Static-analyzer high-severity count
Assessment of Sushi (SushiSwap: v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap) for RD-F-010: scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No Slither, Mythril, or Semgrep run results were found in published analysis of SushiSwap's deployed contracts. The data-cache static_analysis field is empty ([]). The RouteProcessor2 exploit root cause (arbitrary .call with user-controlled target + token approval drain) would be detectable by Slither's 'arbitrary-send-eth' detector. No pre-deploy static analysis output was published or discovered. A tool run is required for a definitive count.
Sources
- Internal: 00-data-cache.json — static_analysis section. data-cache static_analysis: [] (empty). Retrieved 2026-05-17.
- SolidityScan SushiSwap Hack Analysis. SolidityScan RP2 exploit analysis — arbitrary call exploit; confirms Slither-detectable pattern was not caught pre-deploy. Retrieved 2026-05-17.
Methodology
Count the number of unique high-severity detector findings from Slither + Mythril + Semgrep run against the deployed verified source (after deduplication across tools).