defirisk.co
rubric v1.7.0

SUNSwap (sun.io)

Multi-version DEX/AMM operating exclusively on TRON (TVM substrate, base58 T... addresses, tronscan.org explorer). Four live versions: V1 (constant-product Uniswap-V2-style, originally deployed as JustSwap 2020-08-18, rebranded SUNSwap Oct 2021, ~$51.5M TVL); V2 (concentrated-liquidity-lite, launched 2021-12-20, ~$240M TVL — operative/highest-TVL version); V3 (full CLMM Uniswap-V3-style, launched ~2024-01-15, ~$112M TVL); V4 (singleton+hooks Uniswap-V4-style, launched 2026-03-02, TVL not yet tracked by DefiLlama — newest/least-audited surface). Combined TVL ~$403M across versions. Governance via SUN DAO (on-chain veSUN vote-escrow, launched 2024-07-30). No Gnosis Safe (TRON has none); no Snapshot (sun-dao.eth is an unrelated BSC project). SEC v. Justin Sun civil action settled ~2026-03-05 (Rainberry $10M, all claims against Sun personally and Tron/BitTorrent Foundations dismissed with prejudice; ZERO OFAC/DPRK nexus). Fraudulent impersonator sswapap.vip/sswapep.vip confirmed by Washington State DFI (Cat-11 brand-impersonation signal, NOT a protocol exploit). GitHub org: sun-protocol (25 public repos). Part of Justin Sun / TRON ecosystem (sister protocols: JustLend, USDD, JUST).

Sector dex
TVL $403.0M
Reviewed May 17, 2026
Factors 184
Categories 13
Risk score 34.3
Deployments Tron · $111.6M
01

Risk profile at a glance

2 red · 4 yellow · 6 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Red 52 25 of 25
RD-F-001 red Audit scope mismatch SlowMist 2020 audit covers V1/JustSwap only. V2 (~$240M TVL), V3 (~$112M), and V4 (singleton+hooks, 76d old) have no publicly confirmed third-party audit with a mapped commit SHA. No audit PDF found for V2/V3/V4 in any GitHub repo, SlowMist KB, CertiK (404), or Hacken portfolio. TRON substrate prevents Etherscan-style bytecode verification.
RD-F-002 red Audit recency Most recent confirmed public audit is SlowMist V1/JustSwap from 2020-08-17 — approximately 2,099 days before assessment. Operative V2 launched Dec 2021 with no confirmed audit; V3 (Jan 2024) and V4 (Mar 2026) also unaudited.
RD-F-004 red Audit count 1 distinct firm (SlowMist) has a publicly accessible audit report covering only V1. No confirmed audit for V2, V3, or V4. CertiK Skynet monitoring (not a formal audit) page 404. Hacken claim unsubstantiated — sunswap not in Hacken portfolio.
RD-F-007 red Bug bounty presence & max payout No active bug bounty program found on Immunefi (404), HackerOne, Bugcrowd, or HackenProof. One secondary source mentions $500K program without primary citation — unverified and not located on any bounty platform.
RD-F-009 red Formal verification coverage No formal verification (Certora, Kani, Halmos) found in any sun-protocol GitHub repository. No FV report or invariant spec published anywhere.
RD-F-024 red Code complexity vs audit coverage V3 (concentrated liquidity tick math, position management, multiple fee tiers) and V4 (singleton + hooks + flash accounting + 6 TRON-specific additions) are highly complex. Neither has any confirmed public audit. Code complexity is high; audit coverage is zero for operative surfaces.
RD-F-183 red Bug bounty scope gap on highest-TVL contracts No active bug bounty program confirmed on Immunefi (404), HackenProof (not listed), HackerOne, or Bugcrowd. No economic incentive for whitehat disclosure on any surface including $240M V2 Factory/Router, $112M V3, or newly-launched V4 PoolManager with hooks. Secondary $500K claim unverified.
RD-F-005 yellow Audit firm tier SlowMist is a Tier-2 firm (established, Asia-focused, public track record). Single confirmed audit (V1 only) is Tier-2. No Tier-1 audit (Trail of Bits, OZ, ConsenSys, Certora, Spearbit, Zellic) confirmed for any version.
RD-F-003 gray Resolved-without-proof findings SlowMist V1 audit found 2 issues described as addressed; on-chain proof infeasible on TRON substrate. V2/V3/V4 have no audit PDF — factor cannot be applied to operative surfaces.
RD-F-006 gray Audit-to-deploy gap SlowMist V1 audit dated 2020-08-17; V1 deployed 2020-08-18 (1-day gap — green). But this applies only to V1. V2/V3/V4 have no confirmed audit from which to measure deploy gap. Factor is gray for operative surfaces.
RD-F-008 gray Ignored bounty disclosure No prior exploits confirmed for SUNSwap core protocol. Cannot assess ignored-bounty-disclosure pattern with no incidents from which to derive this finding.
RD-F-010 gray Static-analyzer high-severity count No published static analysis (Slither/Mythril/Semgrep) output found for any SUNSwap version. TRON substrate prevents tronscan-based tooling; GitHub source available but no published tool-run output located.
RD-F-016 gray Divide-before-multiply pattern V2/V3/V4 inherit from Uniswap upstream — no divide-before-multiply finding documented in upstream Uniswap V2/V3 audits. No Slither output available for TRON-deployed contracts. Source available on GitHub but no published tool-run exists.
RD-F-017 gray Mixed-decimals math without explicit scaling DEX AMM inherently handles tokens of different decimals. V2/V3/V4 inherit Uniswap's decimal-handling approach. TRC-20 tokens have 6-decimal convention (vs ERC-20 18-decimal) — a deviation but router-layer concern. No published tool output for sunswap.
RD-F-018 gray Signed/unsigned arithmetic confusion V2 uses Solidity >=0.6.12 <0.8.0 (no native overflow protection). V4 uses 0.8.26 (native overflow checks). No published signed/unsigned confusion finding for any sunswap version; Uniswap V2/V3 upstream audits have not found this pattern.
RD-F-019 n/a ecrecover zero-address return unchecked V2/V3/V4 AMM core contracts (Factory, Pair, Router, Pool) are not signature-verification contracts and do not use ecrecover. Pure AMM swap/liquidity-provision logic has no ecrecover call paths.
RD-F-020 n/a EIP-712 domain separator missing chainId V2/V3/V4 AMM core contracts do not use EIP-712 signed messages for core swap operations. Permit2 integration exists in V4 periphery but is a separate surface not in the core factory/pair/router/pool scope.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned V2/V3/V4 core AMM contracts are non-upgradeable (no proxy pattern). Factory/Pair/Pool contracts are immutable deploys. UUPS pattern does not apply to any core contract surface.
RD-F-023 n/a Constructor calls _disableInitializers() V2/V3/V4 core AMM contracts are not upgradeable proxied implementations. _disableInitializers() is an OZ pattern for proxy implementation contracts. Factory/Pair/Pool are immutable deploys — factor structurally moot.
RD-F-011 green SELFDESTRUCT reachable from non-admin path V2 Pair and Factory contracts do not contain SELFDESTRUCT in AMM constant-product logic. V4 PoolManager (Uniswap V4 singleton-derived) does not use SELFDESTRUCT. No published finding of SELFDESTRUCT in any sunswap version.
RD-F-012 green delegatecall with user-controlled target Uniswap V2-derived AMM pattern does not use delegatecall to user-controlled targets. V4 hooks call external hook contracts but hook address is fixed at pool initialization (not user-supplied per-tx). No user-controlled delegatecall target found in core contracts.
RD-F-013 green Arbitrary call with user-controlled target V4 hook address is set at pool initialization (not user-supplied per-swap). Core PoolManager calls the hook at lifecycle points but hook address is fixed at pool creation. V2/V3 core have no external call with user-controlled targets.
RD-F-014 green Reentrancy guard on external-calling functions V2 Pair implements custom lock mutex (uint private unlocked=1) applied to mint/burn/swap/skim/sync — standard Uniswap V2 reentrancy guard pattern. V4 uses flash accounting (differences settled end-of-tx) reducing reentrancy surface. V3 follows Uniswap V3 well-audited upstream pattern.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard AMM core (V2/V3/V4) operates on TRC-20 tokens (ERC-20 equivalent). No ERC-777/1155/721 callback integration found. TRC-20 does not natively support ERC-777 callbacks on TRON. V2 lock mutex mitigates reentrancy regardless.
RD-F-022 green Public initialize() without initializer modifier SunswapV2Pair.initialize() is gated by require(msg.sender == factory). This is the standard Uniswap V2 factory-check pattern — functionally equivalent access control; factory only calls initialize() once at CREATE2 pair-creation time. No exploitable unprotected initializer.
Governance & admin Yellow 29 24 of 24
RD-F-032 red Timelock duration on upgrades No timelock on any upgrade or admin operation. V3 factory setOwner() executes immediately. V4 CLPoolManagerOwner pause/unpause/setProtocolFeeController execute immediately. ProtocolFeeController all admin functions execute immediately. Data cache confirms timelock_address: null. SUN DAO weekly Thursday snapshot provides parameter cadence (~7d) for gauge weights only — not a timelock on admin operations.
RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action: setOwner (V3 factory), pausePoolManager/unpausePoolManager/setProtocolFeeController (V4 CLPoolManagerOwner), collectProtocolFee/setProtocolFee/setProtocolFeeSplitRatio (V4 ProtocolFeeController) — all execute immediately without queuing delay. V1/V2/V3 immutable factories have no sensitive admin actions beyond setOwner which is also untimed.
RD-F-027 yellow Single admin EOA V3 factory deployer TCXrf8SwGjcmQYY1FcFnV3LUXSQpqod3bi and V4 deployer TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg both confirmed as EOAs (accountType:0). V2 factory deployer TR6NdXm7ga2r4rdTrGfqEPjvBpT93QHYpm is EOA. veSUN creator TAFotzexiiUJzGkBHDy9Jbn7rVHoYyWuLA also EOA. No confirmed on-chain transfer of factory admin to a SUN DAO contract. Scored yellow not red: SUN DAO institutional claim (launched 2024-07-30) partially mitigates centralization; V2/V3 long production history (Dec 2021, Jun 2023) without rug event; admin function scope limited to fee/owner/pause, not LP principal drain.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle V4 partial role separation: CLPoolManagerOwner manages pool manager ownership/pause; separate ProtocolFeeController manages fees (Ownable2Step). setProtocolFeeController() callable by CLPoolManagerOwner owner. V3 setOwner() consolidates all roles in one address. V1/V2 immutable single-owner factories. No oracle config role (DEX has no oracle admin). Partial separation in V4 but incomplete (same deployer owns both CLPoolManagerOwner and ProtocolFeeController).
RD-F-040 yellow Emergency-veto multisig present No formal emergency-veto multisig. V4 has a pauser role (distinct from owner) that can pause PoolManager — partial emergency capability. No veto-committee or veto-multisig documented in sun-dao-contracts or sunswap docs. The pauser role is a positive mitigant but falls short of a formal emergency-veto multisig.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock V4 ProtocolFeeController has collectProtocolFee(address,address,uint256) immediately callable by owner — no timelock — allowing drain of accumulated protocol fees. CLPoolManagerOwner has pausePoolManager() with no timelock. V1/V2/V3 immutable factories: no rescue/emergencyWithdraw in factory source; LP funds are not directly accessible by factory owner (immutable pool pattern). Risk is protocol fee accumulation drain, not LP principal. Scored yellow (not red) because LP principal funds are not at immediate admin-drain risk.
RD-F-043 yellow Admin = deployer EOA after 7 days V4 deployer TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg confirmed EOA; V4 CLPoolManagerOwner creator is this same EOA; 76 days since V4 launch (2026-03-02) with no confirmed multisig transfer. V3 factory deployer TCXrf8SwGjcmQYY1FcFnV3LUXSQpqod3bi confirmed EOA; V3 launched Jun 2023 with no confirmed admin transfer. SUN DAO governance launched Jul 2024 but no factory owner() transfer to DAO contract confirmed on-chain. Yellow: SUN DAO institutional claim partially mitigates; long production history without rug event.
RD-F-046 yellow Contract unverified on Etherscan/Sourcify V4 PoolManager TVjuTE3V5bMVdpfNhid8kD2v35T2k1u1Br: tronscanapi confirms not verified (no audit report URL, audit department, or audit date listed). V4 ProtocolFeeController TEays9UfJn2EqKjkN7hWUWewBGpGxTzWEv: not verified per tronscanapi. V3 Factory TThJt8zaJzJMhCEScH7zWKnp5buVZqys9x: verified (verify_status:2). V2 Factory TKWJdrQkqHisa1X8HUdHEfREvTzw4pMAaY: not verified. V4 (newest and highest-risk surface) is unverified on tronscan but GitHub source is publicly accessible. Yellow not red: source code availability on GitHub partially mitigates ABI-opacity concern for TRON substrate.
RD-F-026 gray Upgrade multisig signer configuration (M/N) No multisig of any kind confirmed for AMM factories or V4 admin path. TRON has no Gnosis Safe deployment. safe_multisigs: [] in data cache. Deployer addresses confirmed as single EOA accounts (accountType:0 via tronscanapi). TRON-native multisig-equivalent not available through standard pipeline tooling.
RD-F-028 gray Low-threshold multisig vs TVL No multisig exists for AMM factory admin on TRON — TRON has no Gnosis Safe. Admin is single EOA pattern (F027). Threshold analysis is not applicable without a multisig structure. TRON-native multisig-equivalent tooling not available through pipeline. Gray per protocol_opacity, not absence-of-finding — the underlying centralization risk is captured by F027 yellow.
RD-F-029 n/a Multisig signers co-hosted No multisig exists for AMM admin; factor requires a multisig to assess co-hosting. N/A.
RD-F-030 n/a Hot-wallet signer flag No multisig exists for AMM admin; hot-wallet signer assessment requires a multisig. N/A.
RD-F-031 gray Signer rotation recency No multisig for AMM admin. Single deployer EOA pattern. No signer rotation events to track. veSUN admin has two-step transfer mechanism but no recent ownership transfers identified on-chain.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist SUN DAO governance is veSUN gauge-weight voting, not a proposal-execution engine with delegatecall or arbitrary call. GaugeController admin functions are discrete (add_type, add_gauge, change_type_weight, change_gauge_weight, transfer_ownership) — no delegatecall or call with user-supplied target. N/A by factor definition.
RD-F-042 n/a Admin has mint() with unlimited max SUNSwap is a DEX/AMM. Factory and router admin controls do not include mint() on LP or protocol tokens. V3 factory exposes only setOwner(), createPool(), enableFeeAmount(). V4 CLPoolManagerOwner exposes only pause/ownership/feeController. N/A per factor definition for DEX protocol type.
RD-F-044 gray Admin wallet interacts with flagged addresses Deployer EOAs (TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg, TCXrf8SwGjcmQYY1FcFnV3LUXSQpqod3bi, TAFotzexiiUJzGkBHDy9Jbn7rVHoYyWuLA) not cross-checked against OFAC/sanctions/mixer watchlist. No OFAC designation in search results. SEC v. Sun settlement has zero OFAC/DPRK nexus. Requires Chainalysis-class API for definitive assessment.
RD-F-045 gray Constructor args match governance proposal No governance proposals found for V1/V2/V3 factory deployments (all pre-SUN DAO). V4 deployed Mar 2026 post-SUN DAO but no public deployment governance proposal found on forum.sun.io. SUN DAO forum governance category accessible via search but specific V4 deployment vote not located. Constructor args not verifiable against proposals.
RD-F-047 gray Governance token concentration (Gini) SUN token Gini coefficient not available from DeepDAO or governance-analysis.org (both cover EVM governance only). TRON-native holder analytics not accessible via standard tooling. veSUN voting power depends on lock duration × amount locked. Historical concentration likely given TRON ecosystem structure but unquantifiable without TRON-native analytics.
RD-F-025 green Admin key custody type Multi-version: V1/V2/V3 factories use immutable Uniswap-fork pattern with deployer-set owner() (single EOA key). V4 uses CLPoolManagerOwner contract owned by deployer EOA TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg. SUN DAO veSUN governance (launched 2024-07-30) manages gauge weights but does not directly control AMM factory admin. Effective custody type: EOA for core AMM admin; partial DAO for gauge weight parameters.
RD-F-034 green Guardian/pause-keeper distinct from upgrader V4 CLPoolManagerOwner implements a separate pauser role distinct from owner. pausePoolManager() callable by pauser OR owner; unpausePoolManager() restricted to owner only. This separation exists in V4. V1/V2/V3 are immutable with no pause function (no upgrader role either). Partial role separation in V4 satisfies this factor for the active version.
RD-F-036 green Flash-loanable voting weight SUN DAO uses veSUN vote-escrow (Curve-style Vyper VotingEscrow). Voting power is time-weighted lock-based: tokens must be locked 26 weeks to 4 years. _checkpoint() function records historical voting power; point_history and user_point_history provide block-level snapshots; balanceOfAt() queries historical voting power. @nonreentrant('lock') prevents reentrancy. Flash loan cannot acquire veSUN: tokens must be locked before governance voting. Green by construction.
RD-F-037 green Quorum achievable via single-entity flash loan veSUN is lock-based, eliminating flash-loan quorum attack vector. SUN tokens available on DEXes but cannot be converted to voting power atomically — must be locked 26+ weeks. Quorum cannot be achieved via single-block flash loan.
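To make the lock-based voting-power argument of RD-F-036 and RD-F-037 concrete, the following is an added simulation written for this review; it is not code from sun-dao-contracts or the Curve VotingEscrow it derives from. It models the mechanism the findings describe: voting power equals locked amount scaled by remaining lock time over MAXTIME, decays linearly, is read from per-user checkpoints (a balanceOfAt analogue), and locked tokens cannot be withdrawn before the unlock time. The 26-week minimum and 4-year maximum come from the report; the unit of time, the slope/bias bookkeeping and the account names are constructed simplifications of the Vyper contract, and Curve's week-rounding of unlock times is omitted.

```python
"""Constructed model of Curve-style vote-escrow accounting (veSUN analogue).

Assumptions (not taken from the project): time is a plain integer in seconds,
one checkpoint per lock action, no week-rounding of unlock times.
"""

WEEK = 7 * 86400
MIN_LOCK = 26 * WEEK            # minimum lock length stated in the report
MAXTIME = 4 * 365 * 86400       # maximum lock length stated in the report


class VotingEscrow:
    def __init__(self) -> None:
        self.locks: dict[str, tuple[int, int]] = {}          # user -> (amount, unlock_time)
        self.history: dict[str, list[tuple[int, int, int]]] = {}  # user -> [(ts, bias, slope)]

    def create_lock(self, user: str, amount: int, unlock_time: int, now: int) -> None:
        """Lock `amount` until `unlock_time`; rejects out-of-range lock lengths."""
        if amount <= 0 or user in self.locks:
            raise ValueError("invalid lock")
        if not (now + MIN_LOCK <= unlock_time <= now + MAXTIME):
            raise ValueError("lock length out of range")
        self.locks[user] = (amount, unlock_time)
        self._checkpoint(user, now)

    def _checkpoint(self, user: str, now: int) -> None:
        """Record (timestamp, bias, slope): power = bias - slope * elapsed, like Curve's point history."""
        amount, unlock = self.locks[user]
        slope = amount // MAXTIME
        bias = slope * (unlock - now)
        self.history.setdefault(user, []).append((now, bias, slope))

    def balance_of_at(self, user: str, t: int) -> int:
        """Voting power at time t from the last checkpoint at or before t (balanceOfAt analogue)."""
        points = [p for p in self.history.get(user, []) if p[0] <= t]
        if not points:
            return 0
        ts, bias, slope = points[-1]
        return max(bias - slope * (t - ts), 0)

    def withdraw(self, user: str, now: int) -> int:
        """Release tokens only once the lock has expired."""
        amount, unlock = self.locks[user]
        if now < unlock:
            raise ValueError("lock not expired")
        del self.locks[user]
        return amount


def power_profile(amount: int, lock_seconds: int, now: int = 1_700_000_000) -> dict[str, int]:
    """Voting power of one lock at creation, at its midpoint, and after expiry."""
    ve = VotingEscrow()
    ve.create_lock("holder", amount, now + lock_seconds, now)
    return {
        "at_lock": ve.balance_of_at("holder", now),
        "midpoint": ve.balance_of_at("holder", now + lock_seconds // 2),
        "after_unlock": ve.balance_of_at("holder", now + lock_seconds),
    }


def flash_loan_attempt(borrowed: int, now: int = 1_700_000_000) -> tuple[int, bool]:
    """Borrow, lock, vote and try to withdraw within one transaction.

    Returns (voting power retained, loan repaid). The withdraw step fails because
    the unlock time is at least MIN_LOCK away, so the whole transaction reverts:
    the attacker ends with no voting power and no repayment.
    """
    ve = VotingEscrow()
    try:
        ve.create_lock("attacker", borrowed, now + MIN_LOCK, now)
        power = ve.balance_of_at("attacker", now)
        ve.withdraw("attacker", now)        # raises: lock not expired
        return power, True
    except ValueError:
        ve.locks.pop("attacker", None)      # emulate the revert undoing the lock
        ve.history.pop("attacker", None)
        return 0, False


if __name__ == "__main__":
    print(power_profile(1000 * 10**18, MAXTIME))
    print(power_profile(1000 * 10**18, MIN_LOCK))
    print(flash_loan_attempt(10**24))
```

The midpoint value being exactly half of the initial value, and the 26-week lock earning only about an eighth of the 4-year lock's power, is what "time-weighted lock-based" means in practice; the flash-loan path fails at the withdraw step rather than at the vote, which is why lock-based escrow removes the single-block quorum vector without needing a snapshot delay.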
RD-F-038 green Proposal execution delay < 24h SUN DAO governance is gauge-weight voting with weekly Thursday 08:00 SGT snapshots. Effective ~7-day cadence for parameter changes. No rapid single-block proposal execution path. No Governor Bravo-style instant execution. GaugeController changes by admin are immediate but admin is a separate EOA role, not proposal-execution governance.
RD-F-167 green Deprecated contract paused but pause reversible by live admin Smart Router deprecated prior addresses (docs.sun.io lists deprecated router addresses) but factories are immutable (no pause capability). V4 CLPoolManagerOwner pause applies to the live V4 PoolManager, not deprecated surfaces. No deprecated contracts with retained reversible pause identified. Partially mitigated; no admin-scope extension to deprecated surfaces confirmed.
Oracle & external dependencies Green 0 17 of 17
RD-F-049 n/a Oracle role per asset No oracle roles exist. SUNSwap is a DEX/AMM that IS a price source; it does not consume external oracle feeds and therefore has no Primary/Secondary/Fallback oracle role assignments for any asset or market.
RD-F-051 n/a Fallback behavior on oracle failure No external oracle is consumed by any SUNSwap contract. The question of fallback behavior on oracle failure is structurally void — there is no oracle failure mode to fall back from. Confirmed by source inspection of SunswapV2Pair.sol, PoolManager.sol, and V4Router.sol.
RD-F-054 n/a TWAP window duration No external TWAP oracle is consumed. V2 exposes price0/1CumulativeLast accumulators for external consumers to derive TWAP, but these are outbound outputs, not inputs to SUNSwap's own logic. No TWAP window duration is relevant for SUNSwap's own pricing.
RD-F-055 n/a Oracle pool depth (USD) No external DEX pool oracle feeds into SUNSwap pricing. Pool depth is relevant to the quality of prices SUNSwap PROVIDES to external consumers (e.g., JustLend), not to any oracle dependency of SUNSwap itself.
RD-F-056 n/a Single-pool oracle (no medianization) No oracle venue is used. The concept of single-pool vs. medianized oracle venue is inapplicable to a protocol that does not consume any external price feed.
RD-F-057 n/a Circuit breaker on price deviation No circuit breaker on price deviation exists or is needed. AMM swap pricing is determined by pool reserve ratios (x*y=k constant product for V1/V2; tick-based for V3/V4 CLMM) — no external reference price is checked. Price deviation circuit breakers are only relevant when an external oracle reference exists.
RD-F-058 n/a Max-deviation threshold (bps) No circuit breaker exists (see RD-F-057). Max-deviation threshold in bps is therefore not applicable.
RD-F-059 n/a Oracle staleness check present No oracle staleness check exists or is needed. No external oracle data enters any SUNSwap contract, so there is no `updatedAt` timestamp to validate. Confirmed by zero oracle imports in V2/V4 core contracts.
RD-F-060 n/a Chainlink aggregator min/max bound misconfig No Chainlink aggregator feeds are used. minAnswer/maxAnswer misconfiguration cannot apply. Confirmed by zero Chainlink interface imports across all inspected contracts.
RD-F-061 n/a LP token balanceOf used for pricing SUNSwap does not derive pricing from LP token balanceOf. V2/V3 pricing is reserve-based (stored reserve state variables updated via _update() on each interaction, not live balanceOf() — donation manipulation via direct transfer does not affect reserve accounting in the same tx). V4 uses VaultToken accounting. The donation-manipulation vector is therefore not applicable as an oracle pricing path.
RD-F-180 n/a Immutable oracle address [★ CRITICAL — NOT_APPLICABLE] No oracle address exists in any SUNSwap contract to be immutable or admin-replaceable. Source inspection of PoolManager.sol, SunswapV2Pair.sol, V4Router.sol, and sun-dao-contracts confirms zero oracle state variables, zero oracle interface imports, zero setOracle() or equivalent function. The RD-F-180 failure mode (oracle address locked, cannot reprice post-depeg) is structurally void for a protocol with no oracle adapter whatsoever. Score: not_applicable per methodology — factor's structural precondition (oracle dependency exists) is absent.
RD-F-181 n/a Permissionless-pool lending oracle RD-F-181 (permissionless-pool lending oracle / isolation-tier config) is a lending-protocol-specific factor. SUNSwap is a DEX/AMM with no borrow, collateral, or liquidation logic. The factor definition — 'lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools' — is structurally inapplicable to a DEX that IS the pool venue, not a lending consumer of pool prices. Per process-learnings §oracle-dependency-analyst: 'Factor definition makes it N/A for DEX protocols by construction.'
RD-F-048 green Oracle providers used No external oracle providers used across any SUNSwap version. Source inspection of SunswapV2Pair.sol (imports: ISunswapV2Pair, SunswapV2ERC20, Math, UQ112x112, IERC20, ISunswapV2Factory, ISunswapV2Callee, TransferHelper — zero oracle interfaces), V4 PoolManager.sol (all-internal imports — zero oracle), V4Router.sol (IVault, ICLPoolManager, internal types only — zero oracle), sun-dao-contracts (no oracle references), and smart-exchange-router (on-chain DEX state only) confirms no Chainlink, Pyth, Redstone, or TWAP-feed consumption.
RD-F-050 green Dependency graph (protocols depended upon) Dependency graph: Smart Exchange Router depends on V1/V2/V3 pools, PSM, and SunCurve for optimal routing. SUN DAO Gauge/GaugeController/Minter/Distribution form the reward-distribution dependency chain. V4 hooks introduce per-pool external dependencies (none currently canonical/oracle-linked). No bridge dependency. Failure of routing dependencies (PSM, SunCurve) degrades optimal path routing but does not impair core pool swap execution. Failure of Gauge system halts SUN emissions but does not affect swap liquidity.
RD-F-052 green Breakage analysis per dependency Per-dependency breakage analysis: (1) Smart Exchange Router failure: routing quality degrades, direct pool swaps unaffected, no fund loss — router is a peripheral aggregator, not a liquidity custodian. (2) PSM failure: SER PSM-leg routes fail; direct V2/V3 stablecoin swaps remain accessible. (3) SunCurve failure: SER stablecoin routing degrades; AMM pool routes still accessible. (4) GaugeController/Gauge failure: SUN emissions halt, LP reward accrual stops; swap execution and LP positions unaffected. (5) Individual V4 hook failure: that hook-enabled pool's swaps revert; PoolManager singleton continues for all other pools — hook failure is isolated by the singleton architecture.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] SUNSwap is a price source, not a price consumer. No spot DEX pool oracle is consumed by any V1/V2/V3/V4 contract. SunswapV2Pair.sol import list: ISunswapV2Pair, SunswapV2ERC20, Math, UQ112x112, IERC20, ISunswapV2Factory, ISunswapV2Callee, TransferHelper — zero oracle interfaces. V4 PoolManager.sol: all-internal type imports, zero external oracle. V4Router.sol: IVault + ICLPoolManager (internal) only. V4 hooks could implement oracle reads as a custom extension (confirmed by AiCoin article: 'easily integrating on-chain oracles' described as optional developer hook capability, not core architecture), but no canonical/default periphery hook does so. price0CumulativeLast/price1CumulativeLast in V2 are TWAP accumulators exposed for external consumers — outbound oracle provision, not inbound oracle consumption.
RD-F-062 green External keeper/relayer not redundant No mandatory keeper/relayer dependency identified for core AMM operations. Pool swaps are executed on-demand by users. SUN DAO Gauge reward distribution may be triggered by user claims or a keeper, but no single-keeper single-point-of-failure exists per sun-dao-contracts README. [?] Exact keeper architecture for Gauge reward distribution not fully confirmed from available source.
Economic risk Yellow 22 13 of 13
RD-F-065 yellow Liquidity depth per major asset Major pairs have deep liquidity: V3 USDT/WTRX $78.1M pool with $38.3M 24h volume (top pool by volume); V2 USDT/WTRX $96.4M pool; combined USDT/WTRX exposure ~$174M+. V2 SUN/WTRX $18.4M; V3 sTRX/WTRX $7.2M; V3 USDT/HTX $5.9M. Long-tail pools (OSK/WTRX ~$190K; PePe/WTRX ~$301K; SUNDOG/WTRX ~$838K) have very shallow liquidity with high slippage risk for any significant trade. Monthly DEX volume >$3B (May 2025 record $3.8B). HTX and WTRX account for ~75% of trading volume. Exact 2%/5% slippage depth not retrievable via available tooling (no TRON DEX subgraph); scored yellow on pool-size proxy. Major pairs green-equivalent; long-tail shallow drives overall yellow.
RD-F-072 yellow Market-listing governance threshold SUNSwap V1, V2, and V3 are fully permissionless pool-listing AMMs — any TRC-20 token holder can deploy a pool with no governance approval required. SUN-DAO gauge-weight voting governs reward distribution to existing pools only; it does NOT gate pool creation. V4 maintains the same permissionless model. GeckoTerminal confirms co-existence of institutional-depth pools (USDT/WTRX $78–96M) alongside long-tail/meme pools (OSK, PePe, SUNDOG at $190K–$838K) — standard permissionless DEX risk. SunPump meme launchpad migrates tokens to SunSwap, increasing volume of low-quality pool deployments on TRON. Additional ecosystem risk: JustLend uses SUNSwap pool spot prices as oracle feeds per TRON DeFi ecosystem reporting — thin-pool price manipulation on SUNSwap can propagate to JustLend mispricings, amplifying the blast radius. Scored yellow: permissionless listing is standard AMM practice (not worse than Uniswap V2) but the TRON ecosystem oracle-consumer dependency elevates the manipulation surface.
RD-F-064 gray TVL concentration (top-10 wallet share) Top-10 LP wallet concentration cannot be computed: Dune Analytics has no TRON coverage; TronScan HTML returns 403; no TRON DEX subgraph queryable via public API. V3 CLMM positions are NFT-represented (NonfungiblePositionManager) which inherently fragments concentration by price range. V2 constant-product LP tokens: concentration unknown without on-chain enumeration via TronGrid API. Production pipeline requires TronGrid API or tronscan.org transaction trace to enumerate LP positions.
RD-F-066 n/a Utilization rate (lending protocols) SUNSwap is a DEX/AMM (not a lending protocol). No borrow markets exist. Cache confirms borrow.present=false. PD-024: lending-specific factors score not_applicable for non-lending protocols.
RD-F-067 n/a Historical bad-debt events DEX/AMM — no borrow markets, no bad debt mechanism. PD-024 lending-only N/A.
RD-F-068 n/a Collateralization under stress DEX/AMM — no collateral positions or collateralization ratio. PD-024 lending-only N/A.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin SUNSwap is not a stablecoin issuer. V1.5 StableSwap pools are a pool type within the AMM enabling stablecoin swaps; they do not create an algorithmic stablecoin. USDD is a TRON DAO product outside this DEX's scope. PD-024 lending-only N/A.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) SUNSwap is a Uniswap-family AMM (V1=Uniswap V2-style constant-product; V2=Uniswap V3-style CLMM-lite; V3=full Uniswap V3 CLMM; V4=Uniswap V4 singleton+hooks). There are no cToken markets, no totalSupply==0/totalBorrow==0 market state, and no share-based vault structure enabling the Compound V2 donation-exploit pattern. Not a Compound V2 fork. Per taxonomy §Cat 4: Compound-fork-only factor — N/A for non-Compound-fork protocols.
RD-F-071 n/a Seed-deposit requirement for new market listing DEX/AMM — no market-listing requiring a seed deposit for borrow-enable. PD-024 lending-only N/A.
RD-F-073 n/a Oracle-manipulation-proof borrow cap DEX/AMM — no borrow caps. SUNSwap is a price source, not a price consumer with borrow caps to validate. PD-024 lending-only N/A.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) SUNSwap V1–V4 are Uniswap-family AMM pool contracts on TVM (TRON Virtual Machine), not ERC-4626 vaults. V1 uses constant-product LP tokens; V2/V3 use NFT-represented positions (NonfungiblePositionManager); V4 uses singleton pool manager. No ERC-4626 vault wrapper exists or has been confirmed. TVM does not implement ERC-4626 as an on-chain standard. PD-024 lending-only N/A.
RD-F-075 n/a First-depositor / share-inflation guard No ERC-4626-style vault shares exist in SUNSwap's architecture. V1 LP tokens follow Uniswap V2 mechanics (minimum liquidity burned to address(0) on first deposit, preventing zero-totalSupply donation attack). V2/V3 CLMM: positions are NFT-represented — no fungible-share inflation surface by construction. V4 singleton: Hooks architecture does not introduce a share-based vault surface. The first-depositor share-inflation attack requires assets/totalSupply vault accounting; none of SUNSwap's versions implement this pattern. PD-024 lending-only N/A.
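Two of the green/N/A arguments above rest on the same piece of Uniswap-V2-derived bookkeeping: RD-F-061 (prices come from stored reserves that only change in _update(), so a direct token transfer does not move them) and RD-F-075 (the first mint burns MINIMUM_LIQUIDITY shares to address(0), which makes the first-depositor share-inflation attack uneconomic). The simulation below is an added example written for this review, not SunswapV2Pair.sol or any sun-protocol code; it reproduces the V2 mint/burn/sync arithmetic in Python so the two properties can be checked numerically. The pair-side token balances, account names and the "address(0)" label are constructed, and the 1000-unit MINIMUM_LIQUIDITY constant is the upstream Uniswap V2 value.

```python
"""Constructed simulation of Uniswap-V2-style pair accounting (not SUNSwap code).

Amounts are plain integers; the token decimals and all sample values below are
made up for the demonstration.
"""
from fractions import Fraction
from math import isqrt

ZERO_ADDRESS = "address(0)"   # label for the permanently locked shares


class Pair:
    """Minimal constant-product pair with V2-style reserve bookkeeping."""

    def __init__(self, minimum_liquidity: int = 1000) -> None:
        self.minimum_liquidity = minimum_liquidity
        self.balance0 = self.balance1 = 0    # what balanceOf(pair) would report
        self.reserve0 = self.reserve1 = 0    # reserves recorded by _update()
        self.total_supply = 0
        self.lp: dict[str, int] = {}

    def _update(self) -> None:
        """Mirror of V2 _update(): reserves are refreshed only here."""
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def transfer_in(self, amount0: int, amount1: int) -> None:
        """Direct token transfer to the pair: balances move, reserves do not."""
        self.balance0 += amount0
        self.balance1 += amount1

    def sync(self) -> None:
        """V2 sync(): force reserves to match balances."""
        self._update()

    def mint(self, to: str) -> int:
        """V2 mint(): contribution is the balance delta since the last _update()."""
        amount0 = self.balance0 - self.reserve0
        amount1 = self.balance1 - self.reserve1
        if self.total_supply == 0:
            liquidity = isqrt(amount0 * amount1) - self.minimum_liquidity
            if liquidity <= 0:
                raise ValueError("INSUFFICIENT_LIQUIDITY_MINTED")  # SafeMath underflow in V2
            self.lp[ZERO_ADDRESS] = self.minimum_liquidity          # burned, never redeemable
            self.total_supply += self.minimum_liquidity
        else:
            liquidity = min(amount0 * self.total_supply // self.reserve0,
                            amount1 * self.total_supply // self.reserve1)
            if liquidity <= 0:
                raise ValueError("INSUFFICIENT_LIQUIDITY_MINTED")
        self.lp[to] = self.lp.get(to, 0) + liquidity
        self.total_supply += liquidity
        self._update()
        return liquidity

    def burn(self, who: str) -> tuple[int, int]:
        """Redeem all of who's shares pro rata against current balances, as V2 burn() does."""
        liquidity = self.lp.pop(who, 0)
        amount0 = liquidity * self.balance0 // self.total_supply
        amount1 = liquidity * self.balance1 // self.total_supply
        self.balance0 -= amount0
        self.balance1 -= amount1
        self.total_supply -= liquidity
        self._update()
        return amount0, amount1

    def reserve_price(self) -> Fraction:
        """Price of token0 in token1 as the pair itself computes it (from reserves)."""
        return Fraction(self.reserve1, self.reserve0)

    def balance_price(self) -> Fraction:
        """What a naive balanceOf()-based consumer would compute instead."""
        return Fraction(self.balance1, self.balance0)


def deposit(pair: Pair, who: str, amount0: int, amount1: int) -> int:
    pair.transfer_in(amount0, amount1)
    return pair.mint(who)


def donation_effect() -> tuple[Fraction, Fraction, Fraction]:
    """RD-F-061: (reserve price before, reserve price after donation, balance price after)."""
    pair = Pair()
    deposit(pair, "lp", 1_000_000_000, 2_000_000_000)   # constructed 1000:2000 pool
    before = pair.reserve_price()
    pair.transfer_in(0, 1_000_000_000)                   # donation of token1 only, no sync()
    return before, pair.reserve_price(), pair.balance_price()


def inflation_attack(minimum_liquidity: int, donation: int = 5 * 10**17,
                     victim_amount: int = 10**18) -> dict[str, int]:
    """RD-F-075: smallest allowed seed deposit, donation, sync(), then a victim deposit."""
    pair = Pair(minimum_liquidity)
    seed = minimum_liquidity + 1          # isqrt(seed*seed) - minimum_liquidity == 1 share
    deposit(pair, "attacker", seed, seed)
    pair.transfer_in(donation, donation)
    pair.sync()                           # without sync() the victim's mint would absorb the donation
    try:
        victim_shares = deposit(pair, "victim", victim_amount, victim_amount)
    except ValueError:
        victim_shares = 0
    victim_out = pair.burn("victim")[0] if victim_shares else 0
    attacker_out = pair.burn("attacker")[0]
    return {"attacker_in": seed + donation, "attacker_out": attacker_out,
            "victim_in": victim_amount, "victim_out": victim_out,
            "locked_shares": pair.lp.get(ZERO_ADDRESS, 0)}


if __name__ == "__main__":
    print(donation_effect())
    print(inflation_attack(0))       # unguarded: attacker profits, victim loses 25%
    print(inflation_attack(1000))    # V2 guard: victim loses ~0.02%, attacker forfeits ~99.9%
```

With the guard disabled the attacker turns a half-token seed into a quarter of the victim's deposit; with the 1000 burned shares in place the same donation is mostly captured by address(0), so the attack costs the attacker far more than it extracts. The donation test also shows why a consumer must read the pair's reserves, not its token balances, if it wants the number the pair itself trades at.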
RD-F-063 green TVL (current + 30d trend) Combined V1+V2+V3 TVL ~$422.9M as of 2026-05-17 (V2: $260.2M; V3: $111.6M; V1: $51.5M). 90-day CoV = 0.039 (very stable; mean $246.8M per pipeline parent slug). Historical peak V2: ~$376.5M (Nov 2024). Trend: flat-to-up in 2026. All TVL on Tron chain (single-chain concentration noted but not an instability flag). Pipeline slug tvl_usd=null due to non-EVM detection limitation; per-version API endpoints are authoritative.
Operational history Green 19 15 of 15
RD-F-166 red Deprecated contracts still holding value Two deprecated Smart Router addresses (TJ4NNy8xZEqsowCBhLvZ45LCqPdGjkET5j and TFVisXFaijZfeyeSjCEVkHfex7HGdTxzF9) are explicitly listed as deprecated on official SUN.io docs (docs.sun.io/developers/swap/smart-router). These are approval surfaces — users granted TRC-20 token allowances to these router contracts. Neither the Sep 2024 router upgrade announcement nor the Feb 2026 Universal Router/Permit2 announcement included guidance for users to revoke approvals to deprecated addresses. TRON-native approval scanners (Revoke.cash, DeBank) do not support TVM contracts; stale approval count cannot be quantified but structural exposure exists. V1 pool contracts ($51.8M TVL) are NOT deprecated by the protocol and are therefore excluded from this finding. RD-F-088 yellow Re-deployed to new addresses in last year New Smart Router contracts deployed within last 12 months: Universal Router (TSJEtPuqHpvSaVnSwvCsngaeBxrGUzp95Q) and Permit2 (TTJxU3P8rHycAyFY4kVtGNfmnMH4ezcuM9) on 2026-02-05; prior router TCFNp179Lg46D16zKoumd4Poa2WFFdtqYj deployed Sep 2024. Core TVL-bearing AMM contracts (V1/V2/V3 factory/pool) were NOT redeployed — they are stable. Yellow: new peripheral address deployments within 12 months represent new attack surface, but core contracts unchanged. RD-F-089 yellow Insurance coverage active No active Nexus Mutual, Sherlock, or Unslashed coverage found for SUNSwap TRON contracts. EVM-native DeFi insurance products generally do not cover TRON-substrate protocols as a matter of product design (Nexus Mutual covers Ethereum smart contracts; TRON is out of scope). This represents both a genuine absence AND a structural inaccessibility specific to the TRON substrate. Yellow rather than red because the limitation is partly architectural (no TRON-native insurance market) rather than purely a team decision. 
RD-F-081 n/a Post-exploit response score No prior exploits — factor requires a prior incident to score post-exploit response quality. Not applicable.
RD-F-082 n/a Post-mortem published within 30 days No prior exploits — factor requires a prior incident to assess whether a post-mortem was published within 30 days. Not applicable.
RD-F-083 n/a Auditor re-engaged after last exploit No prior exploits — factor requires a prior incident to assess whether an auditor was re-engaged post-exploit. Not applicable.
RD-F-085 n/a Incident response time (minutes) No prior exploits — incident response time metric requires a prior incident. Not applicable.
RD-F-086 gray Pause activations (trailing 12 months) Pause/emergency-stop activation history cannot be verified via standard tooling. TRON-substrate: tronscan.org HTML returns 403; on-chain event log scanning for pause events on TVM contracts is not accessible via WebFetch. No public announcements of protocol pauses found in search results or profile. Cannot distinguish confirmed-zero from data-inaccessibility.
RD-F-087 gray Pause > 7 consecutive days Extended-pause detection (>7 consecutive days) requires on-chain event log scanning which is not accessible for TRON-substrate contracts via available tooling. No public announcements of extended pauses found. Same TRON tooling constraint as F086.
RD-F-076 green Protocol age (days) First mainnet deploy 2020-08-18 (JustSwap V1, rebranded to SUNSwap Oct 2021). As of 2026-05-17: ~2,098 days (~69 months) from V1 origin; operative V2 launched 2021-12-20 (~1,244 days / ~41 months). Both well above 365-day A-grade floor. Protocol has been under continuous live stress for an extended period with combined TVL ~$403M.
RD-F-077 green Prior exploit count Zero confirmed protocol-level exploits on SUNSwap (sun.io) contracts across ~69 months of live time. Hacksdatabase grep for 'sunswap', 'justswap', 'sun.io', 'TRON DEX' returned zero matches. Data cache rekt.incidents=[], defillama.hacks=[]. REKT News leaderboard confirms no sunswap entry. SlowMist Hacked search confirms no entry. Disambiguation applied: Grinex drain (used SUNSwap as drain venue but SUNSwap not exploited), sswapap.vip scam (impersonator not the protocol), SEC v. Sun (civil action not exploit).
RD-F-078 green Chronic-exploit flag (≥3 incidents) Exploit count = 0 (per F077). Chronic flag (>=3 incidents) = false by definition.
RD-F-079 green Same-root-cause repeat exploit No incidents on record, so same-root-cause repeat exploit = false. No incident data to pattern-match.
RD-F-080 green Days since last exploit No exploit ever recorded — days-since-last-exploit is effectively infinite. Factor scores green (clean record).
RD-F-084 green TVL stability (CoV over 90d) TVL coefficient of variation over trailing 90 days = 0.039 (3.86%). Well within green threshold. Mean $246.8M, std $9.53M. Pipeline slug 'sunswap' tracks V2-oriented subset; combined per-version TVL ~$403M also stable. Very low volatility indicates operational stability.
Real-time signals Green 17 22 of 22
RD-F-104 yellow Stablecoin depeg >2% on shared-LP venue T-09 v1 signal. SUNSwap pools have dominant USDT TRC-20 exposure — USDT = 98.5% of TRON stablecoin supply as of March 2025; TRON hosts >46% of global USDT supply (~$78B as of Q3 2025). Exposure to USDT TRC-20 far exceeds the 5% TVL threshold (USDT is primary liquidity pair across V1/V2/V3). USDD (TRON's algo-adjacent stablecoin, V2.0 redesigned 2024) is secondary exposure. Currently USDT peg intact. Historical USDD depeg events in 2022-2023 (USDD 1.0) created material TRON DEX stress. A USDT TRC-20 depeg >2% would fire this signal immediately for SUNSwap given structural dominance. Sector-wide suppression rule would apply for global USDT depeg but not for TRON-local USDD depeg event.
RD-F-109 yellow Social-media impersonation scam spike T-09 phase-2 signal. Confirmed active impersonation ecosystem: Washington State DFI fraud alert confirms sswapap.vip as advance-fee fraud scheme impersonating SunSwap (victims lost >$9,000; recruited via external social channels). Multiple third-party safety evaluations flagging sswapap.vip-class scams as SunSwap-branded. This demonstrates an active impersonation ecosystem with social component (DFI notes victims were introduced via dating websites — classic pig-butchering social engineering). Signal would fire at elevated level given confirmed scam infrastructure.
RD-F-090 gray Mixer withdrawal → protocol interaction Tornado Cash is EVM-chain; not directly applicable to TRON-native SUNSwap contracts. Justin Sun personal EVM wallet received TC dust-attack (Aug 2022, unsolicited coordinated attack). No voluntary mixer withdrawal to TRON SUNSwap contracts confirmed. T-09 phase-2 advisory-only signal (Tier C). TRON-native mixer equivalent cluster not in standard Chainalysis TC definition. Pipeline not wired for TRON-chain mixer cluster detection.
RD-F-091 gray Partial-drain test transactions No partial-drain test transaction patterns detected against SunSwap contracts in public sources. T-09 phase-2 signal folded into RD-F-098 tier-B precursor rule. Requires TronGrid on-chain pattern matching not yet implemented for TRON chain.
RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer wallet identity not confirmed for TRON-native contracts (V1/V2/V3/V4). TRON mempool monitoring tooling differs from EVM; requires TronGrid event subscription. T-09 phase-2 signal. No confirmed unusual deployer activity in available public sources.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet TRON uses Energy/Bandwidth model, not gas. Standard EVM gas-price willingness signal does not map to TVM substrate. Energy consumption spike equivalent is the TRON analogue but requires TronGrid event subscription not yet implemented. T-09 phase-2 signal.
RD-F-094 gray New contract with similar bytecode to exploit template No new deploy with exploit-template bytecode similarity to SunSwap contracts found in public sources. T-09 phase-2 signal. Requires TronGrid new-deploy sweep and bytecode similarity engine for TRON chain — not yet implemented.
RD-F-095 gray Known-exploit function-selector replay No known-exploit replay pattern detected against SunSwap contracts. Function selector patterns apply to TVM but require TRON-chain call-pattern monitor. T-09 phase-2 signal not yet implemented for TRON chain.
RD-F-096 gray New ERC-20 approval to unverified contract from whale TRC-20 approval (TRON equivalent of ERC-20 approve) is applicable; no suspicious high-TVL user approvals to unverified contracts detected. T-09 phase-2 signal. TRON substrate requires TronGrid event subscription. Per T-09, user-level not protocol-level signal.
RD-F-097 gray Sybil surge of identical-pattern transactions No sybil surge detected. SunSwap V2/V3 have significant organic volume (~$495M 7-day per AiCoin). T-09 phase-2 signal. Requires TRON on-chain clustering engine not yet implemented.
RD-F-099 n/a Oracle price deviation >X% from secondary SUNSwap V1/V2/V3 is an AMM DEX that IS a price source; it does not consume external price oracles for its core swap function. T-09 signal definition requires protocol uses primary oracle feed for safety-critical reads (lending collateral, liquidation price). SUNSwap is oracle-producer not oracle-consumer. V4 hooks could theoretically call external oracles but no default hook confirmed. Structural N/A for AMM protocol type.
RD-F-100 gray Flash loan >$10M targeting protocol tokens Applicable — TRON has flash loan providers (JustLend); SunSwap V4 Lightning Accounting enables within-transaction mechanics. No $10M+ flash-loan attack targeting SunSwap contracts confirmed. T-09 phase-2 signal (grade-eligible only when corroborated). Requires TronGrid block-scan + TRON flash-loan source mapping not yet implemented for TRON chain.
RD-F-101 gray Large governance proposal queued T-09 v1 signal. SUN DAO on-chain governance active since 2024-07-30 via veSUN. No malicious-pattern proposal detected. TRON-native governor (not EVM Governor Bravo) — TVM ABI calldata parsing required for selector-level flagged-pattern detection. Governance forum.sun.io shows routine activity. Pipeline gap: TRON-native governor event monitoring not implemented.
RD-F-102 gray Admin/upgrade transaction in mempool T-09 phase-2 signal. V1/V2/V3 AMM factory contracts appear immutable (Uniswap-fork pattern; no proxy detected). V4 PoolManager singleton has protocolFeeController (TEays9UfJn2EqKjkN7hWUWewBGpGxTzWEv) with potential admin actions. No suspicious admin tx detected. TRON mempool monitoring requires TronGrid event subscription — not EVM mempool listener. Structural limitation: limited applicable upgrade surface on immutable AMM versions.
RD-F-103 n/a Bridge signer-set change proposed/executed SUNSwap is a TRON-native DEX with no bridge surface. Profile §7 confirms has_bridge_surface=false. No LayerZero OApp, no cross-chain message passing. Structural N/A for non-bridge protocol.
RD-F-106 n/a Cross-chain bridge unverified mint pattern No bridge surface. SUNSwap is a TRON-native DEX; no cross-chain bridge tx monitoring applicable.
RD-F-107 gray Admin EOA signing from new geography/device Requires off-chain signing telemetry (MPC/session-key logs). Admin wallet addresses for TRON-native contracts not confirmed in public sources. No public proxy available. T-09 phase-2 signal.
RD-F-108 gray GitHub force-push to sensitive branch sun-protocol GitHub org has 25 public repos including V4 core/periphery. GitHub API monitoring is chain-agnostic. No force-push or non-protocol account push to sensitive branches detected in available sources. T-09 phase-2 signal. Requires GitHub API monitor per repo with webhook or polling — not yet implemented.
RD-F-110 gray Unusual pending/executed proposal ratio SUN DAO governance active. No unusual proposal ratio detected. T-09 phase-2 signal derived from RD-F-101 analytics. Requires TRON-native governor event subscription for proposal-level baseline computation.
RD-F-182 n/a Security-Council threshold reduction (RT) SUNSwap has no Security Council multisig. TRON has no Gnosis Safe deployment; AMM factory contracts (V1/V2/V3) appear immutable; V4 protocolFeeController is a single address not a k-of-N Security Council. RD-F-182 fires on Security Council threshold reduction (e.g., 3/5 to 2/5) — structurally inapplicable here. Batch-24 Cat 6B addition per taxonomy v1.1.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal. TVL CoV=0.039 over trailing 90 days (very low volatility; mean $246.8M per pipeline slug; combined per-version ~$403M). No anomalous drop event (>30% in 60-minute window vs 30d baseline) observed in available data. TVL stable and trending flat. TRON substrate pipeline wiring gap noted (TronGrid TVL subgraph needed for live monitoring) but current posture is clean — no anomaly to report.
RD-F-105 green DNS/CDN/frontend hash drift T-09 phase-2 signal. sunswap.com and sun.io are live frontends; DNS/TLS cert monitoring is chain-agnostic. No current DNS drift detected at sunswap.com or sun.io in available searches as of 2026-05-17. The confirmed impersonation domain sswapap.vip is a separate domain (not a DNS hijack of legitimate sunswap.com) — scored as F161 brand impersonation, not F105 DNS drift. Frontend hash drift on the legitimate domain: not observed.
Dev identity & insider risk Green 15 16 of 16
RD-F-112 yellow Team public accountability surface Justin Sun has an extensive verifiable public accountability surface: WTO diplomatic credential, Forbes billionaire list, SEC docket (LR-26496), Peking University / UPenn academic record, Ripple Labs employment (2013), multiple keynote appearances. GitHub commit authors (Leon.Zhang, Will Guan, parson.hu, suniodev) have @tron.network corporate email attestation but no standalone LinkedIn profiles, conference bios, or career history independent of the TRON org. The deep engineering team's accountability surface is low beyond institutional email domain. Score yellow: strong at the principal level, low at the protocol-engineer level.
RD-F-113 yellow Team other-protocol involvement history Justin Sun's other protocol involvement: TRON (founder 2017, live), Poloniex (acquired 2019, suffered $120M hack Nov-2023), HTX/Huobi (acquired, also hacked), USDD stablecoin, BitTorrent/Rainberry (SEC case party, paid $10M settlement), World Liberty Financial ($75M investor 2024-2025). Multiple Sun-affiliated platforms were hacked in a 2-month span per CoinTelegraph coverage. No prior rug-pull or exit-scam label for any SUNSwap deployer. Score yellow: involvement with multiple hacked platforms in the same ecosystem (not rugs, but operational-security pattern) warrants yellow without red.
RD-F-121 yellow Contributor OSINT depth score Justin Sun scores 5/5 on OSINT depth: Forbes #411 billionaire, Wikipedia page, SEC docket, academic credentials, diplomatic credential, conference bios, IMDB page. Protocol-level contributors (Leon.Zhang, Will Guan, parson.hu, suniodev) score approximately 2/5: identifiable by @tron.network corporate email and GitHub handle but no standalone LinkedIn profiles, conference history, or career records beyond TRON org commits located. Yellow reflects strong principal-level depth offset by minimal deep-team depth.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion SUN DAO governance launched 2024-07-30 (CryptoSlate); forum launched July 2024 (forum.sun.io/c/governance/5). Forum governance section evidence: latest substantive post is meme-coin discussion (July 2025, 25 replies) - thin governance-discussion record. V3 Factory deployed Feb 2023 and V4 PoolManager deployed Aug 2024 (same month DAO launched) with no confirmed corresponding governance forum threads for their admin-permission events. Pre-DAO AMM factory admin (2020-2024) operated under deployer-EOA pattern without public discussion records. No confirmed admin-rescue events found, but TRON substrate opacity limits verification that admin actions had corresponding discussions. V3 deployer has two-key active permission (multi-sig control structure not publicly identified). Score YELLOW for thin governance-discussion record and unverifiable pre-DAO admin-change history.
RD-F-124 yellow Deployer wallet mixer-funded within 30 days V2 Factory deployer TR6NdXm7ga2r4rdTrGfqEPjvBpT93QHYpm created 2021-12-12 (one day before V2 Factory deploy per TronScan). Earliest incoming tx: 1 TRX from unlabeled address TFnSGP4rnG2uTEcevykikJYeecf1zekGS9 on 2021-12-12. All 21 incoming transactions show TronScan risk:false with no mixer or sanctioned-address labels. TRON has no Tornado Cash equivalent with public on-chain cluster labeling. V2 Router/V4 PoolManager deployer TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg: created 2024-08-09, no mixer labels. V3 Factory deployer TCXrf8SwGjcmQYY1FcFnV3LUXSQpqod3bi: created 2023-02-10, no mixer labels. Score YELLOW due to partial opacity (first-hop funder is unlabeled; cannot confirm CEX/custodial source from public data) rather than confirmed mixer interaction.
RD-F-125 yellow Deployer linked within 3 hops to DPRK/Lazarus Per U15 / §7-rule-5 framing: YELLOW, NOT red. The U.S. SEC filed a civil action (LR-26496, 2023-03-22) against Justin Sun personally, Tron Foundation, BitTorrent Foundation, Rainberry Inc. for alleged market manipulation and unregistered securities. SETTLED ~2026-03-05: Rainberry paid $10M civil penalty; all claims against Justin Sun, Tron Foundation, BitTorrent Foundation dismissed WITH PREJUDICE (CoinDesk 2026-03-05; Crowdfund Insider 2026-03-05). This is a settled US SEC CIVIL action with ZERO OFAC SDN designation, ZERO DPRK/Lazarus cluster nexus, and ZERO sanctions linkage. The 2022-08-13 Tornado Cash dust attack on Sun's Ethereum address was a third-party attack (0.1 ETH sent unsolicited); his Aave account reinstated same day; this is NOT self-initiated mixer use. All deployer addresses show TronScan risk:false with no sanctioned contacts at 1-hop. No Chainalysis/TRM published report links any SUNSwap insider to DPRK/Lazarus cluster. No F-grade discretionary downgrade applies per
RD-F-117 n/a ENS/NameStone identity bound to deployer TRON blockchain has no ENS registry or NameStone equivalent. Base58-encoded TRON addresses do not support ENS-style name resolution. TronScan supports address tagging but no public ENS-equivalent name is bound to any deployer address. Factor is structurally not applicable on the TRON non-EVM substrate.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet On-chain payment streams to GitHub commit authors are not publicly identifiable on TRON substrate (no on-chain payroll contract equivalent; TRON payroll is off-chain). The three deployer addresses (TR6NdXm7ga2r4rdTrGfqEPjvBpT93QHYpm, TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg, TCXrf8SwGjcmQYY1FcFnV3LUXSQpqod3bi) show risk:false on TronScan 1-hop analysis with no DPRK-labeled contacts. 2-3 hop analysis is not available via public TronScan API without authenticated Chainalysis-TRON cluster feed. Cannot confirm or rule out beyond 1-hop proximity. No public evidence linking any contributor payment wallet to DPRK cluster.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged persona with real-capital deposits >=$1M to SUNSwap or peer protocols in a social-engineering credential-building pattern has been identified in any public source as of 2026-05-17. The Drift/UNC4736 reference pattern (6-month conference build-up with >$1M capital deposits preceding durable-nonce pre-signing attack) has no documented equivalent for the SUNSwap ecosystem. Justin Sun's $75M investment in World Liberty Financial is high-profile and public, serving opposite of a covert persona. Factor is P1, M-only OSINT by definition; requires curator confidence beyond on-chain trail. Per process-learnings: mark GRAY + Drift comparator note; do not spend time confirming absence of a covertly designed pattern.
RD-F-111 green Team doxx status Ecosystem principal Justin Sun (Sun Yuchen, b. 1990-07-30) is fully doxxed: real name, academic credentials (Peking University BA History 2011, UPenn MA East Asian Studies), Forbes #411 billionaire ($8.5B Apr-2026), WTO Grenada ambassador (2021-2023), multiple conference keynotes, SEC docket appearances. Protocol-level contract deployers are pseudonymous EOAs; GitHub commit authors use @tron.network corporate email domain (Leon.Zhang, Will Guan, parson.hu), providing institutional-level attestation. Category assessed as: real-name principal + pseudonymous-with-track-record org staff.
RD-F-114 green Deployer address prior on-chain history V2 Factory deployer TR6NdXm7ga2r4rdTrGfqEPjvBpT93QHYpm: TronScan accountType:0 EOA, created 2021-12-12, 24 total transactions, risk:false. V2 Router/V4 PoolManager deployer TU3rMHyWHzeEJBReWLzHko728hbz6MtfNg: EOA, created 2024-08-09, 125 transactions, risk:false. V3 Factory deployer TCXrf8SwGjcmQYY1FcFnV3LUXSQpqod3bi: EOA, created 2023-02-10, 953 transactions, holds SunSwap V3 and V4 position NFTs, risk:false. All three categorized as normal-dev-history per TronScan. No rug-linked prior history found in hacksdatabase or OSINT.
RD-F-115 green Prior rug/exit-scam affiliation No confirmed prior rug or exit-scam linkage for any identified SUNSwap deployer or GitHub commit author. Justin Sun's platforms experienced hacks (Poloniex, HTX) and the SEC alleged wash trading, but these are security failures / civil regulatory actions, not rug-pull events. The hacksdatabase contains no SUNSwap entry. No OSINT source attributes a prior rug to the SUNSwap team or deployers.
RD-F-116 green Contributor tenure at admin-permissioned PR GitHub org sunswapteam was active pre-2021 (sunswap2.0-contracts, interface repos); sun-protocol org established ~late 2021 (suniodev account created 2021-11-30). Leon.Zhang (leon.zhang@tron.network) commits span Nov 2025 through Mar 2026 across v3, v4, and dao repos continuously. Will Guan (will.guan@tron.network, GitHub: Will-Guan) merge commit 2025-12-14. Initial committers suniodev + sun.dev@sunswap.com contributed from Dec 2021. Developer tenure is multi-year (4+ years for the org, 6+ months for recent active contributors), consistent with legitimate institutional development.
RD-F-118 green Handle reuse across failed/rugged projects GitHub handles suniodev and sunswapteam org show no prior rug-labeled project associations. Justin Sun's public handles (@justinsuntron / @justinsun) are consistently associated with TRON ecosystem only; no handle-reuse pattern across failed/rugged projects found in OSINT. suniodev created 2021-11-30 appears to be a dedicated protocol handle.
RD-F-119 green Commit timezone consistent with stated geography 20 commits extracted from sunswap-v4-core (Nov 2025 - Mar 2026): all timestamps UTC-Z normalized. Commit working hours visible as 06:00-14:30 UTC, consistent with UTC+8 timezone (China / Singapore). TRON Foundation is Singapore-registered; Justin Sun is Chinese-born; sun-protocol org developers using @tron.network emails align with Asia-Pacific timezone. No North Korea (UTC+9) or anomalous pattern detected. Caveat: UTC-Z normalization limits timezone identification confidence; this is a weak supporting signal only.
RD-F-120 green Video-off/voice-consistency flag Justin Sun has extensive documented public video presence: multiple conference keynotes at Token2049, Consensus, and other major crypto events; Twitter Spaces appearances; YouTube interviews; IMDB biography page. No video-consistency concerns, voice anomalies, or video-off patterns reported in any OSINT source. Protocol-level engineers (Leon.Zhang etc.) do not have public video presence, which is normal for backend/smart-contract engineers and not a risk signal.
Fork / dependency lineage Green 15 10 of 10
RD-F-131 red Fork retains upstream audit coverage Upstream Uniswap V2/V3/V4 well-audited, but TRON-substrate adaptations (TRC-20 interface, TVM energy, WTRX/native-TRX, V4 Subscriber+Custom Accounting) constitute new code not covered by upstream audits. No delta-audit confirmed for any TRON-specific changes. Operative V2 surface has zero audit coverage.
RD-F-129 yellow Code divergence from upstream (%) V2: <15% divergence estimated (TRON-substrate adaptations: TRC-20, TVM energy, WTRX). V4 adds 6 TRON-specific innovations (Native TRX, Subscriber mechanism) suggesting ~20-30% divergence in peripheral features. Precise % unconfirmable without git-diff across organizations.
RD-F-132 n/a Fork has different economic parameters than upstream SUNSwap is a DEX/AMM protocol — no lending collateral-factor or LTV parameters exist. This factor is lending-parameter-focused (LTV, collateral factor deviations from upstream) and is structurally moot for AMM/DEX forks.
RD-F-126 green Is-a-fork-of V1/V2 forks Uniswap V2; V3 forks Uniswap V3 (CLMM); V4 forks Uniswap V4 (singleton+hooks); V1.5 forks Curve StableSwap. sunswap-v2-contracts package.json includes @uniswap/v2-core and @uniswap/v2-periphery references confirming upstream lineage.
RD-F-127 green Upstream patch not merged No specific published security patches from Uniswap for V2/V3/V4 core AMM found unmerged in sunswap. Uniswap V2 core has no disclosed critical vulnerabilities. KyberSwap Elastic vulnerability was a KyberSwap-specific divergence, not an upstream Uniswap V3 bug. No specific unpatched upstream vulnerability confirmed.
RD-F-128 green Upstream vulnerability disclosure (last 90d) No public vulnerability disclosure from Uniswap for V2/V3/V4 core AMM in last 90 days (Feb–May 2026). No active GHSA for Uniswap v2-core, v3-core, or v4-core affecting the operative period. Uniswap V4 passed 9 audits + $2.35M security competition.
RD-F-130 green Fork depth (generations from original audit) V2: depth 1 (direct fork of Uniswap V2). V3: depth 1 (direct fork of Uniswap V3). V4: depth 1 (direct fork of Uniswap V4). Operative V2 is depth 1. No intermediate fork layer — all are direct Uniswap forks.
RD-F-133 green Dependency manifest uses unpinned versions V3: OZ 3.4.1-solc-0.7-2 pinned exact; V4: OZ 5.5.0 pinned via postinstall, solmate pinned to specific commit SHA (89365b8...), forge-std v1.12.0 tagged. Security-critical libs are pinned. Hardhat uses caret ranges but is a dev tool.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release GHSA advisory for OZ 3.4.1, OZ 5.5.0, solmate (specific commit 89365b8), or forge-std v1.12.0 in trailing 90 days (Feb–May 2026). Well-maintained, widely-used libraries with active security monitoring.
RD-F-135 green Shared-library version with known-vuln status V3: OZ 3.4.1-solc-0.7-2 — legacy but no active high/critical GHSA for ERC-20/SafeMath components used in AMM pairs. V4: OZ 5.5.0 — recent version, no active high-severity GHSA. Solmate at specific commit — no known active CVE.
Post-deploy hygiene & change mgmt Yellow 22 13 of 13
RD-F-139 red Post-audit code changes without re-audit Multiple deployed versions with no public audit evidence: V2 router/factory (Dec 2021) — no public audit found; V3 suite (Jun 2023) — no public audit found (V3 launch announcement makes no audit mention); Smart Router Sep 2024 upgrade to TJ4NNy8xZEqsowCBhLvZ45LCqPdGjkET5j — no audit mention; V4 launch Mar 2026 — no public audit found (sunswap-v4-core repo has no audits/ directory). Only publicly accessible audit: SlowMist 2020 for V1/JustSwap. Sunswap.com claims 'multiple security audits by SlowMist, CertiK, and Hacken' but no V2/V3/V4 reports publicly accessible at any firm URL, GitHub, or protocol docs directory. Data cache confirms single unspecified audit entry.
RD-F-145 yellow Deployed bytecode reproducibility Source code publicly available on GitHub (sun-protocol org). V3 uses Hardhat+Solidity (OZ 3.4.1-solc-0.7-2); V4 uses Hardhat+Foundry with Solidity 0.8.26. No CI/CD build artifacts or deterministic build verification confirmed. TRON-substrate bytecode verification is less standardized than EVM. Theoretically reproducible but not confirmed in practice.
RD-F-168 yellow Stale-approval exposure on deprecated router Smart Router has deprecated prior addresses (docs.sun.io lists deprecated router addresses). September 2024 upgrade created a fresh deprecated surface (prior router address). Users who approved prior routers still have active unlimited approvals. No explicit revoke notice found in sunio.zendesk.com announcements. This is a post-deploy hygiene failure: protocol did not publish a revoke-notice or emit off-ramp events for deprecated router approvals.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant SUNSwap is not a bridge (F185 primarily targets bridges). V4 CLPoolManagerOwner provides a pausePoolManager() capability as positive mitigant — immediately callable by owner/pauser with no delay. TRON chain has super representative governance capable of emergency chain actions. No per-window rate-limiter on swap outflows exists (not applicable as DEX vs bridge). Partial positive mitigant: V4 pause exists; no bridge-style rate-limiter.
RD-F-136 gray Deployed bytecode matches signed release tag TRON-native; Etherscan-style bytecode verification unavailable. V3 Factory has verify_status:2 on tronscan (consistent with GitHub source). V4 PoolManager unverified on tronscan. No signed release tags found on GitHub repos. Last commit date 2026-03-04 (sunswap-v3-contracts). Cannot confirm bytecode-to-commit correspondence without tronscan-specific bytecode comparison tool.
RD-F-140 gray Fix-merged-but-not-deployed gap No specific vulnerability fix PRs merged to GitHub repos but not deployed could be identified. GitHub repos have no public issue tracker security-patch commits visible in accessible listings. Cannot confirm absence of fix-merged-but-not-deployed gap without full commit history review.
RD-F-142 n/a Storage-layout collision risk across upgrades V1/V2/V3 factories and pool contracts are immutable (no proxy, no upgrade path). V4 PoolManager also appears non-upgradeable (NoDelegateCall.sol prevents delegatecall). No upgrade path exists, so storage layout collision risk is not applicable by construction.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) V1/V2/V3 factories use constructor pattern (not initializer); no proxy. V4 PoolManager has no proxy pattern; no initialize() function; NoDelegateCall.sol actively prevents delegatecall. _disableInitializers() is not needed and not applicable by construction across all versions.
RD-F-137 green Upgrade frequency (per 90 days) V1/V2/V3 core factories are immutable (no proxy, no upgrade events). V4 core contracts also immutable. Smart Router upgrade Sep 2024 = 1 upgrade outside trailing 90d window. V4 launch Mar 2026 = new deployment, not upgrade. No upgrades in trailing 90 days identified.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No hot-patch deploys in last 30 days identified. V4 launched 2026-03-02 (76 days before assessment date 2026-05-17, outside 30-day window). Smart Router last upgraded Sep 2024. No announcements of contract changes in last 30 days found via search of sunio.zendesk.com and news sources.
RD-F-141 green Test-mode parameters in deploy V3 factory: standard Uniswap V3 fork; constructor sets owner=msg.sender (production pattern); fee tier mappings are standard production values (500/10, etc.). V4 PoolManager: singleton pattern; no test-mode flag visible in contract structure. No evidence of test-mode parameters in deployed contracts from GitHub source review.
RD-F-144 green CREATE2 factory permits same-address redeploy No custom permissionless CREATE2 factory identified. V3 pool deployment uses UniswapV3PoolDeployer.sol (controlled by factory, not permissionless). V4 uses singleton PoolManager — pools are not separately deployed. No CREATE2 redeploy vulnerability surface identified.
RD-F-146 green New contract deploys in last 30 days V4 launched 2026-03-02 (76 days before assessment date 2026-05-17, outside 30-day window). No new contract deployments in last 30 days identified via search and announcement review of sunio.zendesk.com and news sources.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false. No LayerZero OApp detected (pipeline layerzero.present=false). SUNSwap V1/V2/V3/V4 operate exclusively on TRON mainnet.
RD-F-148 n/a Bridge validator count (M) TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-149 n/a Bridge validator threshold (k-of-M) TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-150 n/a Bridge validator co-hosting TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-152 n/a Bridge binds message to srcChainId TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-153 n/a Bridge tracks nonce-consumed mapping TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-154 n/a Default bytes32(0) acceptable as valid root TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-155 n/a Bridge validator-set rotation recency TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-156 n/a Bridge uses same key custody for >30% validators TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-157 n/a Bridge TVL per validator ratio TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) TRON-native DEX, no protocol-operated cross-chain bridge. Profile §7: has_bridge_surface=false, is_a_bridge=false. No LayerZero OApp (pipeline layerzero.present=false). RD-F-179 applies specifically to LayerZero OFT integrations; SUNSwap has none.
Threat intelligence & recon Yellow 42 8 of 8
RD-F-161 red Protocol-impersonator domain registered (typosquat) CONFIRMED. Washington State DFI issued a formal fraud alert confirming sswapap.vip as an advance-fee scam fraudulently impersonating the legitimate sunswap.com/sun.io DEX. A Washington resident accessed the platform at www.sswapap.vip and lost >$9,000. The scheme prevented withdrawals until a $50,000 additional deposit was made (undisclosed condition). DFI explicitly labels this as a fraudulent digital asset trading platform named SunSwap — impersonating the real protocol. A second related impersonator domain sswapep.vip is also named in protocol profile §10. The DFI alert represents a state-regulator-level confirmation of active brand impersonation. Per taxonomy F161 definition: a typosquat of the official domain is registered within last 90 days. Precise registration date not obtained (domain monitoring feed required); WA DFI alert confirms active exploitation which supersedes the 90-day window heuristic. Impersonation scheme includes social engineering (victims recruited via dating
RD-F-158 yellow Known-threat-actor cluster has touched protocol T-09 v1 signal (Cat 11). No confirmed Lazarus/DPRK-labeled TRON address interaction with SunSwap contracts. Justin Sun personal EVM wallet received 0.1 ETH unsolicited from Tornado Cash (Aug 2022 dust attack targeting 600+ wallets including Brian Armstrong and Jimmy Fallon — coordinated, involuntary). Aave temporarily blocked then reinstated Sun's account within 24h. ZERO voluntary mixer interaction confirmed. SEC civil action (Mar 2023 - settled March 2026) had ZERO OFAC/DPRK nexus; dismissed with prejudice. TRON network broadly is high-volume laundering venue (Chainalysis annual reports) but per U4/U22 adversary using DEX pools ≠ team contamination. Requires Chainalysis partner feed for definitive TRON-contract-level cluster assessment.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Class-level metric for similar DEX AMM protocols. USPD baseline reconnaissance window = 78 days (T-09 evidence). V4 PoolManager singleton (TVjuTE3V5bMVdpfNhid8kD2v35T2k1u1Br) launched 2026-03-02 — 76 days old as of 2026-05-17, placing it within the reconnaissance window for similar-class new-surface attacks. V4 hooks architecture (arbitrary external calls at swap lifecycle) introduces a new attack surface that reconnaissance actors would investigate. No confirmed active reconnaissance. Analytical annotation — not a live trigger. Yellow reflects elevated attention window for V4 new surface.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) TRON uses Energy model not gas; low-energy failing tx pattern is the TVM analogue of low-gas mempool probe but requires TronGrid event subscription. V4 PoolManager singleton (launched 2026-03-02, 76 days old) is a credible reconnaissance target. No probe pattern detected in public sources.
RD-F-162 gray Known-exploit-template selector deployed by any address V4 hooks allow arbitrary external calls; Uniswap-V4-style reentrancy attack templates are a known threat class (Zealynx Security finding). No confirmed exploit-template contract targeting SunSwap detected. Requires TRON on-chain deploy scan and exploit-template DB for TVM bytecode patterns — not yet implemented.
RD-F-164 gray Leaked credential on paste/sentry site No credential leak for sunswap/sun.io infra detected in publicly available sources. Absence of a bug bounty program (not found on Immunefi, HackerOne, Bugcrowd per profile §9) may mean credentials/vulnerabilities leak to paste sites without whitehat incentive to report. Requires paste-site/Sentry credential-dump feed subscription not accessible via web search alone.
RD-F-165 gray Protocol social channel has scam-coordinator flag sswapap.vip fraud scheme recruits victims via external social channels (dating websites per DFI alert) — indirect but related to social channel scam-coordinator pattern. No specific protocol-adjacent Telegram/Discord admin flagged on curator scam-coordinator watchlist in public sources. Requires curator social watchlist and manual monitoring of SunSwap community channels.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No malicious-dependency advisory flagging sun-protocol deps detected as of 2026-05-17. V4 uses Solidity 0.8.26 with hardhat/foundry; V2/V3 use OZ 3.4.1-solc-0.7-era; sun-dao-contracts use Vyper. No GitHub Security Advisory for sunswap-v4-core or sun-dao-contracts found in available public sources. Low-to-medium confidence — requires GitHub API advisory subscription for production monitoring.
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) V2/V3 use Solidity 0.7.6 (EOL/legacy; only Low-severity DirtyBytesArrayToStorage bug active). V4 uses 0.8.26 (current; one Low-severity bug). Vyper 0.2.8 and 0.3.10 — both outside July-2023 reentrancy range (0.2.15–0.3.0). Yellow due to EOL solc 0.7.x on V2/V3 operative surfaces.
RD-F-174 yellow Dependency tree uses EOL Solidity version V2/V3 operative contracts (~$352M combined TVL) compiled on Solidity 0.7.6 which is EOL (last 0.7.x release 2021; all security work in 0.8.x+). V4 uses 0.8.26 (current). No forward-compatibility migration of V2/V3 to 0.8.x has been made.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation V2: high bytecode similarity to Uniswap V2 with TRON-substrate adaptations; mutex lock pattern preserved as in upstream. V4: 6 TRON-specific additions are deliberate extensions, not AI-copy deviations (state-mutation reorderings). No AI-copy risk pattern identified.
RD-F-172 green Repo shows AI-tool co-authorship in critical files Recent 20 commits across V4 core and V2 repos show no AI co-authorship. All commits by Leon.Zhang, Will Guan, parson.hu (tron.network emails). No Co-authored-by: Copilot or similar AI-tool trailers found.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure from the SUN.io/sunswap team (blog, @OfficialSUNio Twitter/X, or docs) indicating AI-generated Solidity in security-critical paths. Commit authors are tron.network domain, consistent with internal team workflow.
Response & disclosure hygiene Red 50 4 of 4
RD-F-175 red Disclosure channel exists No active bug bounty program on Immunefi, HackerOne, or Bugcrowd confirmed for SUNSwap / sun.io / sun protocol as of 2026-05-17. Data cache bug_bounty.platform=null, bug_bounty.url=null. No SECURITY.md in any sun-protocol GitHub repository (data cache github.security_md_present=false; GitHub security page for sunswap-finance/sunswap-core confirms no SECURITY.md). sunswap.com/docs and docs.sun.io both return 403. No security.txt found. Confirmed absence of any public disclosure channel on a ~$403M multi-version DEX with V4 hooks surface 76 days old.
RD-F-176 red Disclosure SLA public No acknowledgment-time SLA published in any accessible primary source. No Immunefi program (which would carry SLA). sunswap.com/docs and docs.sun.io both return 403. No governance forum post references a disclosure policy or SLA. The absence of a disclosure channel (F175 red) is the structural prerequisite; no secondary SLA evidence exists independently. A protocol with no disclosure channel has no SLA by definition.
RD-F-177 green Prior known-ignored disclosure No prior exploits on record means no opportunity for an ignored disclosure in the context of a subsequent exploit. No post-mortems exist referencing a prior disclosure. No third-party reporting of a disclosure that was ignored before an exploit. Clean record on this factor.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory found against SUNSwap / sun.io / JustSwap. No exploit has occurred that would typically trigger an advisory issuance. GitHub Security Advisory search for sun-protocol org found no advisories. General search for 'sunswap CVE' / 'sunswap GHSA' returned no results.
rubric_version v1.7.0 graded_at 2026-05-17 18:25:49 factors 184 protocol sunswap