Pendle Finance
Yield-tokenization protocol that wraps yield-bearing assets (stETH, weETH, sUSDe, LRTs, etc.) into separately-tradable PT (Principal Token) and YT (Yield Token), plus LP tokens for an integrated AMM with fixed-maturity markets. Also provides an on-chain PT/LP TWAP oracle consumed externally by Aave, Morpho, and Venus for PT collateral pricing.
Deployments: Ethereum · $750.0M
01
Risk profile at a glance
0 red · 6 yellow · 7 green
02
Categories & evidence
184 factors · 13 categories
Code & audits Green 16 25 of 25
RD-F-009 red Formal verification coverage No formal verification (Certora, Kani, Halmos) found for Pendle V2. Security docs and audits directory contain no FV reports. Protocol has not declared formal invariants for FV coverage.
RD-F-001 yellow Audit scope mismatch Ackee audited commit 9d93fc1 (Apr-May 2022). Spearbit July 2024 fixes verified in commit 14c9f26a (PR 526). ChainSecurity Aug 2024 covers V2 Core. Etherscan shows 'Exact Match' for inspected implementation contracts. No material mismatch found but SHA cross-checks not independently verifiable across all factory versions V3-V6 on 6 chains via WebFetch.
RD-F-003 yellow Resolved-without-proof findings Spearbit high-severity finding (LP supply manipulation via truncation syUsed/ptUsed) resolved and verified in commit 14c9f26a of PR 526. ChainSecurity low-severity issues resolution status not fully confirmed (PDF binary). No high/critical finding left unresolved per available evidence. Ackee 3 medium findings addressed per blog but commit verification not feasible.
RD-F-006 yellow Audit-to-deploy gap Ackee audit ended ~May 2022; V2 mainnet launch Nov 29, 2022 — initial launch gap ~193 days (>180d threshold). Subsequent incremental audits (Spearbit July 2024, ChainSecurity Aug 2024) were timed to component deployments but exact deploy-to-audit timing not confirmable via WebFetch.
RD-F-007 yellow Bug bounty presence & max payout Active Immunefi bug bounty program confirmed. Maximum payout $250,000 USD. Rewards in PENDLE/USDC/USDT. PoC required. Below the $500K green threshold for a $1.44B TVL protocol. Cantina bounty also active.
RD-F-014 yellow Reentrancy guard on external-calling functions No explicit nonReentrant modifier visible in inspected router action contracts (ActionAddRemoveLiqV3, TokenHelper). Protocol relies on checks-effects-interactions pattern. Penpie exploit (Sept 2024) involved reentrancy in Penpie's code, NOT Pendle core. Multiple audits covered this area without flagging unresolved reentrancy in core.
RD-F-023 yellow Constructor calls _disableInitializers() VotingEscrowPendleMainchain uses initializer modifier in constructor (functionally equivalent to _disableInitializers() but not the explicit OZ call). No explicit _disableInitializers() call confirmed in inspected contracts. No audit finding about missing _disableInitializers(). Conservative yellow due to partial evidence.
RD-F-024 yellow Code complexity vs audit coverage 150+ Solidity files across 8+ components. At least 9 distinct audit engagements covering different subsystems. Spearbit 15-day engagement; ChainSecurity at V2 Core level; WatchPug multi-part with follow-ups. Coverage appears commensurate but factory V3-V6 evolution means newer versions may have thinner coverage. Borderline yellow.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program confirmed ($250K max). Scope page returned 404 — cannot confirm explicit inclusion/exclusion of highest-TVL contracts (Router 0x888..., Market contracts). Cantina bounty also active. Scope likely covers core but per-market SY wrappers and factory versions V3-V6 scope ambiguous. Yellow due to inability to confirm full-scope coverage of all high-TVL contract addresses.
RD-F-010 n/a Static-analyzer high-severity count No independent Slither/Mythril/Semgrep tool run available. Published audits serve as proxy but are not equivalent to a programmatic tool run on deployed verified source. Cannot confirm high-severity count without tool run. Needs programmatic assessment.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Pendle V2 does not use UUPS proxy pattern for core contracts. Router is a diamond-facet pattern. Market Factory V3 is a factory (not UUPS impl). No UUPS pattern identified in deployed core contracts.
RD-F-002 green Audit recency Most recent audit: Spearbit July 26, 2024 (~277 days to 2026-04-29) and ChainSecurity Aug 15, 2024 (~257 days). Both within 365-day green threshold.
RD-F-004 green Audit count 8+ distinct audit firms/wardens: Ackee, WatchPug (4 reports), Dedaub, Dingbats, CMichel, 0xleastwood, ChainSecurity (x2), Spearbit, HickupHH3. Well exceeds ≥2 threshold.
RD-F-005 green Audit firm tier Spearbit is Tier-1. ChainSecurity is Tier-2 (established firm). WatchPug is top-ranked Code4rena independent warden. At least one Tier-1 audit (Spearbit) of deployed code confirmed.
RD-F-008 green Ignored bounty disclosure No evidence of a disclosed vulnerability ignored prior to exploit. Rekt database shows no Pendle core incidents. Penpie exploit (Sept 2024) was against Penpie's own reentrancy bug, not Pendle core.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT in inspected Pendle V2 contracts (ActionAddRemoveLiqV3, router architecture). No audit finding mentioning SELFDESTRUCT in any of 9+ audit engagements.
RD-F-012 green delegatecall with user-controlled target Router uses diamond-facet pattern where facets are pre-registered (not user-supplied). delegatecall targets are whitelisted facet implementations. No user-controlled delegatecall target found in audits or source inspection.
RD-F-013 green Arbitrary call with user-controlled target SY wrappers call protocol-specific underlying contracts (not user-supplied). Router aggregates through registered facets. No audit finding about unfiltered user-controlled call targets in core contracts.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard No ERC-777 integration with unguarded callbacks identified in core Pendle contracts. ERC-721/1155 not part of PT/YT/SY core mechanics. SY standard (EIP-5115) isolates underlying token behavior.
RD-F-016 green Divide-before-multiply pattern ChainSecurity audit covered arithmetic operations and found no high-severity arithmetic issues. Pendle uses WAD-based math libraries (PMath, MarketMathCore) that enforce scaling before division. No Slither tool run available but audit proxy confirms no divide-before-multiply in pricing paths.
RD-F-017 green Mixed-decimals math without explicit scaling SY standard (EIP-5115) normalizes yield token decimals to 18. PT/YT pricing uses fixed-point WAD math. ChainSecurity audit scope included functional correctness. No mixed-decimal arithmetic finding in any audit.
RD-F-018 green Signed/unsigned arithmetic confusion Spearbit identified and resolved LP truncation issue (syUsed/ptUsed, commit 14c9f26a). No remaining signed/unsigned confusion confirmed in any published audit of deployed code.
RD-F-019 green ecrecover zero-address return unchecked No ecrecover usage in core Pendle V2 market/router contracts from inspection. PENDLE token uses governance-based permit pattern (not raw ecrecover in critical path). No audit finding on unguarded ecrecover.
RD-F-020 green EIP-712 domain separator missing chainId Pendle uses EIP-712 with chainId in domain separator for permit-style calls. No audit finding about missing chainId. Pendle deploys same router address cross-chain via CREATE2 with chain-specific domain context.
RD-F-022 green Public initialize() without initializer modifier VotingEscrowPendleMainchain uses initializer modifier in constructor. Market Factory V3 uses BoringOwnableUpgradeable with Initializable. Router action contracts are diamond facets with no separate initialize() needed. No evidence of unprotected public initialize() on any live implementation. Tree inspection found only PendleCrossChainOracleBaseApp_Init.sol with initialize in name (cross-chain helper, not core market).
Governance & admin Yellow 48 24 of 24
RD-F-027 red Single admin EOA [★ CRITICAL] ProxyAdmin contract (0xA28c08f165116587D4F3E708743B4dEe155c5E64) owner is the Pendle Deployer 1 EOA (0x1FcCC097db89A86Bfc474A1028F93958295b1Fb7). This single EOA can upgrade all transparent proxies — including the governance proxy — in one transaction with no timelock. EOA was active as of 2026-04-27.
RD-F-028 red Low-threshold multisig vs TVL Low-quorum multisig admin custody. Dev Multisig (0xE6F0489ED91dc27f40f9dbe8f81fccbFC16b9cb1) requires 2-of-5 signatures; Treasury Multisig (0x8270400d528c34e1596EF367eeDEc99080A1b592) requires 2-of-6 signatures - both verified live via Safe Transaction Service API on 2026-05-07. Two compromised signers can move funds or execute governable-module changes on either Safe; both thresholds sit far below peer norm of 4/7 or 5/8 for a $1.44B TVL protocol. (OAK Research's published 2/4 figure for the dev multisig is stale - the on-chain Safe currently has 5 owners; threshold remains 2.) One signer (0x231FC5b039d66BA234CB90357082Bf16Be79B17c) is shared across both Safes, further concentrating control.
RD-F-032 red Timelock duration on upgrades No timelock contract confirmed for Pendle V2. Data cache shows timelock_address: null. Deployment JSON contains no timelock entry. governanceProxy upgraded on 2025-09-18 directly without queued timelock operation. All upgrades execute immediately.
RD-F-033 red Timelock on sensitive actions No timelock on: (a) proxy upgrades — ProxyAdmin owner is EOA; (b) router facet updates — owner-callable setSelectorToFacets executes immediately; (c) sPENDLE parameter changes — setCooldownDurationAndFee and setFeeReceiver execute immediately; (d) governance role changes — grantRole/revokeRole on governanceProxy execute immediately.
RD-F-043 red Admin = deployer EOA after 7 days [★ CRITICAL] ProxyAdmin owner is Pendle Deployer 1 EOA (0x1FcCC097db89A86Bfc474A1028F93958295b1Fb7), approximately 29 months after V2 mainnet launch. Deployer EOA made a transaction to the Governance Safe 42 hours before assessment date (2026-04-27), confirming it is still active with admin power. No evidence of ProxyAdmin ownership transfer to a multisig.
RD-F-025 yellow Admin key custody type Hybrid admin custody: ProxyAdmin owned by Deployer 1 EOA (single EOA for proxy upgrades); Governance Safe 3-of-5; Dev Multisig 2-of-5; Treasury 2-of-6. Effective upgrade posture is EOA despite multisig presence elsewhere.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Dev Multisig: 2-of-5. Governance Safe: 3-of-5. Treasury: 2-of-6. ProxyAdmin is EOA (1-of-1 for upgrades). All confirmed via Safe Transaction Service API.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader governanceProxy exposes GUARDIAN role distinct from DEFAULT_ADMIN_ROLE, with pause() function. Some role separation exists. However, ProxyAdmin EOA could upgrade governanceProxy impl to remove this separation. Partial separation.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Partial role separation: upgrade = ProxyAdmin EOA; fee = Treasury Safe; gauge/emission = Dev Multisig. However, ProxyAdmin EOA could upgrade any proxied contract to redirect fees or emissions. Cross-chain adds LayerZero governance messaging complexity.
RD-F-036 yellow Flash-loanable voting weight [★] sPENDLE governance via Snapshot off-chain. Snapshot takes a block-level snapshot of sPENDLE balances at proposal creation — preventing same-block flash-loan attacks. However, sPENDLE has no hard lock (14-day withdrawal cooldown only), allowing pre-staged whale accumulation. vePENDLE's 2-year lock was stronger flash-loan protection; the Jan 2026 transition materially weakened this posture.
RD-F-039 yellow delegatecall/call in proposal execution without allowlist [★] No on-chain governor executes arbitrary proposal payloads. However, ActionMiscV3.sol simulate() executes target.delegatecall(data) with user-supplied target, then invariably reverts. The revert ensures no state change. Latent risk: if a future upgrade removes the revert, this becomes an open delegatecall. Currently yellow, not red, due to always-revert pattern.
RD-F-040 yellow Emergency-veto multisig present governanceProxy has GUARDIAN role with pause() function. Governance Safe (3-of-5) can veto Snapshot proposal execution by refusing to execute. Pendle paused contracts during Penpie incident (Sep 2024) demonstrating operational pause capability. No formal veto committee with separate mandate.
RD-F-167 yellow Deprecated contract paused but pause reversible by live admin vePENDLE (0x4f30A9D41B80ecC5B94306AB4364951AE3170210) is deprecated but admin retains control. Multiple deprecated market factory versions (V3, V4 coexisting with V6) not formally renounced. No explicit admin-renouncement on deprecated contracts found.
RD-F-029 gray Multisig signers co-hosted Five signer addresses for Dev Multisig retrieved but ASN/custody not publicly attested. Signer identities unknown. Cannot confirm or deny co-hosting.
RD-F-030 gray Hot-wallet signer flag Hot-wallet heuristics not applied to signer addresses. Signer overlap (0x231FC5... and 0xF51736... appear in both Dev Multisig and Governance Safe) noted as concentration risk. Not assessed for hot-wallet behavior.
RD-F-031 gray Signer rotation recency Dev Multisig deployed 2023-11-27. No evidence of threshold change or signer rotation since deployment from available public data. Exact rotation history requires querying AddedOwner/RemovedOwner events.
RD-F-037 gray Quorum achievable via single-entity flash loan Snapshot quorum not retrievable (JS-rendered). Cannot assess whether a single entity could achieve quorum via token accumulation. Likely yellow given 14-day window for token accumulation against unknown quorum threshold.
RD-F-038 n/a Proposal execution delay < 24h Snapshot governance is off-chain and advisory; multisig executes outcomes with no enforced delay. No on-chain governor or timelock constrains execution speed. Multisig could execute a passed Snapshot proposal immediately. [v1-deferred Pass 3]
RD-F-044 n/a Admin wallet interacts with flagged addresses No evidence of admin wallet interaction with flagged mixer-funded or sanctioned addresses found in available public data. Deferred to dev-identity-analyst for deeper Cat 7 assessment. [v1-deferred Pass 3]
RD-F-045 gray Constructor args match governance proposal No on-chain governance proposal for constructor args — deployments executed by multisig off-chain. Cannot verify args match a publicly stated proposal.
RD-F-047 gray Governance token concentration (Gini) Holder Gini not computed. Notable: one address (0x231FC5b039d66BA234CB90357082Bf16Be79B17c) is a signer on both Dev Multisig and Governance Safe — potential governance concentration. Full Gini assessment requires on-chain holder scan.
RD-F-041 green Rescue/emergencyWithdraw without timelock [★] No rescue, emergencyWithdraw, sweep, or recover function found in the deployed router (ActionMiscV3.sol, ActionBase.sol), StakedPendle.sol, or MarketFactory contracts. GitHub search returned zero matches for these terms across the entire pendle-core-v2-public repository.
RD-F-042 green Admin has mint() with unlimited max [★] PENDLE token has no mint() function. Max supply ~281.5M PENDLE confirmed on Etherscan readContract. sPENDLE minting via stake() only (1:1 PENDLE → sPENDLE). Emission via claimLiquidityEmissions() follows a fixed schedule, not an admin-callable unlimited mint.
RD-F-046 green Contract unverified on Etherscan/Sourcify [★] All core contracts verified on Etherscan: Router 0x888..., PENDLE token, sPENDLE proxy, governanceProxy, Market Factory V3. Public source code and ABI available.
Oracle & external dependencies Yellow 24 17 of 17
RD-F-049 yellow Oracle role per asset Oracle roles identified: Internal AMM TWAP = Primary for all PT/LP markets. Chainlink wstETH/stETH + rETH/ETH = Primary SY rate on Arbitrum/Optimism. RedStone weETH = Primary SY rate for weETH Arbitrum market. On-chain protocol state = Primary SY rate on Ethereum. LinearDiscountOracle = Primary for Spark-integrated markets. No secondary or fallback oracle confirmed for any individual feed — single-source per market is the design.
RD-F-050 yellow Dependency graph (protocols depended upon) Critical external dependencies identified: Lido (stETH markets, largest Ethereum TVL segment), Ethena (sUSDe markets), EtherFi (weETH markets), MakerDAO/Spark (sDAI markets), Aave (aToken SY wrappers), LayerZero (governance + OFT bridge), Chainlink (L2 SY rate feeds on Arbitrum/Optimism), RedStone (weETH Arbitrum). Yellow because dependency graph is broad — failure of any major LST provider would impair the corresponding Pendle markets. PT holders are bounded by maturity (1:1 for the underlying), partially containing blast radius.
RD-F-051 yellow Fallback behavior on oracle failure No documented fallback mechanism in core oracle contracts. getOracleState() returns oldestObservationSatisfied boolean but does not auto-pause or redirect to secondary. Oracle library has no last-known-price fallback. SY wrappers have no fallback if underlying rate getter reverts. Manual pause via dev multisig is the only fallback mechanism. Yellow rather than red because the TWAP design is inherently more manipulation-resistant than spot feeds, and the bounded maturity redemption limits worst-case loss.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (a) SY rate getter fails → market mis-pricing, requires new SY wrapper + migration; (b) LayerZero oracle/relayer unavailable → rewards sync stalls, no direct fund loss; (c) Chainlink L2 feed stale → L2 market mis-valuation, contained to affected market; (d) Pendle TWAP sparse/manipulated → lending protocol oracle attack risk; (e) PENDLE OFT DVN compromised → unbacked PENDLE supply inflation. Yellow because no single failure results in immediate catastrophic protocol loss for core Pendle TVL, though lending protocol contagion is a material concern.
RD-F-054 yellow TWAP window duration TWAP duration is a uint32 parameter passed by callers — not enforced by the oracle contract. Pendle docs recommend 900-1800 seconds minimum. duration=0 reads instantaneous rate (manipulable). getOracleState() validates cardinality adequacy for requested duration. Aave governance discussions cite 1-day (86400s) TWAP for lending use cases. Yellow because recommended durations are in acceptable range (900-1800s meets the 30-min taxonomy threshold) but enforcement is caller-responsibility only — misconfigured integrators face manipulation risk.
RD-F-055 yellow Oracle pool depth (USD) Pendle TWAP oracle draws from its own AMM liquidity. Thin markets (near-expiry, small TVL) are more manipulable. Major markets (stETH, sUSDe) have material depth at $1.44B total TVL. Arbitrum alone ~$481M. Near-expiry markets with reduced LP activity present higher manipulation risk. Chainlink and RedStone feeds are not pool-depth dependent.
RD-F-056 yellow Single-pool oracle (no medianization) Each Pendle market has its own isolated AMM TWAP accumulator — single-source, no cross-venue medianization. This is architecturally inherent to yield-tokenization design. Each market's TWAP is isolated to that market's liquidity depth. Chainlink and RedStone feeds use multi-source aggregation but these are the SY rate feeds, not the PT pricing oracle.
RD-F-057 yellow Circuit breaker on price deviation No price-deviation circuit breaker in the Pendle oracle contract. Contract reverts on TwapDurationTooLarge (cardinality limit) but has no price-movement halt. Chaos Labs external PT Risk Oracle for Aave has a liquidity killswitch (LP concentration at 96%) but this is external to Pendle core. Manual pause via dev multisig is the only Pendle-side emergency mechanism.
RD-F-059 yellow Oracle staleness check present getOracleState() provides oldestObservationSatisfied boolean but does not auto-reject stale reads. Callers must query and act on this flag themselves. PendlePYOracleLib has no timeout enforcement. Pendle docs recommend calling getOracleState() before consuming rates but this is caller responsibility. Chainlink feeds have standard heartbeat staleness (3600s) enforced by Chainlink's aggregator. Yellow because staleness check exists but is passive/advisory, not enforced at the oracle level.
RD-F-062 yellow External keeper/relayer not redundant LayerZero V1 governance messaging uses default oracle+relayer (LayerZero Labs operated, no redundancy). Source code of PendleMsgSendEndpointUpg.sol confirms default send/receive version. PENDLE OFT (V2) DVN configuration not confirmed — may use LayerZero default DVN (single operator). Core protocol operations (PT/YT minting, LP actions) are permissionless on each chain and require no external keeper. Yellow because keeper dependency exists for cross-chain governance coordination but not for primary protocol operations.
RD-F-180 yellow Immutable oracle address [★ F180 CANDIDATE — tracked per T-12 PD-017; DO NOT count in 19-★ rubric total; flag for orchestrator T-14 tracking] PY-YT-LP Oracle (0x5542be50420E88dd7D5B4a3D488FA6ED82F6DAc2) is a TransparentUpgradeableProxy — the core oracle IS admin-replaceable via ProxyAdmin (0xA28c08f165116587D4F3E708743B4dEe155c5E64). HOWEVER: individual SY wrapper contracts per market have their rate-getter logic baked in bytecode; changing the rate source for a specific market requires deploying a new SY wrapper and migrating the market. This is partial-F180: main oracle contract is replaceable (proxy), but per-market SY oracle sources are functionally immutable without market redeploy. YELLOW not RED because blast radius is per-market bounded (not all Pendle TVL), PT value is bounded by maturity redemption, and new markets can be created with corrected SY wrappers.
RD-F-058 gray Max-deviation threshold (bps) No max-deviation threshold configured in the Pendle oracle itself because no circuit breaker exists. N/A for this factor — circuit breaker is absent so threshold is undefined. External integrators have their own thresholds outside Pendle's control.
RD-F-060 gray Chainlink aggregator min/max bound misconfig Chainlink feeds used by Pendle SY wrappers (wstETH/stETH, rETH/ETH) are exchange-rate feeds not USD price feeds. Min/max bounds for exchange-rate feeds are less critical than for USD feeds (floor-bug class is less severe for LST-to-ETH ratio). Specific min/max bounds not verified on-chain due to incomplete feed address confirmation (data-cache oracle_feeds contain ETH/USD, BTC/USD, LINK/USD, USDC/USD, USDT/USD feeds which appear from oracle discovery and may not be Pendle-specific SY feeds). Gray due to insufficient on-chain verification.
RD-F-048 green Oracle providers used Pendle uses six oracle mechanisms: (1) Internal AMM cumulative ln-implied-APY TWAP accumulator for PT/LP pricing; (2) On-chain protocol state getters for Ethereum LSTs (Lido stETH.getPooledEthByShares, Ethena sUSDe.convertToAssets, MakerDAO Pot.chi); (3) Chainlink wstETH/stETH and rETH/ETH feeds on Arbitrum/Optimism for cross-chain rate conversion; (4) RedStone push-mode oracle for weETH on Arbitrum; (5) Internal LinearDiscountOracle for Spark/sDAI markets; (6) PendleChainlinkOracleFactory adapters exposing TWAP to external lending protocols. All oracle types confirmed via deployment JSONs, source code, and official documentation.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] No spot-DEX-pool-without-TWAP pattern in core pricing. Pendle AMM accumulates cumulative ln-implied-APY internally (AMM-native TWAP, not spot DEX pool read). SY rates use on-chain protocol state (Lido, Ethena, MakerDAO) or standard Chainlink feeds. LinearDiscountOracle uses fixed discount rate. No single-DEX-spot-price-oracle pattern identified in any pricing path.
RD-F-061 green LP token balanceOf used for pricing Not found in Pendle oracle design. AMM TWAP accumulates from trade events (cumulative implied rate from AMM interactions), not from balanceOf of LP tokens. SY rates come from underlying protocol state calls. LP-token-balanceOf manipulation attack vector is not applicable to Pendle's AMM-accumulator design.
RD-F-181 green Permissionless-pool lending oracle Pendle does not accept spot prices from permissionlessly-created DEX pools. The TWAP oracle reads from Pendle's own AMM markets, created via the Market Factory (whitelisted creation requiring SY wrapper deployment). Not a permissionless pool-creation venue. The Rhea Finance class of attack (permissionless pool creation → fake token → oracle acceptance) does not apply to Pendle's architecture.
Economic risk Yellow 28 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) Asset-level concentration is materially elevated. At ATH, >50% of Ethena sUSDe's global supply was deposited in Pendle. Top 3-5 assets (sUSDe, stETH, weETH, USDG) are estimated to represent 80-90% of TVL. Wallet-level top-10 scan was not achievable (Dune 403, DefiLlama HTML 403). Yellow because the asset concentration is real and documented but full wallet-level Gini is unavailable.
RD-F-065 yellow Liquidity depth per major asset Liquidity is heterogeneous across markets and maturities. Active short-dated major markets (USDG $57.7M, sNUSD $27.4M, sUSDe $13.4M) are reasonably deep. Long-dated and long-tail markets are thin — documented example: September 2026 pool shows $8M liquidity with 5% slippage on a $100K trade. Maturity cliff effect: liquidity concentrates in PT as expiry approaches, reducing SY-side exit depth. Thin markets create exit risk for large holders and increase oracle manipulation risk in Pendle's own TWAP oracle.
RD-F-072 yellow Market-listing governance threshold Permissionless market creation. Any user or protocol can deploy a new Pendle PT/YT/LP market for any SY asset via the Market Factory contracts (V3-V6 factory versions across chains). The official Pendle UI applies a curation review for visibility, but on-chain creation is fully unconstrained — no governance vote, no whitelist, no minimum liquidity requirement before launch. This enables long-tail or illiquid underlying assets to be listed, creating risk that PT holders are locked into markets where the underlying SY has insufficient secondary liquidity at expiry. Taxonomy designates this factor as lending-only per PD-024, but the Pendle AMM permissionless listing risk is structurally analogous and material. Assessed yellow rather than N/A with this taxonomy flag. v1.6 candidate for expanding the factor's scope to cover permissionless AMM market creation.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) Pendle's LP AMM accounting is not ERC-4626 — it uses exchange-rate-based SYUtils.sol conversion with MINIMUM_LIQUIDITY = 1000 LP locked at first deposit (Uniswap-V2 pattern). This mitigates the direct ERC-4626 virtual-share inflation attack for LP tokens. However, Pendle's SY wrapper contracts wrap external ERC-4626 vaults (Aave aTokens, Ethena sUSDe, Lido stETH, etc.). While the protocol uses OZ 4.9.3 (which includes the virtual-share offset in its ERC-4626 implementation), it cannot be confirmed from available evidence that all individual SY wrapper contracts across hundreds of deployed markets on 6+ chains uniformly implement the OZ 4.9.3 virtual-share offset. Coverage uncertainty across the SY wrapper population produces a yellow rating.
RD-F-075 yellow First-depositor / share-inflation guard LP market layer: first-depositor guard exists via MINIMUM_LIQUIDITY = 1000 LP tokens locked in MarketMathCore.sol at first deposit (Uniswap-V2 dead-shares pattern). SY wrapper layer: MINIMUM_LIQUIDITY is also added to protocol reserves to protect against front-running the initial deposit per MixBytes analysis. However, there are hundreds of individual SY wrapper contracts across 6+ chains and factory versions V3-V6. Full verification that every deployed SY wrapper uniformly implements this guard was not achievable from available evidence. Some older (V3) or long-tail SY wrappers may have weaker protection. Yellow due to coverage uncertainty — not due to a confirmed absent guard.
RD-F-066 n/a Utilization rate (lending protocols) Pendle is not a lending protocol. There is no borrow/supply mechanism and no utilization rate. PT/YT/LP markets are fixed-maturity yield AMM pools. Per taxonomy PD-024, this factor is lending-only.
RD-F-067 n/a Historical bad-debt events No collateralized lending function exists in Pendle core markets; no bad debt mechanism is present. The Penpie exploit (September 2024, $27M) was against a third-party wrapper, not Pendle core — confirmed by rekt.incidents:[] in data cache and profile §10 framing. Per taxonomy PD-024, this factor is lending-only.
RD-F-068 n/a Collateralization under stress Pendle does not operate a collateralized debt system. PT/YT/LP mechanics involve no user-posted collateral with health ratios. Per taxonomy PD-024, this factor is lending-only and N/A for AMM/yield protocols.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Pendle is not a stablecoin protocol. The protocol tokenizes yield from yield-bearing assets and does not issue any stablecoin (algorithmic or otherwise). Per taxonomy PD-024, this factor is lending-only.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) [★ CRITICAL — NOT APPLICABLE] Pendle is not a Compound V2 fork and has no cToken-style markets. The empty-cToken-market donation exploit pattern does not apply. First-depositor protection for LP markets is implemented via MINIMUM_LIQUIDITY = 10^3 (1000 LP tokens) locked at first deposit in MarketMathCore.sol — following the Uniswap V2 dead-shares pattern. No PT/YT/LP share-based accounting creates the cToken-style share-inflation vector. Profile confirms original implementation, not a fork. Taxonomy explicitly designates RD-F-070 as 'Compound-fork-only.' Pendle-specific counterparty analog (PT redemption risk if SY underlying depegs) is noted in narrative but does not trigger this factor.
RD-F-071 n/a Seed-deposit requirement for new market listing Per taxonomy PD-024, seed-deposit requirement for new-market listing is a lending-only factor. Pendle is not a lending protocol. Informational context: the LP market MINIMUM_LIQUIDITY = 1000 LP tokens locked at first deposit serves an analogous purpose at the AMM layer, but this factor definition concerns lending market listing governance.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Pendle core markets have no borrow caps. There is no borrowing mechanism in PT/YT/LP markets. Per taxonomy PD-024, oracle-manipulation-proof borrow cap is a lending-only factor.
RD-F-063 green TVL (current + 30d trend) TVL = $1,594,207,212 (~$1.59B) as of 2026-05-07 per DefiLlama API. ATH was $5.78B (May 2024). 30-day trend positive (~+10% vs late-April low). TVL exceeds the $100M current threshold and the $250M 12-month peak threshold. TVL is composed of real deposited yield-bearing assets (stETH, sUSDe, weETH, USDG, etc.) across 6+ chains — no synthetic inflation.
Operational history Green 12 15 of 15
RD-F-084 yellow TVL stability (CoV over 90d) TVL CoV not directly computable (DeFiLlama API >10MB for Pendle). Qualitative assessment based on known trajectory: V2 launch ~0 TVL → $1B Feb 2024 → $5.78B ATH May 2024 → $8.7B Q3 2025 peak → $1.96B Q3-Q4 2025 low → $1.59B current 2026-05-07. Significant maturity-driven cliff effects evident. 90-day trailing window appears more stable (current TVL $1.4-1.6B range), but full 12-month window shows high volatility. Yellow is conservative bounded estimate (CoV likely 0.15-0.35 for trailing 90d; >0.35 for 12-month window). Exact CoV requires DeFiLlama daily API paginated fetch.
RD-F-086 yellow Pause activations (trailing 12 months) One documented pause: 2024-09-03 18:45 UTC (all Pendle contracts paused in response to Penpie exploit), unpaused 2024-09-04 00:50 UTC (~6 hours). Reason documented: precautionary measure to protect $105M adjacent TVL. The Penpie incident falls ~19 months before assessment date, outside the strict 12-month trailing window (April 2025–April 2026). Without on-chain RPC enumeration of Paused events in the strict trailing window, cannot confirm definitively that no additional pauses occurred. Yellow reflects incomplete on-chain verification. If trailing 12-month window is confirmed clean, should be green.
RD-F-089 yellow Insurance coverage active Nexus Mutual bundled protocol cover includes Pendle (alongside EigenLayer and Ether.fi), protecting against smart contract hacks/exploits, oracle manipulation/failure, severe liquidation failure, and governance attacks. Coverage is available for user purchase on Nexus Mutual/OpenCover. Active user-purchased coverage for Pendle strategies confirmed to exist. However: (a) exact coverage amount not determinable from available sources; (b) this is user-side insurance, not protocol-held coverage; (c) no Sherlock protocol-level coverage for Pendle confirmed; (d) coverage amount vs TVL ratio unknown. Yellow: coverage exists but scope/amount unconfirmed relative to TVL.
RD-F-166 yellow Deprecated contracts still holding value vePENDLE contract (0x4f30A9D41B80ecC5B94306AB4364951AE3170210) is in partially-deprecated state: new locks paused 2026-01-29, governance role transferred to sPENDLE. Existing 2-year lock positions remain until natural expiry — this is the protocol's stated design, not an operational lapse. Profile §6 notes Governance Safe holds ~22M PENDLE (~$30M); residual locked PENDLE in vePENDLE almost certainly exceeds $100K. Yellow (not red) because: (a) migration was publicly announced and communicated; (b) residual value represents user-locked PENDLE with clear expiry path, not stranded dust; (c) no emergency or involuntary lock situation. On-chain balance verification not performed — yellow reflects incomplete verification.
RD-F-081 gray Post-exploit response score No Pendle-core exploits to assess. Gray is the correct state for this factor when no prior incidents exist. N/A by construction. Informational note: Pendle's response to the adjacent Penpie incident (detection-to-pause ~22 minutes, SEAL 911 engagement, proactive downstream communication, public post-mortem same day) would score 4-5/5 if assessed, but this is not a Pendle-core incident.
RD-F-082 gray Post-mortem published within 30 days No Pendle-core exploits to assess. Gray per methodology template: 'gray = no prior incidents (N/A)'.
RD-F-083 gray Auditor re-engaged after last exploit No Pendle-core exploits to assess. Gray per methodology template: 'gray = no prior exploits (N/A)'.
RD-F-085 gray Incident response time (minutes) No Pendle-core exploits to assess. Gray per methodology: 'gray = no prior incidents (N/A)'. Informational: Pendle's response to adjacent Penpie incident was ~22 minutes from first attack tx to pause — would be green (<60 min threshold) if this were a Pendle incident.
RD-F-076 green Protocol age (days) Pendle V1 mainnet launched 2021-06-17 (~59 months ago). V2 relaunch 2022-11-29 (~29 months). Both exceed the 365-day green threshold. Protocol is continuously live with no gaps in operation. GitHub last commit 2026-04-03 confirms active maintenance.
RD-F-077 green Prior exploit count Zero Pendle-core exploits found. Hacksdatabase (84 entries) contains Penpie (#33) but not Pendle. Rekt.news leaderboard: no Pendle entry; Penpie listed at #75 under its own slug. Data cache rekt.incidents: []. The 2024-09-03 Penpie incident ($27M) is a third-party integration exploit — Penpie's reentrancy bug, not Pendle's SY/PT/YT/Market contracts. Correctly excluded from Pendle's incident count.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Derived from F077: 0 Pendle-core incidents. Chronic flag (<3 incidents threshold) does not fire. Badge: CLEAN.
RD-F-079 green Same-root-cause repeat exploit Zero Pendle-core incidents. Same-root-cause repeat exploit cannot apply with 0 incidents. N/A-by-construction.
RD-F-080 green Days since last exploit No prior Pendle-core incidents. Days since last exploit is effectively infinite (>365 days threshold for green). Green by construction from 0-incident history.
RD-F-087 green Pause > 7 consecutive days Single documented pause lasted ~6 hours (2024-09-03 18:45 UTC to 2024-09-04 00:50 UTC) — well under the 7-day threshold. No other extended pause events documented. Green with high confidence.
RD-F-088 green Re-deployed to new addresses in last year No evidence of protocol-wide redeployment to new addresses in the last 12 months. The sPENDLE governance migration (completed 2026-01-29) added a new contract but did not retire or replace existing core protocol contracts. Market factories V3-V6 represent incremental additions across chains over time, not emergency redeployments. Protocol is live and actively maintained. Profile §2 confirms no deprecation signals.
Real-time signals Green 8 22 of 22
RD-F-102 yellow Admin/upgrade transaction in mempool Admin/upgrade tx in mempool signal (v1 phase-2). Threshold: pending tx to protocol admin contract with upgrade/admin selector, sender in admin key set, no matching governance proposal in preceding 48h. Applicable and architecturally live: Dev Multisig (0xE6F0489...) has upgrade authority via Proxy Admin (0xA28c08f...) with NO timelock. Last upgrades were March 2024 (4 operations in 2 weeks per Etherscan). No timelock means any future upgrade appears in mempool without governance pre-announcement — the signal would provide near-zero lead time. No current pending tx detectable statically. Yellow because the no-timelock condition makes this signal's live-detection critical for Pendle.
RD-F-104 yellow Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal (v1 launch). Threshold: |price - peg| / peg > 0.02 on >=2 venues, sustained >=30 min, AND protocol exposure to that stable >=5% TVL. Pendle has material sUSDe exposure (major PT market). Oct 10–11, 2025: USDe depegged to $0.65 on Binance internal oracle (exchange-specific) and ~$0.97 on Chainlink/DEX venues — signal would have fired for Pendle on the broader venue threshold breach. Recovery within hours. Currently: no active depeg (sUSDe, stETH, weETH all at or near peg as of 2026-04-29). Yellow because signal has demonstrably applicable precedent (fired retrospectively Oct 2025) and the exposure persists; risk of re-fire under similar macro stress remains live.
RD-F-091 n/a Partial-drain test transactions v1-deferred signal. Partial-drain test transaction pattern monitoring requires sustained on-chain tx pattern matching. Rekt DB shows zero Pendle entries; TVL stable at ~$1.44B. No partial-drain pattern publicly observed on Pendle core contracts. Cannot fire in static assessment.
RD-F-092 n/a Unusual mempool pattern from deployer wallet v1-deferred signal. Unusual mempool pattern from deployer wallet requires live mempool monitoring. Deployer (0x1FcCC097...) last Proxy Admin upgrade was March 2024 — no recent anomaly detectable statically.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet v1-deferred signal. Abnormal gas-price willingness from attacker wallet requires live mempool monitoring. No active attacker wallet identified on Pendle core contracts.
RD-F-094 n/a New contract with similar bytecode to exploit template v1-deferred signal. New contract deployment with similar bytecode to Pendle's target requires on-chain new-deploy sweep + bytecode similarity engine. No such deployment reported publicly.
RD-F-095 n/a Known-exploit function-selector replay v1-deferred signal. Known-exploit selector replay pattern requires an exploit-template DB. Penpie's exploit used `batchHarvestMarketRewards` (Penpie-specific selector), not a Pendle core selector. No known-exploit replay active on Pendle core.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale v1-deferred signal. New ERC-20 approval to unverified contract from high-TVL user requires mempool + explorer monitoring. No public alert of this type against Pendle.
RD-F-097 n/a Sybil surge of identical-pattern transactions v1-deferred signal. Sybil surge of identical-pattern transactions requires on-chain clustering. Pendle's permissionless market factory is less directly exploitable at the core level (Penpie's issue was Penpie's acceptance of all markets, not Pendle's). No sybil surge detected on Pendle core.
RD-F-101 gray Large governance proposal queued Governance proposal queued signal (v1 launch). Signal fires on on-chain ProposalCreated/ProposalQueued events from an on-chain governor contract. Pendle uses Snapshot-only advisory governance (data cache: governor_address: null, type: snapshot_only). There is no on-chain governor contract. RD-F-101 is architecturally inapplicable to Pendle's current governance model — gray due to structural N/A, not data gap. Dashboard should render 'Snapshot governance — on-chain proposal signal N/A'.
RD-F-106 n/a Cross-chain bridge unverified mint pattern v1-deferred signal. Cross-chain bridge tx pattern (deposit src, mint dst without proof) requires cross-chain event indexing. Pendle uses LayerZero OFT — no unbacked mint events publicly reported. DVN configuration not retrieved (data cache gap: layerzero.dvn_threshold: null).
RD-F-107 n/a Admin EOA signing from new geography/device v1-deferred signal. Admin EOA signing from new geography requires off-chain signing telemetry — not available.
RD-F-108 n/a GitHub force-push to sensitive branch v1-deferred signal. GitHub force-push monitoring requires GitHub API push events stream. Last commit pendle-core-v2-public: 2026-04-03 per data cache. No public evidence of force-push or sensitive-branch compromise.
RD-F-109 n/a Social-media impersonation scam spike v1-deferred signal. Social-media impersonation spike monitoring requires social-media listening vendor. Phishing domain pendle-finance.com (Mar 2024) indicates scam ecosystem activity, but no documented large-scale Discord/Telegram/X impersonation spike of the type this signal targets.
RD-F-110 n/a Unusual pending/executed proposal ratio v1-deferred signal. Unusual pending/executed governance proposal ratio requires on-chain governor with proposal-queue state. Pendle has Snapshot-only governance (governor_address: null) — this signal is also architecturally inapplicable, compounding the v1-deferred status.
RD-F-182 gray Security-Council threshold reduction (RT) Security-Council threshold reduction RT signal (batch-24). Fires when a named Security Council multisig executes threshold reduction or timelock removal within <=14 days. Pendle does not have a named Security Council in its governance architecture. The three Safe multisigs serve treasury/admin/fee functions — none is designated as a Security Council with the specific SC-class powers (threshold + timelock + bridge guardian roles). The Dev Multisig (0xE6F0489...) holds upgrade authority but is not a Security Council. Signal is architecturally inapplicable to Pendle's current structure. The analogous static risk (threshold reduction on Dev Multisig) is assessed under RD-F-031 by governance-admin-analyst.
RD-F-090 green Mixer withdrawal → protocol interaction Cat 6A precursor signal. Threshold: wallet withdrew from mixer within 30 days AND interacts with Pendle core contracts with >$100K value AND flagged by >=2 attribution sources. Deployer wallets (0x1FcCC097..., 0x196e6d50...) show no mixer-funded transactions per Etherscan review. Penpie attacker (Sept 2024) laundered to Tornado Cash post-exploit — this is NOT a pre-exploit mixer-funded wallet interacting with Pendle core; attack was against Penpie contracts. No live public alert of mixer-funded wallet on Pendle core. Phase-2 signal (advisory-only, tier-C, never grade-eligible alone).
RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly signal. Threshold: TVL drops >30% in 60-minute window vs 30d baseline. Current TVL ~$1.44B; 90-day trend ~-12% (gradual, not anomalous drain). No anomalous TVL drain events in Rekt DB (zero Pendle entries). Signal applicable and wired (v1 launch signal). Not currently firing.
RD-F-099 green Oracle price deviation >X% from secondary Oracle deviation signal (v1 phase-2). Threshold: >1% deviation primary vs secondary on protocol-used oracle, sustained >=4 blocks. Pendle's PY-YT-LP TWAP oracle (0x5542be50...) uses 900–1800s TWAP — resistant to single-block manipulation. No public oracle anomaly alert from Aave/Morpho/Venus PT market monitoring. Oct 2025 USDe depeg did not trigger a Pendle oracle misquote per available evidence. Signal applicable, posture clean.
RD-F-100 green Flash loan >$10M targeting protocol tokens Flash-loan targeting signal (v1 phase-2). Threshold: flash loan >=$10M origination with receiver interacting with protocol oracle/market/governor. Penpie's Sept 2024 exploit used Balancer flash loans but the receiver was Penpie's staking contract (not Pendle's core AMM, SY contracts, or TWAP oracle). Rekt DB shows zero Pendle core entries. No flash-loan attack against Pendle core reported.
RD-F-103 green Bridge signer-set change proposed/executed Bridge signer-set change signal (v1 launch). Threshold: SignerAdded/SignerRemoved/ThresholdChanged event on tracked bridge contract with no governance pre-announcement in preceding 24h. Pendle uses LayerZero endpoints (Arbitrum: 0x3c2269..., Mantle: 0xb6319cc...) and canonical chain bridges. No unscheduled signer-set change events flagged in trailing 30 days. Data cache has a pipeline gap (layerzero.present: false) — DVN configuration not retrieved; curator should verify via LayerZero Scan. Signal posture: no current event firing.
RD-F-105 green DNS/CDN/frontend hash drift DNS/frontend hash drift signal (v1 phase-2). Threshold: hash of DNS record set, TLS cert, JS bundles, or IPFS CID differs from last-known-good baseline AND no change-management allowlist match. Official domain pendle.finance: nameservers ns49/50.domaincontrol.com, WHOIS last updated 2021-01-27 — consistent with original registration, no evidence of unscheduled DNS change. Confirmed phishing domain pendle-finance.com (registered March 2024, DV SSL) flagged by ScamAdviser — this is a Cat 11 F161 finding (typosquat), not a drift on the official domain. Official frontend posture: clean.
Dev identity & insider risk Green 2 16 of 16
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion No confirmed instance of a sudden admin-rescue or ACL change without preceding discussion found. The sPENDLE governance migration (largest recent change) was publicly announced via Medium post with community discussion. GitHub issues show open governance discussions (#44). However: (1) no governance forum exists (forum.pendle.finance 404), eliminating an archived pre-discussion trail for admin changes; (2) the Dev Multisig (2-of-5) operates without a timelock (data cache: timelock_address = null), enabling rapid ACL changes without buffer; (3) admin signer identities are not publicly labeled. Assessed yellow: structural gap exists but no confirmed undiscussed ACL-change event identified in the last 180 days.
RD-F-117 gray ENS/NameStone identity bound to deployer No ENS primary name resolved to Deployer 1 (0x1FcCC097) or Deployer 2 (0x196e6d50) based on Etherscan address pages. The funding source for Deployer 1 (secretrick.eth) holds an ENS name, but this is the funding source not the deployer. No NameStone binding identified. Factor is gray (no ENS binding present — no signal in either direction).
RD-F-111 green Team doxx status TN Lee (CEO) and Vu Nguyen (co-founder/Chief Engineer) are doxxed with real names, verifiable LinkedIn profiles, prior employment history at Kyber Network and Digix respectively, and podcast/conference appearances. Engineering lead UncleGrandpa925 self-identifies as Singapore-based with named role. ngfam (Nghia Pham) uses real name on GitHub. Two founding-era co-founders (GT, YK) remain pseudonymous with no public identity trail. Classification: real-name with track record for lead team; pseudonym-no-track-record for GT/YK. Pendle Labs is a Singapore-registered entity.
RD-F-112 green Team public accountability surface TN Lee has LinkedIn, Crunchbase, Kyber Network founding team reference, The Defiant video podcast, multiple news articles. Vu Nguyen has verifiable IMO gold medal academic record (3x), NUS CS degree, Digix work history. UncleGrandpa925 has GitHub profile, Twitter, competitive programming background. Multiple verifiable trails per lead team member. GT/YK have no independent trails. Overall accountability surface is strong for the doxxed members who hold public roles.
RD-F-113 green Team other-protocol involvement history TN Lee: Kyber Network founding team member (Head of Business, 2+ years; reputable DEX, no rug history). Vu Nguyen: prior CTO and Lead Smart Contract Developer at Digix DAO (RWA gold tokenization protocol; no rug). UncleGrandpa925: ks-helper-sc (KyberSwap helper) — not a rug. Protocol launched as 'Benchmark' in 2020 before rebranding to Pendle — same team, continuous operation. Hacksdatabase has no Pendle-core entry. No team member has prior rug or exit-scam affiliation. Vu Nguyen's Digix-CTO history corroborated across multiple independent crypto-research outlets.
RD-F-114 green Deployer address prior on-chain history Deployer 1 (0x1FcCC097db89A86Bfc474A1028F93958295b1Fb7): labeled 'Pendle: Deployer 1' on Etherscan; 4,092 txs; active across 10 chains; normal developer deployment history; no prior rug-linked contracts. Deployer 2 (0x196e6d50df6289e1f82838e84774b2b0c8f4af62): V1 token deployer; funded by Binance; inactive since Feb 2024; normal dev history. Hacksdatabase: no Pendle deployer address linked to prior exploits.
RD-F-115 green Prior rug/exit-scam affiliation Web search for 'Pendle Finance rug OR exit scam OR insider fraud' returned zero protocol-specific results. TN Lee's prior work at Kyber Network (reputable, ongoing since 2017) shows no rug pattern. Vu Nguyen's prior work at Digix shows no rug pattern. Protocol is 5+ years old with continuous operation and public team. No team member linked to a prior rug via OSINT.
RD-F-116 green Contributor tenure at admin-permissioned PR Top two contributors have very long tenures: UncleGrandpa925 (955 commits, Engineering Lead, multi-year history) and ngfam/Nghia Pham (845 commits). Most recent admin-permissioned code changes in the repo were by these long-tenure contributors. No evidence of short-tenure contributor pushing admin-permissioned changes.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of any social handle associated with Pendle team members being linked to prior rugged/failed projects under different aliases. TN Lee's online presence is continuous from Kyber Network era. UncleGrandpa925 GitHub history is continuous DeFi/smart-contract development. GT and YK pseudonymous but no cross-protocol failed-project association identified. Protocol's own prior name 'Benchmark' was a clean rebrand to 'Pendle' by the same team.
RD-F-119 green Commit timezone consistent with stated geography Commit history shows clustering at early UTC hours consistent with Singapore Time (SGT = UTC+8), matching the stated team location (Singapore/Vietnam). Top contributors UncleGrandpa925 (GitHub location: Singapore) and ngfam/Nghia Pham (Vietnam) are geographically consistent with observed commit time distribution. No tz anomaly flag raised.
RD-F-120 green Video-off/voice-consistency flag TN Lee has participated in on-video podcast interviews including The Defiant podcast (video interview confirmed). YouTube search returns 'Pendle Finance Deep Dive With Founder TN Lee'. No video-off or voice-inconsistency flag applies. Vu Nguyen has less public video exposure but is referenced in written profiles. No anomalous pattern identified.
RD-F-121 green Contributor OSINT depth score Curator-scored OSINT depth: TN Lee 4/5 (LinkedIn + Crunchbase + Kyber history + multiple podcasts/news), Vu Nguyen 4/5 (IMO gold medal record + NUS CS degree + Digix work), UncleGrandpa925 3/5 (GitHub + Twitter + named role), GT/YK 1/5 each (pseudonymous, no trail). Team average ~3.3/5. Lead team members with admin keys are well above threshold.
RD-F-122 green Contributor paid to DPRK-cluster wallet No evidence found of contributor payment wallets routing to DPRK cluster. DPRK/Lazarus OSINT search for 'Pendle Finance' returned zero protocol-specific results. Deployer 1 funded by secretrick.eth (no cluster labels); Deployer 2 funded by Binance (CEX, clean). Full 3-hop trace for all 10 multisig signers is a residual gap but primary screening is clean. Confidence: medium (full on-chain graph not available via public tooling).
RD-F-124 green Deployer wallet mixer-funded within 30 days No mixer funding detected for either deployer. Deployer 1 (0x1FcCC097) funded by secretrick.eth approximately 4 years before assessment — well outside the 30-day pre-deploy window. secretrick.eth shows no Tornado Cash interaction in its transaction history. Deployer 2 (0x196e6d50) funded by Binance (labeled CEX withdrawal) approximately 5 years ago. Both deployers definitively clear of the RD-F-124 30-day mixer-funding window.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK/Lazarus proximity identified. OSINT search for 'Pendle Finance' + DPRK/Lazarus/North Korea returned zero protocol-specific results. Deployer 1 funded by secretrick.eth (individual DeFi user, no OFAC or Chainalysis cluster label on Etherscan). Deployer 2 funded by Binance (definitionally clear, labeled CEX). No OFAC SDN hits on any identified Pendle address. Residual gap: full 3-hop graph for 10 multisig signers not completed via public tooling. Confidence: medium.
RD-F-184 green Real-capital social-engineering persona No curator-flagged evidence of a real-capital social-engineering persona. The Penpie exploit (Sept 2024) involved an external attacker targeting Penpie's integration layer, not a Pendle team contributor building credibility via deposits. The March 2024 Twitter account hijacking was a social engineering attack ON the team (no fund loss, recovered in 2 hours), not a campaign BY a team contributor. No insider persona deploying ≥$1M to build credibility identified. Confidence: low (M-only factor; observable signals for negative finding are limited).
Fork / dependency lineage Green 11 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions OZ pinned to exact version 4.9.3 (no caret). Chainlink contracts use ^0.8.0 (caret range). LayerZero packages use caret ranges (^3.1.4, ^3.0.75). Critical security library (OZ) is pinned; external protocol packages (Chainlink, LZ) unpinned but these are primarily ABI/interface packages.
RD-F-126 n/a Is-a-fork-of Pendle V2 is an original protocol — not a fork of any upstream codebase. Profile §5: 'Forked from: Not forked / original implementation.'
RD-F-127 n/a Upstream patch not merged N/A — no upstream fork source exists.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) N/A — no upstream fork.
RD-F-129 n/a Code divergence from upstream (%) N/A — no upstream to diverge from.
RD-F-130 n/a Fork depth (generations from original audit) N/A — depth is 0 (original protocol, not a fork).
RD-F-131 n/a Fork retains upstream audit coverage N/A — no upstream audit to retain or diverge from.
RD-F-132 n/a Fork has different economic parameters than upstream N/A — no upstream to compare against.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory affecting OZ 4.9.3, Chainlink 0.8.x, or LayerZero packages in trailing 90 days found. OZ 4.9.3 is a stable release.
RD-F-135 green Shared-library version with known-vuln status OZ 4.9.3: GHSA-g4vp-m682-qqmp (ERC2771Context) was PATCHED IN 4.9.3 — this version is the fix. OZ 4.9.4 introduced GHSA-699g-q6qh-q4v8 (Multicall double-execute) but Pendle is on 4.9.3 (unaffected). No high/critical active GHSA advisory for OZ 4.9.3 as used by Pendle.
Post-deploy hygiene & change mgmt Yellow 22 13 of 13
RD-F-137 yellow Upgrade frequency (per 90 days) governanceProxy upgraded 2025-09-18. sPENDLE proxy deployed Jan 2026. Multiple factory versions deployed across chains (V3–V6). Trailing 90-day upgrade frequency is elevated given active development. No confirmed on-chain upgrade events in the specific 90-day window from available data.
RD-F-139 yellow Post-audit code changes without re-audit [★] sPENDLE module audit (WatchPug.pdf in audits/sPendle/) exists but exact scope date vs deployment date cannot be confirmed (PDF binary). governanceProxy upgraded 2025-09-18 with no corresponding audit file in repository. Spearbit-2024 and ChainSecurity-2024 cover 2024 main codebase; post-2024 factory versions (V5/V6) and the governance proxy upgrade may not be covered. Yellow pending curator confirmation of sPENDLE audit date.
RD-F-142 yellow Storage-layout collision risk across upgrades governanceProxy has undergone 3 implementation changes. Storage layout compatibility not publicly verifiable (no OZ upgrades-plugin output published). sPENDLE proxy also upgradeable. Risk elevated by absence of formal upgrade governance with layout checks.
RD-F-146 yellow New contract deploys in last 30 days Active deployment: GitHub last commit 2026-04-03. Pendle's market-per-maturity model generates frequent new market contract deploys (PT/YT/LP per underlying per expiry). Potentially dozens of new deploys per 30-day window, creating ongoing new attack surface.
RD-F-168 yellow Stale-approval exposure on deprecated router vePENDLE deprecated without confirmed revoke-notice to users. Multiple deprecated factory versions (V3, V4) coexist with V6 across chains — stale user approvals likely outstanding. No off-ramp guidance found in public docs.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant governanceProxy has pause() function (GUARDIAN role) providing chain-level pause capability. No confirmed per-window outflow rate-limiter on LayerZero OFT adapter found. Partial mitigant: pause exists but rate-limiting is not confirmed.
RD-F-136 gray Deployed bytecode matches signed release tag No signed release-tag deployment flow identified. changelog_present: false in data cache. Pendle does not appear to publish signed release tags for deployment verification.
RD-F-138 n/a Hot-patch deploys without timelock (last 30 days) No timelock exists (confirmed F032/F033). Any upgrade is structurally a hot-patch without timelock. No specific upgrade confirmed in last 30 days from available data, but the structural architecture permits immediate hot-patching at any time. [v1-deferred Pass 3]
RD-F-140 n/a Fix-merged-but-not-deployed gap No evidence of a known-undeployed fix. SECURITY.md absent (data cache) — no formal security process, but no post-mortem disclosures referencing a merged-but-undeployed fix found. [v1-deferred Pass 3]
RD-F-145 gray Deployed bytecode reproducibility No build reproducibility documentation or formal build-artifact hash published. changelog_present: false. No signed release-tag flow identified.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified. Contracts use production ownership patterns (BoringOwnable with multisig transfers). Router uses production facet routing. No admin=deployer or infinite allowance test patterns found in source.
RD-F-143 green Reinitializable implementation (no _disableInitializers) [★] StakedPendle.sol (implementation of sPENDLE proxy 0x999999999991E178D52Cd95AFd4b00d066664144) calls _disableInitializers() in its constructor. Confirmed from source code at commit 7bde3ec (2026-01-20). Reinitializer attack on the sPENDLE implementation is blocked.
RD-F-144 green CREATE2 factory permits same-address redeploy Pendle uses CREATE2 for deterministic cross-chain deployment (same Router address across 6 chains). No selfdestruct in core contracts. CREATE2 redeployment to same address requires selfdestruct first — not present.
Cross-chain & bridge Yellow 21 12 of 12
RD-F-148 yellow Bridge validator count (M) For LayerZero V1 governance messaging: default oracle+relayer config — effectively a single oracle (LayerZero Labs) and single relayer (LayerZero Labs). Validator count = 2 entities (oracle + relayer) but both operated by LayerZero Labs, effectively 1 independent party. For canonical chain bridges: security determined by each chain's validator set (Arbitrum, Optimism validators — not Pendle-controlled). For PENDLE OFT (V2): DVN count not confirmed on-chain.
RD-F-149 yellow Bridge validator threshold (k-of-M) LayerZero V1 governance messaging: effectively 1-of-1 threshold (single oracle attests, single relayer delivers — both LayerZero Labs default). V1 does not offer configurable k-of-N multi-validator threshold. PENDLE OFT (V2) DVN threshold: not confirmed. Ecosystem analysis post-KelpDAO indicates 47% of LZ OApps use 1-of-1 config; Pendle named as second-highest at-risk asset.
RD-F-150 yellow Bridge validator co-hosting LayerZero V1 governance path: both default oracle and relayer are operated by LayerZero Labs — confirmed same-entity co-hosting for this path. For PENDLE OFT (V2): DVN operator diversity not confirmed. If using LayerZero default DVN (single operator), same co-hosting risk. Canonical chain bridges: security determined by chain teams (different entities). Yellow rather than red because governance messaging path doesn't directly custody user funds.
RD-F-153 yellow Bridge tracks nonce-consumed mapping LayerZero V1 handles nonce tracking at the endpoint layer. Pendle's lzReceive accepts _nonce parameter but does not maintain its own nonce-consumed mapping — relies on LayerZero endpoint for replay protection. This is an inherited dependency risk: if LayerZero endpoint has a nonce bug, Pendle's governance messages could be replayed. Yellow because replay protection exists (at LZ endpoint layer) but Pendle's own code does not independently enforce it.
RD-F-156 yellow Bridge uses same key custody for >30% validators LayerZero V1 governance path: both default oracle and relayer are LayerZero Labs operated — effectively 100% single-custody for this path (>30% threshold exceeded). Known property of LayerZero V1 architecture. PENDLE OFT (V2): DVN custodian diversity not confirmed. Yellow because governance messaging path doesn't directly custody user funds (rewards/voting sync only).
RD-F-157 yellow Bridge TVL per validator ratio PENDLE OFT (V2) on HyperEVM/Berachain: PENDLE market cap ~$229M with portion on OFT chains. If DVN count = 1 (unconfirmed), TVL-per-validator ratio is extremely high. Governance messaging path (LZ V1): coordinates rewards/voting, not direct user-fund custody, so lower direct TVL-per-validator concern. Yellow because total exposure is meaningful and DVN diversity unconfirmed.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) PENDLE OFT (LayerZero V2, July 2025): DVN configuration for Ethereum↔HyperEVM↔Berachain pathways not confirmed via direct on-chain read in this assessment. Post-KelpDAO ecosystem analysis (April 2026) explicitly names Pendle as second-highest at-risk asset by market cap (~$229M) among protocols with potentially vulnerable DVN configurations. 47% of LayerZero OApps used 1-of-1 DVN at time of analysis. LayerZero forced ecosystem migration post-KelpDAO. The legacy governance messaging path (PendleMsgSendEndpointUpg.sol) is LayerZero V1 — predates DVN model entirely, uses single oracle+relayer (no DVN). Yellow because specific OFT DVN configuration unconfirmed; ecosystem risk signal is strong but on-chain verification incomplete. CURATOR ACTION REQUIRED: run Blockaid DVN audit script against PENDLE OFT contracts on HyperEVM/Berachain — if 1-of-1 confirmed, upgrade to RED.
RD-F-155 gray Bridge validator-set rotation recency LayerZero V1 default oracle and relayer: no rotation events found since March 2023 deployment (3+ years, same config). PENDLE OFT (V2) DVN set: configured at July 2025 deployment; no post-deploy rotation events confirmed. LayerZero Labs operator set is not within Pendle's control. Gray due to inability to confirm specific validator/DVN rotation events from available sources.
RD-F-147 green Protocol has bridge surface Yes — Pendle has confirmed bridge surface: (1) LayerZero V1 governance messaging since March 2023, 39,000+ messages across 9 chains for vePENDLE/sPENDLE balance sync and reward distribution. (2) PENDLE OFT on LayerZero V2 deployed July 2025 on Ethereum, HyperEVM, Berachain (burn-and-mint). (3) Canonical chain bridges (Arbitrum, Optimism, Base native; Portal for BSC; Mantle native). Profile §7 confirms has_bridge_surface: true.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — GREEN] Pendle's bridge contracts (PendleMsgReceiveEndpointUpg.sol) do not use ecrecover for message verification. Authentication via onlyLzEndpoint modifier (msg.sender == LayerZero endpoint) and mustOriginateFromSendEndpoint (srcChainId + trusted remote address check). No ecrecover call present in Pendle's bridge verification path. This ★ factor does not fire.
RD-F-152 green Bridge binds message to srcChainId mustOriginateFromSendEndpoint modifier verifies srcChainId matches expected sendEndpointChainId. Cross-chain replay between Pendle chains is prevented at the message level. Chain-bound message validation confirmed in source code.
RD-F-154 green Default bytes32(0) acceptable as valid root [★ CRITICAL — GREEN] Pendle's bridge architecture does not use a Merkle-root-based bridge design. No bytes32 root acceptance pattern in PendleMsgReceiveEndpointUpg.sol. The mustOriginateFromSendEndpoint modifier checks address and chain ID (not a root). Nomad-class default-root bug does not apply to this architecture. This ★ factor does not fire.
Threat intelligence & recon Green 11 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain (typosquat) (Cat 11). Threshold: typosquat of official domain registered within last 90 days. Confirmed phishing domain: pendle-finance.com, registered March 7, 2024 (>24 months before assessment — outside 90-day fire window per taxonomy). DV SSL via Let's Encrypt (as of search date). Flagged by ScamAdviser as high-scam-probability. Domain remains active as of 2026-04-29. Yellow: the domain exists and poses an ongoing phishing risk to users, even though its registration date is outside the 90-day threshold. Pendle's high brand recognition ($1.44B TVL) makes it a persistent phishing target.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool probe signal (Cat 11). Threshold: wallet in threat-actor cluster sends failing/low-gas txs to Pendle core contracts. Not detectable via static assessment — requires live mempool monitoring + threat-actor cluster list. No public mempool-probe alerts against Pendle identified.
RD-F-160 gray GitHub malicious-dependency incident touching protocol deps GitHub-flagged malicious-dependency (Cat 11). Threshold: security advisory flags malicious release in a dep consumed by this protocol. Pendle uses OZ v4.9.3 (data cache); Hardhat project with npm dependencies. No GHSA/CVE advisory for OZ v4.9.3 known. Full npm dependency tree not assessed (PH-level). Requires automated dependency-monitoring feed.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Attacker reconnaissance time for peer-class protocols (Cat 11). Definition: avg days of reconnaissance by attacker-labeled wallets before strike on yield-tokenization class protocols. Penpie's attack appeared to be a rapid opportunistic exploit (no extended reconnaissance trail identified on Pendle or Penpie core). USPD 78-day class is DPRK-specific (no DPRK attribution here). Yield-tokenization class is newer — insufficient peer-class hack DB data for a robust reconnaissance-time distribution. Curator annotation only.
RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site (Cat 11). Requires proprietary paste/credential-dump monitoring feed. Pendle has no SECURITY.md (data cache: security_md_present: false), limiting responsible disclosure. Not assessable from public sources.
RD-F-165 gray Protocol social channel has scam-coordinator flag Telegram/Discord channel member flagged as scam-coordinator (Cat 11). Requires curator social watchlist. Discord at discord.gg/pendlefinance. No public evidence of channel admin compromise. The phishing domain pendle-finance.com indicates scam ecosystem activity but no specific channel admin flag identified from available sources.
RD-F-158 green Known-threat-actor cluster has touched protocol Known-threat-actor wallet cluster touching protocol (Cat 11). Threshold: wallet in curated threat-actor cluster interacts with Pendle core contracts within last 30 days AND cluster has >=1 confirmed exploit attribution. No public evidence of DPRK/Lazarus or other confirmed threat-actor cluster interacting with Pendle core contracts. Penpie attacker (Sept 2024) is not attributed to DPRK/Lazarus in any available analysis (Halborn, ThreeSigma, DailyCoin) — attack was opportunistic DeFi reentrancy, not nation-state. Penpie attacker wallets interacted with Penpie contracts, not Pendle core. Signal requires proprietary TI feed for full assurance — noted limitation.
RD-F-162 green Known-exploit-template selector deployed by any address Known-exploit-template selector-pattern deployed (Cat 11). Threshold: contract deployed with selector matching known-exploit template for this protocol class. Penpie's Sept 2024 exploit used a malicious SY token to exploit Penpie's permissionless market registration — this is a Penpie-specific selector pattern, not a Pendle core exploit template. No known-exploit template for Pendle core contracts (Router, PT/YT factory, PY-YT-LP Oracle) has been documented. No current deployment of such a template publicly identified.
Tooling / compiler / AI Green 8 5 of 5
RD-F-174 yellow Dependency tree uses EOL Solidity version PENDLE token uses solc 0.7.6 (EOL). However, the PENDLE token is an immutable non-upgradeable ERC-20 — no future security patches needed or possible. All V2 core contracts use 0.8.x (non-EOL, supported). Conservative yellow because token is core infrastructure on an EOL version.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation N/A — Pendle V2 is an original protocol with no audited upstream to compare against for AI-copy risk bytecode similarity detection.
RD-F-170 green Solc version used (known-bug versions flagged) Hardhat config primary: solc 0.8.30 + Shanghai EVM. Key router contracts compiled with 0.8.28 (Etherscan confirmed). Market Factory V3: 0.8.23. PENDLE token: 0.7.6 (immutable, no security concern). The TransientStorageClearingHelperCollision bug (solc 0.8.28-0.8.33 + viaIR) requires delete on transient state variables — no transient storage usage found in Pendle V2 contracts, so the bug condition is not met. No other high/critical known bugs apply to 0.8.23-0.8.30 for Pendle's contract patterns.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship metadata found in Pendle's core-v2 repository. GitHub commit history and file browsing showed standard human-authored commit messages with no AI tool (GitHub Copilot, ChatGPT Code Interpreter) co-authored-by trailers.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure of AI-generated Solidity in Pendle's security-critical contracts found. Protocol blog (medium.com/pendle), docs, and Twitter/X searched — no AI-Solidity disclosure.
Response & disclosure hygiene Yellow 25 4 of 4
RD-F-176 red Disclosure SLA public No acknowledgment-time SLA published on either Immunefi or Cantina program pages. Cantina page specifies disclosure process requirements (no public disclosure without team consent, local fork testing only, PoC required) but states no SLA. Pendle security docs page (docs.pendle.finance/pendle-v2/Security) contains only audit list with no SLA. SECURITY.md absent from GitHub repo (data cache security_md_present: false). Red: no SLA published.
RD-F-175 green Disclosure channel exists Two concurrent active bug bounty programs: (1) Immunefi — max $250K, public, PoC required, active. (2) Cantina — max $1M for critical (10% of economic impact, min $100K), covers Pendle V2 contracts across 9 chains, SEAL safe harbor adopted. Cantina notes >$20K in goodwill awards to researchers, evidencing active monitoring and response. Both are publicly accessible disclosure channels.
RD-F-177 green Prior known-ignored disclosure No evidence of any instance where a disclosed vulnerability was reported to Pendle and not actioned before an exploit. The Penpie incident was in Penpie's codebase; Pendle's response was prompt. No post-mortems, rekt.news entries, security researcher disclosures, or governance forum posts document a Pendle-specific ignored disclosure. Green: no evidence of ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found for Pendle Finance or its GitHub repository (pendle-finance/pendle-core-v2-public). Web search for 'Pendle Finance GHSA CVE advisory 2022 2023 2024' returned no protocol-specific advisories. Data cache confirms no hack entries (rekt.incidents: []). Green: no advisory found or all advisories patched.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol pendle