defirisk.co
rubric v1.7.0

Empty cToken-style market (zero supply/borrow)

Multipli's assessment for RD-F-070 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

RD-F-070 [★ CRITICAL] — NOT APPLICABLE. Multipli is not a Compound V2 fork. No cToken-style markets with shared totalSupply/totalBorrow accounting exist. The protocol is an original ERC-4626 yield-aggregator vault. The 'empty market donation attack' vector does not apply to this architecture. ERC-4626 first-depositor share-inflation risk (the related but distinct attack surface) is scored under RD-F-074 and RD-F-075.

Sources #

  • GitHub
    Multipli-libs/Barebones-MultipliVault — GitHubBarebones-MultipliVault repository README: ERC4626Upgradeable inheritance, no Compound-fork fork statementretrieved 2026-05-17
  • Internal
    00-profile.md §5 Fork lineageProfile §5: 'Not forked / original implementation (V2 ERC-4626 vaults)'; MultipliVault.sol inherits from ERC4626Upgradeable — no Compound lineageretrieved 2026-05-17

Methodology #

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation-exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol multipli factor RD-F-070 score not_applicable collected_at 2026-05-17 11:48:35