Ondo Finance
Multi-product RWA tokenization platform: OUSG (tokenized US Treasuries for accredited investors), USDY (yield note for non-US non-accredited), Ondo Global Markets (tokenized US equities/ETFs, launched Sept 2025), and Flux Finance (Compound v2-fork lending accepting OUSG as collateral).
Deployments: Ethereum · $2.1B
Risk profile at a glance
0 red · 2 yellow · 9 green
Categories & evidence
184 factors · 13 categories
Code & audits Green 13 25 of 25
RD-F-001 yellow Audit scope mismatch Spearbit/Cantina March 2025 covers OUSG/USDY at commit 1b072be with bytecode match; Flux Finance last audited Code4rena Jan 2023 with no public commit SHA, making post-audit bytecode traceability infeasible for that component.
RD-F-002 yellow Audit recency OUSG/USDY most recent audit Spearbit March 2025 (~43 days); Flux Finance last full audit Code4rena January 2023 (~39 months, well beyond 730-day red threshold). Yellow rollup due to mixed recency across the two code surfaces.
RD-F-003 yellow Resolved-without-proof findings No high/critical finding on live code marked resolved without on-chain proof; however, older Code4rena fixes (Jan 2023) lack verifiable commit SHAs, making independent fix-commit confirmation infeasible.
RD-F-006 yellow Audit-to-deploy gap Spearbit March 2025 signed off 2025-03-16; specific deploy timestamps for the audited contracts not independently retrieved. Gap cannot be confirmed within 60-day green threshold due to missing deploy timestamps.
RD-F-010 yellow Static-analyzer high-severity count No published Slither/Mythril output. Published audits found Highs: C4 Jan 2023 (1H), C4 Apr 2024 (1H); all appear remediated. No independent tool run performed; yellow because confirmed Highs existed and tool-run verification absent.
RD-F-016 yellow Divide-before-multiply pattern No divide-before-multiply finding in any reviewed audit. No published Slither output available. Yellow — cannot confirm absence without independent tool run.
RD-F-017 yellow Mixed-decimals math without explicit scaling Code4rena Apr 2024 H-01: OUSGInstantManager calculates OUSG to mint based on USDC quantity (6 decimals) without checking USDC's current price — a cross-decimal pricing assumption bug. Classified High severity, marked resolved.
RD-F-024 yellow Code complexity vs audit coverage No single holistic full-codebase audit exists post-Jan 2023; coverage is product-by-product and incremental. C4 Jan 2023 covered 4,365 LOC; subsequent audits are targeted. Multi-audit approach partially compensates.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi Ondo Finance: $1M max, 88 assets in scope. Full in-scope contract list not confirmed from public page. OUSG proxy (~$2B TVL) explicit in-scope status unverified. Yellow — large program but highest-TVL contract coverage not independently confirmed.
RD-F-009 gray Formal verification coverage No Certora, Halmos, or Kani formal verification found in public Ondo or Flux Finance documentation, GitHub repos, or audit reports. Protocol has not declared a published critical-invariant set.
RD-F-004 green Audit count Minimum 6 distinct auditing entities for OUSG/USDY (Code4rena x3, Zokyo, Cyfrin, Halborn, Spearbit/Cantina); 12 distinct firms across all active Ondo products. Far exceeds green threshold of >=2 distinct firms.
RD-F-005 green Audit firm tier Spearbit (via Cantina, March 2025) is Tier-1; Zellic (Dec 2025, GM Solana) is Tier-1. At least one Tier-1 firm has audited deployed code within the last 12 months.
RD-F-007 green Bug bounty presence & max payout Immunefi Ondo Finance: active, max payout $1,000,000 (88 assets in scope). Immunefi Flux Finance: active, max payout $550,000. Both exceed $500K green threshold.
RD-F-008 green Ignored bounty disclosure No security exploits on record; Rekt DB incidents list empty per data cache; profile §10 confirms zero security incidents as of April 2026. No evidence of any disclosed vulnerability ignored before exploit.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT findings in any reviewed audit (6+ contests). USDY.sol source confirms no selfdestruct. Flux Finance follows Compound v2 patterns which do not use selfdestruct in core lending logic.
RD-F-012 green delegatecall with user-controlled target No user-controlled delegatecall findings in any reviewed audit. Flux Finance Unitroller uses delegatecall only for standard proxy implementation routing, not user-controlled.
RD-F-013 green Arbitrary call with user-controlled target No arbitrary external call with user-controlled target/data findings in any reviewed audit. OUSG/USDY routes through RWAHub/manager contracts with defined interfaces.
RD-F-014 green Reentrancy guard on external-calling functions No reentrancy findings across 6+ audit contests. OZ upgradeable patterns include ReentrancyGuardUpgradeable where applicable. No reentrancy exploit has occurred.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard OUSG, USDY, fOUSG, fUSDC are standard ERC-20 tokens. No ERC-777/1155/721 callback integration found in any reviewed audit or source inspection.
RD-F-018 green Signed/unsigned arithmetic confusion No signed/unsigned arithmetic confusion findings in any reviewed audit or Spearbit 2025 review.
RD-F-019 green ecrecover zero-address return unchecked Code4rena Jan 2023 M-04 flagged KYCRegistry signature replay (replay attack, not zero-address return). No ecrecover zero-address unchecked finding in any audit. GovernorBravo follows well-audited Compound v2 pattern.
RD-F-020 green EIP-712 domain separator missing chainId No chainId-absent domain separator finding in any audit. Code4rena Jan 2023 M-04 (signature replay) was general replay protection; no specific EIP-712 chainId-absent finding.
RD-F-021 green UUPS _authorizeUpgrade correctly permissioned OUSG and USDY use EIP-1967 Transparent Proxy (not UUPS). Flux Finance Unitroller uses Compound v2 proxy pattern. No UUPS pattern on core contracts — factor not applicable as a risk vector.
RD-F-022 green Public initialize() without initializer modifier USDY.sol uses OZ `initializer` modifier on initialize() and calls `_disableInitializers()` in constructor (confirmed via GitHub). OUSG implementation confirms OZ Initializable pattern. No unprotected initialize() found on live implementations.
RD-F-023 green Constructor calls _disableInitializers() USDY.sol constructor confirmed to call `_disableInitializers()` (GitHub source). OUSG implementation consistent with OZ upgradeable pattern. Flux Finance cToken contracts (Solidity 0.5.17) are not upgradeable proxies and not subject to this check.
Governance & admin Green 18 24 of 24
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Management Multisig: 4/7. Treasury Multisig: 4/7. Flux Timelock admin (0x118919e891D0205A7492650AD32E727617FA9452) is a GnosisSafeProxy but threshold/owners not confirmed (Safe API 403).
RD-F-028 yellow Low-threshold multisig vs TVL 4-of-7 management multisig controls $3.56B TVL. Numerically adequate but 7 signer EOAs have no publicly attested identities. Comparable TVL-tier protocols typically run 5/9 or higher.
RD-F-032 yellow Timelock duration on upgrades Layer A (OUSG/USDY): no timelock on upgrades — ProxyAdmin (0xBA80Aa44cC25E85CC30359150dfB1C7D041CF6d5) is standard Ownable, upgrades execute immediately. Layer B (Flux Finance): 86,400 seconds = 24 hours timelock.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader PAUSER_ROLE is a distinct named role from DEFAULT_ADMIN_ROLE in AccessControl, but the management multisig holds DEFAULT_ADMIN_ROLE and can reassign any role — functional separation is limited. No separate guardian confirmed for Flux Finance.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle CONFIGURER_ROLE, PAUSER_ROLE, DEFAULT_ADMIN_ROLE are named distinctly in AccessControl, but all ultimately controlled by the management multisig which holds DEFAULT_ADMIN_ROLE and can reassign any role.
RD-F-039 yellow delegatecall/call in proposal execution without allowlist Compound Timelock uses target.call{value}(callData) — NOT delegatecall. RD-F-039 criterion for red (delegatecall) is not met. No target allowlist exists (any address can be proposal target via regular call), which is residual governance attack surface but not delegatecall-class risk.
RD-F-040 yellow Emergency-veto multisig present No emergency-veto multisig identified for Flux Finance governance. Docs mention DAO 'might elect committees or multisigs' for emergencies but no dedicated veto structure confirmed.
RD-F-042 yellow Admin has mint() with unlimited max OUSG and USDY tokens have MINTER_ROLE with no on-chain supply cap. ONDO governance token has 10B hard cap. RWA token minting is economically bounded by real-world collateral, and minting is gated to management multisig role. Assessed yellow not red.
RD-F-167 yellow Deprecated contract paused but pause reversible by live admin OUSG Manager legacy (0xF16c188c2D411627d39655A60409eC6707D3d5e8) labeled 'legacy' but showed transaction activity as recently as April 2024. Management multisig still holds admin roles, extending admin scope into a potentially superseded contract.
RD-F-029 gray Multisig signers co-hosted Not assessed — signer identities are not publicly known; co-hosting analysis cannot be performed.
RD-F-030 gray Hot-wallet signer flag Not assessed — requires on-chain behavioral heuristics per signer address.
RD-F-033 n/a Timelock on sensitive actions [PD-042 rescore 2026-05-12, v1.7.0+] Timelock on admin actions is incompatible with the regulatory response model: the issuer must be able to act immediately on court-ordered freeze, sanctions compliance, or fund-rules changes. Scored not_applicable per PD-042 (Cat 2 RWA-issuer subset). Residual operational risk of key compromise is captured by multisig-coverage factors (yellow rather than N/A).
ORIGINAL EVIDENCE (preserved from v1.6.0 grading): Layer A: No timelock on mint, pause, retrieveTokens, setOracle, or upgrade for OUSG/USDY/InstantManager contracts. The dominant $3.5B+ TVL operates with no timelock protection. Layer B (Flux Finance): 24h timelock only.
RD-F-041 n/a Rescue/emergencyWithdraw without timelock [PD-042 rescore 2026-05-12, v1.7.0+] Forcible seize / burn / retrieve-token paths are the defining feature of a regulated tokenized RWA, REQUIRED by KYC, sanctions, and court-order compliance regimes. Treating them as a rug-risk signal misframes the protocol type. Scored not_applicable per PD-042 (Cat 2 RWA-issuer subset).
ORIGINAL EVIDENCE (preserved from v1.6.0 grading): [CRITICAL] ousgInstantManager.sol exposes retrieveTokens(address token, address to) callable by DEFAULT_ADMIN_ROLE with no timelock. USDY InstantManager has the same pattern. Management multisig (4/7) can drain contract balances in one transaction. RWAHub.sol confirms no timelock on any admin functions.
RD-F-044 gray Admin wallet interacts with flagged addresses Not assessed — requires Chainalysis-style feed against management and treasury multisig signer addresses.
RD-F-045 gray Constructor args match governance proposal Not assessed — Flux Finance FIP-00 genesis proposal describes economic parameters but constructor arguments for deployed contracts were not cross-verified.
RD-F-047 gray Governance token concentration (Gini) Not fully assessed. Proposal threshold 100M ONDO (2.05% of circulating — very high). Quorum 1M ONDO (0.02% of circulating — very low). Gini coefficient not computed.
RD-F-025 green Admin key custody type Layer A uses 4/7 Gnosis Safe multisig (0xAEd4caF2E535D964165B4392342F71bac77e8367). Layer B uses DAO + Timelock. No single EOA admin.
RD-F-027 green Single admin EOA No single EOA holds admin on either governance layer. Management multisig is 4/7 Safe; Flux Finance uses DAO + Timelock.
RD-F-031 green Signer rotation recency Management multisig created Dec 21, 2022; most recent activity Feb 2026. No signer-set change events detected. 7 signers appear unchanged since creation.
RD-F-036 green Flash-loanable voting weight ONDO token uses Compound-style getPriorVotes(address, blockNumber) with block-number checkpoints. Voting power sampled at a prior block. Flash loans cannot inflate voting weight at proposal creation block.
RD-F-037 green Quorum achievable via single-entity flash loan ONDO uses block-number checkpoints — flash loan attack blocked. Quorum of 1,000,000 ONDO is low but requires large holder coordination, not a flash loan.
RD-F-038 green Proposal execution delay < 24h Flux Finance minimum execution time = voting period (3 days) + timelock (1 day) = 4 days minimum. Not less than 24 hours.
RD-F-043 green Admin = deployer EOA after 7 days Management multisig deployed Dec 21, 2022 — before OUSG mainnet launch Jan 26, 2023. Admin was multisig from day 1 of the live product.
RD-F-046 green Contract unverified on Etherscan/Sourcify All key Ethereum contracts verified on Etherscan with public ABIs: OUSG token, USDY token, GovernorBravoDelegator, Timelock, Flux Comptroller, fOUSG, fUSDC.
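An added example (not ONDO's or Compound's deployed code) of the block-number checkpointing that RD-F-036 and RD-F-037 rely on: weight is only ever read from a block that is already final, so a flash loan borrowed and repaid inside one block never reaches the sampled weight. The contract name and the assumption that every holder self-delegates (balance equals weight) are simplifications of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative Compound-style vote checkpointing; not ONDO's deployed code.
/// Weight is always read from a checkpoint recorded at an EARLIER block, so
/// tokens flash-borrowed and returned within one block never reach the
/// weight that governance samples (proposal threshold at block.number - 1,
/// vote weight at the proposal's start block).
contract CheckpointVotes {
    struct Checkpoint { uint32 fromBlock; uint96 votes; }

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(uint32 => Checkpoint)) public checkpoints;
    mapping(address => uint32) public numCheckpoints;

    constructor(uint256 supply) {
        require(supply <= type(uint96).max, "supply too large");
        balanceOf[msg.sender] = supply;
        _writeCheckpoint(msg.sender, 0, uint96(supply));
    }

    /// Self-delegation is assumed throughout for brevity: balance == weight.
    function transfer(address to, uint256 amount) external {
        require(amount <= type(uint96).max, "amount too large");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        _moveVotes(msg.sender, to, uint96(amount));
    }

    /// Compound semantics: the current block is rejected, so a caller can
    /// only ever read weight that was settled before its own transaction.
    function getPriorVotes(address account, uint256 blockNumber) public view returns (uint96) {
        require(blockNumber < block.number, "not yet determined");
        uint32 n = numCheckpoints[account];
        if (n == 0) return 0;
        // Fast paths: newest checkpoint already old enough, or none old enough.
        if (checkpoints[account][n - 1].fromBlock <= blockNumber) return checkpoints[account][n - 1].votes;
        if (checkpoints[account][0].fromBlock > blockNumber) return 0;
        // Binary search for the newest checkpoint at or before blockNumber.
        uint32 lower = 0;
        uint32 upper = n - 1;
        while (upper > lower) {
            uint32 center = upper - (upper - lower) / 2; // ceiling midpoint, no overflow
            Checkpoint memory cp = checkpoints[account][center];
            if (cp.fromBlock == blockNumber) return cp.votes;
            if (cp.fromBlock < blockNumber) lower = center; else upper = center - 1;
        }
        return checkpoints[account][lower].votes;
    }

    /// What a GovernorBravo-style propose() checks: weight one block back,
    /// which a same-block flash loan cannot have touched.
    function meetsProposalThreshold(address proposer, uint256 threshold) external view returns (bool) {
        return getPriorVotes(proposer, block.number - 1) >= threshold;
    }

    function _moveVotes(address from, address to, uint96 amount) internal {
        uint32 nf = numCheckpoints[from];
        uint96 oldFrom = nf > 0 ? checkpoints[from][nf - 1].votes : 0;
        _writeCheckpoint(from, nf, oldFrom - amount);
        uint32 nt = numCheckpoints[to];
        uint96 oldTo = nt > 0 ? checkpoints[to][nt - 1].votes : 0;
        _writeCheckpoint(to, nt, oldTo + amount);
    }

    function _writeCheckpoint(address account, uint32 n, uint96 newVotes) internal {
        uint32 blk = uint32(block.number);
        if (n > 0 && checkpoints[account][n - 1].fromBlock == blk) {
            // Same block: overwrite in place. A borrow-then-repay within one
            // block therefore leaves the checkpoint exactly where it started.
            checkpoints[account][n - 1].votes = newVotes;
        } else {
            checkpoints[account][n] = Checkpoint(blk, newVotes);
            numCheckpoints[account] = n + 1;
        }
    }
}
```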
Oracle & external dependencies Yellow 20 17 of 17
RD-F-048 yellow Oracle providers used **Two distinct oracle systems.** (1) OUSG/USDY custom oracle: Pricer.sol (OUSG NAV, trusted EOA daily post) and RWADynamicOracle.sol `0xa0219aa5b31e65bc920b5b6dfb8edf0988121de0` (USDY, SETTER_ROLE sets time ranges). (2) Flux Finance: 6 Chainlink feeds (COMP, ETH, BTC, LINK, USDC, USDT). (3) Sanctions screening: Chainalysis oracle (SanctionsListClient.sol). (4) Ondo GM SyntheticSharesOracle (admin NAV).
RD-F-049 yellow Oracle role per asset OUSG: Pricer.sol = Primary + only source (no fallback). USDY: RWADynamicOracle.sol = Primary + only source. Flux Finance: each Chainlink feed is Primary + only source per asset. Chainalysis: Primary gate for sanctions (blocking function). No secondary or fallback defined for any asset.
RD-F-051 yellow Fallback behavior on oracle failure **No on-chain fallback for OUSG/USDY oracles.** If Pricer.sol becomes unavailable or posts zero/stale value, OUSG minting reverts. If RWADynamicOracle is paused, USDY minting reverts. No secondary price source configured. For Flux Finance Chainlink feeds: Compound v2 fork pattern — no fallback, operations revert on stale/zero oracle. Chainalysis oracle: reverts if unavailable, blocking USDY minting entirely.
RD-F-052 yellow Breakage analysis per dependency See dependency failure analysis table above. Critical paths: OUSG/USDY oracle failure = mint/redeem halt; Chainalysis failure = USDY mint blocked; LayerZero failure = cross-chain blocked. Flux Finance Chainlink failure = Flux lending ops affected (separate TVL, smaller). OUSG/USDY core products have ~$2B+ at risk from oracle/custody failure.
RD-F-057 yellow Circuit breaker on price deviation **No circuit breaker on OUSG Pricer.** RWADynamicOracle has `pauseOracle()` (admin-triggered) but no automatic circuit breaker triggering on price deviation detection. Flux Finance Comptroller does not implement a circuit breaker beyond standard Compound v2 mechanics (no deviation-based halt).
RD-F-058 yellow Max-deviation threshold (bps) No deviation-based circuit breaker configured for OUSG or USDY oracle. Not applicable in the traditional sense — these are NAV oracles, not DEX spot prices. Flux Finance inherits Compound v2 defaults with no per-asset deviation threshold.
RD-F-059 yellow Oracle staleness check present **No on-chain staleness check for OUSG Pricer or USDY RWADynamicOracle.** The RWADynamicOracle serves prices based on a time-range formula — if a range expires without being replaced, the formula continues from the last configured range but may be stale relative to actual NAV. No `updatedAt` freshness enforcement in the consuming contracts (InstantManager). Flux Finance uses Chainlink feeds; evidence suggests Compound v2 fork pattern — FluxOracle uses `latestAnswer()` (deprecated) rather than `late...
RD-F-060 yellow Chainlink aggregator min/max bound misconfig Applies only to Flux Finance Chainlink feeds. Compound v2 forks commonly inherit the ETH/USD floor-bug class. Chainlink aggregators for ETH/USD (`0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419`) have configured min/max bounds at the aggregator level. The FluxOracle implementation (Compound v2 fork) may not check these bounds explicitly if it uses `latestAnswer()`. The NetherMind April 2023 audit covered Flux oracle pricing (1 Medium, 4 Low) but specific min/max-bound misconfig not flagged as a fi...
RD-F-062 yellow External keeper/relayer not redundant **Chainalysis oracle as a single-point gating dependency for USDY minting.** If Chainalysis oracle is unreachable, USDY mint reverts with no fallback. The protocol also relies on the admin oracle EOA for daily OUSG NAV posts — single-key operation not confirmed as redundant. No keeper/Gelato dependency identified for core ops.
RD-F-054 n/a TWAP window duration Not applicable — no TWAP oracle used. OUSG/USDY use custom NAV-based oracles. Flux Finance uses Chainlink push feeds, which do not use TWAP.
RD-F-055 n/a Oracle pool depth (USD) Not applicable — no DEX pool underlying any oracle in use.
RD-F-050 green Dependency graph (protocols depended upon) Mapped above. Key external dependencies: (1) Chainalysis (sanctions gating for mint); (2) LayerZero EndpointV2 (cross-chain); (3) BlackRock BUIDL (off-chain custodian for OUSG backing); (4) Chainlink (Flux Finance only). Ondo core products (OUSG/USDY) are NOT dependent on Chainlink — this is a common misconception.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) **Neither custom oracle uses a spot DEX pool.** Pricer.sol is an off-chain-calculated NAV posted daily. RWADynamicOracle.sol is a time-range interpolation formula with admin-set interest rates. Chainlink feeds (Flux) are not DEX pools. The custom oracle design is a *different* risk class (centralized trust, not DEX manipulation), addressed primarily in F051 and F059. Literal RD-F-053 criterion (spot DEX source) not met.
RD-F-056 green Single-pool oracle (no medianization) Not applicable for the custom NAV oracles. For Flux Finance Chainlink feeds: single feed per asset (no medianization), but this is standard for Chainlink and does not create the DEX-pool manipulation vector.
RD-F-061 green LP token balanceOf used for pricing No LP token pricing pattern identified. OUSG/USDY use custom NAV oracles, not LP token balances. Flux Finance uses Chainlink feeds, not LP balances.
RD-F-180 green Immutable oracle address **GREEN — oracle IS admin-replaceable, but without timelock.** The OUSG InstantManager (`0x93358db73B6cd4b98D89c8F5f230E81a95c2643a`) includes `setOndoOracle()` callable by `CONFIGURER_ROLE`, allowing the oracle address to be updated. The RWADynamicOracle address in USDY InstantManager is similarly admin-settable. This means the F180 "immutable oracle / cannot be replaced" failure mode does NOT apply. The oracle can be replaced. However, there is NO timelock on this change — the oracle can be...
RD-F-181 green Permissionless-pool lending oracle Not applicable. Flux Finance is not a permissionless lending market where any user can list assets with arbitrary oracle sources. Asset listing is governed by Ondo DAO (GovernorBravo) with restricted access. OUSG/USDY pricing uses admin-controlled custom oracles — no permissionless pool oracle acceptance. The Rhea Finance pattern (fake pools, permissionless oracle) does not apply.
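To make the RD-F-059/RD-F-060 gap concrete, here is an added example (not FluxOracle or any Ondo code) placing the bare `latestAnswer()` reader beside a consumer that enforces a per-feed heartbeat and aggregator bounds. The contract names, the use of the 82,800-second USDC/USD heartbeat from RD-F-073 in a comment, and the assumption that the admin mirrors each aggregator's configured min/max into the consumer are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Chainlink aggregator surface used below (real Chainlink signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestAnswer() external view returns (int256); // deprecated
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// The pattern the report flags: a Compound-v2-style reader that trusts the bare answer.
contract WeakPriceReader {
    function getPrice(AggregatorV3Interface feed) external view returns (uint256) {
        // No timestamp, so a feed that stopped updating is indistinguishable from a
        // live one; no bounds, so an answer clamped at the aggregator's floor or cap
        // is priced as if it were real.
        return uint256(feed.latestAnswer());
    }
}

/// Hardened reader: per-asset heartbeat and sanity bounds, reverting on anything stale.
contract GuardedPriceReader {
    struct FeedConfig {
        AggregatorV3Interface feed;
        uint256 heartbeat;  // max seconds between updates, e.g. 82_800 for USDC/USD
        int256 minAnswer;   // mirror of the aggregator's floor; answers at/below it are rejected
        int256 maxAnswer;   // mirror of the aggregator's cap; answers at/above it are rejected
    }

    address public immutable admin;
    mapping(address => FeedConfig) public configs; // asset => config

    error StalePrice(uint256 updatedAt, uint256 heartbeat);
    error AnswerOutOfBounds(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    constructor() {
        admin = msg.sender;
    }

    function setFeed(address asset, AggregatorV3Interface feed, uint256 heartbeat, int256 minAnswer, int256 maxAnswer) external {
        require(msg.sender == admin, "not admin");
        require(address(feed) != address(0) && heartbeat > 0, "bad feed");
        require(minAnswer >= 0 && minAnswer < maxAnswer, "bad bounds");
        require(feed.decimals() <= 18, "unsupported decimals");
        configs[asset] = FeedConfig(feed, heartbeat, minAnswer, maxAnswer);
    }

    /// Returns the price scaled to 18 decimals, or reverts so that dependent
    /// lending operations halt instead of settling against a bad value.
    function getPrice(address asset) external view returns (uint256) {
        FeedConfig memory c = configs[asset];
        require(address(c.feed) != address(0), "no feed");

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = c.feed.latestRoundData();

        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > c.heartbeat) {
            revert StalePrice(updatedAt, c.heartbeat);
        }
        // Strict comparison: an answer sitting exactly on the floor or cap is the
        // signature of a clamped feed (the ETH/USD floor-bug class named in RD-F-060).
        if (answer <= c.minAnswer || answer >= c.maxAnswer) revert AnswerOutOfBounds(answer);

        return uint256(answer) * 10 ** (18 - c.feed.decimals());
    }
}
```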
Economic risk Green 7 13 of 13
RD-F-068 yellow Collateralization under stress OUSG-collateralized positions in Flux Finance use a 92% collateral factor (LTV), implying a liquidation threshold above which positions are seized. Under a stress scenario: (a) OUSG NAV drops rapidly (e.g., if underlying T-bills or BUIDL face a temporary liquidity event), (b) Flux's NAV oracle (daily update) cannot mark OUSG down intra-day, and (c) the liquidator pool is restricted to KYC-whitelisted users. These three factors compound: a sharp NAV decline may not be reflected in the oracle i...
RD-F-064 gray TVL concentration (top-10 wallet share) Not assessed via on-chain scan (outside agent time budget). For RWA products, "TVL concentration" is structurally distinct from DeFi lending protocols — OUSG has a $100K minimum and KYC requirement, meaning institutional holders dominate; top-10 wallet concentration is expected to be high but structurally mitigated by the KYC/redemption gate rather than creating a bank-run dynamic. USDY has no minimum for non-US users, distribution across 13+ chains. Not a red flag at this protocol type.
RD-F-065 gray Liquidity depth per major asset OUSG and USDY liquidity is primarily via Ondo's own direct redemption, not DEX pools. OUSG instant redemption backed by BlackRock BUIDL supports same-day USDC settlement (T+0 via Circle); USDY has a similar path. There is no DEX pool providing primary price discovery — the assets are NAV-pegged, not market-traded. Secondary DeFi liquidity (e.g., fUSDC/fDAI on Curve, OUSG on Morpho as collateral) exists at small size relative to TVL. 2%/5% slippage depth metric is not meaningful for NAV-pegged r...
RD-F-066 gray Utilization rate (lending protocols) Applies to Flux Finance only (the lending sub-product). Flux Finance TVL is tracked separately by DefiLlama under the `flux-finance` slug; the ondo-finance data cache shows `borrow.present: false`, which means DefiLlama does not aggregate borrow data under the `ondo-finance` slug. Specific utilization data for fUSDC/fDAI markets not retrieved within time budget. Historical context: Flux Finance TVL peaked around $50-70M in late 2023, has declined since as OUSG yield has exceeded borrow rates. ...
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Not assessed in legacy .md report. Flux Finance is a Compound V2 fork but this specific factor (empty cToken market) requires on-chain verification of totalSupply/totalBorrow for each listed market. Not covered in the original ops-history extraction.
RD-F-071 gray Seed-deposit requirement for new market listing No code-level seed-deposit requirement found. FIP-00 genesis governance proposal does not specify a minimum seed deposit. Flux Finance documentation recommends manual seed deposit by the team but does not enforce it in code. This is a structural gap: any governance proposal to add a new market could leave it empty until manually seeded. No evidence of a comptroller-level minimum supply check before borrow-enable.
RD-F-073 gray Oracle-manipulation-proof borrow cap OUSG cannot be borrowed (collateral-only). Stablecoin markets (USDC, DAI) use Chainlink oracle feeds (confirmed in data cache: USDC/USD at 0x8fFfFfd4AfB6115b954Bd326cbe7B4BA576818f6, USDT/USD at 0x3E7d1eAB13ad0104d2750B8863b489D65364e32D). Chainlink feed deviation threshold for USDC is 0.25%, heartbeat 82,800s (~23h). For OUSG collateral: the custom NAV Pricer is a trusted EOA posting daily prices — this is a centralized oracle, not manipulable via DEX pool depth but vulnerable to admin key c...
RD-F-074 gray ERC-4626 virtual-share offset (OZ ≥4.9) OUSG and USDY are NOT ERC-4626 vaults. They use a custom RWAHub/USDYManager architecture with off-chain asset management and asynchronous mint/redemption. The OZ ≥ 4.9 virtual-share offset check is not applicable. Flux Finance uses Compound v2 cToken mechanics (not ERC-4626), where the protection pattern is seed deposits rather than virtual-share offsets. Ondo's GitHub shows `oz_contracts_version: "4.8.3"` (data cache) — below OZ 4.9, but this version is used for peripheral utility contracts,...
RD-F-075 gray First-depositor / share-inflation guard For Flux Finance cToken markets: no on-chain first-depositor guard exists. Acknowledged out-of-scope in bug bounty. Manual mitigation (team seeds the market) is the only protection. For OUSG/USDY: not applicable (not share-based vaults). For OUSG in Flux as collateral: when the fOUSG market was initialized, it appears the team manually seeded it (current balance ~$38.7M); no evidence of exploitation to date. Structural gap remains for any future market listing.
RD-F-063 green TVL (current + 30d trend) Current TVL: $3.558B. 30d trend: +22.19%. 1d: +0.08%. Ondo is at or near all-time high as of April 2026. TVL is rapidly growing — up from ~$1B in mid-2024 to $3.5B+ by April 2026. Composition is pure RWA (OUSG ~$600M est., USDY ~$700M+, Global Markets ~$323M BSC, ~$323M XRPL, plus multi-chain USDY).
RD-F-067 green Historical bad-debt events No bad debt events documented for Flux Finance or Ondo core products. Rekt database shows `incidents: []`. No bad debt events appear in any web search of Ondo Finance security incidents. The protocol has operated since January 2023 (39 months) without a documented bad-debt socialization event. The KYC-gated OUSG collateral creates a restricted liquidator pool (structural risk noted under RD-F-068), but no realized bad debt has occurred.
RD-F-069 green Algorithmic / under-collateralized stablecoin USDY is NOT an algorithmic or under-collateralized stablecoin. It is a yield-bearing note backed 103% by physical assets (bank deposits ~65% + short-term US Treasuries ~35% + 3% overcollateralization buffer). OUSG is fully backed by BlackRock BUIDL (T-bill money market fund). Neither product uses algorithmic stabilization mechanisms. Ondo Global Markets tokens are fully synthetic/collateralized representations of TradFi assets.
RD-F-072 green Market-listing governance threshold Flux Finance uses Ondo DAO (GovernorBravo fork) to govern market listings. Proposal threshold: 100,000,000 ONDO tokens (1% of total supply of 10B). Quorum: 1,000,000 ONDO. Voting period: 3 days. This is a relatively **high threshold** (100M ONDO), reducing permissionless listing risk. New markets cannot be listed without a substantial token holder vote. The genesis markets (fOUSG, fUSDC, fDAI) were listed via FIP-00 governance vote. This is the correct model: listing is governance-gated, not ...
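As an added example for the RD-F-071/RD-F-075 gap (not Flux Finance code), a hypothetical listing guard that refuses to enable borrowing until a governance-supplied seed deposit has been minted into the market and locked, enforcing on-chain what the page says is currently a manual runbook step. `SeededListingGuard`, `CTokenLike`, the standard-ERC-20 return values, and the Comptroller integration via `borrowAllowed()` are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of the Compound v2 cToken surface used here (real cToken signatures).
interface CTokenLike {
    function underlying() external view returns (address);
    function totalSupply() external view returns (uint256);
    function getCash() external view returns (uint256);
    function mint(uint256 mintAmount) external returns (uint256); // 0 == NO_ERROR
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Hypothetical listing guard: a market can only be opened for borrowing in the
/// same transaction that seeds it. The seed cTokens are held by this contract,
/// which has no redeem path, so totalSupply can never return to zero (the
/// empty-market precondition the report describes).
contract SeededListingGuard {
    address public immutable admin;               // e.g. the governance Timelock
    uint256 public immutable minSeedUnderlying;   // floor in underlying units
    mapping(address => bool) public borrowEnabled;

    event MarketSeeded(address indexed market, uint256 seedAmount, uint256 supplyAfterSeed);

    constructor(address admin_, uint256 minSeedUnderlying_) {
        require(admin_ != address(0) && minSeedUnderlying_ > 0, "bad config");
        admin = admin_;
        minSeedUnderlying = minSeedUnderlying_;
    }

    /// Seeds `market` with `seedAmount` of its underlying pulled from the admin,
    /// then enables borrowing. Assumes a standard ERC-20 that returns bool.
    function seedAndEnableBorrow(CTokenLike market, uint256 seedAmount) external {
        require(msg.sender == admin, "not admin");
        require(!borrowEnabled[address(market)], "already enabled");
        require(seedAmount >= minSeedUnderlying, "seed below floor");

        IERC20 u = IERC20(market.underlying());
        require(u.transferFrom(msg.sender, address(this), seedAmount), "transferFrom failed");
        require(u.approve(address(market), seedAmount), "approve failed");
        require(market.mint(seedAmount) == 0, "cToken mint failed");

        // Post-conditions checked on-chain rather than in a runbook.
        uint256 supplyAfterSeed = market.totalSupply();
        require(supplyAfterSeed > 0, "market still empty");
        require(market.getCash() >= seedAmount, "cash not credited");

        borrowEnabled[address(market)] = true;
        emit MarketSeeded(address(market), seedAmount, supplyAfterSeed);
    }

    /// Hook a Comptroller's borrowAllowed() could consult: borrowing stays
    /// blocked unless the market was seeded through this guard AND the market
    /// still has supply (defence in depth if shares ever leave).
    function borrowAllowed(address market) external view returns (bool) {
        return borrowEnabled[market] && CTokenLike(market).totalSupply() > 0;
    }
}
```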
Operational history Gray 0 15 of 15
RD-F-076 gray Protocol age (days) Live since January 26, 2023 (OUSG mainnet deploy). Age at assessment: 820 days (approximately 39 months). Source: profile §2; RWA.xyz OUSG inception date. PASS — exceeds 12-month A-grade floor by 3x. **Green.**
RD-F-077 gray Prior exploit count Zero. No on-chain exploits, hacks, or governance attacks found across all available sources (Rekt DB, DeFiYield, SlowMist web search, Immunefi disclosed bounties, protocol blog, hacksdatabase/). Data cache `rekt.incidents: []`. **Green.**
RD-F-078 gray Chronic-exploit flag (≥3 incidents) False. Zero exploits → chronic threshold of 3 not met. **Green.**
RD-F-079 gray Same-root-cause repeat exploit False. Zero exploits → no repeat root-cause pattern possible. **Green.**
RD-F-080 gray Days since last exploit N/A — no exploits on record. Field value: N/A (treat as green for display). **Green (N/A).**
RD-F-081 gray Post-exploit response score N/A — no exploits on record; no response to score. **Green (N/A).**
RD-F-082 gray Post-mortem published within 30 days N/A — no exploits on record; no post-mortem applicable. The Ondo security blog post ("Ondo Security Philosophy — Why Ondo Stayed Live," `https://ondo.finance/blog/ondo-security-philosophy`) addresses the Kelp DAO incident on April 19, 2026, confirming Ondo Bridge was unaffected — this is a proactive security communication, not a post-mortem. **Green (N/A).**
RD-F-083 gray Auditor re-engaged after last exploit N/A — no exploits on record. Note: ongoing audit cadence is strong (24+ engagements across 12 firms through Feb 2026 — see profile §8). **Green (N/A).**
RD-F-084 gray TVL stability (CoV over 90d) Data cache shows +22.19% over 30 days; TVL at or near all-time high ($3.56B). No evidence of sudden TVL drops. The 30-day trend is strongly positive, consistent with organic growth rather than distress. Full 90-day σ/μ calculation not available from data cache alone. [?] Incomplete — pipeline did not capture trailing 90-day TVL time series. Based on available signal: **Yellow (data gap)** — quantitative CoV not computable; directional signal is strongly positive.
RD-F-085 gray Incident response time (minutes) N/A — no incidents on record. The Kelp DAO response on April 19, 2026 (Ondo's bridge security statement) was published the same day as the Kelp DAO attack and before user-visible impact — demonstrating responsive communication capability. **Green (N/A).**
RD-F-086 gray Pause activations (trailing 12 months) No pause activations found in trailing 12 months or historically. On-chain event search not automated for this assessment, but no public record of Ondo Finance pausing any contract found. [?] Web search and blog confirm continuous operation. **Green (no evidence of pauses).**
RD-F-087 gray Pause > 7 consecutive days False. No pause events found. **Green.**
RD-F-088 gray Re-deployed to new addresses in last year Partial evidence: OUSG Manager (legacy) `0xF16c188c2D411627d39655A60409eC6707D3d5e8` was superseded by OUSG InstantManager 2 (`0x93358db73B6cd4b98D89c8F5f230E81a95c2643a`). The redeployment appears to have occurred in 2023–2024 (InstantManager 2 is listed as current in the April 2024 Code4rena audit scope). This is an expected protocol evolution (new product version), not an emergency redeploy. **Yellow** — redeployment occurred but predates 12-month window and appears routine.
RD-F-089 gray Insurance coverage active No Nexus Mutual, Unslashed, Sherlock, or equivalent active coverage found for Ondo Finance. Web search and data cache do not show an active cover. Given Ondo's RWA/institutional model (permissioned, accredited investors), traditional DeFi insurance covers may not be structurally applicable. [?] Not confirmed via insurance provider APIs — gap. **Yellow (not found).**
RD-F-166 gray Deprecated contracts still holding value Finding: OUSG Manager legacy contract holds 0 ETH and 0 tokens (dormant since April 15, 2024).
OSTB/OHYG deprecated products: contract addresses not publicly resolvable; DefiLlama shows $0 TVL for any v1 products. No material value confirmed in any deprecated surface. **Green.**
Real-time signals Green 0 22 of 22
RD-F-090 gray Mixer withdrawal → protocol interaction Partially. OUSG/USDY KYC gate limits permissioned-mint surface; Flux Finance and secondary markets are open.
RD-F-094 gray New contract with similar bytecode to exploit template Applicable — exploit contract impersonating Ondo's RWAHub or Flux Finance's cToken contracts is a plausible attack vector.
RD-F-096 gray New ERC-20 approval to unverified contract from whale Applicable to ONDO token and USDY approvals.
RD-F-099 gray Oracle price deviation >X% from secondary Bifurcated: (A) Flux Finance Chainlink feeds — yes, standard RD-F-099 applies; (B) OUSG/USDY Pricer/RWADynamicOracle — not applicable (daily NAV, no secondary).
RD-F-103 gray Bridge signer-set change proposed/executed [2026-05-12 re-scored gray per PD-042 source-backfill audit] Curator's original yellow assessment cited USDY LayerZero OFT 4-DVN config. Ondo's data cache (`00-data-cache.json`) reports `layerzero.present: false` and `dvn_addresses: []` — the pipeline did not detect a LayerZero OApp / OFT registration for the protocol, so the curator's DVN-specific claim cannot be anchored to a primary source in this session. Re-scoring to gray with `requires_curator_input` until manual lookup of USDY's LayerZero OFT address can attach a verified source.
ORIGINAL ASSESSMENT (preserved): Yes — USDY LayerZero OFT 4-DVN configuration. DVN configuration change = equivalent of signer-set change.
RD-F-106 gray Cross-chain bridge unverified mint pattern [2026-05-12 re-scored gray per PD-042 source-backfill audit] Curator's original green assessment claimed USDY LayerZero OFT cross-chain transfer activity. Data cache shows `layerzero.present: false` for Ondo — no LayerZero OApp / OFT registration detected by the pipeline. Re-scoring to gray with `requires_curator_input` until manual lookup of USDY's LayerZero deployment can attach a verified source.
ORIGINAL ASSESSMENT (preserved): Applicable to USDY LayerZero OFT cross-chain transfers.
RD-F-107 gray Admin EOA signing from new geography/device Applicable to the trusted EOA posting daily NAV to Pricer.sol. Off-chain signing telemetry unavailable for public assessment.
RD-F-110 gray Unusual pending/executed proposal ratio Applies to Flux Finance GovernorBravo.
RD-F-182 gray Security-Council threshold reduction (RT) Applicable — management multisig is Ondo's equivalent of a "Security Council." A 4/7 → 3/7 threshold reduction or new-signer addition would fire this signal. Flux Finance timelock (1-day, at `0x2c5898da4DF1d45EAb2B7B192a361C3b9EB18d9c`) removal or shortening would also qualify. Context: Drift Protocol DPRK attack (April 2026) used SC threshold reduction 6 days before exploit — identical pattern to what this signal detects.
RD-F-091 green Partial-drain test transactions Applicable to Flux Finance lending markets. OUSG/USDY redemptions are permissioned (T+0 via InstantManager; T+2 standard) and don't match attacker partial-drain pattern.
RD-F-092 green Unusual mempool pattern from deployer wallet Applicable — deployer `0xe2d0f9dcc81267c36a47d9e26adf479501124bbe` and "Deployer 3" (referenced in multisig executions) are the relevant addresses.
RD-F-093 green Abnormal gas-price willingness from attacker wallet Applicable to Ethereum mainnet contracts. No signals in public data.
RD-F-095 green Known-exploit function-selector replay Applicable to Flux Finance (Compound v2 fork — known exploit templates exist for Compound v2 empty-market attacks).
RD-F-097 green Sybil surge of identical-pattern transactions Applicable to USDY minting if KYC gate is bypassed or to Flux Finance borrowing.
RD-F-098 green TVL anomaly — % drop in <1h Yes, with calibration. OUSG/USDY TVL is driven by subscriptions and redemptions, so batch-redemption days routinely produce 5–10% drops that are not protocol stress. Keep the protocol-stress trigger in the 25–30% in 1h range (the 30% standard is appropriate); lowering it to catch 5–10% moves would page on normal settlement days. Measure the drop against the peak within the trailing hour, not the previous sample, so a drain arriving in several sub-threshold steps is still caught.
RD-F-100 green Flash loan >$10M targeting protocol tokens Limited applicability to OUSG/USDY (permissioned minting). Applies to Flux Finance.
RD-F-101 green Large governance proposal queued Applies to Flux Finance GovernorBravo only. OUSG/USDY not covered — corporate multisig control.
RD-F-102 green Admin/upgrade transaction in mempool Yes — management multisig admin transactions for OUSG/USDY proxy contracts; timelock for Flux Finance.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Limited — OUSG/USDY backed by T-bills, not stablecoins. Flux Finance USDC dependency exists.
RD-F-105 green DNS/CDN/frontend hash drift Yes — ondo.finance, docs.ondo.finance.
RD-F-108 green GitHub force-push to sensitive branch Applicable — ondoprotocol/usdy repo. Last commit June 2024 (10+ months stale).
RD-F-109 green Social-media impersonation scam spike Applicable — "Ondo Finance" is a high-profile brand.
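As an added example of the RD-F-098 calibration (not Ondo's or any vendor's monitoring code), the detector below compares each TVL sample with the highest value seen in the trailing hour and fires once on the first crossing. The 10-minute TVL series is constructed: a batch-redemption day of four 2% steps (about 8% in total) followed by a drain-shaped fall of three 12% steps (about 32%). At the 5% threshold it pages on the redemption day; at 25–30% it fires only on the drain.

```python
"""Rolling one-hour TVL drawdown detector with the RD-F-098 calibration.
Added example, not Ondo's monitoring code; the TVL series is constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    ts: int      # unix seconds
    tvl: float   # TVL in USD millions


@dataclass(frozen=True)
class Alert:
    ts: int
    drop_pct: float
    peak_ts: int


def detect_drops(samples: List[Sample], threshold_pct: float, window_s: int = 3600) -> List[Alert]:
    """Alert when TVL sits more than threshold_pct below the highest value seen
    in the preceding window_s seconds.  Measuring against the window's peak
    rather than the previous sample catches a drain that arrives as several
    sub-threshold steps; only the first sample that crosses the line alerts,
    so a drawdown that persists does not page repeatedly."""
    ordered = sorted(samples, key=lambda s: s.ts)
    alerts: List[Alert] = []
    above = False
    for i, cur in enumerate(ordered):
        window = [s for s in ordered[:i] if cur.ts - s.ts <= window_s]
        if not window:
            continue
        peak = max(window, key=lambda s: s.tvl)
        drop = (peak.tvl - cur.tvl) / peak.tvl * 100.0 if peak.tvl > 0 else 0.0
        crossed = drop > threshold_pct
        if crossed and not above:
            alerts.append(Alert(cur.ts, round(drop, 2), peak.ts))
        above = crossed
    return alerts


# Constructed 10-minute samples: a batch-redemption day (four 2% steps, ~8%
# total) followed by a drain pattern (three 12% steps, ~32% total).
SAMPLES = [Sample(t, v) for t, v in [
    (0, 2100.0), (600, 2100.0), (1200, 2058.0), (1800, 2016.0), (2400, 1974.0),
    (3000, 1932.0), (3600, 1932.0), (4200, 1932.0), (4800, 1932.0), (5400, 1932.0),
    (6000, 1932.0), (6600, 1932.0), (7200, 1700.0), (7800, 1496.0), (8400, 1316.0),
]]


if __name__ == "__main__":
    for threshold in (5.0, 25.0, 30.0):
        print(threshold, detect_drops(SAMPLES, threshold))
```

With the 5% threshold the detector fires at ts=2400 (the redemption batch) and again at ts=7200; at 25% or 30% it fires once, at ts=8400, where the trailing-hour peak of 1932 has fallen to 1316 (about 31.9%), even though no single 10-minute step exceeded 12%.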
Dev identity & insider risk Green 7 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR GitHub ondoprotocol org members list is private (0 public members). Cannot directly verify tenure of admin-PR authors. ondoprotocol/usdy last commit June 12, 2024 — no fresh-contributor admin change event identified. Circumstantial: team operational since 2021 implies seasoned tenure.
RD-F-119 yellow Commit timezone consistent with stated geography GitHub org members list is private (0 public members). Direct commit-timezone analysis not performed. Team's stated geography (San Francisco HQ, New York for Schmidt) is consistent with LinkedIn profiles and conference attendance. No public anomaly flag for DPRK or offshore implant.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Layer A (management multisig controlling OUSG/USDY) has no public discussion forum; corporate admin changes are internal decisions. Signer 0x74a4C329 (created ~Oct 2025) may represent an undisclosed signer rotation. No acute admin-rescue or emergency ACL-change event confirmed. Flux Finance (Layer B) adequately provides public discussion via GovernorBravo + 1-day Timelock (Tally). GitHub ondoprotocol/usdy: 0 issues.
RD-F-117 gray ENS/NameStone identity bound to deployer No ENS name found bound to deployer wallets (0xe2d0f9 or 0x8cc5e5) via web search. Management multisig holds 3 ENS NFTs per Etherscan token holdings (prior assessment). Etherscan company-name labels on deployer wallets provide de facto identity resolution but are not ENS/NameStone protocol bindings.
RD-F-111 green Team doxx status Nathan Allman (CEO), Justin Schmidt (President/COO), Ian De Bode (CSO) fully doxxed with verifiable real names, photos, LinkedIn profiles, and prior employer histories. US-incorporated company (Ondo Finance Inc., Delaware). SEC investigation closed without charges November 2025.
RD-F-112 green Team public accountability surface Nathan Allman: keynote speaker Consensus 2025, Solana Accelerate 2025, Chainlink SmartCon 2025, CNBC, Bloomberg, CoinDesk, Thinking Crypto podcast, X @nathanlallman. Justin Schmidt: LinkedIn, Bloomberg Law feature. 5+ verifiable public trails per senior executive.
RD-F-113 green Team other-protocol involvement history No prior DeFi protocol rug or adverse history for any named team member. Nathan Allman background: Goldman Sachs Digital Assets (2019-2021) then Ondo (founded 2021). Justin Schmidt: Goldman then Talos then Ondo. No prior adverse protocol affiliations.
RD-F-114 green Deployer address prior on-chain history Deployer-A (0xe2d0f9dcc81267c36a47d9e26adf479501124bbe): first tx April 13, 2022; 23 total tx; all Ondo-related; Etherscan labeled 'Ondo Finance: Deployer'. Deployer-B (0x8cc5e5E8e2ea561db672f8eb1191336bd5c11bc7): funded by 'Ondo Finance Whitehat' wallet; 514 tx; all Ondo-related. No pre-Ondo activity indicating repurposed attacker wallet.
RD-F-115 green Prior rug/exit-scam affiliation No rug or exit-scam affiliations found. Rekt DB shows 0 incidents for Ondo Finance. SEC investigation closed without charges November 2025. TVL-inflation allegations from Lekker Capital (April 2025) were analytical valuation criticism, not evidence of insider misconduct.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of social handle reuse across rugged or failed projects for any team member. All senior team members are real-name individuals with continuously traceable TradFi employment histories predating crypto involvement.
RD-F-120 green Video-off/voice-consistency flag Nathan Allman: confirmed multiple on-camera video appearances — Consensus 2025 stage, Solana Accelerate 2025 keynote, Chainlink SmartCon 2025 (YouTube), CNBC, Bloomberg, Thinking Crypto podcast. Justin Schmidt: LinkedIn photo, Bloomberg profile photo. No curator reports of video-off or voice inconsistency.
RD-F-121 green Contributor OSINT depth score Nathan Allman 5/5: LinkedIn, conference speaker bios, Twitter/X, Bloomberg/CNBC, IQ.wiki, ZoomInfo, Consensus 2025, podcasts. Justin Schmidt 5/5: LinkedIn, Bloomberg feature, MIT profile, The Org. Ian De Bode 4/5: Blockworks, The Org. Among the most deeply documented DeFi leadership teams assessed.
RD-F-122 green Contributor paid to DPRK-cluster wallet No evidence that any team member's payment wallet has a path ≤3 hops to a DPRK-labeled cluster. Dedicated web search returned no results. Ondo uses Chainalysis Sanctions Oracle for USDY screening — institutional compliance orientation inconsistent with DPRK network proximity.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer-A funded April 13, 2022; ONDO token deployed April 28, 2022 (15-day gap); funder unlabeled but no mixer flag on Etherscan. Deployer-B funded by 'Ondo Finance Whitehat' internal wallet; no mixer. All 7 management multisig signers spot-checked: 0 mixer/Tornado Cash labels. Web search 'Ondo Finance Tornado Cash mixer' returned no results.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK/Lazarus proximity found. OFAC SDN: no Ondo address in public designations. Chainalysis KelpDAO April 2026 report identifies Kelp as the DPRK target; Ondo's 4-DVN architecture was explicitly not affected. Team is fully doxxed Goldman/McKinsey alumni with US regulatory clearance (SEC probe closed Nov 2025 without charges). No Chainalysis or Elliptic public report links Ondo to Lazarus cluster.
RD-F-184 green Real-capital social-engineering persona No evidence of a social-engineering persona using ≥$1M deposits to infiltrate Ondo Finance. Ondo's KYC/whitelisting requirement for OUSG (Qualified Purchasers) and USDY (AML/FinCEN) creates a structural barrier against anonymous persona-building. No Rekt DB entry or OSINT hit for this pattern targeting Ondo.
Fork / dependency lineage Yellow 30 10 of 10
RD-F-127 red Upstream patch not merged Compound v2 empty-market donation-exploit (Sonne Finance May 2024 $20M) requires seed-deposit-burn at market initialization. C4 Jan 2023 M-02 ('First Deposit Bug') found Medium; resolution status unconfirmed. Bounty exclusion language ambiguous. Patch status at fOUSG/fUSDC market initialization is unconfirmed from public data.
RD-F-133 red Dependency manifest uses unpinned versions ondoprotocol/usdy package.json: "@openzeppelin/contracts": "^4.8.3" — caret constraint allows minor/patch updates within OZ major version 4. OZ contracts are security-critical; this is NOT an exact-version pin. Red per methodology.
RD-F-129 yellow Code divergence from upstream (%) Flux Finance diverges from Compound v2 in KYC/sanctions checks on all critical token functions, custom OndoPriceOracle, modified seize share (2.8% to 1.75%/0%), modified blocksPerYear. Core economic logic retained. Estimated 15-25% LOC divergence.
RD-F-131 yellow Fork retains upstream audit coverage Compound v2 upstream: Trail of Bits + OpenZeppelin audits + Certora FV (inherited). Flux Finance delta-audit: Code4rena January 2023. C4 Jan 2023 M-02 (donation vulnerability) resolution status unconfirmed. Delta-audit is 39 months old.
RD-F-132 yellow Fork has different economic parameters than upstream Flux Finance modifies protocol seize share (2.8% to 1.75%/0%), blocksPerYear in JumpRateModelV2, and governance-set collateral factors/borrow caps differ from Compound v2 defaults. Covered by the 39-month-old delta-audit.
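The RD-F-133 check, as an added example rather than the project's own tooling: it flags any dependency whose constraint is a range instead of an exact version, treats ranges on libraries compiled into bytecode as red, and reads the lockfile to show what the range actually resolved to, since the floor named in the manifest is not necessarily what the audited commit was built with. The manifest and lockfile below are constructed; the only value taken from this page is the `"@openzeppelin/contracts": "^4.8.3"` constraint, and the membership of the security-critical set and the resolved versions are illustrative assumptions.

```python
"""Flag version ranges on security-critical npm dependencies and show what a
lockfile actually resolved them to (RD-F-133).  Added example, not the
project's tooling.  The manifest and lockfile are constructed; only the
"@openzeppelin/contracts": "^4.8.3" constraint is taken from the assessment."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Libraries whose source is compiled into deployed bytecode.  A range here
# means the audited commit does not pin which library code was compiled.
# (Set membership is an assumption for this example.)
SECURITY_CRITICAL = {"@openzeppelin/contracts", "@openzeppelin/contracts-upgradeable"}

# Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

Finding = Tuple[str, str, Optional[str], str]  # (package, constraint, resolved, severity)


def resolved_versions(lockfile: Optional[dict]) -> Dict[str, str]:
    """package-lock.json v2/v3 keys entries under "packages" by install path."""
    out: Dict[str, str] = {}
    prefix = "node_modules/"
    for path, entry in (lockfile or {}).get("packages", {}).items():
        if path.startswith(prefix) and "version" in entry:
            out[path[len(prefix):]] = entry["version"]
    return out


def check_pins(manifest: dict, lockfile: Optional[dict] = None) -> List[Finding]:
    """'red': range on a security-critical package; 'yellow': range elsewhere;
    'ok': exact pin.  The resolved column is what the build actually used,
    which for a range can differ from the floor the manifest names."""
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    resolved = resolved_versions(lockfile)
    findings: List[Finding] = []
    for name, constraint in sorted(deps.items()):
        if EXACT_PIN.match(constraint.strip()):
            severity = "ok"
        elif name in SECURITY_CRITICAL:
            severity = "red"
        else:
            severity = "yellow"
        findings.append((name, constraint, resolved.get(name), severity))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"ok": 0, "yellow": 1, "red": 2}
    return max((f[3] for f in findings), key=order.__getitem__, default="ok")


# Constructed inputs.
MANIFEST = json.loads("""{
  "dependencies": {
    "@openzeppelin/contracts": "^4.8.3",
    "@openzeppelin/contracts-upgradeable": "4.8.3"
  },
  "devDependencies": { "hardhat": "~2.12.0" }
}""")
LOCKFILE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/@openzeppelin/contracts": { "version": "4.9.6" },
    "node_modules/@openzeppelin/contracts-upgradeable": { "version": "4.8.3" },
    "node_modules/hardhat": { "version": "2.12.7" }
  }
}""")


if __name__ == "__main__":
    for finding in check_pins(MANIFEST, LOCKFILE):
        print(finding)
    print("overall:", worst_severity(check_pins(MANIFEST, LOCKFILE)))
```

On the constructed inputs the caret constraint resolves to a different minor release than the manifest names, which is exactly why a range on a bytecode-bearing library cannot be tied back to an audited commit without the lockfile or the compiled artifact.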
RD-F-126 green Is-a-fork-of Flux Finance: explicitly documented Compound v2 fork; upstream commit SHAs identified (cToken: a3214f6, other: 3affca8). GovernorBravoDelegator: Compound Governor Bravo fork. OUSG/USDY: original design. Upstream clearly identified.
RD-F-128 green Upstream vulnerability disclosure (last 90d) No active Compound v2 core vulnerability disclosures in the last 90 days (Jan 31 – April 28, 2026). Sonne Finance (May 2024) and Onyx Protocol (Oct 2023) exploits are outside the 90-day window.
RD-F-130 green Fork depth (generations from original audit) Flux Finance: direct fork of Compound v2 (depth = 1). Compound v2 audited by Trail of Bits and OpenZeppelin, formally verified by Certora. GovernorBravoDelegator: direct fork of Compound Governor Bravo (depth = 1). OUSG/USDY: original design.
RD-F-134 green Dependency had malicious-release incident (last 90d) No npm/PyPI malicious-release advisory found for OpenZeppelin, hardhat, ethers.js, or other Ondo protocol dependencies in the last 90 days (Jan 31 – April 28, 2026).
RD-F-135 green Shared-library version with known-vuln status OZ 4.8.x has no current critical or high GHSA advisories as of April 2026. Flux Finance cToken contracts use Solidity 0.5.17 with Compound v2 vendored dependencies; no active GHSA for Compound v2 core contracts.
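To make the RD-F-127 / RD-F-131 concern concrete, the following is an added integer model of the Compound v2 cToken exchange-rate arithmetic, the empty-market sequence it permits, and the seed-and-burn mitigation the factor asks about. It is a deliberately simplified model (no interest accrual, borrows or reserves, and a 1:1 initial rate) written for this page; it is not Flux Finance's or Compound's code, every amount is constructed, and it states nothing about the state of any live market. The `locked_seed_supply` check is the one a practitioner would run against a market's state.

```python
"""Integer model of the Compound v2 cToken exchange-rate arithmetic behind the
empty-market / first-deposit issue (RD-F-127, RD-F-131), with the seed-and-burn
mitigation.  Added example: a simplified model (no interest accrual, borrows or
reserves; 1:1 initial rate), not Flux Finance's or Compound's code.  All amounts
are constructed; nothing here describes the state of any live market."""
EXP = 10**18
BURN = "0x000000000000000000000000000000000000dEaD"   # placeholder burn address


class CTokenMarket:
    def __init__(self, initial_rate: int = EXP):
        self.cash = 0              # underlying held by the cToken contract
        self.total_supply = 0      # cTokens outstanding
        self.initial_rate = initial_rate
        self.balances: dict = {}

    def exchange_rate(self) -> int:
        # Compound v2: (cash + borrows - reserves) * 1e18 / totalSupply, with the
        # configured initial rate used until the first mint.
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * EXP // self.total_supply

    def mint(self, who: str, amount: int) -> int:
        tokens = amount * EXP // self.exchange_rate()      # rounds down
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who: str, tokens: int) -> int:
        amount = tokens * self.exchange_rate() // EXP       # rounds down
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def donate(self, amount: int) -> None:
        # A plain ERC-20 transfer to the cToken address: cash (and therefore the
        # exchange rate) rises without any cTokens being minted.
        self.cash += amount


def seed_and_burn(market: CTokenMarket, amount: int) -> None:
    """Mitigation: at market initialization the deployer mints a first deposit
    and parks the cTokens at a burn address, so totalSupply can never be driven
    back down to 1 and a donation's effect on the rate stays bounded."""
    market.mint(BURN, amount)


def locked_seed_supply(market: CTokenMarket) -> int:
    """The check to run against market state: permanently locked cTokens.
    Zero means the market can be emptied and re-inflated."""
    return market.balances.get(BURN, 0)


def run_scenario(seed_amount: int):
    """Attacker drives supply to one cToken, donates, then a victim deposits.
    Returns (attacker_profit, victim_loss) in underlying base units."""
    m = CTokenMarket()
    if seed_amount:
        seed_and_burn(m, seed_amount)
    attacker_in, attacker_out = 1000, 0
    tokens = m.mint("attacker", 1000)
    attacker_out += m.redeem("attacker", tokens - 1)   # keep exactly one cToken
    donation = 10**24
    attacker_in += donation
    m.donate(donation)
    victim_in = 19 * 10**23                            # ~1.9x the donation
    victim_tokens = m.mint("victim", victim_in)        # floors toward zero
    attacker_out += m.redeem("attacker", m.balances["attacker"])
    victim_out = m.redeem("victim", victim_tokens)
    return attacker_out - attacker_in, victim_in - victim_out


if __name__ == "__main__":
    print("unseeded:", run_scenario(0))        # attacker gains ~4.5e23, victim loses the same
    print("seeded:  ", run_scenario(10**21))   # attacker forfeits the donation, victim loses dust
```

In the unseeded run the victim's deposit of 1.9e24 mints a single cToken because the inflated rate floors the quotient, and the attacker's one cToken then redeems for half the pool. With a locked seed of 1e21 cTokens the same donation moves the rate by a factor of about a thousand rather than 1e24, the victim's rounding loss is under one cToken's worth of underlying, and the attacker's donation is simply distributed to the locked seed. The mitigation is only effective if the seed balance is genuinely unredeemable, which is what `locked_seed_supply` should be confirming against on-chain state.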
Post-deploy hygiene & change mgmt Green 11 13 of 13
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) Mixed: USDY.sol and rOUSG.sol call _disableInitializers() (green). CashKYCSenderReceiver (0x1CEB44b6e515abf009e0ccb6ddafd723886cf3Ff, current OUSG proxy impl) analyzed via Etherscan — does not confirm _disableInitializers() call in constructor. Assessed yellow pending code-security-analyst static analysis confirmation.
RD-F-146 yellow New contract deploys in last 30 days USDY InstantManager deployed approximately 140 days ago. Global Markets contracts recently deployed. Multiple ongoing deployments across non-EVM chains. Continuous attack surface expansion.
RD-F-168 yellow Stale-approval exposure on deprecated router OUSG Manager legacy (0xF16c188c2D411627d39655A60409eC6707D3d5e8) labeled legacy but active through April 2024. Extent of outstanding user allowances to this contract not confirmed. Stale approvals may persist.
RD-F-136 gray Deployed bytecode matches signed release tag Not assessed — ondoprotocol/usdy repo has no confirmed signed release tags that can be compared against deployed bytecode.
RD-F-140 gray Fix-merged-but-not-deployed gap Not assessed — requires comparing GitHub merged PRs against deployed bytecode. Cannot confirm without bytecode diff tooling.
RD-F-142 gray Storage-layout collision risk across upgrades Not assessed — limited upgrade history (one upgrade each for OUSG and USDY) reduces collision risk, but no OZ upgrades plugin report found.
RD-F-145 gray Deployed bytecode reproducibility Not assessed — Foundry and Hardhat configs present in repo but no published build artifacts found for bytecode verification.
RD-F-137 green Upgrade frequency (per 90 days) OUSG proxy last upgrade Feb 2023; USDY proxy last upgrade Jul 2023. No proxy upgrades in last 90 days for primary token contracts.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No proxy upgrades detected for OUSG or USDY tokens in last 30 days. No hot-patches detected in assessment window.
RD-F-139 green Post-audit code changes without re-audit 24+ audit engagements across 8 firms with recent coverage: Halborn (Feb 2025) and Spearbit/Cantina (Mar 2025) for OUSG/USDY Ethereum core. Proxy upgrades are covered by subsequent audits. No evidence of deployed changes without re-audit.
RD-F-141 green Test-mode parameters in deploy No audit finding flagged test-mode parameters. Code4rena Jan 2023, Sep 2023, Apr 2024 and Cyfrin Apr 2024 audits found no test-mode config in deployed code.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory use identified in reviewed contracts. Standard deploy pattern used.
RD-F-185 green Bridge rate-limiter / chain-pause as positive mitigant [POSITIVE MITIGANT] Ondo Bridge (LayerZero OFT) has documented rate-limiter: 450,000 USDY/day per EVM pathway, 250,000 USDY/day per Solana pathway. Emergency pause controlled by Ondo-controlled multisig.
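The reason RD-F-185 counts as a mitigant is that a per-window limit turns a total compromise of the attestation path into a bounded loss. The following added example models a linear-decay window limiter of the shape LayerZero's RateLimiter uses (a limit per window, with the in-flight amount decaying linearly as time passes) and drives a greedy adversary against it to compute that bound. It is not Ondo's or LayerZero's code; that Ondo's OFT uses exactly this decay shape is an assumption, and the 450,000 USDY/day figure is the one quoted above.

```python
"""Linear-decay window rate limiter, modelled on the shape of LayerZero's
RateLimiter (a per-pathway limit per window with the in-flight amount decaying
linearly), used to bound what even a fully compromised attestation path could
move through one bridge pathway.  Added example, not Ondo's or LayerZero's code;
that Ondo's OFT uses exactly this decay shape is an assumption, and the
450,000 USDY/day figure comes from RD-F-185."""


class WindowRateLimiter:
    def __init__(self, limit: int, window_s: int):
        self.limit = limit            # max amount per window
        self.window = window_s        # window length in seconds
        self.in_flight = 0            # amount counted against the window
        self.last_updated = 0

    def _current_in_flight(self, now: int) -> int:
        elapsed = now - self.last_updated
        if elapsed >= self.window:
            return 0
        decay = self.limit * elapsed // self.window   # linear decay
        return max(0, self.in_flight - decay)

    def available(self, now: int) -> int:
        return self.limit - self._current_in_flight(now)

    def send(self, amount: int, now: int) -> None:
        """Admit the transfer or raise, mirroring the limiter's revert."""
        current = self._current_in_flight(now)
        if current + amount > self.limit:
            raise ValueError(f"rate limit exceeded: {amount} requested, {self.limit - current} available")
        self.in_flight = current + amount
        self.last_updated = now


def max_drain(limit: int, window_s: int, hours: int, step_s: int = 3600) -> int:
    """Greedy adversary with forged attestations: sends whatever the limiter
    allows at every step for the given number of hours.  Returns the total that
    gets through, i.e. the worst-case loss the limiter bounds."""
    limiter = WindowRateLimiter(limit, window_s)
    total = 0
    for now in range(0, hours * 3600 + 1, step_s):
        amount = limiter.available(now)
        if amount > 0:
            limiter.send(amount, now)
            total += amount
    return total


if __name__ == "__main__":
    print("72h worst case at 450,000/day:", max_drain(450_000, 86_400, 72))   # 1,800,000
```

The bound is one full window up front plus the decay refill, i.e. limit × (1 + T / window): at 450,000 USDY/day a pathway can lose at most 1.8M USDY in 72 hours even if every attestation is forged, which is the figure to weigh against the time the pause multisig needs to react.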
Cross-chain & bridge Green 8 12 of 12
RD-F-155 yellow Bridge validator-set rotation recency Ondo DVN was newly launched in May 2025 (within ~11 months of this assessment). This represents a recent addition to the validator set. The other three DVNs (Axelar, Polyhedra, LayerZero Labs) have been active since the initial USDY OFT launch. The addition of Ondo DVN in May 2025 is a validator set expansion (adding, not removing). [?] Exact dates of initial Axelar/Polyhedra/LZ Labs DVN configuration for Ondo not confirmed.
RD-F-157 yellow Bridge TVL per validator ratio USDY cross-chain TVL: Ethereum OFT holds assets bridged to Mantle ($29M), Arbitrum ($5.6M), Solana ($203M) = ~$238M total cross-chain USDY. 4 DVNs. TVL/validator = ~$59.5M per DVN. This is a material per-validator exposure. However, the 4/4 threshold means a single DVN compromise cannot result in loss — all 4 would need to collude. Risk is proportionately lower than the raw TVL/validator ratio suggests. The flip side of requiring all four is liveness: any single DVN outage halts the pathway until it recovers, so the per-validator figure bounds safety exposure, not availability.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) **4 DVNs, 4/4 threshold, high diversity.** DVNs: Axelar (PoS blockchain, independent validator set), Polyhedra (ZK-proof-based, cryptographic verification), LayerZero Labs DVN (centralized operator), Ondo DVN (custom, Ondo-operated, launched May 2025). Threshold: 4/4 (all must attest). Diversity assessment: 2 decentralized/cryptographic verifiers (Axelar, Polyhedra) + 2 centralized operators (LayerZero Labs, Ondo). The centralized operators cannot collude to approve a message without the dece...
RD-F-147 green Protocol has bridge surface Yes. USDY uses LayerZero OFT for transfers between Ethereum, Mantle, Arbitrum, and Solana. Ondo GM uses a separate BridgeRegistrar (BNB Chain ↔ Ethereum, audited Cantina October 2025). Bridge surface confirmed in profile §7.
RD-F-148 green Bridge validator count (M) For the USDY LayerZero OFT, the security model uses 4 DVNs: Axelar, Polyhedra, LayerZero Labs DVN, and Ondo DVN (custom). Count = 4. All 4 are required (4/4 threshold, see F149). For the GM BridgeRegistrar, validator structure not confirmed via contract inspection.
RD-F-149 green Bridge validator threshold (k-of-M) **4/4 threshold for USDY LayerZero OFT.** All four DVNs must attest before a cross-chain USDY transfer is processed. This is the maximum possible security configuration — no single DVN failure can approve a forged message (the trade-off is liveness: one unavailable DVN stalls every transfer on that pathway). Contrast: Kelp DAO catastrophic 1/1 DVN. Ondo's 4/4 is the opposite extreme. Source: LayerZero blog ("requiring verification of each USDY transfer from Axelar, Polyhedra, LayerZero Labs, and Ondo DVNs"). [?] On-chain verification of the DVN configuration in the LayerZero En...
RD-F-150 green Bridge validator co-hosting Axelar (PoS blockchain), Polyhedra (ZK proof network), LayerZero Labs (centralized operator), Ondo DVN (custom, Ondo-operated) are four operationally distinct entities with different technical architectures (PoS vs ZK vs centralized relay vs custom). Co-hosting of validator infrastructure across these four distinct providers is not plausible.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) **GREEN — LayerZero v2 DVN architecture does not use raw `ecrecover` in the OFT adapter.** The `OndoMintBurnAdapter` validates messages through `lzReceive()` + `OnlyEndpoint` enforcement — the calling validation is that messages must originate from the authorized LayerZero EndpointV2. The DVNs call `verify()` on the destination Message Library at the protocol level. If individual DVN implementations internally use secp256k1 multisig (they may use ecrecover-style internally), the OFT adapter i...
RD-F-152 green Bridge binds message to srcChainId LayerZero v2 OFT messages include the source chain endpoint ID (EID) in the Origin struct passed to `lzReceive(origin, guid, message, executor, options)`. The `OndoMintBurnAdapter` enforces peer validation — messages are only accepted from known peer adapters on authorized source chains. Source chain binding is enforced at the EndpointV2 level.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero v2 EndpointV2 assigns a per-pathway inbound nonce (receiver, source EID, sender) and stores each verified message's payload hash under that nonce; the hash is cleared when the message is executed, so the same message cannot be delivered twice. In v2 ordered execution is optional, so replay protection rests on this per-nonce payload-hash bookkeeping rather than on in-order delivery. The `OndoMintBurnAdapter` does not need an additional nonce mapping; it relies on EndpointV2's enforced delivery guarantees.
RD-F-154 green Default bytes32(0) acceptable as valid root **GREEN — Nomad-class zero-root vulnerability does not apply.** LayerZero v2 uses a payload-hash-per-message verification model, not a Merkle root inclusion model. DVNs verify the specific `payloadHash` of each message; there is no global "root" state that could default to bytes32(0). The exploit surface for Nomad ($190M, defaulting to accepting any message when root was uninitialized) does not exist in this architecture.
RD-F-156 green Bridge uses same key custody for >30% validators Ondo DVN is Ondo-operated — Ondo controls 1 of 4 validators (25%). LayerZero Labs controls 1 of 4 (25%). These are distinct corporate entities with different key infrastructure. Axelar is a decentralized PoS network; Polyhedra is a ZK circuit-based system. No single custodian controls more than 1/4 of validators. However, Ondo + LayerZero Labs together represent 2/4 = 50% of "centralized-operator" validators vs. 2/4 decentralized. The 4/4 threshold means this is not an exploit — all 4 must ag...
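The RD-F-148, RD-F-149 and RD-F-156 reasoning can be checked mechanically. Below is an added model of a LayerZero v2 ULN receive config (required DVNs, optional DVNs, optional threshold) with two checks: whether a given set of attesting DVNs verifies a message, and how many distinct key custodians an attacker must compromise to forge one. It is not LayerZero's or Ondo's code; the DVN names and custodian mapping follow this page's description, the identifiers are constructed labels rather than on-chain addresses, and the contrast configs are illustrative.

```python
"""Model of a LayerZero v2 ULN receive config (required DVNs, optional DVNs,
optional threshold) with two checks for the configuration discussed in
RD-F-148, RD-F-149 and RD-F-156: does a given set of attesting DVNs verify a
message, and how many distinct key custodians would an attacker need to
compromise to forge one.  Added example, not LayerZero's or Ondo's code.  DVN
names and the custodian mapping follow the assessment text; the identifiers are
constructed labels, not on-chain addresses."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class UlnConfig:
    required_dvns: Tuple[str, ...]
    optional_dvns: Tuple[str, ...] = ()
    optional_threshold: int = 0


def message_verified(cfg: UlnConfig, attesting: Iterable[str]) -> bool:
    """ULN semantics: every required DVN must have verified the payload hash,
    and at least optional_threshold of the optional DVNs must have as well."""
    attesting = set(attesting)
    if not set(cfg.required_dvns) <= attesting:
        return False
    return len(attesting & set(cfg.optional_dvns)) >= cfg.optional_threshold


def min_custodians_to_forge(cfg: UlnConfig, custodian_of: Dict[str, str]) -> Optional[int]:
    """Smallest number of distinct key custodians whose DVNs together satisfy
    the config.  Brute force over custodian subsets; the sets are tiny.
    Returns None if no combination suffices (a required DVN has no custodian)."""
    custodians = sorted(set(custodian_of.values()))
    for k in range(1, len(custodians) + 1):
        for subset in combinations(custodians, k):
            controlled = {dvn for dvn, c in custodian_of.items() if c in subset}
            if message_verified(cfg, controlled):
                return k
    return None


# USDY OFT as described in the assessment: four required DVNs, no optional set (4/4).
USDY_CONFIG = UlnConfig(required_dvns=("axelar", "polyhedra", "lz-labs", "ondo"))
CUSTODIAN_OF = {
    "axelar": "Axelar validator set",
    "polyhedra": "Polyhedra",
    "lz-labs": "LayerZero Labs",
    "ondo": "Ondo",
}
# Contrast cases: a single required DVN (the 1/1 shape cited for Kelp DAO), and a
# 1-of-3 optional set behind one required DVN.
SINGLE_DVN = UlnConfig(required_dvns=("lz-labs",))
ONE_OF_THREE = UlnConfig(required_dvns=("lz-labs",),
                         optional_dvns=("axelar", "polyhedra", "ondo"),
                         optional_threshold=1)


if __name__ == "__main__":
    print("3 of 4 attest:", message_verified(USDY_CONFIG, {"axelar", "polyhedra", "lz-labs"}))
    for name, cfg in [("4/4", USDY_CONFIG), ("1/1", SINGLE_DVN), ("1 required + 1-of-3", ONE_OF_THREE)]:
        print(name, "custodians to forge:", min_custodians_to_forge(cfg, CUSTODIAN_OF))
    shared = dict(CUSTODIAN_OF, ondo="LayerZero Labs")   # what co-custody would do
    print("4/4 with Ondo DVN keys held by LayerZero Labs:", min_custodians_to_forge(USDY_CONFIG, shared))
```

The custodian count is the quantity RD-F-156 is really about: with four required DVNs under four independent custodians the answer is 4, but if two DVNs' signing keys sat with the same operator the same 4/4 config would drop to 3 without any visible change to the on-chain DVN list. The same brute force applied to the optional set shows why a 1-of-N optional threshold adds far less than its DVN count suggests.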
Threat intelligence & recon Green 0 8 of 8
RD-F-158 gray Known-threat-actor cluster has touched protocol Threshold: any address from curator-maintained threat-actor cluster interacted with protocol within last 30 days. Observed state: no confirmed threat-actor wallet interaction found in public sources. Lazarus Group active against LayerZero OFT protocols (Kelp DAO April 2026), but LayerZero confirmed zero contagion to Ondo's 4-DVN setup. Requires live clustering feed (Chainalysis/TRM) for definitive assessment. | gray
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No mempool probe evidence found targeting Ondo Finance contracts. Not assessable without live clustering feed.
RD-F-160 gray GitHub malicious-dependency incident touching protocol deps Threshold: security advisory flagging malicious release in dep consumed by Ondo. OZ contracts version `4.8.3` (from data cache) — no current CVE advisory found for this version targeting Ondo's usage pattern. Chainalysis oracle dependency: no malicious-release advisory found. | green
RD-F-161 gray Protocol-impersonator domain registered (typosquat) No typosquat domain confirmed found. Spot check performed; no impersonator domain identified. Not assessable without continuous domain monitoring.
RD-F-162 gray Known-exploit-template selector deployed by any address Threshold: contract deployed with function-selector pattern matching a known exploit template for Compound v2 or RWA protocols. Observed state: no evidence found. Compound v2 exploit templates (empty-market, oracle manipulation) are documented; Flux Finance is a Compound v2 fork and is a target class. | gray
RD-F-164 gray Leaked credential on paste/sentry site Threshold: public paste site or credential dump references Ondo infra endpoints/keys. Observed state: no leaked credential incidents found in public sources. | green
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols No active reconnaissance pattern found targeting Ondo Finance. LayerZero confirmed zero contagion from Kelp DAO. Team doxx and SEC clearance reduce insider threat vector.
RD-F-165 green Protocol social channel has scam-coordinator flag No Discord/Telegram scam-coordinator flag. Ondo does not operate public Discord, reducing this monitoring surface.
Tooling / compiler / AI Green 7 5 of 5
RD-F-174 yellow Dependency tree uses EOL Solidity version Solidity 0.8.16 (OUSG/USDY): active 0.8.x stable branch. Solidity 0.5.17 (Flux Finance): outside actively maintained track; receives no new updates. No specific unpatched critical bug known for 0.5.17 in its deployed context.
RD-F-170 green Solc version used (known-bug versions flagged) OUSG impl and USDY: v0.8.16+commit.07a7930e. Flux Finance Comptroller, fOUSG, GovernorBravo: v0.5.17+commit.d19bba13. No critical/high compiler bugs applicable to these contract patterns in either version.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation Not risk-bearing for OUSG/USDY (original design). For Flux Finance: KYC additions are additive guards on existing functions, not state-mutation reordering. No audit flagged state-mutation ordering anomalies.
RD-F-172 green Repo shows AI-tool co-authorship in critical files ondoprotocol/usdy commits (last commit Aug 10, 2023, SHA 3912ca0698c2992e4db997d0855e62588c44e2c0): human authors 'tom2o17' and 'Ali Azam'; no AI co-authored-by trailer visible. No Copilot or ChatGPT Code Interpreter co-authorship metadata found.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure from Ondo Finance team of AI-generated Solidity in production security-critical contracts. Searched Ondo blog and docs.
Response & disclosure hygiene Gray 0 4 of 4
RD-F-175 gray Disclosure channel exists Yes. Immunefi bug bounty program at `https://immunefi.com/bug-bounty/ondofinance/` with 88 in-scope assets, $1M max payout. General contact at support@ondo.finance referenced in docs. Source: profile §9; Immunefi page (verified). **Green.**
RD-F-176 gray Disclosure SLA public No. No public acknowledgment-time SLA found for the Immunefi program or in Ondo's documentation. Immunefi program specifies "Category 3: Approval Required" for publication but no timeframe for initial acknowledgment. Source: Immunefi program information page (verified via WebFetch). **Yellow.**
RD-F-177 gray Prior known-ignored disclosure No evidence found. No post-mortem exists (zero incidents) and no public record of a disclosed vulnerability being ignored prior to exploitation. Web search confirms no security incidents. **Green.**
RD-F-178 gray CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory found against Ondo Finance contracts. Web search and data cache confirm zero exploits and no public advisory records. [?] GHSA database not directly queried for ondoprotocol/usdy or flux-finance/contracts — gap, but given zero exploits this is low probability. **Green (no evidence of CVE/advisory).**
---
## Supplemental findings and flags
### GitHub freeze period (Cat 5 context)
The `ondoprotocol/usdy` GitHub repo (the primary public OUSG/USDY codeb...
rubric_version v1.7.0 graded_at 2026-05-14 12:01:57 factors 184 protocol ondo-finance