Upstream patch not merged

Ondo Finance's assessment for RD-F-127 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Compound v2 empty-market donation-exploit (Sonne Finance May 2024 $20M) requires seed-deposit-burn at market initialization. C4 Jan 2023 M-02 ('First Deposit Bug') found Medium; resolution status unconfirmed. Bounty exclusion language ambiguous. Patch status at fOUSG/fUSDC market initialization is unconfirmed from public data.

Sources #

Etherscan
https://etherscan.io/address/0x1dD7950c266fB1be96180a8FDb0591F70200E018retrieved 2026-04-28
Audit
https://code4rena.com/reports/2023-01-ondo/retrieved 2026-04-28
URL
https://immunefi.com/bug-bounty/fluxfinance/information/retrieved 2026-04-28
URL
https://www.halborn.com/blog/post/explained-the-sonne-finance-hack-may-2024retrieved 2026-04-28

Methodology #

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ondo-finance factor RD-F-127 score red collected_at 2026-05-14 12:01:55