to specific commit SHAs: forge-std (77041d2), OZ (0457042), OZ-upgradeable (f6c4c9c), solady (8583a6e), v3-core (e3589b1), v3-periphery (80f26c8). EigenLayer-contracts is commit-SHA pinned in the tree (via the submodule SHA mechanism) but not branch-constrained in .gitmodules — this is the correct posture for a dependency that undergoes active development. Build is reproducible at current commit. No ^ or ~ floating version references (Foundry uses git submodules, not npm packages).
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release incident found for any of the 6 GitHub-hosted git submodule dependencies (forge-std, OZ contracts, OZ upgradeable, solady, v3-core, v3-periphery, eigenlayer-contracts) in trailing 90 days as of 2026-04-28. These are GitHub-hosted git submodules (not npm registry packages), which significantly reduces supply-chain attack surface.
Post-deploy hygiene & change mgmt Green 10 13 of 13
RD-F-137 yellow Upgrade frequency (per 90 days) Upgrade cadence is approximately monthly across the protocol suite. In the last 90 days (Feb–Apr 2026): EtherFiNodesManager upgraded 2026-02-02; Priority Queue contracts deployed Mar 2026. In last 12 months: weETH upgraded twice (Mar and Aug 2025), EtherFiAdmin upgraded twice (Mar and Aug 2025), EtherFiNodesManager upgraded Feb 2026. High but manageable upgrade frequency; each change is audited by Certora.
RD-F-139 yellow Post-audit code changes without re-audit EtherFiNodesManager upgraded 2026-02-02 (impl 0x789CbBe0..., tx 0x9eeb5aca...). Most recent Certora audits: 2026-01-29 (Reaudit Core Contracts) — 4 days before the upgrade — and 2026-01-20 (Liquid-Refer/KING/Cross-Pod). No audit explicitly named for the February 2026 implementation found. The temporal gap means the specific deployed bytecode cannot be confirmed as audited. Partially mitigated by continuous Certora engagement (15 reports in 18 months) and fast cycle time.
RD-F-146 yellow New contract deploys in last 30 days Priority Queue suite deployed ~March 2026: EtherFiRedemptionManager (0xdadef1ff...), PriorityWithdrawalQueue, and UUPSProxy contracts are new surface. Certora Priority Queue audit dated 2026-03-05 covers this deployment. New attack surface is now live and recently audited.
RD-F-136 gray Deployed bytecode matches signed release tag No formally signed release-tag → deployed bytecode mapping found in the GitHub repo. Commits present but no signed release artifacts or formal reproducibility attestation published. Certora uses a fork of the repo but public bytecode-matching documentation not found.
RD-F-142 gray Storage-layout collision risk across upgrades UUPS upgrades performed multiple times across major contracts (weETH: 4 upgrades, EtherFiAdmin: 5 upgrades, EtherFiNodesManager: multiple). OZ upgrades plugin presumably used internally but no public storage layout collision report found. Cannot confirm absence of collision risk externally.
RD-F-145 gray Deployed bytecode reproducibility Foundry build system with pinned solc versions (0.8.13, 0.8.27) and 1500 optimizer runs. Bytecode should be reproducible in theory. No formal reproducibility attestation or verification artifact published. Gray pending curator verification.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No evidence of hot-patch deploys bypassing timelock in last 30 days. EtherFiTimelock shows only 2 total transactions; most recent ~5 days before assessment. Priority Queue deployment (Mar 2026) used standard safe+timelock path. No bypass events found.
RD-F-140 green Fix-merged-but-not-deployed gap No specific open fix-merged-not-deployed gap identified. Priority Queue audit (2026-03-05) is post-deployment and shows an active audit → deploy cycle. No obviously undeployed security PR identified in recent commits.
RD-F-141 green Test-mode parameters in deploy No test-mode artifacts found. All contracts use RoleRegistry with production RBAC. LiquidityPool uses IRoleRegistry for all admin paths. No test oracle, infinite allowance, or admin=deployer remnants observed in source.
RD-F-143 green Reinitializable implementation (no _disableInitializers) All core UUPS implementation contracts call _disableInitializers() in their constructor: LiquidityPool (confirmed), EETH/eETH (confirmed, line in constructor), weETH (confirmed line 56), EtherFiAdmin (confirmed), StakingManager (confirmed), EtherFiNodesManager (confirmed), WithdrawRequestNFT (confirmed line 104), EtherFiRedemptionManager (confirmed), RoleRegistry (confirmed). No reinitializable implementation found.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory redeployment pattern identified for core protocol contracts. Standard deployer EOA deployment pattern observed.
RD-F-168 green Stale-approval exposure on deprecated router No deprecated router or protocol contracts identified in core scope. All UUPS upgrades maintain same proxy addresses (existing user approvals remain valid and are not stale on a deprecated surface). No deprecated router found.
RD-F-185 green Bridge rate-limiter / chain-pause as positive mitigant EtherFiRedemptionManager implements a configurable per-window outflow rate limiter (setCapacity, setRefillRatePerSecond, setLowWatermarkInBpsOfTvl admin functions). No chain-pause capability exists (Ethereum mainnet). Rate limiter deployed and configurable by ETHERFI_REDEMPTION_MANAGER_ADMIN_ROLE. Certora Priority Queue audit (2026-03-05) covers this contract.
Cross-chain & bridge Green 6 12 of 12
RD-F-157 yellow Bridge TVL per validator ratio Total weETH bridged cross-chain: approximately 5–10% of $5.13B TVL (exact cross-chain holding not in data cache, which shows 100% Ethereum TVL). Estimated $250–500M across 4 DVNs = ~$62–125M per DVN validator. Moderate risk concentration ratio — not catastrophic, but meaningful at this TVL scale.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) LayerZero OFT DVN config post-SecurityUpgrade: 4-of-4 required DVNs (LayerZero 0x589d, Nethermind 0xa59B, Horizen 0x3802, Canary 0xa4fE) across 20 chains. No optional DVNs. Rate-limiters implemented: 20 weETH/4h (restricted, 11 chains: zkSync, Scroll, Blast, etc.), 2,000 weETH/4h (standard, 6 chains: Linea, Monad), 3,000–10,000 weETH/4h (high-throughput: Base, OP). PAUSER_ROLE emergency stop present. YELLOW rationale: (1) SecurityUpgrade.s.sol lives in archive/OFTSecurityUpgrade/ directory, meaning this was a historical upgrade — pre-upgrade DVN config (possibly weaker) was in production for an unknown period; (2) LayerZero Labs is one of the 4 required DVNs, meaning LayerZero Labs itself must validate messages — partial operator self-custody of validation. The F185 positive mitigant (rate limiter) is present.
RD-F-155 gray Bridge validator-set rotation recency SecurityUpgrade.s.sol represents the post-upgrade 4-DVN config. The upgrade script exists in archive/OFTSecurityUpgrade/ subdirectory, indicating a prior DVN configuration was changed. Rotation date not verified from available sources. No governance forum post on DVN rotation found.
RD-F-147 green Protocol has bridge surface Confirmed bridge surface: weETH bridged across 20+ chains. Two architectures: (1) LayerZero OFT (EtherFiOFTAdapterUpgradeable on Ethereum, EtherfiOFTUpgradeable on L2s) for Base, Linea, Scroll, BNB, Optimism, zkSync, Swell, Avalanche, Blast, Berachain, Monad, HyperEVM, and others. (2) Arbitrum canonical bridge (StandardArbERC20, ClonableBeaconProxy pattern) for Arbitrum One.
RD-F-148 green Bridge validator count (M) LayerZero path: 4 required DVNs per SecurityUpgrade.s.sol: LayerZero (0x589dEDbD617e0CBcB916A9223F4d1300c294236b), Nethermind (0xa59BA433ac34D2927232918Ef5B2eaAfcF130BA5), Horizen (0x380275805876Ff19055EA900CDb2B46a94ecF20D), Canary (0xa4fE5A5B9A846458a70Cd0748228aED3bF65c2cd). Applied to all 20 configured chains. Arbitrum canonical: Arbitrum validator set (not protocol-controlled).
RD-F-149 green Bridge validator threshold (k-of-M) LayerZero OFT: 4-of-4 required DVN threshold (all 4 must validate). requiredDVNCount: 4, optionalDVNCount: 0, optionalDVNThreshold: 0. Maximum strictness — no optional DVN bypass. Kelp DAO 1/1 catastrophic edge case does not apply. Arbitrum canonical: optimistic fraud proof mechanism (7-day challenge window).
RD-F-150 green Bridge validator co-hosting 4 DVNs are distinct organizations: LayerZero Labs (protocol team), Nethermind (UK security/infrastructure firm), Horizen (decentralized protocol), Canary (independent validator). No evidence of shared ASN/datacenter. OSINT inference only — not verified via infrastructure network scan.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — green] LayerZero OFT application contracts (EtherfiOFTUpgradeable, EtherFiOFTAdapterUpgradeable) do not implement ecrecover at the application layer. Cryptographic message authentication is handled by LayerZero V2 endpoint DVN infrastructure, not application-layer signature checks. No ecrecover call found in inspected source. Wormhole-class zero-address ecrecover vulnerability not present.
RD-F-152 green Bridge binds message to srcChainId LayerZero V2 OFT standard binds each message to srcEid (endpoint ID per chain) by design. Cross-chain messages are chain-bound at the LayerZero protocol level. EtherfiOFTUpgradeable extends OFTUpgradeable which inherits LayerZero V2 per-path message routing. Arbitrum canonical: srcChainId enforced at L1 gateway level.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero V2 endpoint handles replay protection via ordered-message delivery semantics per OApp path. Application-level nonce tracking not required under V2 ordered delivery. Arbitrum canonical: sequence-numbered messages, replay-protected at gateway level.
RD-F-154 green Default bytes32(0) acceptable as valid root [★ CRITICAL — green] LayerZero V2 OFT does not use Merkle roots as message authentication. Authentication is DVN-threshold-based (4-of-4 required). The Nomad $190M bug class (default bytes32(0) root accepted as valid) is architecturally inapplicable to this DVN-based pattern. No Merkle root acceptance pattern found in EtherfiOFTUpgradeable or EtherFiOFTAdapterUpgradeable.
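As an added illustration of the two bridge checks graded in RD-F-151 and RD-F-154 (a constructed teaching contract, not ether.fi or LayerZero code), the weak form of each check is shown beside its hardened form; the `guardians`, `confirmAt` and `provenRoot` mappings are hypothetical stand-ins for a bridge receiver's state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed teaching contract, not ether.fi or LayerZero code. It contrasts the
// weak and hardened forms of the two bridge checks graded in RD-F-151 and RD-F-154.
contract BridgeChecksExample {
    mapping(uint256 => address) public guardians;   // hypothetical registered signers
    mapping(bytes32 => uint256) public confirmAt;   // hypothetical root -> time it becomes valid
    mapping(bytes32 => bytes32) public provenRoot;  // hypothetical leaf -> root it was proven under

    // Root bytes32(0) marked "confirmed" at deployment: the dangerous default.
    constructor(address g) { guardians[0] = g; confirmAt[bytes32(0)] = 1; }

    // Weak: ecrecover yields address(0) on a malformed signature (bad v, zero r/s).
    // An unregistered index also reads address(0), so 0 == 0 and the check passes.
    function verifySigWeak(bytes32 digest, uint256 idx, uint8 v, bytes32 r, bytes32 s)
        public view returns (bool)
    {
        return ecrecover(digest, v, r, s) == guardians[idx];
    }

    // Hardened: reject the zero address on both sides before comparing.
    function verifySigSafe(bytes32 digest, uint256 idx, uint8 v, bytes32 r, bytes32 s)
        public view returns (bool)
    {
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "bad signature");
        require(guardians[idx] != address(0), "unknown guardian");
        return signer == guardians[idx];
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        uint256 t = confirmAt[root];
        return t != 0 && block.timestamp >= t;
    }

    // Weak: an unproven leaf maps to bytes32(0); because confirmAt[0] is set,
    // any leaf is "acceptable" without ever having been proven.
    function processWeak(bytes32 leaf) public view returns (bool) {
        return acceptableRoot(provenRoot[leaf]);
    }

    // Hardened: the zero root is never a valid proof anchor.
    function processSafe(bytes32 leaf) public view returns (bool) {
        bytes32 root = provenRoot[leaf];
        require(root != bytes32(0), "message not proven");
        return acceptableRoot(root);
    }
}
```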
RD-F-156 green Bridge uses same key custody for >30% validators 4 DVNs are 4 distinct organizations: LayerZero Labs, Nethermind, Horizen, Canary. No single custodian holds >30% of the DVN set (each organization is 25% = 1-of-4). No shared custody pattern identified. Each entity manages its own signing infrastructure independently.
Threat intelligence & recon Green 11 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Multiple confirmed impersonator domains documented: claim-ether[.]fi, ciaim-ether[.]fi, ciaim-ether[.]com, ciaim-etherfi[.]com, app-etherpoints[.]fi, ethercoindefi[.]app, ethar[.]fi. Active as of Nov 2025, running ETHFI giveaway phishing campaigns that drain user wallets. PCRisk article updated Nov 19, 2025. Multiple domains span 2+ years of persistent impersonation activity. Delta from most-recently-documented registration to assessment (2026-04-28) is ~160 days — outside the 90-day trigger window for those specific domains, but the ongoing ecosystem warrants yellow. New registrations likely ongoing; production WHOIS/DomainTools monitoring required.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Peer-class sector assessment: LRT protocols are elevated-targeting territory post-Kelp ($292M DPRK, Apr 2026). Bybit hack (Feb 2025, $1.46B) involved multi-week supply-chain positioning. Drift Protocol ($285M, Apr 2026) involved 6-month persona build-up. For ether.fi with $5.13B TVL and $9.17B peak TVL, a 30–90 day reconnaissance window is sector-consistent with peer incidents. No ether.fi-specific recon activity confirmed, but sector elevation warrants yellow.
RD-F-164 gray Leaked credential on paste/sentry site M-only signal requiring dedicated paste-site/credential-dump monitoring. No confirmed paste-site or credential-dump referencing ether.fi infrastructure endpoints or keys identified in public data. Production pipeline would need DomainTools/PasteHunter or similar.
RD-F-165 gray Protocol social channel has scam-coordinator flag M-only signal requiring curator social watchlist. ether.fi operates Discord at discord.gg/etherfi. Multiple fake domains and phishing sites indicate active social-engineering operations against the community, but no specific Discord/Telegram channel admin flagged on a curator scam-coordinator watchlist identified from public data.
RD-F-158 green Known-threat-actor cluster has touched protocol No confirmed known-threat-actor wallet cluster interaction with ether.fi protocol core contracts identified in public data. KelpDAO ($292M Lazarus, Apr 18 2026) used rsETH (peer LRT) — same sector, same LayerZero OFT architecture, but no direct ether.fi touch confirmed. Signal requires licensed CTI feed; public-proxy observation: no confirmed interaction.
RD-F-159 green Attacker wallet pre-strike probe (low-gas failing txs) No low-gas failing transaction pattern from attacker-labeled wallets targeting ether.fi protocol contracts identified in public mempool data.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps Protocol uses OpenZeppelin contracts (actively maintained), EigenLayer interfaces, SSV Network interfaces, LayerZero OFT standard. No GitHub security advisory flagging a malicious release in any of these dependencies identified as of 2026-04-28.
RD-F-162 green Known-exploit-template selector deployed by any address No protocol-level exploits in ether.fi history; no exploit-template baseline for the specific ether.fi contract architecture. No known-exploit-template selector-pattern deployed by any address targeting ether.fi identified in public data.
Tooling / compiler / AI Green 8 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Deployed bytecode for core contracts (LiquidityPool, eETH, weETH, EtherFiNodesManager) is compiled with Solidity 0.8.13 (confirmed via Etherscan verified source metadata). Solidity 0.8.13 carries the StorageWriteRemovalBeforeConditionalTermination bug (medium/high severity), affecting versions 0.8.13-0.8.16, fixed in 0.8.17. The bug triggers when the Yul optimizer is enabled and code contains storage writes before inline-assembly blocks that call return(...) or stop(). The foundry.toml configures 0.8.27 (no known bugs, clean), suggesting newer contracts are compiled with 0.8.27 but legacy proxy implementations have not been recompiled. Yellow rather than red because: (a) the bug requires specific inline-assembly patterns that may not be present in ether.fi's contract code, and (b) Certora FV provides compensating assurance on core invariants.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Not applicable — ether.fi is an original codebase, not an AI-assisted copy of an audited upstream. Bytecode similarity to audited-upstream-with-behavior-deviation does not apply to original protocols.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship markers (Co-authored-by: GitHub Copilot or similar) found in the 10 most recent commits sampled (2026-03-16 and earlier). Primary committers are pankajjagtapp and seongyun-ko with standard commit messages. GitHub authenticated code search required for an exhaustive historical scan.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public blog post, tweet, or documentation from the ether.fi team discloses AI-generated Solidity in security-critical paths. Technical documentation and audit disclosures make no such claim. No relevant OSINT found.
RD-F-174 green Dependency tree uses EOL Solidity version Deployed contracts use Solidity 0.8.13 — not an EOL version. Solidity Foundation considers 0.8.x active/supported. OpenZeppelin v4.8.x is still maintained. No EOL Solidity version (0.4.x, 0.5.x, 0.6.x) detected. Version 0.8.13 is below the current recommended 0.8.27 but within the supported range.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No acknowledgment-time SLA published in ether.fi's own documentation (Gitbook, website, help center). Immunefi 'Category 3: Approval Required' disclosure policy requires team approval before public release but does not specify a response time window. No protocol-specific SLA (e.g., '72h ack') found. Yellow: a disclosure channel exists, but the lack of an explicit SLA reduces hygiene posture.
RD-F-175 green Disclosure channel exists Immunefi bug bounty program at https://immunefi.com/bug-bounty/etherfi/ is the public disclosure channel. Active program; 60 assets in scope; KYC + PoC required; Immunefi Standard Badge holder. Smart contract critical: $10K–$300K; high: $5K–$15K; medium: $1K–$5K; low: $1K flat. Web/App critical: $5K–$25K. Channel is publicly listed and functional.
RD-F-177 green Prior known-ignored disclosure No evidence of a pre-known disclosed vulnerability that was subsequently exploited. The absence of any protocol exploit eliminates the primary source of this finding. No historical disclosed-and-ignored advisory found in Immunefi public records, GitHub advisories, or media coverage. Neither operational incident (Mode bridge; domain takeover) was preceded by a known-and-ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory issued against ether.fi protocol contracts. GitHub Advisory Database: no ether.fi entries. CISA catalog: no entries. Web search 'ether.fi CVE GHSA': no results. Two operational incidents are documented in protocol's own channels, not via formal CVE/GHSA process (appropriate for non-exploit operational events).
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol ether-fi