defirisk.co
rubric v1.7.0

Liquid Collective (LsETH)

Institutional-grade Ethereum liquid staking protocol. Users deposit ETH and receive LsETH (cToken-style ERC-20 rebasing receipt). Stake is delegated round-robin to a permissioned consortium of enterprise node operators (Coinbase Cloud, Figment, Staked, Blockdaemon) coordinated by Alluvial. Governance is multisig-only: three Gnosis Safes (proxy_admin 4-of-7, governor 4-of-7 with same signers, executor 2-of-3). No on-chain Governor, no Timelock, no Snapshot, no active TLC token-based governance as of profile date. Original codebase (River protocol). No bug bounty program at ~$767M TVS.

Sector lst
TVL $766.9M
Reviewed May 16, 2026
Factors 184
Categories 13
Risk score 27.8
Deployments Ethereum · $766.9M
01

Risk profile at a glance

0 red · 5 yellow · 7 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 12 25 of 25
RD-F-007 red Bug bounty presence & max payout No formal bug bounty program active at $767M TVS. Vulnerability disclosure policy explicitly states 'We are currently designing our bug bounty program.' No Immunefi, Cantina contest, or Sherlock program found. Only a security@liquidcollective.io email channel exists with a promise of retroactive rewards once a program is designed.
RD-F-183 red Bug bounty scope gap on highest-TVL contracts No formal bug bounty program exists at $767M TVS. The vulnerability disclosure policy explicitly states 'We are currently designing our bug bounty program.' This is the absence of any program — not a scope-exclusion gap within an existing program. All River proxy contracts holding user ETH (0x8c1BEd5b...) have no whitehat economic incentive for responsible disclosure. At $767M TVS this is the most material standalone code-security gap. Retroactive rewards are promised once the program launches but no timeline is specified.
RD-F-001 yellow Audit scope mismatch Nine audits across 2022-2024 with Certora Nov 2024 as the most recent. River proxy last upgraded 2024-11-20 within the audit window. However, v1.3.0 BYOV feature commits (Feb-Apr 2026) post-date all published audits and no independent re-audit of the new BYOV validator-management logic has been published as of 2026-05-17. Post-audit fix commits in Mar 2026 reference prior audit finding IDs traceable to Certora findings. Partial mismatch: core v1.2.x audited; v1.3.0 BYOV additions not independently re-audited.
RD-F-014 yellow Reentrancy guard on external-calling functions River.1.sol uses balance-delta validation pattern rather than explicit nonReentrant for _pullELFees, _pullCoverageFunds, _pullCLFunds. WLSETH.1.sol has nonReentrant on transfer and transferFrom added in commit 964f0e3 (Apr 2026). Not all external-calling functions carry explicit guards — River.1.sol relies on checks-effects pattern. Multiple Spearbit reviews would have flagged exploitable reentrancy; none found. Yellow for partial coverage without full guard adoption.
RD-F-010 gray Static-analyzer high-severity count No published Slither/Mythril/Semgrep run output available for this protocol. Certora FV and multiple Spearbit reviews serve as proxy evidence but do not constitute raw static-analysis tool output. Cannot count high-severity findings without tool execution on verified source. Marked [?] needs tool run per methodology.
RD-F-018 gray Signed/unsigned arithmetic confusion No symbolic execution output available. Solidity 0.8.x overflow protection mitigates common signed/unsigned confusion. Certora FV provides additional mathematical correctness proofs for arithmetic paths. Cannot confirm absence without tool execution.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Protocol uses Transparent Upgradeable Proxy (TUPProxy) pattern, not UUPS. The _authorizeUpgrade function is only relevant for UUPS proxies. Upgrade authority routes through the ProxyAdmin Safe (0x8EE3fC0Bcd7B57429203751C5bE5fdf1AB8409f3). UUPS factor not applicable.
RD-F-002 green Audit recency Most recent audit is Certora November 2024 — approximately 181 days before assessment date (2026-05-17). Within the 365-day green threshold for audit recency.
RD-F-003 green Resolved-without-proof findings May 2023 Cantina/Spearbit review found 2 Critical + 1 High all marked Fixed with 91.8% remediation rate. Post-audit v1.3.0 commits in March 2026 explicitly reference audit finding IDs demonstrating traceable resolution. No findings marked resolved without verifiable on-chain evidence identified across accessible audit summaries.
RD-F-004 green Audit count Three distinct audit firms cover on-chain bytecode: Halborn (1 engagement Jul 2022), Spearbit (7 engagements 2022-2023), Certora (1 engagement Nov 2024). Quantstamp May 2024 covered offchain components only. Protocol meets the 2+ distinct firm threshold easily.
RD-F-005 green Audit firm tier Spearbit is Tier-1; Certora is Tier-1 (formal verification specialist). Halborn is Tier-2. Protocol has at least two Tier-1 firms covering deployed code across multiple engagements.
RD-F-006 green Audit-to-deploy gap Certora audit signed November 2024; River proxy last upgraded 2024-11-20 per Etherscan — within the same calendar month. Approximate gap 0-30 days, well within the 60-day green threshold.
RD-F-008 green Ignored bounty disclosure No prior exploits documented. Data cache rekt.incidents empty. No post-mortem evidence of ignored disclosure. Factor is N/A to prior incidents — scored green per taxonomy guidance (no prior incidents, cannot assess → N/A-equivalent green).
RD-F-009 green Formal verification coverage Certora Nov 2024 used the Certora Prover (CVL specification language). The certora/specs directory contains 19 specification files covering AllowlistV1, ConsensusLayerDepositManagerV1, CoverageFundV1, Firewall, OperatorRegistryV1, RedeemManagerV1, RiverV1, SharesManagerV1, and UserDepositManagerV1. Certora confirmed 'Prover demonstrated implementation is correct with respect to formal rules.' This is genuine Prover-based FV with broad contract coverage. A dedicated RiverV1DivideOnlyByConstant.spec also shows mathematical invariant coverage.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No selfdestruct opcode found in source inspection of River.1.sol, ELFeeRecipient.1.sol, Withdraw.1.sol, Oracle.1.sol, RedeemManager.1.sol, or CoverageFund.1.sol. TUPProxy extends OZ TransparentUpgradeableProxy which does not contain selfdestruct. Protocol does not use selfdestruct anywhere in core contracts.
RD-F-012 green delegatecall with user-controlled target Source inspection found no user-controlled delegatecall in River.1.sol, Oracle.1.sol, OperatorsRegistry.1.sol, or RedeemManager.1.sol. TUPProxy uses standard OZ TransparentUpgradeableProxy delegatecall to fixed implementation address. No user-supplied delegatecall target found.
RD-F-013 green Arbitrary call with user-controlled target Source inspection found no arbitrary .call(target, data) where target is user-supplied. External calls in River.1.sol target fixed state-variable addresses retrieved via getter functions (RedeemManagerAddress.get(), ELFeeRecipientAddress.get()). No user-controlled call targets found.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Protocol accepts ETH (not ERC-777/1155/721 tokens). LsETH is a custom ERC-20 rebasing token without ERC-777 callback hooks. No ERC-777, ERC-1155, or ERC-721 integration found in core contracts.
RD-F-016 green Divide-before-multiply pattern Certora FV specs include RiverV1DivideOnlyByConstant.spec which specifically verifies division-by-constant-only constraints in River — a formal proof against certain divide-before-multiply patterns. No raw Slither output available but FV provides stronger coverage for the core arithmetic.
RD-F-017 green Mixed-decimals math without explicit scaling LsETH protocol deals exclusively with ETH (18 decimals) and LsETH (18 decimals). No multi-decimal token pair arithmetic exists in core contracts. SharesManager.1.sol manages shares in the same 18-decimal space throughout.
RD-F-019 green ecrecover zero-address return unchecked No ecrecover calls found in River.1.sol, Oracle.1.sol, RedeemManager.1.sol, or OracleManager.1.sol. TLC.1.sol uses OZ ERC20Permit which inherits OZ ECDSA library that includes the zero-address guard. No unguarded ecrecover usage identified.
RD-F-020 green EIP-712 domain separator missing chainId TLC.1.sol uses OZ ERC20Permit via __ERC20Permit_init(NAME). OZ EIP712 implementation includes chainId in the domain separator by default. No custom domain separator implementation found that omits chainId.
RD-F-022 green Public initialize() without initializer modifier Custom Initializable.sol constructor sets Version.set(type(uint256).max) locking all implementation contracts against re-initialization — equivalent to OZ _disableInitializers(). All initXxxV1() functions use external init(n) modifier that checks and increments version atomically preventing re-use. No unprotected public initialize() found across River.1.sol, Oracle.1.sol, RedeemManager.1.sol, OperatorsRegistry.1.sol, CoverageFund.1.sol, ELFeeRecipient.1.sol, Withdraw.1.sol, Allowlist.1.sol.
RD-F-023 green Constructor calls _disableInitializers() Custom Initializable.sol constructor sets Version to type(uint256).max which functionally disables all init(n) calls on implementation contracts — equivalent to OZ _disableInitializers(). All implementation contracts inherit this via Initializable base class.
RD-F-024 green Code complexity vs audit coverage Nine sequential audits across 4 years provide deep incremental coverage — Spearbit PR-specific reviews targeted individual code changes. Certora FV adds mathematical coverage across 19 spec files. Audit cadence tracks code complexity growth. LOC-per-audit-day ratio not computed but audit continuity is exceptional for a protocol of this size.
Governance & admin Yellow 44 24 of 24
RD-F-028 red Low-threshold multisig vs TVL CRITICAL: At $766.86M TVS, the Executor Safe is 2-of-3 EOA signers with zero execution delay — critically low. The Proxy Admin Safe (4-of-7) controls ALL proxy upgrades with no timelock. Peer norm at this TVL: Lido (8-of-11 + 48h TL), Aave v3 guardian (5-of-9), Rocket Pool oDAO (14-of-19 + 2d TL). 4-of-7 no-delay at $767M is materially below peer norm. The Executor Safe at 2-of-3 is especially low — only 2 of 3 EOA signers needed to execute protocol operations with no delay.
RD-F-032 red Timelock duration on upgrades 0 hours timelock. No Timelock contract identified anywhere in the governance stack. Data cache confirms governance.timelock_address: null and timelock_delay_seconds: null. Proxy Admin Safe executes upgrades immediately upon 4-of-7 signature collection. Governor Safe executes protocol parameter changes immediately upon 4-of-7 signatures. No queue, no delay, no guardian veto window.
RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action. River.1.sol: setAllowlist(), setKeeper(), setGlobalFee(), setCollector(), setELFeeRecipient(), setCoverageFund(), setMetadataURI() — all onlyAdmin with no delay. TUPProxy: pause()/unpause() admin-callable without delay. Oracle: addMember/removeMember/setQuorum — onlyAdmin with no delay. OperatorsRegistry: addOperator/setOperatorStatus/setOperatorLimits — onlyAdmin with no delay. All sensitive actions execute immediately through the Governor Safe (4-of-7, no TL) or Proxy Admin Safe (4-of-7, no TL).
RD-F-038 red Proposal execution delay < 24h Zero execution delay on all governance actions. No proposal queuing, no timelock, no minimum delay between signature collection and execution. The three Safes execute transactions immediately. This is confirmed by data cache (timelock_delay_seconds: null) and on-chain structure — TUPProxy and River contracts accept admin calls with no delay check.
RD-F-040 red Emergency-veto multisig present No dedicated emergency-veto multisig or guardian role exists. TUPProxy admin (Proxy Admin Safe) holds pause authority but is the same entity with full upgrade authority — not an independent check. No separate veto entity exists that could block a malicious Proxy Admin Safe upgrade proposal. The only 'emergency' mechanism is the same Safe that could be the threat vector.
RD-F-041 red Rescue/emergencyWithdraw without timelock CRITICAL: No dedicated emergencyWithdraw or rescue function in River.1.sol, Withdraw.1.sol, CoverageFund.1.sol, or RedeemManager.1.sol. However, the Proxy Admin Safe can upgrade any proxy implementation to arbitrary code with no timelock — 4-of-7 signatures sufficient to drain all $767M in one transaction. TUPProxy admin can also pause all protocol contracts immediately, blocking all withdrawals. The upgrade path (no timelock, no guardian veto) is the critical drain vector — it is structurally equivalent to an untimelocked rescue function at this scale.
RD-F-025 yellow Admin key custody type Three Gnosis Safe multisigs with no timelock: Proxy Admin Safe (4-of-7), Governor Safe (4-of-7, identical signers), Executor Safe (2-of-3). Governance type is multisig_only per data cache. No on-chain governor, no timelock, no Snapshot space. Categorical step below multisig+timelock.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Proxy Admin Safe: verified 4-of-7 (threshold=4, owner_count=7 per Safe API in data cache). Governor Safe: 4-of-7 (identical 7 owners). Executor Safe: 2-of-3 (threshold=2, owner_count=3). All three confirmed via Safe Transaction Service API (api_status: found). No EOA admin; all multisig.
RD-F-030 yellow Hot-wallet signer flag Executor signer 0x33c390 shows 18 total transactions with occasional ETH movements — possible warm wallet. Proxy Admin signers show very low activity (0x78E7f3 has zero txs), consistent with cold/hardware signing practice. One known Executor signer is funded by Coinbase Prime 1 (institutional on-ramp). Cannot rule out web-wallet usage by unlabeled Executor signers. No characteristic high-frequency Metamask pattern detected on the 7-signer Proxy Admin set.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader No distinct guardian role with an independent address. TUPProxy admin (= Proxy Admin Safe) holds both upgrade AND pause authority. River.1.sol onlyAdmin functions are controlled by the Governor Safe (same 7-signer set as Proxy Admin Safe). Firewall.sol provides a per-selector allowlist for the Executor Safe, giving some function-level separation between Executor and Governor roles. However, the two most powerful roles (upgrade and protocol-admin) are controlled by addresses sharing identical signer sets — no meaningful guardian independence.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Partial on-paper role separation: Proxy Admin Safe (upgrade authority) vs Governor Safe (protocol parameters) vs Executor Safe (operations via Firewall). However, Proxy Admin Safe and Governor Safe have IDENTICAL 7-signer sets — any 4 of the same 7 signers can act as either Safe. Effective key separation between upgrade and parameter roles is zero. Only the Executor Safe has a distinct 3-signer set (separate from the 7).
RD-F-042 yellow Admin has mint() with unlimited max No bare admin-callable mint() on LsETH. LsETH shares minted internally via _mintShares()/_mintRawShares() triggered only by Allowlist-gated deposits and earnings reporting. TLC governance token has fixed 1B supply (INITIAL_SUPPLY = 1_000_000_000e18), all minted at initTLCV1 — no ongoing mint. Admin controls the Allowlist (setAllowlist — onlyAdmin, no timelock) which governs who can deposit and thus trigger share minting — indirect admin influence over the minting path but not a direct unlimited mint function. Yellow because admin has indirect control over deposit eligibility without timelock.
RD-F-029 gray Multisig signers co-hosted Signer identities for all 7 Proxy Admin signers are not publicly disclosed. All 7 EOAs lack ENS names or Etherscan labels. One signer (0x78E7f3) shows zero transactions, consistent with cold storage but unconfirmed. Executor signer 0x33c390 funded by Coinbase Prime 1 — suggests institutional custody on that signer. Cannot confirm co-hosting status or independent custody for the majority of signers. Assessment is blocked by protocol opacity on signer identity.
RD-F-036 n/a Flash-loanable voting weight No on-chain Governor, no active token-based governance, no Snapshot space. TLC governance token exists on-chain but is not used for governance (data cache governance.type: multisig_only, snapshot_space: null, governor_address: null). No flash-loanable voting surface exists by construction.
RD-F-037 n/a Quorum achievable via single-entity flash loan No token-based governance quorum to achieve via flash loan. Governance is multisig-only with no Snapshot or on-chain governor. Not applicable by construction.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain Governor or proposal execution contract exists. The Firewall.sol contract routes executor calls to a single immutable destination address with a per-function-selector allowlist (executorCanCall mapping). No delegatecall with proposal-supplied targets. No proposal execution path with arbitrary call targets. Not applicable by construction.
RD-F-045 gray Constructor args match governance proposal Protocol has no public proposal venue (no Snapshot, no Tally, no on-chain governor, no governance forum). Upgrades are executed directly by the three Gnosis Safes without any public proposal artifact. Cannot compare constructor args to a proposal because no proposal exists. Assessment is blocked by absence of a proposal system.
RD-F-047 n/a Governance token concentration (Gini) No active token-based governance. TLC token exists but is not used for governance (data cache governance.type: multisig_only). Gini of TLC voting token holdings is not a rubric input for a multisig-only governance model.
RD-F-027 green Single admin EOA No single EOA holds admin over core contracts. All three admin roles are Gnosis Safe multisigs (Proxy Admin 4-of-7, Governor 4-of-7, Executor 2-of-3). Deployer 0xbfa854... transferred admin to Safes at/before launch (Oct 4, 2022). Etherscan confirms Proxy Admin Safe created by Liquid Collective Deployer on same deploy date. Not a bare EOA by any measure.
RD-F-031 green Signer rotation recency No signer-set changes detected since protocol launch (Oct 2022). Proxy Admin Safe shows 36 total transactions, all Exec Transaction type — no AddOwner, RemoveOwner, or ChangeThreshold events visible. Governor Safe shows 94 total transactions, no threshold changes visible. Signer set has been stable for approximately 31 months. No direction-change event (threshold reduction) detected.
RD-F-043 green Admin = deployer EOA after 7 days Admin was never a deployer EOA at day 7+. Protocol deployed Oct 4, 2022 by 0xbfa854... The Proxy Admin Safe (0x8EE3fC0B) was created by the same deployer on the same day. River.1.sol initRiverV1() takes _systemAdministratorAddress as a parameter — set to Governor Safe at initialization. Admin transferred to multisig from day 1.
RD-F-044 green Admin wallet interacts with flagged addresses Executor signer 0x33c390 funded by Coinbase Prime 1 — institutional on-ramp, not a mixer or flagged address. Proxy Admin signer 0x78E7f3 shows zero transactions — no interaction with flagged addresses possible. No evidence of any signer interacting with Tornado Cash, Railgun, or addresses on curator watchlists. No mixer-funded or DPRK-linked transactions detected in available on-chain data.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts verified on Etherscan at launch. Halborn Jul 2022 and Spearbit Sep 2022 audits both preceded mainnet deploy (Oct 4, 2022). River proxy (0x8c1BEd5) and implementation source verified. Contracts are not hidden — full ABI publicly accessible. No unverified surface at launch.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts identified holding material value (>$100k). All core contracts are on current implementations (last batch upgrade Nov 20, 2024). No paused-deprecated proxy surface identified. Protocol does not have a decommissioned v1/v2 split with lingering admin-controlled pause over old surface.
Oracle & external dependencies Yellow 30 17 of 17
RD-F-057 red Circuit breaker on price deviation No circuit breaker on oracle-reported conversion rate deviation. Oracle.1.sol source contains no maxDeviationBps, priceGuard, or rate-change halt mechanism. River.1.sol contains no rate-change circuit breaker. If a quorum of Oracle Operators submit a materially false report (e.g., inflated validator balances), there is no on-chain mechanism to detect or halt the resulting mispricing of LsETH. The quorum requirement (multiple operators must agree) is a social deterrent but not a technical circuit breaker.
RD-F-049 yellow Oracle role per asset The Oracle contract serves as the sole Primary oracle for LsETH conversion rate. No Secondary or Fallback oracle is identified in source or documentation. Oracle.1.sol shows a single reporting path: reportConsensusLayerData() -> quorum acceptance -> River setConsensusLayerData(). If the primary oracle quorum fails, there is no backup source.
RD-F-050 yellow Dependency graph (protocols depended upon) Two material external dependencies: (1) Ethereum Beacon chain consensus layer — existential, non-redundant; Oracle Operators report Beacon state via EIP-4788; (2) Ethereum Deposit Contract (0x00000000219ab540356cBB839Cbe05303d7705Fa) — required for staking new ETH via deposit(). No Uniswap, Aave, Curve, Chainlink, bridge, or third-party lending dependency. Oracle Operator set (Coinbase Cloud, Figment, Staked, Blockdaemon) is an admin-controlled internal dependency. Yellow because Beacon chain is non-redundant and non-substitutable for any ETH LST.
RD-F-051 yellow Fallback behavior on oracle failure No fallback oracle identified. Oracle.1.sol source contains no try/catch around oracle calls, no secondary data source, no last-known-price mode. When quorum is not reached, the protocol continues operating on the previously-accepted rate (rate freezes). The epoch-age check (EpochTooOld) prevents submission of stale-epoch reports but does not trigger a fallback. No emergency oracle mechanism documented.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) Oracle Operator quorum failure — River conversion rate freezes; deposits/withdrawals proceed at stale rate; if extended outage coincides with validator slashing, rate becomes inaccurate; no automated mitigation; admin must intervene. Severity HIGH. (2) Beacon chain failure — oracle cannot report; rate freezes; systemic shared risk for all ETH LSTs. Severity CATASTROPHIC but ecosystem-shared. (3) Ethereum Deposit Contract unavailable — new staking halts; existing holders unaffected. Severity LOW. (4) Proxy Admin Safe compromise — all proxies upgradeable; potential full drain. Severity CRITICAL — addressed by governance-admin-analyst.
RD-F-059 yellow Oracle staleness check present Partial staleness protection. Oracle.1.sol implements an epoch-sequence check (if (_report.epoch < lastReportedEpochValue) reverts with EpochTooOld) preventing submission of reports from prior epochs. This is an epoch-monotonicity guard, not a wall-clock staleness check. There is no updatedAt > block.timestamp - maxStaleness style guard. If Oracle Operators stop reporting, River continues using the last accepted conversion rate indefinitely with no on-chain alert or automatic halt. The 24-hour reporting cadence is an off-chain convention, not an enforced on-chain freshness bound.
RD-F-180 yellow Immutable oracle address [★ CANDIDATE per PD-017] Oracle address in River stored in mutable unstructured-storage slot (bytes32(uint256(keccak256('river.state.oracleAddress')) - 1)) via OracleAddress.sol library with get()/set() functions. GitHub search for 'setOracle' in repository returns 0 results. River.1.sol exposes no admin-callable setOracle() post-initialization. Oracle address is set once in initRiverV1() via OracleManagerV1.initOracleManagerV1(_oracleAddress); no subsequent admin setter. However River is an upgradeable proxy (TUPProxy); Proxy Admin Safe (4-of-7, no timelock) can upgrade implementation and programmatically reach OracleAddress.set(). Oracle address IS replaceable via proxy upgrade — not EVM-immutable keyword pattern. Yellow not red: technical replaceability exists (proxy upgrade path); distinguishes from full-immutable class (USR/USDX/xUSD pattern). Risk: no direct admin setter means oracle replacement requires a full upgrade (h
RD-F-054 n/a TWAP window duration Protocol does not use any TWAP oracle. Rate computation is based on Beacon chain state reports from permissioned Oracle Operators, not DEX pricing. No TWAP window exists or is applicable.
RD-F-055 n/a Oracle pool depth (USD) Protocol does not use any DEX pool oracle. No DEX pool depth is relevant to the LsETH conversion rate mechanism.
RD-F-056 n/a Single-pool oracle (no medianization) Protocol does not use a single DEX pool oracle. The Oracle Operator quorum (multiple independent enterprise operators) provides a form of medianization for Beacon state data, but this factor addresses DEX pool venue medianization which is structurally inapplicable.
RD-F-058 n/a Max-deviation threshold (bps) No circuit breaker exists (see RD-F-057 red), so no deviation threshold is configured. Factor is N/A — it measures the circuit breaker threshold when one exists.
RD-F-060 n/a Chainlink aggregator min/max bound misconfig Protocol does not use Chainlink aggregators in the conversion rate path. Pipeline-flagged Chainlink feeds (18 entries) verified as false positives from EVM storage scanning — not consumed by River.1.sol or Oracle.1.sol. No AggregatorV3Interface call found in core contracts.
RD-F-061 n/a LP token balanceOf used for pricing LsETH rate is computed from Beacon chain balance reports (totalETHSupply / totalLsETHSupply), not from LP token balances. No balanceOf LP call found in River.1.sol price computation path. Factor is not applicable to this oracle architecture.
RD-F-181 n/a Permissionless-pool lending oracle Liquid Collective is not a lending protocol (data cache coverage_flags.lending_protocol: false). LsETH does not use spot prices from any permissionless DEX pool. The oracle uses a permissioned quorum model for Beacon chain data. RD-F-181 (permissionless-pool lending oracle) is structurally inapplicable to this LST protocol.
RD-F-048 green Oracle providers used Single internal oracle: River Oracle contract (0x895a57eD71025D51fe4080530A3489D92E230683) aggregating reports from a permissioned set of Oracle Operators (Coinbase Cloud, Figment, Staked, Blockdaemon). No Chainlink, Pyth, RedStone, Uniswap TWAP, or DEX feed used in LsETH conversion rate path. Pipeline-flagged Chainlink feeds (18 entries in data cache) verified as false positives — not consumed by River.1.sol or Oracle.1.sol. DefiLlama oracle field is 'Internal'.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] LsETH conversion rate is not derived from any DEX pool. No slot0(), getReserves(), latestAnswer(), latestRoundData(), or DEX-TWAP call in River.1.sol or Oracle.1.sol. GitHub search for 'setOracle' in repository returns 0 results. Oracle is a permissioned quorum reporting Ethereum Beacon chain validator balances. Docs confirm: conversionRate = totalETHSupply / totalLsETHSupply updated via oracle reports. DefiLlama oracle field: 'Internal'. Pipeline-flagged Chainlink feeds verified as false positives not consumed by core contracts.
RD-F-062 green External keeper/relayer not redundant Oracle reporting is not keeper/relayer-based. Oracle Operators directly call reportConsensusLayerData() — they are permissioned enterprise entities (Coinbase Cloud, Figment, Staked, Blockdaemon), not Gelato/Chainlink Automation bots. No IKeeperRegistrar or IAutomation interface found in Oracle.1.sol. Individual operator failure does not halt protocol (only quorum matters); multiple enterprise entities provide redundancy. No single keeper/relayer with no failover.
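As an added illustration (not Liquid Collective code), the following Python model reproduces the oracle acceptance path described in RD-F-051, RD-F-057 and RD-F-059 (quorum acceptance, the EpochTooOld monotonicity check, conversionRate = totalETHSupply / totalLsETHSupply) and adds the two guards those entries report as absent: a max-deviation circuit breaker in bps and a wall-clock staleness bound. The operator names, quorum, supplies, timestamps and the names max_deviation_bps / max_staleness are constructed assumptions.

```python
"""Model of the LsETH oracle acceptance path and the guards it lacks.

Constructed example for the profile above, not Oracle.1.sol or River.1.sol.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

WEI = 10**18


@dataclass(frozen=True)
class Report:
    epoch: int
    total_eth_supply: int   # wei backing LsETH, per the operators' beacon view
    submitted_at: int       # unix seconds, analogue of block.timestamp


class EpochTooOld(Exception):
    """Existing guard: report epoch precedes the last accepted epoch."""


class RateDeviationTooLarge(Exception):
    """Hypothetical guard: per-report rate change exceeds max_deviation_bps."""


@dataclass
class OracleModel:
    quorum: int
    total_lseth_supply: int                 # LsETH outstanding, in wei units
    max_deviation_bps: Optional[int] = None  # hypothetical circuit breaker
    max_staleness: Optional[int] = None      # hypothetical freshness bound (s)
    last_epoch: int = 0
    last_accepted_at: int = 0
    total_eth_supply: int = 0
    votes: Dict[Tuple[int, int], Set[str]] = field(default_factory=dict)

    def conversion_rate(self) -> float:
        """LsETH -> ETH rate as the docs define it."""
        return self.total_eth_supply / self.total_lseth_supply

    def report(self, operator: str, r: Report) -> bool:
        """Record one operator's vote; return True when quorum applied it."""
        # Epoch monotonicity only (RD-F-059): no wall-clock check here.
        if r.epoch < self.last_epoch:
            raise EpochTooOld(r.epoch)
        key = (r.epoch, r.total_eth_supply)
        self.votes.setdefault(key, set()).add(operator)
        if len(self.votes[key]) < self.quorum:
            return False
        # Added guard (RD-F-057): bound the rate change a single report can cause.
        if self.max_deviation_bps is not None and self.total_eth_supply:
            delta = abs(r.total_eth_supply - self.total_eth_supply)
            delta_bps = delta * 10_000 // self.total_eth_supply
            if delta_bps > self.max_deviation_bps:
                raise RateDeviationTooLarge(delta_bps)
        self.total_eth_supply = r.total_eth_supply
        self.last_epoch = r.epoch
        self.last_accepted_at = r.submitted_at
        self.votes.clear()
        return True

    def is_stale(self, now: int) -> bool:
        """Added guard (RD-F-059): wall-clock staleness of the accepted rate."""
        if self.max_staleness is None:
            return False
        return now - self.last_accepted_at > self.max_staleness


def run_scenario() -> dict:
    """Constructed reports: 3-of-4 operator quorum, ~300k LsETH outstanding."""
    ops = ["coinbase-cloud", "figment", "staked", "blockdaemon"]
    t0 = 1_700_000_000
    honest = Report(epoch=1000, total_eth_supply=330_000 * WEI, submitted_at=t0)
    stale = Report(epoch=999, total_eth_supply=330_000 * WEI, submitted_at=t0 + 60)
    inflated = Report(epoch=1225, total_eth_supply=363_000 * WEI, submitted_at=t0 + 86_400)
    out = {}

    # As-deployed shape: epoch check only, no deviation or staleness guard.
    plain = OracleModel(quorum=3, total_lseth_supply=300_000 * WEI)
    for op in ops[:3]:
        plain.report(op, honest)
    out["rate_after_honest"] = plain.conversion_rate()
    try:
        plain.report(ops[3], stale)
        out["stale_epoch_rejected"] = False
    except EpochTooOld:
        out["stale_epoch_rejected"] = True
    for op in ops[:3]:
        plain.report(op, inflated)   # a +10% jump in one day is applied as-is
    out["rate_unguarded_after_inflated"] = plain.conversion_rate()

    # Same reports with the two added guards (200 bps, 48 h).
    guarded = OracleModel(quorum=3, total_lseth_supply=300_000 * WEI,
                          max_deviation_bps=200, max_staleness=2 * 86_400)
    for op in ops[:3]:
        guarded.report(op, honest)
    try:
        for op in ops[:3]:
            guarded.report(op, inflated)
        out["inflated_tripped_breaker"] = False
    except RateDeviationTooLarge:
        out["inflated_tripped_breaker"] = True
    out["rate_guarded_after_inflated"] = guarded.conversion_rate()
    out["stale_after_3_days"] = guarded.is_stale(t0 + 3 * 86_400)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```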
Economic risk Yellow 22 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) On-chain holder concentration data unavailable (Dune Analytics 403 — JS-rendered, per process learnings). Structural inference: LsETH is distributed exclusively through institutional custodians (Coinbase Prime, Anchorage Digital) and enterprise platforms. This model implies high address-level concentration — a small number of custodian omnibus addresses hold the majority of LsETH tokens on behalf of many enterprise end-clients. CoinGecko reports only 317,666 LsETH tokens in circulation, consistent with concentrated institutional holding. Yellow: elevated concentration risk due to custodian omnibus structure; quantified holder share not available; Dune 403 blocks primary verification.
RD-F-065 yellow Liquidity depth per major asset Secondary DEX liquidity is structurally thin for the TVS size. CoinGecko reports 24h trading volume of $4,205.85 across all venues (Uniswap V3, Aerodrome SlipStream, Kraken) for a $767M TVS protocol — less than 0.001% of TVS. The LsETH price at $2,724.57 implies a ~25% premium over spot ETH ($2,179.85), correctly reflecting accrued staking rewards in the non-rebasing model. Specific 2%-depth figures for LsETH/ETH pools are not obtainable (Dune 403, JS-rendered pool pages). The institutional distribution model means most LsETH is held in custodian accounts and redeemed natively via RedeemManager (FIFO queue), not via secondary DEX markets. In a stress scenario, secondary market liquidity would be severely insufficient to absorb forced selling at NAV. Yellow: thin secondary market is a structural design feature, not a protocol failure, but creates real exit risk for non-custodian LsETH holders.
RD-F-066 n/a Utilization rate (lending protocols) Liquid Collective is a liquid staking protocol (LST), not a lending protocol. There is no borrow market, no utilization rate, and no supplied/borrowed relationship. Data cache confirms borrow.present: false, total_borrowed_usd: null. Per PD-024 protocol_type_applicability, lending-only factors score not_applicable for non-lending protocols.
RD-F-067 n/a Historical bad-debt events No lending market exists; no bad-debt mechanism. Slashing losses in an LST are socialized through conversion rate reduction, not through a bad-debt ledger. No slashing events documented (data cache hacks: [], profile §10 no incidents). Per PD-024, lending-only factors are not_applicable for non-lending protocols.
RD-F-068 n/a Collateralization under stress No lending market; no collateralization ratio applicable. LsETH is fully backed 1:1 by staked ETH by design (conversion rate = totalETHSupply / totalLsETHSupply). The only under-collateralization vector is slashing reducing totalETHSupply, handled by conversion rate adjustment and the 3-tier slashing coverage program. Per PD-024, lending-only factors are not_applicable for non-lending protocols.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin LsETH is a staked-ETH receipt token, not a stablecoin (algorithmic or otherwise). The conversion rate floats upward with ETH staking rewards and is independent of any algorithmic stabilization mechanism. Per PD-024, lending-only factors are not_applicable for non-lending protocols. The stablecoin design question is structurally inapplicable to an LST.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) [STAR CRITICAL — NOT_APPLICABLE] Liquid Collective is not a Compound V2 fork and has no cToken-style market-listing mechanism. The River contract (0x8c1BEd5b9a0928467c9B1341Da1D7BD5e10b6549) implements a single-asset staking pool with no listed markets, no borrow function, and no totalSupply-per-market accounting susceptible to the empty-market donation attack. The 'cToken model' label in LsETH documentation refers only to the non-rebasing exchange-rate accounting approach (conversion rate = totalETHSupply / totalLsETHSupply), not to any Compound V2 market architecture. Profile §5 confirms: original codebase, not forked from any protocol. Per PD-024 protocol_type_applicability (Compound-fork-only subset), F070 is not_applicable. The star critical flag does not fire.
RD-F-071 n/a Seed-deposit requirement for new market listing No market-listing mechanism exists. LsETH is a single-asset staking receipt; there is no concept of 'listing' a new borrow market or requiring a seed deposit for a new market. Per PD-024, lending-only factors are not_applicable for non-lending protocols.
RD-F-072 n/a Market-listing governance threshold No market-listing governance mechanism. The protocol is a single-asset (ETH) staking pool; there are no additional assets to list. The only structurally analogous governance action is adding a Node Operator to the OperatorsRegistry, which is a governance action scored in Cat 2, not a market-listing threshold in the Cat 4 sense. Per PD-024, lending-only factors are not_applicable for non-lending protocols.
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrow function exists; no borrow cap applicable. LsETH exchange rate is derived from the internal quorum oracle (beacon balance reports), not from a DEX spot price feed. There is no per-asset borrow cap to assess. Per PD-024, lending-only factors are not_applicable for non-lending protocols.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) LsETH is not an ERC-4626 vault. River implements a custom cToken-style exchange rate formula (conversionRate = totalETHSupply / totalLsETHSupply) and does not expose the ERC-4626 convertToShares/convertToAssets interface. No virtual-share offset pattern is present or applicable. OpenZeppelin libraries are used for proxy pattern only (TransparentUpgradeableProxy), not for ERC-4626. Per PD-024, lending-only / ERC-4626-specific factors are not_applicable for non-ERC-4626 LST protocols.
RD-F-075 n/a First-depositor / share-inflation guard No first-depositor share-inflation attack surface exists. River is not a share-based vault (not ERC-4626, not a per-market share token). The conversion rate starts at 1 and increases monotonically as rewards accrue; it is set by the internal quorum oracle report (totalETHSupply / totalLsETHSupply), not by raw asset balance. There is no mechanism by which an early depositor could donate ETH to inflate shares against later depositors. Multiple Spearbit audits (2022-2023) reviewed the core exchange-rate accounting logic. Per PD-024, share-vault-specific factors are not_applicable for non-share-vault LST protocols.
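As an added illustration (not River's code; the class, method names and scenario are constructed here), a minimal model of the oracle-reported exchange-rate accounting described in RD-F-068, RD-F-070 and RD-F-075: the rate follows the reported supply, a slashing report socialises the loss through the rate, and a direct ETH transfer to the contract leaves the reported rate unchanged where a balance-derived rate would move.

```python
"""Toy model of the non-rebasing exchange-rate accounting that RD-F-068, RD-F-070 and
RD-F-075 describe: conversionRate = totalETHSupply / totalLsETHSupply, with
totalETHSupply taken from the oracle report rather than the contract's raw balance.
Illustrative class and scenario only; not River's code or storage layout."""
from fractions import Fraction


class ExchangeRatePool:
    def __init__(self):
        self.total_eth_supply = Fraction(0)    # ETH backing LsETH, per oracle report
        self.total_lseth_supply = Fraction(0)  # LsETH in circulation
        self.raw_balance = Fraction(0)         # ETH actually held by the contract

    def rate(self):
        """ETH per LsETH. An empty pool prices at parity so the first deposit mints 1:1."""
        if self.total_lseth_supply == 0:
            return Fraction(1)
        return self.total_eth_supply / self.total_lseth_supply

    def rate_if_balance_based(self):
        """The rate a naive vault would compute from raw balance. Shown only for contrast:
        this is the accounting that lets an unsolicited transfer move the rate."""
        if self.total_lseth_supply == 0:
            return Fraction(1)
        return self.raw_balance / self.total_lseth_supply

    def deposit(self, eth):
        eth = Fraction(eth)
        minted = eth / self.rate()
        self.total_eth_supply += eth
        self.raw_balance += eth
        self.total_lseth_supply += minted
        return minted

    def oracle_report(self, reported_eth):
        """Quorum report of the staked balance. Rewards raise it; slashing lowers it and
        the loss is socialised across all holders through the rate (RD-F-067)."""
        self.total_eth_supply = Fraction(reported_eth)

    def donate(self, eth):
        """ETH sent straight to the contract: raw_balance moves, the reported supply and
        therefore the rate do not (the RD-F-075 point)."""
        self.raw_balance += Fraction(eth)

    def redeem(self, lseth):
        lseth = Fraction(lseth)
        eth = lseth * self.rate()
        self.total_lseth_supply -= lseth
        self.total_eth_supply -= eth
        self.raw_balance -= eth
        return eth


def walkthrough():
    """Constructed scenario; all amounts are made up. Returns floats for checking."""
    pool = ExchangeRatePool()
    first = pool.deposit(10)                      # 10 ETH -> 10 LsETH at rate 1
    pool.oracle_report(Fraction(21, 2))           # +5% rewards: backing is now 10.5 ETH
    rate_after_rewards = pool.rate()              # 1.05
    second = pool.deposit(Fraction(21, 10))       # 2.1 ETH -> 2 LsETH (12.6 ETH / 12 LsETH)
    pool.donate(100)                              # unsolicited 100 ETH transfer
    rate_after_donation = pool.rate()             # still 1.05
    naive_rate = pool.rate_if_balance_based()     # 112.1 / 12, would have jumped
    pool.oracle_report(Fraction(57, 5))           # slashing report: 12.6 -> 11.4 ETH
    rate_after_slash = pool.rate()                # 0.95, loss shared by both holders
    redeemed = pool.redeem(2)                     # 2 LsETH -> 1.9 ETH at the new rate
    return {
        "first_minted": float(first),
        "second_minted": float(second),
        "rate_after_rewards": float(rate_after_rewards),
        "rate_after_donation": float(rate_after_donation),
        "naive_rate_after_donation": float(naive_rate),
        "rate_after_slash": float(rate_after_slash),
        "redeemed_eth": float(redeemed),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```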
RD-F-063 green TVL (current + 30d trend) Current TVS $766.86M (DefiLlama, 2026-05-16). 30d change -7.04%; 1d change -2.17%. 90-day CoV 18.2% (mean $667.95M, std $121.86M) — moderate but ETH-price-correlated volatility, not protocol-specific. 12-month peak ~$807.6M (2025-07-10). TVL trajectory is strongly upward from protocol launch (~$4M, May 2023) to current $767M, ~3-year 180x growth. 2024 year-in-review confirmed 366% TVL growth in 2024. Single-chain (Ethereum 100%). Single-asset (ETH 100%). No structural downtrend; recent 30d decline consistent with ETH market softness.
Operational history Green 6 15 of 15
RD-F-084 yellow TVL stability (CoV over 90d) TVL CoV over trailing 90 days = 0.182 (mean $667.95M, std $121.86M, 90-day window ending 2026-05-16). Threshold: green <0.15; yellow 0.15-0.35; red >0.35. Score = yellow (0.182 in yellow band). Context: variance reflects ETH price exposure and prior strong growth trajectory, not operational failure or incident-driven instability.
RD-F-089 yellow Insurance coverage active Active slashing coverage via Nexus Mutual — three-layer Slashing Coverage Program: Nexus Mutual umbrella (up to $5M), Slashing Coverage Treasury (0.30% of rewards), Node Operator Commitment. CoverageFund contract 0x32aac358b627b9feaa971cc33304027a41e49a81 holds treasury. At $766.86M TVS, $5M cap = 0.65% of TVS (well below green threshold of >=5% TVL). Coverage scope is slashing-only; does not cover smart-contract exploits, oracle manipulation, or governance attacks. Score: yellow (active but <5% TVL; scope narrower than smart-contract risk).
RD-F-081 n/a Post-exploit response score No prior exploits in hack database. Factor methodology specifies N/A when no prior exploits. The January 2024 ops-failure incident (exit-daemon bug, no user ETH loss) does not constitute an exploit requiring post-exploit response scoring under Cat 5 definitions.
RD-F-082 n/a Post-mortem published within 30 days No prior exploits. Methodology specifies N/A when no prior incidents. Note: for the January 2024 ops-failure, a public incident update was published within ~17 days (Newsletter 012, February 16, 2024), demonstrating timely communication for non-exploit incidents.
RD-F-083 n/a Auditor re-engaged after last exploit No prior exploits requiring auditor re-engagement. Methodology specifies N/A when no prior exploits. Note: Quantstamp was engaged June 2024 for offchain component audit following the January 2024 exit-daemon incident — demonstrating proactive post-incident audit culture, though the incident was not a smart-contract exploit.
RD-F-085 n/a Incident response time (minutes) No prior exploits. Methodology specifies N/A when no prior incidents. For reference: in the January 2024 ops-failure, the protocol was paused on the same day unexpected exits were discovered, demonstrating rapid detection capability.
RD-F-076 green Protocol age (days) LsETH contract deployed to Ethereum mainnet on 2022-10-04 per IQ.wiki and Halborn/Spearbit audit dates. Days to 2026-05-17: approximately 957 days (~31 months). Threshold green = >=365 days; passes by wide margin.
RD-F-077 green Prior exploit count Zero exploits found across all sources: hacksdatabase (no files matching liquid-collective/lseth/alluvial), rekt.news (no results), DefiLlama hacks API (empty array in data cache), and web OSINT. The January 2024 exit-daemon operational failure caused no user ETH loss and is not classified as an exploit. Protocol has zero exploit count across 31 months live.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Chronic flag requires >=3 incidents. Exploit count = 0 (derived from F077). Threshold not met.
RD-F-079 green Same-root-cause repeat exploit Zero exploits recorded. Same-root-cause repeat analysis not applicable with zero incident count. Green by definition.
RD-F-080 green Days since last exploit No exploits ever recorded. Threshold: green = >365 days or no incidents. Not applicable variant — clean history.
RD-F-086 green Pause activations (trailing 12 months) No pause events found in the trailing 12-month window (May 2025 to May 2026). The only known protocol pause was January 30 to circa February 9, 2024 — outside the assessment window. No evidence of pauses in 2025 or 2026 from web search, diligence page, or year-in-review. Score: green (0 pauses in trailing 12 months).
RD-F-087 green Pause > 7 consecutive days The only known pause (January 30 to circa February 9, 2024, approximately 10 days) occurred outside the trailing 12-month assessment window (May 2025 to May 2026). No pauses identified within the trailing 12-month window. Score: green.
RD-F-088 green Re-deployed to new addresses in last year Protocol uses upgradeable proxy pattern at fixed addresses. v1.3.0 (released April 10, 2025) was deployed as an in-place upgrade to existing proxy contracts, not a full redeployment to new addresses. GitHub releases confirm v1.2.1 to v1.3.0 maintained existing proxy addresses. No contract address migration or retirement identified in last 12 months.
RD-F-166 green Deprecated contracts still holding value No deprecated contract addresses holding material value identified. Protocol uses upgradeable proxy pattern — deprecated code versions replaced in-place via upgrades, not by retiring contract addresses. The FundedValidatorKeys event deprecated at v1.0.0 is an event emission change only (no TVL). v1.2.0 marked do-not-use but superseded via same proxy upgrade mechanism. Deployment documentation lists all contracts as active at current addresses. No separately deployed legacy contracts holding >$100K found.
Real-time signals Yellow 25 22 of 22
RD-F-101 yellow Large governance proposal queued T-09 v1 launch signal; tier-B. No on-chain Governor contract exists (governance.governor_address = null); governance is multisig-only via three Gnosis Safes. The signal's ProposalCreated/ProposalQueued event trigger is permanently inapplicable in this architecture -- no proposal queue exists. The spirit of the signal (detecting admin-role changes, upgrade transactions, and governance-weakening events) is applicable but requires RD-F-102 (mempool) rather than RD-F-101 (event-driven) as the detection mechanism. This creates a structural signal-coverage gap: no advance warning of admin changes is possible via RD-F-101. Score is yellow rather than not_applicable because the underlying risk class is real and material at $767M TVS -- the gap is architectural, not a passing test.
RD-F-109 yellow Social-media impersonation scam spike Confirmed prior instance of Telegram brand impersonation. In February 2024, a scam Telegram group impersonating the official @liquid_col brand was identified and reported by the Liquid Collective team on X (Twitter post dated approximately 2024-02-16 per tweet ID 1758521166703079743). This confirms attacker interest in the brand and that the social channel is an active threat surface. Assessment date gap from incident: approximately 15 months (Feb 2024 to May 2026). No evidence of current active scam-coordinator activity in official channels. The institutional user base (institutional depositors via Coinbase Prime, Kraken, Bitcoin Suisse, Anchorage Digital) provides partial mitigation against unsophisticated social scams, but downstream retail exposure via institutional on-ramps exists.
RD-F-182 yellow Security-Council threshold reduction (RT) Cat 6B batch-24 addition; T-09 v1.1 candidate signal. Drift-pattern: Security Council threshold reduction + timelock removal within 14 days of either event. For Liquid Collective: the functional equivalents are the Proxy Admin Safe (4-of-7, upgrade authority) and Executor Safe (2-of-3, execution authority). No timelock currently exists between the Safes and proxy contracts (governance.timelock_address = null). This means the timelock-removal sub-trigger of the Drift pattern is architecturally pre-satisfied -- any future Safe threshold reduction would complete the two-step precursor pattern alone. No threshold reduction event detected at assessment date: Proxy Admin Safe remains 4-of-7, Executor Safe remains 2-of-3, per data cache (fetched 2026-05-16). Score is yellow because the architecture creates structural elevated sensitivity for this signal: if any threshold reduction occurs, the Drift-pattern precursor would be complete without requiring a separate timelock-removal step.
RD-F-090 gray Mixer withdrawal → protocol interaction T-09 phase-2 signal; tier-C advisory. No mixer-to-protocol interaction found in public sources or data cache. The Allowlist contract (0xebc83Bb472b2816Ec5B5de8D34F0eFc9088BB2ce) gates all deposits via institutional KYC/AML approval, creating structural friction against mixer-funded address participation. Requires wallet-clustering feed (Chainalysis/TRM) + 30-day on-chain lookback scan; not yet live in production infrastructure.
RD-F-091 gray Partial-drain test transactions T-09 v2 deferred; folded into RD-F-098 tier-B precursor sub-rule per T-09 section 3.3. No partial-drain test transactions detected in public sources. TVL trend is declining (-7.04% 30d) at a pace consistent with macro ETH market conditions, not a drain pattern. No anomalous small-value drain activity identified.
RD-F-092 gray Unusual mempool pattern from deployer wallet T-09 v2 deferred. Deployer address 0xbfa8549887e6ddef8cdf83cda1ad24856496fd00 is tagged 'Liquid Collective: Deployer' on Etherscan and appears dormant post-launch (holds ~0.515 ETH residual). No unusual deployer mempool activity found. Requires live mempool monitoring infrastructure not yet in production.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet T-09 v2 deferred. No attacker-wallet high-gas-priority transactions targeting Liquid Collective contracts observed in public sources. Requires live mempool monitoring infrastructure with per-wallet gas-price anomaly detection not yet in production.
RD-F-094 gray New contract with similar bytecode to exploit template T-09 v2 deferred. No new contract deployment with bytecode similar to Liquid Collective's River/LsETH contracts found in public sources. The River protocol is an original codebase (not a fork per profile section 5), limiting the available exploit-template attack surface. Requires on-chain new-deploy sweep with bytecode similarity matching not yet in production.
RD-F-095 gray Known-exploit function-selector replay T-09 v2 deferred. No known-exploit replay selector pattern targeting Liquid Collective detected. The protocol has no prior exploit history (data cache hacks = []; Rekt incidents = []), so no target-specific selector template exists in known-exploit databases. Requires mempool + tx history scan with selector matching infrastructure.
RD-F-096 gray New ERC-20 approval to unverified contract from whale T-09 v2 deferred. LsETH deposits are permissioned via the Allowlist contract (0xebc83Bb472b2816Ec5B5de8D34F0eFc9088BB2ce); institutional KYC/AML screening gates all depositor addresses. New ERC-20 approvals to unverified contracts from high-TVL depositors are harder to associate with this protocol given the permissioned access model. Requires on-chain approval-scan infrastructure not yet in production.
RD-F-097 gray Sybil surge of identical-pattern transactions T-09 v2 deferred. Sybil surge of identical-pattern transactions is structurally constrained by the Allowlist contract: new addresses cannot deposit without institutional KYC/AML approval. This significantly reduces the applicable attack surface compared to permissionless protocols. No sybil activity detected in public sources.
RD-F-099 gray Oracle price deviation >X% from secondary T-09 phase-2 signal. The protocol's core oracle is an internal quorum-based Beacon state reporting oracle (0x895a57eD71025D51fe4080530A3489D92E230683) -- not a DEX price oracle. The signal requires a secondary oracle source mapping; no such mapping exists for an internal quorum Beacon-state oracle. The oracle-dependency-analyst must confirm whether the Chainlink feeds in the data cache are actually consumed by core River/Oracle/RedeemManager contracts or are incidental storage patterns. No oracle deviation event identified in public sources.
RD-F-100 gray Flash loan >$10M targeting protocol tokens T-09 phase-2 signal. No active on-chain Governor contract for TLC token governance; no lending market; no DEX-derived price oracle in the core protocol. Flash-loan attack surface is very low in current architecture: no flash-loanable governor, no oracle to manipulate via flash-loan. If TLC governance activates and becomes flash-loanable, applicability increases significantly. No flash-loan interaction with core contracts detected. Requires per-block scan infrastructure not yet in production.
RD-F-102 gray Admin/upgrade transaction in mempool T-09 phase-2 signal; tier-B. The Proxy Admin Safe (0x8EE3fC0Bcd7B57429203751C5bE5fdf1AB8409f3, 4-of-7) holds upgrade authority over all River proxies. Any upgradeTo/upgradeToAndCall Safe confirmation tx is detectable in the mempool. Critically: no Timelock exists between the Safes and proxy contracts -- all upgrade transactions are executable without a queued governance proposal pre-announcement, making every upgrade tx appear unannounced. This increases signal sensitivity (no suppression possible via RD-F-101 co-signal). No upgrade transactions in mempool at assessment date. GitHub last commit 2026-05-15 indicates active development. v1.3.0 was last tagged release (2025-04-10). Requires mempool listener infrastructure not yet in production.
RD-F-103 n/a Bridge signer-set change proposed/executed T-09 v1 launch signal. Liquid Collective is Ethereum-only with no bridge surface: layerzero.present = false; has_bridge_surface = false; no cross-chain deployments identified. Signal cannot fire; structurally not applicable to this protocol.
RD-F-104 n/a Stablecoin depeg >2% on shared-LP venue T-09 v1 launch signal. LsETH is ETH-denominated; no stablecoin in the collateral or reserve composition. CoverageFund holds ETH for slashing coverage. ELFeeRecipient collects ETH network rewards. No stablecoin dependency in core protocol accounting (not a lending protocol; no stablecoin in the LST redemption path). Signal cannot fire on any stablecoin depeg event. Stablecoin depeg exposure suppression rule applies: protocol TVL exposure to any stablecoin < 5% (effectively 0%).
RD-F-105 gray DNS/CDN/frontend hash drift T-09 phase-2 signal; tier-A. Primary domains are liquidcollective.io and docs.liquidcollective.io. No DNS change or frontend hash drift detected in data cache or public sources. The February 2024 brand-impersonation event was via Telegram (a social channel clone), not a DNS/frontend compromise -- confirming production domain remained clean through that incident. Baseline hash monitoring requires external monitoring infrastructure not yet in production.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Liquid Collective has no cross-chain bridge component; Ethereum-only protocol with no LayerZero, Wormhole, or other bridge integration. Signal cannot fire. coverage_flags.layerzero_bridge = false; no bridge surface identified in profile section 7.
RD-F-107 gray Admin EOA signing from new geography/device T-09 v2 deferred; off-chain signing telemetry required. Signer identity for all 10 unique addresses across the three Safes is not publicly disclosed in protocol documentation. Cannot assess geographic or device fingerprint consistency without signing telemetry. Requires off-chain monitoring infrastructure not available from public sources.
RD-F-108 gray GitHub force-push to sensitive branch T-09 v2 deferred. GitHub repo liquid-collective/liquid-collective-protocol is public and actively developed (last commit 2026-05-15). No force-push events or sensitive-branch push from non-protocol accounts found in public sources. Requires GitHub API monitor with webhook/poll for push events not yet in production infrastructure.
RD-F-110 n/a Unusual pending/executed proposal ratio No on-chain Governor contract exists (governance.governor_address = null); governance is multisig-only via three Gnosis Safes. No on-chain governance proposal queue exists; there is no pending/executed proposal ratio to compute or track. Signal is structurally not applicable under the current multisig-only architecture.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal; tier-A. Detection rule: TVL_now / TVL_baseline_30d < 0.70 within a 60-minute window. Current TVL $766.86M (2026-05-16 19:22 UTC); 30-day mean approximately $668M (90-day mean $668M per data cache); 30-day change -7.04%; 1-day change -2.17%. No single-hour drain event observed. Threshold: TVL must drop below 0.70 x ~$668M = ~$468M within 60 minutes. Current TVL is $299M above this threshold. No sector-wide LST drain events in public sources. Sector-wide suppression rule: no peer LST protocol drain events found. Signal is applicable and currently quiet.
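Added example, not part of the rubric's tooling: the RD-F-084 CoV banding and the RD-F-098 detection rule (including its sector-wide suppression) written as code and run over constructed TVL traces. Only the $766.86M current TVL, the ~$668M 30-day mean and the $667.95M / $121.86M CoV inputs are taken from the factor text; every other sample and the peer-protocol name are made up.

```python
"""TVL-derived rubric checks reimplemented over constructed data: the trailing-90d
CoV banding of RD-F-084 and the <1h drop anomaly rule of RD-F-098 with its
sector-wide suppression. Constants are the thresholds quoted in those factors."""
from dataclasses import dataclass

# RD-F-084 bands: green <0.15; yellow 0.15-0.35; red >0.35.
COV_GREEN_BELOW = 0.15
COV_YELLOW_UPTO = 0.35
# RD-F-098 rule: TVL_now / TVL_baseline_30d < 0.70 within a 60-minute window.
DROP_RATIO = 0.70
WINDOW_MINUTES = 60


def cov_band(mean_musd, std_musd):
    """Coefficient of variation (std/mean) rounded to 3 dp and its colour band.
    Edge values 0.15 and 0.35 fall in the yellow band."""
    cov = round(std_musd / mean_musd, 3)
    if cov < COV_GREEN_BELOW:
        return cov, "green"
    if cov <= COV_YELLOW_UPTO:
        return cov, "yellow"
    return cov, "red"


@dataclass(frozen=True)
class Sample:
    minute: int        # minutes since the start of the trace
    tvl_musd: float    # protocol TVL in $M at that minute


def drop_signal(samples, baseline_30d_musd, peer_lst_drains=()):
    """Evaluate RD-F-098 over a chronological TVL trace.

    Fires at the first sample below DROP_RATIO x baseline that has some sample at
    or above that threshold no more than WINDOW_MINUTES earlier, i.e. the breach
    happened inside the window. A slow bleed that is already below the threshold
    when the trace starts never fires. If peer LST protocols (names supplied by
    the caller) drained in the same window the event is sector-wide and the signal
    is suppressed rather than attributed to this protocol.
    """
    threshold = DROP_RATIO * baseline_30d_musd
    fired_at = None
    for i, now in enumerate(samples):
        if now.tvl_musd >= threshold:
            continue
        crossed_in_window = any(
            earlier.tvl_musd >= threshold
            and 0 < now.minute - earlier.minute <= WINDOW_MINUTES
            for earlier in samples[:i]
        )
        if crossed_in_window:
            fired_at = now.minute
            break
    if fired_at is None:
        status = "quiet"
    elif peer_lst_drains:
        status = "suppressed"
    else:
        status = "fired"
    return {
        "status": status,
        "fired_at_minute": fired_at,
        "threshold_musd": round(threshold, 2),
        "headroom_musd": round(samples[-1].tvl_musd - threshold, 2),
    }


# Constructed traces. Only $766.86M (current TVL) and ~$668M (30-day mean) come from
# the factor text; every other value is made up to exercise the rule.
BASELINE_30D_MUSD = 668.0
QUIET_TRACE = [Sample(m, 766.86) for m in range(0, 181, 15)]
DRAIN_TRACE = [Sample(0, 766.0), Sample(15, 700.0), Sample(30, 420.0), Sample(45, 410.0)]
BLEED_TRACE = [Sample(0, 460.0), Sample(60, 455.0), Sample(120, 450.0)]

if __name__ == "__main__":
    print(cov_band(667.95, 121.86))                      # (0.182, 'yellow')
    print(drop_signal(QUIET_TRACE, BASELINE_30D_MUSD))   # quiet, ~$299M headroom
    print(drop_signal(DRAIN_TRACE, BASELINE_30D_MUSD))   # fired at minute 30
    print(drop_signal(DRAIN_TRACE, BASELINE_30D_MUSD, peer_lst_drains=("peer-lst-a",)))
    print(drop_signal(BLEED_TRACE, BASELINE_30D_MUSD))   # quiet: no in-window crossing
```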
Dev identity & insider risk Green 8 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR v1.3.0 released by GitHub user @iamsahu (April 10, 2025), covering 40+ merged PRs (#296-#404). The contributor appears to be a long-standing team member given continuous repository engagement visible in release history since at least v1.0.0 (2023). Precise tenure in days cannot be confirmed without programmatic GitHub API access to first-commit timestamp for this contributor. Scored yellow: contributor is an org member not a fresh external contributor, but exact tenure not quantified.
RD-F-117 yellow ENS/NameStone identity bound to deployer Deployer address 0xBFa8549887E6ddef8Cdf83Cda1Ad24856496fd00 has no ENS reverse record. Etherscan centralized label 'Liquid Collective: Deployer' is not ENS-bound. No NameStone record found. Admin Safe signers (all 10 addresses) also lack ENS-bound identities. This is the EVM path per invocation instructions (F117 here is EVM-applicable, not N/A-substrate).
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion No evidence of clandestine admin-rescue or ACL changes. All major upgrades (v1.0.0 through v1.3.0) are accompanied by GitHub release notes with linked PRs. Issue #447 (May 4, 2026) flags 'missing admin access control in initialization function' preceding Pectra upgrade — showing pre-upgrade discussion. Issue #84 (Aug 2022) addresses single-step ownership change governance. However, consortium governance is off-chain among Safe signers with no public governance forum — the 36 Proxy Admin Safe execution transactions cannot be individually matched to public discussion threads. This creates transparency opacity but no evidence of malicious undisclosed changes. Yellow: upgrades GitHub-tracked and pre-discussed; Safe-level execution discussion is opaque due to absent public forum.
RD-F-119 gray Commit timezone consistent with stated geography GitHub commit-time distribution analysis not performed in this pass — requires GitHub API access to commit timestamp data across the repository history. The team is US-based (Alluvial incorporated in US, team profiles reference SF/US context). No anomalous timezone pattern consistent with DPRK-implant detected in cursory review. Scored gray: pipeline_unimplemented for programmatic commit-hour histogram.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet Off-chain payroll model — Alluvial Finance (and now Galaxy Digital post-Dec 2025 acquisition) pays contributors via corporate payroll. No on-chain payment streams to individual contributor wallets identified in the Liquid Collective contract architecture. Per invocation: 'off-chain payroll -> NOT ASSESSED beyond deployer unless on-chain payment streams exist.' Deployer wallet funding traces cleanly to Coinbase 12. No on-chain contributor payment streams to assess.
RD-F-184 gray Real-capital social-engineering persona GRAY — No curator-flagged evidence of a real-capital social-engineering persona (>=1M deposits to build credibility) associated with Liquid Collective team or external integrators. The Drift Protocol precedent (UNC4736, 6-month conference/in-person buildup, >$1M deposits, pre-signed Solana durable nonce) is the comparator class per F184 definition. Liquid Collective is an institutional staking protocol; any real-capital participation by a malicious actor would be indistinguishable from normal institutional staking deposits without curator-level on-chain capital flow attribution. Cannot prove absence; M-only factor requiring curator confidence beyond this OSINT pass. Scored gray per batch-24 guidance and invocation instruction.
RD-F-111 green Team doxx status Three co-founders (Mara Schmiedt, Matt Leisinger, Nicolas Maurice) are fully real-name doxxed with verifiable prior employer trails. Mara: Forbes 30 Under 30 Europe (Finance, 2024), Coinbase Cloud Head of Sales, Bison Trails BD, ConsenSys Strategy; CoinDesk Consensus 2025 speaker; Epicenter Podcast. Nicolas: 4 years ConsenSys engineer, then CTO at Kiln. Matt: public CPO. Additional ~14 named staff on alluvial.finance/team/. No anonymous founding team. Post-acquisition (Dec 2025) Galaxy leadership (Evan Thomas, Chad Peterson) also publicly named.
RD-F-112 green Team public accountability surface Mara Schmiedt has verifiable LinkedIn employment history (Coinbase Cloud, Bison Trails, ConsenSys), multiple on-the-record interviews (Epicenter Podcast May 2024, Variant LP Day 2023 fireside chat, CoinDesk Consensus 2025), SEC meeting participation (EDGAR memo April 21, 2025). Nicolas Maurice: ConsenSys and Kiln backgrounds verifiable. Matt Leisinger: Blockworks and Fortune articles. Galaxy acquisition adds further institutional accountability. High accountability surface for principals.
RD-F-113 green Team other-protocol involvement history Nicolas Maurice's prior role as CTO at Kiln (institutional staking, legitimate going concern) verified. Mara Schmiedt and Matt Leisinger from Coinbase Cloud / Bison Trails / ConsenSys — all legitimate established entities with no adverse history. No prior rug, exit scam, or failed protocol affiliation found for any team member. Liquid Collective is the primary protocol associated with these founders. Web OSINT across rug/exit-scam queries returned zero relevant results.
RD-F-114 green Deployer address prior on-chain history Deployer 0xBFa8549887E6ddef8Cdf83Cda1Ad24856496fd00 has 91 total transactions, all Liquid Collective protocol related. Deployed: TransparentUpgradeableProxy, PendleLsETHSY, TlcMigration, OrchestratorFactory, OrchestratorV1, WithdrawV1, ConfigManager, ImmutableBeaconFactory. No history of rug-adjacent deployments, honeypot tokens, or exit-scam-labeled contracts. Funded by Coinbase 12 (confirmed CEX). Etherscan label: 'Liquid Collective: Deployer'.
RD-F-115 green Prior rug/exit-scam affiliation Web OSINT search 'Alluvial Finance Liquid Collective rug exit scam fraud' returned no relevant results. No REKT news listing for Liquid Collective or Alluvial. Founders' prior employers (Coinbase, ConsenSys, Bison Trails, Kiln) are legitimate established entities with no rug history. Protocol §10 (profile) confirms no incidents found. Data cache sources.rekt.incidents is empty.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of handle reuse across failed or rugged projects for any Alluvial team member. Mara Schmiedt's LinkedIn, X, and conference profiles are consistent with her confirmed identity throughout. Matt Leisinger and Nicolas Maurice likewise show continuous identity across their professional trails. No GitHub contributor handle linked to prior rugged protocols found via OSINT.
RD-F-120 green Video-off/voice-consistency flag Mara Schmiedt appeared on video at Consensus 2025 (CoinDesk speaker listing), Variant LP Day 2023 fireside chat (alluvial.finance reference), and Epicenter Podcast (audio, May 2024). Real photos of all named co-founders on alluvial.finance/team/. No reports of video-off policy or voice inconsistency. Post-acquisition, Evan Thomas and Chad Peterson publicly named with institutional backgrounds.
RD-F-121 green Contributor OSINT depth score Co-founders score high on OSINT depth: Mara Schmiedt (Forbes 30U30, LinkedIn full employment history, multiple podcast and conference appearances, SEC engagement, IQ.wiki entry). Nicolas Maurice (ConsenSys/Kiln background verifiable via multiple sources). Matt Leisinger (public CPO, Fortune and Blockworks articles). Estimate curator score 4/5 for founding principals; broader 14-person team has roles listed but varying individual OSINT depth.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0xBFa8549887E6ddef8Cdf83Cda1Ad24856496fd00 funded by Coinbase 12 (0x503828976D22510AAD0201AC7EC88293211D23DA) via tx 0x1ffea16f686cf6f615512329104eb377d961f50802df94c7ee2724f773f5a3c7 approximately 3-4 days before first deployment. Coinbase 12 is a confirmed Coinbase exchange hot wallet per Etherscan label (2.75M+ transactions). No Tornado Cash, Railgun, or other mixer interaction detected in the deployer or the single-hop funder. The 30-day window is not triggered. All checked admin signers funded from Coinbase Prime variants — same clean CEX origin.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No OFAC SDN or Chainalysis-labeled DPRK/Lazarus cluster proximity detected. Deployer funds trace 1-hop to Coinbase 12 (US regulated exchange, KYC/AML enforced). All checked admin signers funded from Coinbase Prime variants. Web OSINT across 'Alluvial Finance Liquid Collective DPRK Lazarus North Korea' returned zero results connecting protocol team or addresses to DPRK actors. DPRK-related search results (KelpDAO LayerZero Apr 2026, Drift Protocol Apr 2026) are entirely unrelated to Liquid Collective. No OFAC-sanctioned address proximity at any hop for deployer or checked signers.
Fork / dependency lineage Yellow 22 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions foundry.toml pins solc = '0.8.34' (version pinned). TLC.1.sol and WLSETH.1.sol import OpenZeppelin upgradeable contracts. NPM package.json not accessible via raw GitHub (404 returned). Exact OZ version not precisely determinable. Foundry typically manages deps via git submodules with commit-SHA pins, but submodule file also returned 404. Cannot confirm OZ pin vs floating version — yellow assigned conservatively.
RD-F-135 yellow Shared-library version with known-vuln status Protocol uses Solidity 0.8.34 for new contracts (foundry.toml). Some deployed contracts (Allowlist, OperatorsRegistry) show 0.8.10 compiler in Etherscan verified metadata from earlier deployments. Solc 0.8.10 has no critical bugs affecting the proxy/staking patterns used. 0.8.34 is current and bug-clear. OpenZeppelin version not precisely determinable (package.json inaccessible). Yellow due to mixed compiler version in deployed contracts and unconfirmed OZ pin.
RD-F-126 n/a Is-a-fork-of Protocol is an original implementation by Alluvial. GitHub repo has no forked-from relationship. Halborn (Jul 2022) and Spearbit (Sep 2022) audits do not reference a forked upstream. Protocol profile confirms original Solidity implementation. No fork lineage exists.
RD-F-127 n/a Upstream patch not merged Not applicable — protocol is an original implementation with no upstream fork source that could publish patches.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable — protocol is original implementation with no upstream fork relationship.
RD-F-129 n/a Code divergence from upstream (%) Not applicable — protocol is original. No upstream to diff against for divergence measurement.
RD-F-130 n/a Fork depth (generations from original audit) Not applicable — protocol is the original implementation at fork depth zero (from itself). No multi-hop fork chain.
RD-F-131 n/a Fork retains upstream audit coverage Not applicable — original codebase has its own direct audit coverage assessed in Cat 1 (RD-F-004/005). No upstream audit coverage to retain or lose.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable — original codebase with no upstream audited-default parameters to diverge from.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release incident identified for OpenZeppelin Contracts (primary dependency) or any other dependency in the trailing 90 days. No npm/PyPI security advisory for OZ or Foundry-era dependencies found.
Post-deploy hygiene & change mgmt Green 6 13 of 13
RD-F-139 yellow Post-audit code changes without re-audit Most recent mainnet deployment (Nov 20, 2024) is covered by Certora Nov 2024 formal verification audit. Since then, significant development in GitHub: BYOV feature scripts (Apr 2026), Solidity version bump 0.8.20->0.8.33 (Feb 2026), security fixes referencing Certora audit codes H-01/M-01/M-03/M-06/L-01/L-05 (Mar 2026). BYOV and post-Certora fixes have NOT been deployed to mainnet. March 2026 commits reference a Certora audit (internal ticket codes), suggesting a new engagement, but no public 2026 report is available at liquidcollective.io/security-audits/. Current deployed bytecode is audited; if BYOV deploys without public audit confirmation this becomes red.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) Custom Initializable.sol uses version-counter init(N) pattern — does NOT call _disableInitializers(). Only TLC.1.sol calls _disableInitializers() in its constructor. River.1.sol, Oracle.1.sol, OperatorsRegistry.1.sol, Allowlist.1.sol, CoverageFund.1.sol, Withdraw.1.sol, RedeemManager.1.sol all rely solely on the version-counter pattern. The custom pattern does increment the version after initialization (preventing same-version re-init), but does not lock the bare implementation against direct init calls the OZ way. Under TUPProxy transparent proxy, the admin bypass means impl is callable directly. Yellow not red because the version counter does provide meaningful protection; confirmed exploitability not established.
RD-F-136 gray Deployed bytecode matches signed release tag Most recent public release tag is v1.3.0 (commit 964f0e3, Apr 10, 2024). Most recent mainnet upgrade deployed Nov 20, 2024 to implementation 0x34E46177...D58, which corresponds to Certora audit remediation. The deployed implementation appears to be a post-v1.2.1 Certora-audited version, not v1.3.0 BYOV. Exact commit SHA of deployed implementation cannot be confirmed without bytecode diff — requires curator (code-security-analyst) to diff deployed bytecode against tagged commits. Cannot confirm signed-release-tag match for current deployment.
RD-F-137 green Upgrade frequency (per 90 days) Zero mainnet upgrades in trailing 90 days (Feb 17 – May 17, 2026). Last upgrade batch was November 20, 2024 (~18 months before assessment). Prior to that, upgrades approximately every 3-6 months aligned with audit completions. Low and deliberate upgrade cadence with each upgrade tied to an audit. OperatorsRegistry: 5 total upgrades since Oct 2022; River: 4 total upgrades since Oct 2022.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) Zero hot-patch deploys in the last 30 days (and zero in the last 6 months). The Proxy Admin Safe's last transaction was ~206 days before the assessment date per Etherscan label. No hot-patch pattern detected: all historical upgrades appear to follow an audit-then-deploy pattern (Spearbit/Certora audits precede each upgrade batch). The timelock is absent by design, so there is no bypassed-timelock pattern to observe, but the upgrade cadence is not hot-patch.
RD-F-140 green Fix-merged-but-not-deployed gap No known exploitable vulnerability with a fix-merged-but-not-deployed gap found. March 2026 commits fix Certora-flagged issues (H-01 etc.) but these are in-development fixes for the upcoming BYOV release — they have not been deployed to mainnet yet, which is the intended state (fixes land with the release, not before). No Mirror-class scenario (known exploitable fix in repo, not deployed to block live exploit) identified.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified in production deployment. Admin role set to Governor Safe (not deployer EOA) at init. Allowlist is active (KYC/AML gated — institutional permissioned access). Oracle is live quorum system with real operators. Protocol is operating in production configuration with all security parameters active.
RD-F-142 green Storage-layout collision risk across upgrades Protocol uses custom library-slot based storage (LibRiver, LibAllowlist etc.), with each state variable at its own hashed slot, rather than sequential struct storage; this avoids the append-only ordering hazards of sequential layouts across upgrades, provided the slot identifiers stay stable between versions. Multiple Spearbit audits (Jul 2023, Oct 2023) and Certora (Nov 2024) reviewed the upgrade path. No storage collision finding surfaces in public audit summaries. The hashed-slot pattern is the industry-standard collision-avoidance approach.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory deployment pattern identified for core protocol contracts. Contracts deployed via standard TUPProxy constructor pattern at fixed addresses. No mechanism for redeployment to the same address with different bytecode identified.
RD-F-145 green Deployed bytecode reproducibility Open-source codebase publicly available on GitHub. foundry.toml specifies reproducible build configuration: solidity_version=0.8.34, optimizer_enabled=true, optimizer_runs=100. Standard Foundry build toolchain. Bytecode should be reproducible from tagged source. Code-security-analyst must perform exact bytecode diff to confirm for current deployment.
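The bytecode diff called for in RD-F-136 and RD-F-145 has two pitfalls: solc appends a CBOR metadata trailer (source hash, compiler version) that changes whenever source paths or settings differ even if the code is identical, and immutable values are inlined into the runtime code at deployment. The following is an added example, not Liquid Collective's or Foundry's own tooling; the bytecodes, the immutable offset and the metadata contents are constructed here for illustration. In practice `deployed` comes from eth_getCode on the implementation address and `compiled` (with its immutable references) from the Foundry artifact built at the tagged commit.

```python
"""Added example (not Liquid Collective's own tooling): compare a deployed runtime
bytecode with a locally compiled build, ignoring the CBOR metadata trailer that
solc appends and masking immutable slots. All sample bytecodes are constructed."""
from __future__ import annotations

CBOR_MAP_HEADERS = {0xA1, 0xA2, 0xA3}  # CBOR maps with 1..3 keys (bzzr/ipfs, solc, experimental)


def metadata_length(code: bytes) -> int:
    """Length of the CBOR metadata blob, or 0 if none is recognised.

    solc appends <cbor metadata><2-byte big-endian length of that metadata>.
    """
    if len(code) < 2:
        return 0
    n = int.from_bytes(code[-2:], "big")
    if n == 0 or n + 2 > len(code):
        return 0
    if code[-(n + 2)] not in CBOR_MAP_HEADERS:
        return 0
    return n


def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Split runtime code into (executable body, metadata trailer incl. length bytes)."""
    n = metadata_length(code)
    return (code[:-(n + 2)], code[-(n + 2):]) if n else (code, b"")


def mask_immutables(code: bytes, refs) -> bytes:
    """Zero the (offset, length) ranges where the compiler inlines immutable values."""
    buf = bytearray(code)
    for off, length in refs:
        if off + length > len(buf):
            raise ValueError(f"immutable ref {off}+{length} outside code")
        buf[off:off + length] = b"\x00" * length
    return bytes(buf)


def compare_runtime(deployed: bytes, compiled: bytes, immutable_refs=()) -> dict:
    """code_match: bodies identical after masking immutables.
    metadata_match: CBOR trailers identical (paths/settings/solc also reproduced).
    first_diff: offset of the first differing body byte, or None."""
    d_body, d_meta = split_metadata(deployed)
    c_body, c_meta = split_metadata(compiled)
    d_masked = mask_immutables(d_body, immutable_refs)
    c_masked = mask_immutables(c_body, immutable_refs)
    first_diff = next((i for i, (a, b) in enumerate(zip(d_masked, c_masked)) if a != b), None)
    if first_diff is None and len(d_masked) != len(c_masked):
        first_diff = min(len(d_masked), len(c_masked))
    return {"code_match": d_masked == c_masked, "metadata_match": d_meta == c_meta,
            "first_diff": first_diff, "deployed_metadata_len": len(d_meta)}


# --- constructed sample data (not real River bytecode) ---------------------
def cbor_metadata(ipfs_digest: bytes, solc=(0, 8, 34)) -> bytes:
    """solc-style trailer: {"ipfs": <34-byte multihash>, "solc": <3 bytes>} + length."""
    assert len(ipfs_digest) == 34  # 0x12 0x20 + 32-byte sha2-256
    body = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + ipfs_digest
            + b"\x64solc" + b"\x43" + bytes(solc))
    return body + len(body).to_bytes(2, "big")  # 51 bytes -> 0x0033


PRELUDE = bytes.fromhex("6080604052348015600e575f5ffd5b50")  # typical runtime prologue
IMMUTABLE_OFFSET = len(PRELUDE) + 1                           # byte after the PUSH32 opcode


def sample_runtime(immutable_value: bytes, ipfs_digest: bytes, tail: bytes = b"\x00") -> bytes:
    assert len(immutable_value) == 32
    return PRELUDE + b"\x7f" + immutable_value + tail + cbor_metadata(ipfs_digest)


DEPLOYED = sample_runtime(b"\x11" * 32, b"\x12\x20" + b"\xaa" * 32)
# same code, different source metadata (e.g. different absolute paths at compile time)
REBUILT_SAME_CODE = sample_runtime(b"\x11" * 32, b"\x12\x20" + b"\xbb" * 32)
# same code except the immutable (e.g. a different constructor argument)
REBUILT_OTHER_IMMUTABLE = sample_runtime(b"\x22" * 32, b"\x12\x20" + b"\xaa" * 32)
# genuinely different code
REBUILT_OTHER_CODE = sample_runtime(b"\x11" * 32, b"\x12\x20" + b"\xaa" * 32, tail=b"\x01")

if __name__ == "__main__":
    print(compare_runtime(DEPLOYED, REBUILT_SAME_CODE))
    print(compare_runtime(DEPLOYED, REBUILT_OTHER_IMMUTABLE, [(IMMUTABLE_OFFSET, 32)]))
    print(compare_runtime(DEPLOYED, REBUILT_OTHER_CODE))
```

Equal bodies with a different trailer mean the source compiled to the same code but the metadata inputs (absolute paths, settings, solc patch level) were not reproduced; a matching trailer is the stronger reproducibility claim. Compare runtime bytecode, not creation code, since constructor arguments are appended to the latter, and mask only the immutable ranges the compiler reports, never arbitrary diffs.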
RD-F-146 green New contract deploys in last 30 days Zero new mainnet contract deployments in the last 30 days (Apr 17 – May 17, 2026). GitHub commits in this period are development activity (BYOV ABIs, docs updates) not mainnet deployments. Proxy Admin Safe last transaction was ~206 days before assessment date. No new attack surface deployed recently.
RD-F-168 green Stale-approval exposure on deprecated router No deprecated router or deprecated contracts with stale user approvals identified. Protocol uses a direct-staking model where users interact with the River proxy (not a router). No ERC-20 approval to a deprecated routing contract pattern found. No contract retirement events in available data.
RD-F-185 green Bridge rate-limiter / chain-pause as positive mitigant CoverageFund.1.sol is a simple ETH donation buffer: pullCoverageFunds() callable only by River contract, donate() accepts contributions. No automated insurance fund logic with complex invariant risk. Protocol also references Nexus Mutual slashing coverage via user agreement. No C23-class insurance fund logic bug surface identified. The CoverageFund is a minimal accounting contract, not an automated stability mechanism with complex logic.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Liquid Collective is a single-chain Ethereum protocol with no bridge surface. Profile §7: has_bridge_surface: false, is_a_bridge: false. Data cache coverage_flags.layerzero_bridge: false. No cross-chain messaging, bridged assets, LayerZero OFT adapters, CCIP, Wormhole, or any cross-chain endpoint identified in core contracts. All Cat 10 factors are N/A.
RD-F-148 n/a Bridge validator count (M) No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-149 n/a Bridge validator threshold (k-of-M) No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-150 n/a Bridge validator co-hosting No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7; the ecrecover zero-address check does not apply.
RD-F-152 n/a Bridge binds message to srcChainId No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-154 n/a Default bytes32(0) acceptable as valid root No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7; Nomad-class default-root acceptance does not apply.
RD-F-155 n/a Bridge validator-set rotation recency No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-156 n/a Bridge uses same key custody for >30% validators No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-157 n/a Bridge TVL per validator ratio No bridge surface — single-chain Ethereum protocol. Cat 10 fully N/A per profile §7.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) No LayerZero OFT adapter — single-chain Ethereum protocol with no bridge surface. Cat 10 fully N/A per profile §7. Data cache coverage_flags.layerzero_bridge: false.
Threat intelligence & recon Green 8 8 of 8
RD-F-165 yellow Protocol social channel has scam-coordinator flag Confirmed prior Telegram brand impersonation event: in February 2024 a scam Telegram group impersonating the @liquid_col brand was identified and reported by the official Liquid Collective team. This was an external clone channel (impersonator), not a compromised official channel member, and the official team detected and reported it promptly. No evidence of subsequent scam-coordinator flags on official channels found in public sources. The assessment date is approximately 27 months post-incident. The institutional user base provides partial mitigation, but downstream retail exposure via platform-operator on-ramps exists. Score is yellow for confirmed prior brand-impersonation Telegram activity, with no current active evidence.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) T-09 v2 deferred. No mempool probe activity (low-gas failing txs) from threat-actor wallets targeting Liquid Collective contracts detected in public sources. Requires live mempool monitoring infrastructure plus a threat-actor cluster feed, neither yet in production. Allowlist access control reduces the utility of mempool probing, since failing txs from non-allowlisted wallets are expected behavior and therefore a weak signal.
RD-F-161 gray Protocol-impersonator domain registered (typosquat) Typosquat domain monitoring requires a domain-monitoring feed (dnstwist or equivalent) and is not achievable from public web search alone. No specific typosquat domains targeting liquidcollective.io were identified in web search results. However, the February 2024 confirmed Telegram brand impersonation (tweet ID 1758521166703079743) demonstrates attacker interest in this brand, making typosquat domain registration a plausible threat. Domain variants requiring monitoring include: liquid-collective.io, liquidcollectve.io, 1iquidcollective.io, liquidco11ective.io, and alluvial.finance adjacent variants. data-cache whois = []; no WHOIS registration data collected. The registration-date-to-assessment-date delta cannot be computed without a domain monitoring feed.
RD-F-162 gray Known-exploit-template selector deployed by any address T-09 v2 deferred. No known-exploit-template selector pattern deployed targeting River/LsETH contracts found in public sources. Protocol has no prior exploit history, so no target-specific template exists in known exploit databases. River is an original codebase (not a fork). Requires an on-chain deploy scan with selector matching against a maintained exploit-template database, not yet in production.
RD-F-164 gray Leaked credential on paste/sentry site T-09 v2 deferred; manual triage via a paste/credential-dump monitoring feed required. No paste-site leak or credential dump involving Liquid Collective, Alluvial, or Galaxy Digital (post-acquisition December 2025) found in public web sources. The relevant surfaces include the security@liquidcollective.io SIRT mailbox, Alluvial/Galaxy internal API credentials, and Oracle Operator infrastructure keys. Requires a specialized paste-monitoring feed; not assessable from public sources.
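What a dnstwist-style feed would generate for the RD-F-161 variants, as an added example that is not part of the original report and is not dnstwist or Liquid Collective tooling: candidate lookalike domains from omission, transposition, repetition, hyphenation and homoglyph substitution, then intersected with a feed of observed registrations. The homoglyph table is an assumption of this example, and the sample feed is constructed; WHOIS/DNS resolution of candidates is left to the monitoring feed.

```python
"""Added example: candidate typosquat domains for a brand (not dnstwist, not
Liquid Collective tooling). WHOIS/DNS checks are left to a monitoring feed."""
from __future__ import annotations
from itertools import product
from typing import Iterable

# Homoglyph / confusable substitutions. Assumption for this example; a production
# feed would use a larger table (Unicode confusables, keyboard adjacency).
HOMOGLYPHS: dict[str, str] = {
    "l": "1i", "i": "1l", "o": "0", "e": "3", "a": "4", "s": "5", "g": "q", "q": "g",
}


def _window_replacements(window: str) -> Iterable[str]:
    """All substitutions of a 1- or 2-char window, excluding the unchanged window."""
    options = [[ch] + list(HOMOGLYPHS.get(ch, "")) for ch in window]
    for combo in product(*options):
        repl = "".join(combo)
        if repl != window:
            yield repl


def candidates(domain: str) -> set[str]:
    """Lookalike candidates for `domain` (label.tld), keeping the original TLD."""
    name, _, tld = domain.rpartition(".")
    n = len(name)
    out: set[str] = set()
    for i in range(n):                                  # omission: liquidcollectve
        out.add(name[:i] + name[i + 1:])
    for i in range(n - 1):                              # transposition: liquidcolelctive
        if name[i] != name[i + 1]:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(n):                                  # repetition: liquiddcollective
        out.add(name[:i + 1] + name[i] + name[i + 1:])
    for i in range(1, n):                               # hyphenation: liquid-collective
        out.add(name[:i] + "-" + name[i:])
    for w in (1, 2):                                    # homoglyphs: 1iquid..., ...co11ective
        for i in range(n - w + 1):
            for repl in _window_replacements(name[i:i + w]):
                out.add(name[:i] + repl + name[i + w:])
    out.discard(name)
    return {f"{c}.{tld}" for c in out}


def matches(domain: str, observed: Iterable[str]) -> list[str]:
    """Intersect a feed of newly seen registrations with the candidate set."""
    wanted = candidates(domain)
    return sorted({d.lower().strip(".") for d in observed} & wanted)


# Constructed sample feed (not real registrations).
SAMPLE_FEED = ["liquidcollective.io", "liquidco11ective.io", "example.io", "Liquid-Collective.io"]

if __name__ == "__main__":
    cands = candidates("liquidcollective.io")
    print(len(cands), "candidates; hits:", matches("liquidcollective.io", SAMPLE_FEED))
```

The two-character homoglyph window is what catches liquidco11ective (both l's replaced at once) while leaving the leading l intact; single-position substitution alone would miss it. Candidate sets grow quickly, so a feed should rank hits by whether the domain resolves, carries MX records, or serves a page cloning the brand.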
RD-F-158 green Known-threat-actor cluster has touched protocol T-09 phase-2 signal; tier-C advisory. No known-threat-actor wallet interaction with River contract (0x8c1BEd5b9a0928467c9B1341Da1D7BD5e10b6549) or other core Liquid Collective contracts identified in public sources. Web search across DPRK, Lazarus, Liquid Collective, LsETH, Alluvial returns no positive results. January 2024 incident was an internal software bug (exit daemon caching + exit-condition bugs), not an attacker-wallet-driven compromise. The Allowlist contract creates an institutional KYC/AML access barrier reducing the likelihood of known-threat-actor wallet direct interaction with the protocol. Public-proxy observation finds no confirmed interaction; definitive assessment requires Chainalysis/TRM private cluster feed for all 10 signer wallets.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No GitHub advisory flagging a malicious release in any dependency consumed by Liquid Collective found in public sources or data cache. Data cache static_analysis = []. Protocol uses Solidity 0.8.34 (foundry.toml per data cache), a recent stable version not on the known-bug list. OpenZeppelin libraries in use; oz_contracts_version not captured in data cache but protocol's active audit program (9 audits including Certora formal verification in Nov 2024 and Quantstamp offchain review in May 2024) substantially reduces undetected malicious-dependency risk. No CVE/GHSA advisory found for this protocol's dependency tree.
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols Reconnaissance time for peer-class LST protocols (class-level signal): the USPD reconnaissance pattern suggests 14-78 days of pre-strike activity for comparable DeFi protocols. No attacker-class reconnaissance signals are currently active for Liquid Collective. The January 2024 exit-daemon incident was internal/operational (software bug, severity 0), not attacker-driven. The Allowlist access control creates friction against standard reconnaissance patterns (wallet interactions with the protocol for information gathering are gated). With no prior exploit history there is no protocol-specific reconnaissance baseline, so the signal is class-level only. Posture: no reconnaissance activity detected.
Tooling / compiler / AI Green 8 5 of 5
RD-F-172 yellow Repo shows AI-tool co-authorship in critical files Confirmed: commit 964f0e3 (April 9, 2026) shows Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> in the git trailer. This commit modifies contracts/src/WLSETH.1.sol (production contract, 30 additions/17 deletions), adding nonReentrant modifiers to transfer and transferFrom. This is AI-tool co-authorship in a security-critical production contract file. The change is technically defensive, but procedurally notable as an AI-assisted production contract modification without a documented AI-specific review process. No other Copilot co-authored commits found in search.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Original protocol — not a copy or fork of an audited upstream. The bytecode-similarity concern (AI-copy of audited code with behavioral deviation) does not apply to the canonical original implementation.
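A way to make the RD-F-172 check repeatable over the whole history rather than one commit found by search, as an added example (not the project's own tooling): parse git trailers and flag AI co-authors on commits that touch production contracts. The bot-identity pattern and the critical-path pattern are assumptions of this example; the sample log is constructed (the 964f0e3 trailer and path follow the finding above, while its author name, subject and the other two commits are made up). Input is the output of `git log --format='%x1e%h%x1f%an%x1f%B' --name-only`.

```python
"""Added example (not Liquid Collective's own tooling): flag AI-tool co-authorship
trailers on commits that touch production contracts. Input is the output of

    git log --format='%x1e%h%x1f%an%x1f%B' --name-only

i.e. record separator 0x1e, field separator 0x1f, the full message body, then
the touched paths. SAMPLE_LOG below is constructed for illustration."""
from __future__ import annotations
import re

# Assumed heuristics for this example: identities of AI coding assistants, and the
# paths that count as production contract code.
AI_COAUTHOR = re.compile(r"copilot|claude|chatgpt|openai|cursor|aider|devin", re.I)
CRITICAL_PATH = re.compile(r"^contracts/src/.+\.sol$")
TRAILER = re.compile(r"^(?P<key>[A-Za-z][A-Za-z-]*):\s*(?P<value>\S.*)$")


def _paragraphs(text: str) -> list[list[str]]:
    paras, cur = [], []
    for ln in text.strip("\n").split("\n"):
        ln = ln.rstrip()
        if ln:
            cur.append(ln)
        elif cur:
            paras.append(cur)
            cur = []
    if cur:
        paras.append(cur)
    return paras


def parse_log(raw: str) -> list[dict]:
    """Parse records into {sha, author, subject, coauthors, files}."""
    commits = []
    for rec in raw.split("\x1e"):
        if not rec.strip():
            continue
        sha, author, body = rec.split("\x1f", 2)
        paras = _paragraphs(body)
        files: list[str] = []
        # --name-only appends the path list as the final paragraph; paths carry no
        # spaces and are not "Key: value" trailer lines.
        if len(paras) > 1 and all(" " not in ln and not TRAILER.match(ln) for ln in paras[-1]):
            files = paras.pop()
        trailers = []
        if len(paras) > 1 and all(TRAILER.match(ln) for ln in paras[-1]):
            trailers = [TRAILER.match(ln) for ln in paras.pop()]
        coauthors = [m["value"] for m in trailers if m["key"].lower() == "co-authored-by"]
        commits.append({
            "sha": sha, "author": author,
            "subject": paras[0][0] if paras else "",
            "coauthors": coauthors, "files": files,
        })
    return commits


def flag_ai_on_critical(commits: list[dict]) -> list[dict]:
    """Commits with an AI co-author trailer that also modify a production contract."""
    findings = []
    for c in commits:
        ai = [a for a in c["coauthors"] if AI_COAUTHOR.search(a)]
        crit = [f for f in c["files"] if CRITICAL_PATH.match(f)]
        if ai and crit:
            findings.append({"sha": c["sha"], "subject": c["subject"],
                             "ai_coauthors": ai, "critical_files": crit})
    return findings


# Constructed sample: the 964f0e3 trailer and path follow the finding above; the
# author names, subjects and the other two commits are made up.
SAMPLE_LOG = (
    "\x1e964f0e3\x1fdev-a\x1fAdd nonReentrant to WLSETH transfer and transferFrom\n\n"
    "Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>\n\n"
    "contracts/src/WLSETH.1.sol\n"
    "\x1eabc1234\x1fdev-b\x1fdocs: refresh BYOV ABIs\n\n"
    "Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>\n\n"
    "docs/abis/River.json\n"
    "\x1edef5678\x1fdev-a\x1fTighten oracle quorum check\n\n"
    "Co-authored-by: Jane Doe <jane@example.com>\n\n"
    "contracts/src/Oracle.1.sol\ncontracts/test/Oracle.t.sol\n"
)

if __name__ == "__main__":
    for f in flag_ai_on_critical(parse_log(SAMPLE_LOG)):
        print(f["sha"], f["critical_files"], f["ai_coauthors"])
```

Trailer co-authorship is only the visible part of AI involvement; commits squashed without trailers or authored from an AI-driven editor leave no such marker, so absence of findings is not evidence of absence, which is also why RD-F-173 treats team self-disclosure as a separate factor.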
RD-F-170 green Solc version used (known-bug versions flagged) foundry.toml pins solc = '0.8.34'. The only high-severity bug fixed in 0.8.34 is TransientStorageClearingHelperCollision (introduced 0.8.28, fixed 0.8.34); Liquid Collective uses the fixed version. Contracts still deployed at 0.8.10 predate several later-fixed compiler bugs (for example AbiReencodingHeadOverflowWithStaticArrayCleanup, fixed in 0.8.16), but none is assessed as affecting the staking/proxy patterns in use. Current development is on 0.8.34, which is bug-clear.
RD-F-173 green Team self-disclosure of AI-generated Solidity No explicit public team disclosure (blog, tweet, protocol docs) of AI-generated Solidity in security-critical paths identified. The Copilot co-authorship is visible in commit metadata (RD-F-172) but no team-level disclosure statement was found. Green per factor definition: no self-disclosure exists.
RD-F-174 green Dependency tree uses EOL Solidity version foundry.toml pins 0.8.34 — current, supported, not EOL. Previously deployed contracts at 0.8.10 remain live but 0.8.10 is within the supported 0.8.x series. No EOL Vyper (pre-0.3.0) or ancient Solidity (pre-0.5) usage found.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public Vulnerability Disclosure Policy publishes acknowledgment SLA of 1 business day. However, no remediation timeline SLA is published — no commitment of X days to fix or to notify affected parties. The ack SLA is partial; the full disclosure pipeline timeline is undisclosed. Score: yellow (partial SLA only).
RD-F-175 green Disclosure channel exists Public security disclosure channel documented and active: security@liquidcollective.io per the Vulnerability Disclosure Policy published on GitHub. Policy covers all deployed Liquid Collective protocols and products. Channel is publicly documented with 1-business-day acknowledgment SLA.
RD-F-177 green Prior known-ignored disclosure No evidence of a disclosed vulnerability being ignored before a subsequent exploit. Zero exploits in protocol history; no post-mortems describing ignored disclosures. Web search and OSINT found no reports of disclosure ignored by the Liquid Collective team.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE (Common Vulnerabilities and Exposures) or GHSA (GitHub Security Advisory) issued against Liquid Collective identified in web search. GitHub security repo (liquid-collective/security) does not publish any public GHSA advisories as of assessment date. Score: green (no advisory = no adverse flag per factor definition).
rubric_version v1.7.0 graded_at 2026-05-16 19:46:26 factors 184 protocol liquid-collective