Upstream patch not merged

JustLend DAO's assessment for RD-F-127 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Key Compound v2 security patches post-2022 include empty-market/donation attack mitigation (exploited in Hundred Finance 2023, Sonne Finance 2024, Onyx 2023). JustLend GitHub shows no post-2022 commits addressing this specific vector (last substantive code commit: February 2023). Whether JustLend's TVM-adapted codebase has applied the empty-market mitigation is unconfirmed. Yellow rather than red: TVM-specific attack dynamics differ from EVM; no active exploit has occurred; mitigation status requires curator Tronscan verification.

Sources #

URL
Sonne Finance post-mortem — Compound v2 fork donation attackSonne Finance post-mortem — Compound v2 donation attack exploited May 2024retrieved 2026-05-17
GitHub
JustLend GitHub commit history — no upstream patch evidenceGitHub commits — no post-2023 security patch commits visible for empty-market vectorretrieved 2026-05-17
URL
Compound forum — empty market exploit and v2 guidanceHundred Finance / Compound v2 empty market exploit discussion — upstream patch guidance issued 2023retrieved 2026-05-17

Methodology #

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol justlend factor RD-F-127 score yellow collected_at 2026-05-17 10:25:32