Symbiotic

Permissionless EVM shared-security primitive providing modular restaking infrastructure. Core components: Vaults (hold restaked collateral), Operators (infrastructure providers), Networks (consumer protocols setting their own slashing), Resolvers (slashing veto arbiters), Delegators (collateral allocation managers). Core contracts are non-upgradeable on Ethereum. EigenLayer direct competitor; distinguishes by permissionlessness, any-ERC-20 collateral, and immutable core design.

Sector lrt

TVL $472.0M

Reviewed May 16, 2026

Factors 184

Categories 13

Risk score 14.7

DeploymentsEthereum · —

Risk profile at a glance

0 red · 3 yellow · 9 green

25 24 17 13 15 22 16 10 13 12 8 5 4

Categories & evidence

184 factors · 13 categories

Code & audits Green 18 25 of 25

RD-F-003 green Resolved-without-proof findings ChainSecurity states only minor issues uncovered and security is high. Certora FV confirms implementation adheres to formal specifications. No public evidence of any finding marked Resolved that cannot be verified on-chain. Immutable contracts mean the deployed bytecode is the final state - any resolution is embedded at deploy.

RD-F-004 green Audit count Six distinct audit firm engagements on the core repo: Statemind, ChainSecurity, Zellic, OtterSec, Certora (with FV), and Cantina code competition ($120K prize pool). Two additional firm engagements (Statemind and ChainSecurity) on the DefaultCollateral repo. Total 8 firm-engagements across two repos. Exceptionally strong audit breadth.

RD-F-007 green Bug bounty presence & max payout Active Immunefi bug bounty program live since February 21 2025. Maximum payout $500,000 USD. Payment in USDT on Ethereum. Reward structure: 10% of funds directly affected up to $500K hard cap. Five contracts confirmed in scope: OperatorRegistry (0xAd817a), OperatorNetworkOptInService (0x7133), OperatorVaultOptInService (0xb361), NetworkRegistry (0xC773), NetworkMiddlewareService (0xD7dC).

RD-F-008 green Ignored bounty disclosure No incidents in hack database. No Rekt incidents. No post-mortem evidence of any prior disclosed vulnerability being ignored before exploit. Protocol is incident-free as of assessment date. Absence of evidence is not evidence of absence, but no contrary signal found.

RD-F-024 green Code complexity vs audit coverage Six independent firms audited the core repo plus Certora formal verification. The total audit coverage breadth (5 manual firms + 1 code competition + FV) is extremely strong. No audit firm flagged code complexity as a concern or insufficient coverage. ChainSecurity found only minor issues; Certora FV passed all specified invariants.

Governance & admin Yellow 22 24 of 24

RD-F-032 red Timelock duration on upgrades No TimelockController or equivalent deployed for Symbiotic core protocol. Factory whitelist/blacklist changes execute immediately via Safe majority. Data cache confirms governance.timelock_address=null. The immutable-core design explicitly omits timelocks — new implementations can be whitelisted with no delay. RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action type. Factory whitelist (implementation addition) is immediately executable by Safe owner. DefaultCollateral limitIncreaser increaseLimit() executes immediately. No mint/pause/rescue/setOracle/upgrade are timelocked. The protocol has no TimelockController. RD-F-026 gray Upgrade multisig signer configuration (M/N) Gnosis Safe 0x815eD3e4c7660ce138bc44ad7e638f23a50aec5b controls factory owner role. Threshold and owners not publicly disclosed. Safe created 2025-09-09, 4 exec transactions total. No Safe API data returned (cache safe_multisigs=[]). Cannot confirm M/N configuration. RD-F-028 gray Low-threshold multisig vs TVL Gnosis Safe 0x815eD3e4 controls VaultFactory/DelegatorFactory/SlasherFactory implementation whitelist. At $472M TVS, opaque governance of the implementation whitelist is material. Safe threshold and owners not publicly disclosed; Safe was created 2025-09-09 and has only 4 exec transactions. Cannot assess against peer-norm threshold for $472M TVS. RD-F-029 gray Multisig signers co-hosted Safe signers unknown — no public disclosure of signer identities or infrastructure. Cannot assess co-hosting. Protocol does not publish signer roster for the factory owner Safe. RD-F-030 gray Hot-wallet signer flag Signer identities undisclosed for Safe 0x815eD3e4. Cannot assess hot-wallet behavioral pattern. Data cache safe_multisigs=[] confirms Safe API returned no signer data. RD-F-034 n/a Guardian/pause-keeper distinct from upgrader No pause mechanism exists at the core protocol layer. OperatorRegistry and NetworkRegistry are permissionless with no pause function. DefaultCollateral has no pause. Vault-level pause is a per-vault curator option (user-deployed, not protocol-controlled). Guardian/pauser role distinction is not applicable to this architecture. RD-F-035 n/a Role separation: upgrade ≠ fee ≠ oracle No upgrade role (core is immutable), no fee role (no protocol fee in current design), no oracle role (no oracle in core layer). Role separation among upgrade/fee/oracle is not applicable to Symbiotic's immutable permissionless architecture. RD-F-036 n/a Flash-loanable voting weight No on-chain governor exists. SYMBIOTIC token (TGE Nov 2024) has no confirmed governance contract consuming voting power. No Snapshot space, Tally, or Aragon governance identified. Flash-loan voting attack surface is structurally zero. RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain governance. No quorum threshold to assess. Not applicable by construction. RD-F-038 n/a Proposal execution delay < 24h No governance proposal system. No voting delay or period. Not applicable. RD-F-039 n/a delegatecall/call in proposal execution without allowlist No governance executor contract. No proposal execution pathway. delegatecall/call in proposal execution is not applicable to a protocol with no on-chain governance. RD-F-040 n/a Emergency-veto multisig present No governance system to veto. VetoSlasher pattern gives vault resolvers veto over individual slashing events (not protocol-level governance). No cancel/guardian mechanism over factories. Not applicable to immutable-core design. RD-F-041 n/a Rescue/emergencyWithdraw without timelock No rescue, emergencyWithdraw, sweep, skim, or equivalent function found in OperatorRegistry, NetworkOptInService, DefaultCollateralFactory, DefaultCollateral instances, or Vault contracts. Core is non-upgradeable; no such function pathway exists at protocol level. RD-F-042 n/a Admin has mint() with unlimited max No protocol-level admin mint function. DefaultCollateral uses _mint() internally on user deposit (ERC-4626 pattern) — not admin-callable. No protocol token with admin-controlled unlimited mint. SYMBIOTIC token has a 1B cap and is not used in protocol operations. RD-F-045 n/a Constructor args match governance proposal No governance proposal mechanism for Symbiotic core deploys. Permissionless deploy — no DAO authorized the deployment via proposal. Immutable core: no upgrade proposals to compare constructor args against. Not applicable to this governance architecture. RD-F-047 gray Governance token concentration (Gini) No on-chain governance consuming SYMBIOTIC token voting power identified. SYMBIOTIC token exists (TGE Nov 2024, 1B supply) but no governor contract consuming it was found. Gini of holder distribution is not load-bearing for protocol risk since there is no on-chain governance.

RD-F-025 green Admin key custody type Core registries (OperatorRegistry, NetworkRegistry) are permissionless with no admin. Factory contracts (VaultFactory, DelegatorFactory, SlasherFactory) are owned by a Gnosis Safe. DefaultCollateral limitIncreaser role is mutable but undisclosed. Classification: partial multisig — factory layer only; registries are fully immutable/permissionless.

RD-F-027 green Single admin EOA No core function is held by a single EOA. Factory ownership transferred from deployer EOA 0x9AbC5492 to Gnosis Safe 0x815eD3e4c7660ce138bc44ad7e638f23a50aec5b. OperatorRegistry and NetworkRegistry are permissionless with no admin at all. Admin EOA pattern is absent.

RD-F-031 green Signer rotation recency Safe 0x815eD3e4 was created 2025-09-09. Only 4 exec transactions total, no threshold-reduction event observed in any of the 4 transactions. No signer rotation or threshold change detected within 14 days of factory ownership transfer.

RD-F-043 green Admin = deployer EOA after 7 days Deployer EOA 0x9AbC5492 transferred factory ownership to Safe 0x815eD3e4c7660ce138bc44ad7e638f23a50aec5b per on-chain transaction history. Ownership transfer transactions explicitly listed in deployer tx history. OperatorRegistry and NetworkRegistry have no transferable admin to begin with. Current admin is Safe, not deployer EOA.

RD-F-044 green Admin wallet interacts with flagged addresses Factory owner Safe 0x815eD3e4 was funded via Safe Proxy Factory (contract-to-contract). Deployer EOA 0x9AbC5492 received funding from Binance (not a mixer). No OFAC-listed, mixer-deposit, or rug-deployer address interaction identified in available on-chain history.

RD-F-046 green Contract unverified on Etherscan/Sourcify All assessed core contracts verified on Etherscan with Exact Match status: OperatorRegistry (0xAd817a6B...), NetworkOptInService (0x7133415b...), DefaultCollateralFactory (0x1BC8FCFb...), DC_wstETH (0xC3294004...), DC_rETH (0x03Bf48b8...), DC_wBETH (0x422F5acC...). No unverified core contract found.

RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated surfaces identified. Symbiotic's immutable core design means no v1-to-v2 migration has occurred for core contracts. DefaultCollateral Migrator (0x8f152feaa99eb6656f902e94bd4e7bcf563d4a43) is a migration helper for collateral, not a deprecated surface with retained admin pause. Protocol is original with no prior-version architecture.

Oracle & external dependencies Yellow 33 17 of 17

RD-F-050 yellow Dependency graph (protocols depended upon) Dependency graph: Symbiotic holds ERC-20 collateral issued by external LST protocols (wstETH/Lido dominant, cbETH/Coinbase, rETH/RocketPool, wBETH/Binance, sUSDe/Ethena). wstETH_Burner.sol calls Lido WITHDRAWAL_QUEUE for ETH settlement of slashed wstETH. Failure of Lido (or any LST issuer) impairs the corresponding collateral pool at face value — no repricing or halt mechanism exists. Lido withdrawal queue disruption delays settlement but does not block vault accounting. This is a non-redundant critical dependency with no fallback repricing mechanism. Yellow (not red) because no documented prior failure of these specific dependencies has occurred. RD-F-052 yellow Breakage analysis per dependency Breakage analysis documented. wstETH failure (Lido exploit or halt): vault balances in wstETH become impaired; slashing continues in degraded-value units; no protocol-halt or repricing. Lido withdrawal queue failure: delays slashed-ETH settlement via wstETH_Burner only; vault accounting unaffected. cbETH/rETH/wBETH/sUSDe LST failures: analogous to wstETH, proportional to their vault share. Consumer networks/resolvers failing: affects their security guarantees, not core vault accounting. Yellow because no documented prior failure event for a critical dep, but breakage analysis shows no mitigation mechanism. RD-F-048 n/a Oracle providers used Symbiotic core holds all collateral at nominal ERC-20 balance with no oracle provider. Source inspection of Vault.sol, DefaultCollateral.sol, Slasher.sol confirms zero oracle imports (no AggregatorV3Interface, Pyth, or DEX price feed). Data-cache oracle field = null. Protocol type = restaking primitive, not a lending protocol requiring per-asset oracle pricing. RD-F-049 n/a Oracle role per asset No oracle role mapping (primary/secondary/fallback) exists because Symbiotic uses no oracle for any asset. Collateral is tracked at nominal ERC-20 unit denomination exclusively. Confirmed by source inspection of all core contracts. RD-F-051 n/a Fallback behavior on oracle failure No oracle is used, so oracle fallback behavior is not applicable. There is no try/catch or stale-check oracle logic in any core contract. If a collateral ERC-20 issuer fails, no protocol-level fallback triggers — this is by design for the restaking primitive model. RD-F-053 n/a Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — NOT_APPLICABLE] Symbiotic core does not use any DEX pool as a price oracle. No slot0(), getReserves(), consult(), or observe() call found in any core contract. Collateral is tracked at nominal ERC-20 balance. Verified across Vault.sol, DefaultCollateral.sol, Slasher.sol, VetoSlasher.sol, BaseSlasher.sol, FullRestakeDelegator.sol. No spot-DEX oracle risk present in the core primitive. RD-F-054 n/a TWAP window duration Protocol does not use TWAP oracles. Not applicable. RD-F-055 n/a Oracle pool depth (USD) Protocol does not use DEX pool oracle. Oracle pool depth not applicable. RD-F-056 n/a Single-pool oracle (no medianization) No single-pool oracle or medianization question applies — protocol uses no DEX oracle. RD-F-057 n/a Circuit breaker on price deviation No oracle feed to circuit-break against. Not applicable. RD-F-058 n/a Max-deviation threshold (bps) No circuit breaker (no oracle). Not applicable. RD-F-059 n/a Oracle staleness check present No oracle read to check for staleness. Not applicable. RD-F-060 n/a Chainlink aggregator min/max bound misconfig Symbiotic does not consume any Chainlink feed. The oracle_feeds[] in the data cache are Etherscan scanner network-level associations, not Symbiotic protocol deployments. Source inspection confirms no AggregatorV3Interface import in any core contract. RD-F-061 n/a LP token balanceOf used for pricing No LP token pricing in core. ERC-20 balanceOf is called for quantity tracking (how many tokens are staked), not price computation. No donation-manipulable pricing path exists. RD-F-062 n/a External keeper/relayer not redundant Symbiotic core does not depend on a keeper or relayer for vault/slashing operations. No Gelato, Chainlink Automation, or custom keeper import in Vault.sol, Slasher.sol, or FullRestakeDelegator.sol. Consumer networks may use keepers for their own operations, but that is outside the core primitive scope. RD-F-180 n/a Immutable oracle address [★ CANDIDATE PD-017 — NOT_APPLICABLE] No oracle address variable exists in any Symbiotic core contract, whether declared immutable or otherwise. The replaceability question is structurally moot: there is no oracle address to replace. Verified across Vault.sol, DefaultCollateral.sol, VetoSlasher.sol, BaseSlasher.sol — all confirmed oracle-address-free. Consumer networks that embed their own immutable oracle addresses face this risk independently; Symbiotic primitive does not. PD-017 note: factor evaluated as instructed per orchestrator scope; not_applicable is the correct disposition. RD-F-181 n/a Permissionless-pool lending oracle Symbiotic is a restaking primitive, not a lending protocol. F181 (permissionless-pool lending oracle acceptance) is structurally inapplicable: no lending market, no oracle-venue acceptance logic, no borrow mechanism. coverage_flags.lending_protocol = false.

Economic risk Yellow 33 13 of 13

Operational history Green 13 15 of 15

RD-F-089 red Insurance coverage active No active insurance coverage protecting Symbiotic depositors found at $472M TVL. The Nexus Mutual / Symbiotic partnership (November 2025) is a capital-infrastructure arrangement where Symbiotic Vaults provide underwriting capital TO Nexus Mutual — not coverage on Symbiotic. Nexus Mutual's '20+ New Cover Listings' blog post does not list Symbiotic as a covered protocol. No Sherlock trailing-coverage program for Symbiotic found. Data cache bug_bounty.platform = null (no insurance integration in pipeline). The restaking-primitive category structurally lacks proportional cover at this TVL scale — no provider currently offers sufficient-scale smart-contract cover for restaking middleware at $472M. RD-F-081 gray Post-exploit response score No prior incidents exist. Methodology: gray = no prior exploits (N/A). Post-exploit response score cannot be assessed without an incident. RD-F-082 gray Post-mortem published within 30 days No prior incidents exist. Methodology: gray = no prior incidents (N/A). Post-mortem publication timeliness cannot be assessed without an incident. RD-F-083 gray Auditor re-engaged after last exploit No prior incidents exist. Methodology: gray = no prior exploits (N/A). Auditor re-engagement post-incident cannot be assessed without an incident. RD-F-085 gray Incident response time (minutes) No prior incidents exist. Methodology: gray = no prior incidents (N/A). Incident response time cannot be measured without an incident. RD-F-086 gray Pause activations (trailing 12 months) Symbiotic's core contracts are immutable and non-upgradeable by design. No protocol-level pause mechanism exists. Paradigm post confirms: 'Symbiotic will never have a central multisig, slashing committee, or other permissioning mechanisms.' Individual vault curators may have vault-level pause, but no global Paused/Unpaused event exists at the core protocol layer. Methodology: gray = protocol has no pause mechanism. RD-F-087 gray Pause > 7 consecutive days No protocol-level pause mechanism exists in Symbiotic's immutable core design. No Paused/Unpaused events can fire at the core layer. Methodology: gray = no pause events in last 12 months (architecture-level N/A for protocols with no pause capability). RD-F-166 n/a Deprecated contracts still holding value No officially-deprecated contracts identified. Symbiotic's immutable-core design means contracts cannot be upgraded or deprecated in the traditional sense — all deployed contracts remain live by construction. Two deployment phases (June 2024 DefaultCollateral, January 2025 core) are both live and intended to remain so indefinitely. No protocol announcement of any deprecated surface found in docs, blog, or GitHub. The threshold condition (deprecated contracts holding > $100K) is structurally not met for a protocol with no sunset surface.

RD-F-076 green Protocol age (days) Protocol age 705 days from earliest mainnet deploy (2024-06-11 DefaultCollateral Phase 1) to assessment date (2026-05-16). Full-slashing-enabled mainnet age 475 days (2025-01-28). Both counts exceed the 365-day green threshold. Data-cache first TVL entry ts=1718064000 (2024-06-11) confirms deploy date.

RD-F-077 green Prior exploit count Zero distinct Symbiotic-core incidents found. Searched: proprietary hacks DB (zero hits on case-insensitive grep 'symbiotic' across all ~190 files), Rekt News leaderboard (295 entries reviewed, Symbiotic absent), DefiLlama hacks API (cache.defillama.hacks = []), Rekt cache (cache.rekt.incidents = []), and OSINT web search. KelpDAO exploit (April 2026, $292M) is dependency-context only — root cause was KelpDAO's LayerZero 1-of-1 DVN configuration, not Symbiotic core contracts.

RD-F-078 green Chronic-exploit flag (≥3 incidents) Derived from F077 count = 0. Zero incidents, chronic flag false. Green = < 3 incidents.

RD-F-079 green Same-root-cause repeat exploit Zero incidents. No repeat root cause possible. Green = no repeat root cause.

RD-F-080 green Days since last exploit No incidents ever recorded. Per methodology: green = > 365 days or no incidents. Condition met.

RD-F-084 green TVL stability (CoV over 90d) 90-day trailing CoV = 0.123 (mean $449M, std $55M, sample_count=90, window 2026-02-17 to 2026-05-16 per data cache). Methodology: green = CoV < 0.15. Threshold met. Long-term context: TVL declined ~83% from $2.70B peak (Nov 2024) to current $472M, but the 90-day trailing window captures the post-peak stabilization phase where volatility is lower. Strict methodology applies trailing 90-day CoV.

RD-F-088 green Re-deployed to new addresses in last year No full redeployment of core contracts in the last 12 months. Phase 1 (DefaultCollateral contracts, June 2024) and Phase 2 (core registry contracts, January 2025) remain at original deployed addresses. Immutable core architecture makes redeployment structurally impossible for core contracts. No migration announcement found in docs, blog, or GitHub. Green = no full redeployment in last 12 months.

Real-time signals Green 7 22 of 22

RD-F-105 yellow DNS/CDN/frontend hash drift DNS/frontend drift signal is elevated due to confirmed historical X account compromise (Oct 4-7, 2024) by unknown threat actor who posted phishing links mimicking symbiotic.fi for 3+ days. Phishing domain ailocations-symbioticfi[.]com confirmed active and documented by security researchers. Protocol uses symbiotic.fi as primary frontend. No confirmed current DNS or JS-hash drift as of 2026-05-16, but: (1) historical compromise establishes threat-actor targeting interest; (2) active phishing domain remains live; (3) SYMBIOTIC token airdrop (TGE Nov 2024) sustains above-baseline impersonation activity. No public baseline JS hash published by protocol; change-management allowlist status unknown. RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation spike signal elevated. Confirmed: (1) @symbioticfi X account was compromised Oct 4-7 2024 by unknown threat actor who posted phishing links for 3+ days before recovery; (2) phishing domain ailocations-symbioticfi[.]com confirmed active mimicking symbiotic.fi; (3) SYMBIOTIC token TGE November 2024 created sustained scam-airdrop surface. Symbiotic is a Paradigm-backed high-profile restaking brand making it a persistent impersonation target. Historical X compromise confirms active threat-actor targeting interest. No single confirmed current real-time spike as of 2026-05-16 but background impersonation level is above protocol-peer baseline. RD-F-090 gray Mixer withdrawal → protocol interaction Mixer-to-protocol interaction signal requires live wallet clustering feed (Chainalysis/TRM). Symbiotic is a permissionless restaking primitive accepting any ERC-20 from any address, so mixer-funded wallets could in principle deposit. No specific confirmed mixer-to-Symbiotic interaction pattern found in public-proxy OSINT as of 2026-05-16. Signal is T-09 phase-2 and requires attribution feed not yet live. RD-F-096 gray New ERC-20 approval to unverified contract from whale New ERC-20 approval to unverified contract from high-TVL Symbiotic user cannot be assessed without live mempool and explorer monitoring. Symbiotic vaults hold wstETH, cbETH, wBETH, rETH, sUSDe. High-TVL users exist ($472M total). Signal requires real-time mempool monitoring pipeline not available in static assessment. RD-F-099 n/a Oracle price deviation >X% from secondary Symbiotic core contracts do not consume price oracles. Collateral is accepted at nominal ERC-20 balance, not at a USD oracle price. No Chainlink or DEX TWAP feed confirmed as a direct Symbiotic core dependency. Oracle deviation signal is structurally inapplicable. oracle_used_by_core = false per data cache and profile. RD-F-100 n/a Flash loan >$10M targeting protocol tokens Flash-loan signal fires when receiver contract interacts with protocol oracle, lending market, or governor in the same transaction. Symbiotic core has none of these: oracle_used_by_core = false, no lending market, governor_exists = false. No AMM or price-sensitive surface at the core layer. Signal's fire condition cannot be met architecturally. Vault-level flash-loan risk is user-deployed configuration, not assessed here. RD-F-101 n/a Large governance proposal queued No on-chain governor contract exists for Symbiotic. governor_exists = false, snapshot_space = null per profile and data cache. Core contracts are immutable. Signal requires ProposalCreated events on a tracked governor; no such contract is deployed. RD-F-102 gray Admin/upgrade transaction in mempool Core contracts are immutable — no upgrade path exists, so admin/upgrade tx targeting core is structurally impossible. Mutable surface (deposit-cap registry, collateral factory) does exist but the admin identity is not publicly disclosed (multisig_address: null, multisig_disclosed: false per profile). Cannot build the admin map required to monitor mempool for admin-role txs on the mutable surface. Signal would be dark for the mutable periphery even if pipeline were live. RD-F-103 n/a Bridge signer-set change proposed/executed Symbiotic is Ethereum-only with no bridge surface. has_bridge_surface = false, is_a_bridge = false, cross_chain = false per data cache and profile. Bridge signer-set change signal requires a bridge contract; none exists for this protocol. RD-F-106 n/a Cross-chain bridge unverified mint pattern Symbiotic is Ethereum-only with no cross-chain surface. cross_chain = false, has_bridge_surface = false. Cross-chain bridge tx pattern signal (unverified mint on destination chain) is structurally inapplicable. RD-F-107 gray Admin EOA signing from new geography/device Admin EOA signing from new geography requires known admin address and off-chain signing telemetry. Symbiotic's mutable admin identity is not publicly disclosed (multisig_address: null, multisig_disclosed: false). Core contracts are immutable — no admin EOA can modify them. Cannot assess without disclosed admin address and off-chain signing telemetry integration. RD-F-108 gray GitHub force-push to sensitive branch GitHub force-push to sensitive branch requires live GitHub API monitoring. Core contracts are immutable post-deploy, so a force-push would affect future code not deployed bytecode. No force-push anomaly found in public OSINT. Signal requires live GitHub event subscription not yet wired up. RD-F-110 n/a Unusual pending/executed proposal ratio No on-chain governor contract exists. governor_exists = false, snapshot_space = null. Pending-to-executed proposal ratio signal requires a governance contract producing ProposalCreated events; no such contract exists for Symbiotic. RD-F-182 n/a Security-Council threshold reduction (RT) Security-Council threshold reduction RT signal (batch-24, Cat 6B). Signal fires when a bridge or protocol Security Council multisig executes a threshold reduction or timelock removal. Symbiotic has no publicly disclosed Security Council multisig, no governor, no timelock (timelock_exists: false, governor_exists: false, multisig_address: null). Core contracts are immutable — no upgrade path, no threshold to reduce. The Drift Protocol attack vector that motivated F182 (3/5 to 2/5 Security Council change + timelock removal, 6 days before DPRK exploit) cannot replicate on Symbiotic's architecture. If governance-admin-analyst identifies a previously undisclosed Security Council structure on the mutable periphery, this assessment should be revisited.

RD-F-091 green Partial-drain test transactions No partial-drain test-transaction pattern detected for Symbiotic. Data cache confirms hacks array is empty (defillama.hacks = []). No prior exploit exists for Symbiotic core contracts, eliminating the historical basis for a precursor-pattern match. Protocol has been live since June 2024 with no incident record.

RD-F-092 green Unusual mempool pattern from deployer wallet Both deployer EOAs (0xb2cd39c30963f287f86e4298d1f497514fe15c0e for DefaultCollateral phase, 0x9AbC5492c462b855156cd3adc593ae6b3fda0702 for core contracts phase) completed their deploy sequences in June 2024 and January 2025 respectively. Core contracts are immutable post-deploy. No post-deploy unusual mempool pattern surfaced in public OSINT. Deployers cannot modify immutable core.

RD-F-093 green Abnormal gas-price willingness from attacker wallet No abnormal gas-price willingness pattern detected from attacker-labeled wallets interacting with Symbiotic contracts. No active exploit or MEV-race event. No incidents in data cache. Signal threshold (priority fee >=5x EMA from attacker wallet) is not breached as far as public-proxy assessment can determine.

RD-F-094 green New contract with similar bytecode to exploit template No similar-bytecode exploit-template deployment targeting Symbiotic core contracts detected. Symbiotic is an original design (not a fork); no prior exploit template exists to replicate. No incident history to generate a comparable template.

RD-F-095 green Known-exploit function-selector replay No known-exploit-replay selector pattern applicable. Symbiotic core has zero prior exploits; no exploit-template selector sequence exists to replay. Protocol is original design with 6 audit firms and Certora formal verification.

RD-F-097 green Sybil surge of identical-pattern transactions No sybil surge of identical-pattern transactions reported against Symbiotic. Permissionless restaking is not a typical sybil-attack target at the protocol level (immutable core contracts). No sybil pattern detected in public OSINT.

RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly signal threshold (TVL_now / TVL_30d_baseline < 0.70 in 60-min window) not breached. Current TVL $472M (2026-05-16). 30d change -5.18% (gradual decline, not a single-hour anomaly). 90-day CoV = 0.123 (moderate volatility from long-term decline from $2.7B peak Nov 2024). Data-cache daily TVL series shows no sharp single-session drop. Signal would not fire today.

RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal fires only when protocol exposure to a depegged stable is >=5% of TVL. Symbiotic's only stablecoin collateral is sUSDe (DefaultCollateral sUSDe at 0x19d0D8e6294B7a04a2733FE433444704B791939A). sUSDe share of $472M total TVL is estimated well below 5% based on collateral composition (wstETH is dominant). No active sUSDe depeg as of 2026-05-16. Signal suppression rule applies.

Dev identity & insider risk Green 5 16 of 16

RD-F-117 yellow ENS/NameStone identity bound to deployer No ENS reverse-record found for either deployer EOA (0x9AbC... or 0xb2cd...) via Etherscan address overview pages. No ENS name visible in address labels. Web search for symbiotic.eth or putyatin.eth returned no results. ENS binding absent. Mitigating factor: both founders are fully named/doxxed at real-name level, so ENS is a corroborative signal, not a substitute. Yellow rather than red given strong real-name identity. RD-F-123 yellow Sudden admin-rescue/ACL change without discussion CRITICAL STAR FACTOR. Core contracts are non-upgradeable (immutable bytecode) per Paradigm blog and Symbiotic design. GitHub commits review shows no admin-rescue or ACL changes in the core repo. The mutable surface is deposit-cap parameters on DefaultCollateral contracts (Phase 1). Cap increases (June 11 and July 3, 2024) were communicated via X/Twitter and media — publicly announced but via social media, not a structured governance forum or GitHub issue/PR discussion. No silent on-chain changes found. Yellow: informal announcement process rather than absence of announcement. RD-F-122 n/a Contributor paid to DPRK-cluster wallet Symbiotic is a VC-funded company ($5.8M seed + $29M Series A). No on-chain contributor payment streams identified. Payroll is off-chain per standard VC-funded startup structure. Cannot meaningfully assess 3-hop proximity for off-chain payroll recipients beyond the deployer EOAs (already assessed in F125). Consistent with process-learnings guidance: F122 is not_assessed for VC-funded companies with off-chain payroll unless on-chain payment streams exist. RD-F-184 gray Real-capital social-engineering persona No curator-flagged pattern of real-capital social-engineering persona identified for Symbiotic. No reports of a team contributor or external integrator accumulating >=1M USD in Symbiotic deposits to build credibility ahead of a social-engineering attack. Drift Protocol (April 2026 $285M DPRK exploit) is the reference comparator; no analogous pattern reported for Symbiotic in any searched source. Factor is manual-curation-only (M) at P1 priority; gray by design for protocols with no positive OSINT trigger.

RD-F-111 green Team doxx status Both co-founders fully named and doxxed: Misha Putyatin (CEO, Dubai) and Algys Ievlev (co-founder/Head of Audit, Dubai). Both named in Blockworks, CoinDesk, Paradigm blog, RootData, LinkedIn, and Crunchbase. Real-name level identity confirmed. Lead developer (GitHub: 1kresh) is pseudonymous with a consistent long-term handle but no legal name.

RD-F-112 green Team public accountability surface Putyatin named in 5+ major outlets with attributed quotes; RootData and X profile. Ievlev on LinkedIn (201 connections), Crunchbase, GitHub (Statemind and Symbiotic orgs). Both previously co-founded/led MixBytes (reputation-anchored blockchain audit firm). Series A press release includes Putyatin quotes to multiple outlets. Strong public accountability surface for both named founders.

RD-F-113 green Team other-protocol involvement history Putyatin: prior CEO MixBytes (reputable blockchain audit firm). Ievlev: prior CTO MixBytes, founder and Head of Audit Statemind (audited Lido, Curve, instadapp, Yearn, 1inch). No prior rug or exit-scam affiliation found for either founder. Prior history is exclusively in security/audit roles — a strongly positive signal. Statemind audited Symbiotic itself (noted as potential conflict; not an insider risk red flag).

RD-F-114 green Deployer address prior on-chain history Phase 2 deployer 0x9AbC...: 70 outgoing transactions visible on Etherscan — all consistent with protocol deployment (VaultFactory, OperatorRegistry, Safe proxy interactions). Phase 1 deployer 0xb2cd...: single outgoing transaction (DefaultCollateralFactory creation). Neither deployer shows prior rug-linked activity or anomalous pre-deploy on-chain history. Clean normal-dev-deployment profile for both.

RD-F-115 green Prior rug/exit-scam affiliation No prior rug or exit-scam affiliation found for any named Symbiotic team member. Web search for Symbiotic rug/exit-scam returned only generic educational content. Data cache rekt.incidents is empty. Founders' prior employers (MixBytes, Statemind) are still-operating audit firms with no rug history. No hacksdatabase match found.

RD-F-116 green Contributor tenure at admin-permissioned PR Lead contributor 1kresh has 483 commits to symbioticfi/core — extensive long-term contribution history consistent with a core team member. algys (co-founder Ievlev) shows 8 commits. Streator shows 38 commits. No evidence of a recent low-tenure contributor being granted admin merge permissions on sensitive ACL contracts. Commit distribution indicates stable, established contributor set.

RD-F-118 green Handle reuse across failed/rugged projects No evidence of any Symbiotic team handle (Twitter @symbioticfi, GitHub 1kresh, GitHub algys, Misha Putyatin, Algys Ievlev) being associated with a prior rugged or failed project under a different alias. Statemind and MixBytes are both still-operating audit firms with no rug/exit-scam record. Named founders' public identities trace back to security firms only.

RD-F-119 green Commit timezone consistent with stated geography GitHub profile 1kresh lists location as Dubai, UAE (GMT+4). Named founders Putyatin and Ievlev are publicly stated to live in Dubai (Blockworks: both studied in Moscow, now live in Dubai). Commit-hour distribution not directly computed, but timezone self-declaration is consistently stated across multiple independent sources and is corroborated by 1kresh's GitHub location field. No tz-anomaly flag found.

RD-F-120 green Video-off/voice-consistency flag No video-off or voice-inconsistency pattern identified. Misha Putyatin is quoted directly in CoinDesk, Blockworks, and Chainwire press releases for the Series A funding round. Quotes are attributed with full name and founder title. No curator note flagging interview anomalies. Ievlev has LinkedIn presence with endorsements. Pattern is consistent with a genuinely public-facing named founder pair.

RD-F-121 green Contributor OSINT depth score Putyatin: named in 5+ major publications, X/Twitter, RootData profile, quoted directly in multiple press releases. Ievlev: LinkedIn (201 connections), Crunchbase biography, GitHub dual-org member (Statemind + Symbiotic), Blockworks quote. Depth score ~4/5 — strong verifiable public trail for both named founders. Lead dev 1kresh is pseudonymous with consistent GitHub identity — partial OSINT depth, mitigated by named-founder accountability.

RD-F-124 green Deployer wallet mixer-funded within 30 days CRITICAL STAR FACTOR. Phase 2 deployer (0x9AbC...): funded by Binance 15 (0x21a31ee1afc51d94c2efccaa2092ad1028285549) — a labeled Binance exchange hot-wallet confirmed by Etherscan label and characteristics (25,051 ETH, 14.7M transactions). Funding occurred January 2025, within 30d of January 28 2025 deploy; CEX funding is clean, no mixer proximity. Phase 1 deployer (0xb2cd...): funded June 3 2024 (same day as deploy) by 0xBab4Ba70... — unlabeled single-purpose intermediate address; no Tornado Cash, Railgun, or mixer label found on Etherscan; no mixer interactions observed in deployer transaction history. 30-day window check: clean on both deployers.

RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus CRITICAL STAR FACTOR. Phase 2 deployer: 1-hop to Binance 15 (licensed CEX, non-sanctioned). Phase 1 deployer: 1-hop to unlabeled single-purpose wallet (no DPRK/Lazarus label); 2nd hop not resolvable via public Etherscan. No OFAC SDN listing found for any Symbiotic-associated address or named founder. Web search for Symbiotic DPRK/Lazarus/North Korea returned no relevant results. No Chainalysis or public cluster report links any Symbiotic address to DPRK. Note: Drift Protocol April 2026 DPRK attack used DeFi protocols as drain venues — this is attacker-use-of-protocol, not team-level contamination, and does not implicate Symbiotic team (per process-learnings U4 guidance).

Fork / dependency lineage Green 0 10 of 10

RD-F-126 n/a Is-a-fork-of Symbiotic is an original protocol, not a fork. GitHub metadata shows symbioticfi/core has no upstream fork relationship. Founders built from scratch. No bytecode similarity to Aave, Compound, or other major protocols documented. RD-F-127 n/a Upstream patch not merged Not a fork. No upstream protocol exists from which to inherit unmerged security patches. RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not a fork. No upstream protocol exists whose vulnerability disclosures would propagate to this codebase. RD-F-129 n/a Code divergence from upstream (%) Not a fork. No upstream baseline exists to compute code divergence against. RD-F-130 n/a Fork depth (generations from original audit) Not a fork. Fork depth = 0 by definition (original protocol). No fork-of-fork risk. RD-F-131 n/a Fork retains upstream audit coverage Not a fork. No upstream audit coverage to inherit or gap from. This factor measures whether a fork's audit delta is covered - inapplicable for an original protocol. RD-F-132 n/a Fork has different economic parameters than upstream Not a fork. No upstream economic parameters to diverge from. Symbiotic's parameters (vault collateral caps, slashing conditions, delegator allocation weights) are protocol-native, not inherited from an audited upstream.

RD-F-133 green Dependency manifest uses unpinned versions package.json pins @openzeppelin/contracts at exactly 5.0.2 and @openzeppelin/contracts-upgradeable at exactly 5.0.2. No range operators (^ or ~) used. This is the recommended practice for security-critical dependencies.

RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious npm package release incident found for @openzeppelin/contracts in trailing 90 days. OZ is a high-scrutiny, well-maintained library. No GitHub security advisory flagging malicious release for OZ 5.x in trailing 90 days.

RD-F-135 green Shared-library version with known-vuln status OpenZeppelin contracts 5.0.2 assessed by ReversingLabs Spectra: No known vulnerabilities detected. No CVE, GHSA, or NVD advisory found against OZ 5.0.2. OZ 5.0.0 was audited by OZ Security Research on October 3 2023; 5.0.2 is a patch release on that audited base.

Post-deploy hygiene & change mgmt Green 6 13 of 13

RD-F-136 yellow Deployed bytecode matches signed release tag Core contracts verified with Exact Match on Etherscan, implying bytecode matches submitted source. Full signed-git-tag verification not performed (binary diff not possible via WebFetch). 6-firm audit trail plus Cantina competition provides corroboration but independent reproducibility verification not confirmed within assessment window. RD-F-145 yellow Deployed bytecode reproducibility Etherscan Exact Match verification implies reproducibility from verified source + compiler settings (Solidity 0.8.25, viaIR=true per data cache). Independent rebuild not performed in this assessment window. Cantina competition + Certora FV provide corroboration. Partial evidence of reproducibility. RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Not applicable. Symbiotic is Ethereum-only with no bridge surface (cross_chain=false, is_a_bridge=false, layerzero.present=false per data cache). F185 is defined as bridge rate-limiter or chain-pause as positive mitigant — structurally inapplicable to a non-bridge protocol.

RD-F-137 green Upgrade frequency (per 90 days) Zero upgrades. Core contracts are non-upgradeable. No Upgraded events possible on OperatorRegistry, NetworkRegistry, or DefaultCollateral. Factory-whitelisted new implementations are additive new contracts, not upgrades to existing deployed contracts. 0 upgrades per 90d.

RD-F-138 green Hot-patch deploys without timelock (last 30 days) Zero hot-patches. Core contracts cannot be patched (immutable). No new core deployments in last 30 days identified. Deployer EOA last active ~109 days ago (not 30 days). No timelock-bypass upgrade possible on immutable contracts.

RD-F-139 green Post-audit code changes without re-audit Core contracts are non-upgradeable. No code changes to the deployed bytecode of OperatorRegistry, NetworkRegistry, or DefaultCollateral are structurally possible. 6 audits cover the deployed codebase; full mainnet launch Jan 2025 post-audit. Any new vault implementation whitelisted by factory is a new contract requiring its own audit process, not a modification of existing audited bytecode.

RD-F-140 green Fix-merged-but-not-deployed gap Immutable core eliminates fix-merged-but-not-deployed gap. Any fix to OperatorRegistry, NetworkRegistry, or DefaultCollateral would require a new contract deployment (not a patch to existing bytecode). No gap between repo and deployed state is possible for the non-upgradeable contracts.

RD-F-141 green Test-mode parameters in deploy OperatorRegistry source shows no test-mode flags. DefaultCollateral deployed with functional limit values (not infinite or zero) and limitIncreaser set to a real address (not address(0)). No test-oracle, infinite-allowance, or admin=deployer pattern remains. Deployer ownership was transferred to Safe.

RD-F-142 green Storage-layout collision risk across upgrades Core contracts (OperatorRegistry, NetworkRegistry, DefaultCollateral) are non-upgradeable — storage layout collision is structurally impossible. For MigratablesFactory-managed vaults using migration pattern, factory owner controls whitelisted implementations; storage layout compatibility is the factory owner's responsibility. No storage collision flagged in any of the 6 audits.

RD-F-143 green Reinitializable implementation (no _disableInitializers) MigratableEntity.sol (parent of Vault, Delegator, Slasher implementations) explicitly calls _disableInitializers() in its constructor. DefaultCollateral.sol calls _disableInitializers() in its constructor. Confirmed from GitHub raw source. Proxy takeover via re-initialization is blocked by construction for all core contract types.

RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory redeploy-to-same-address pattern identified in core contracts. OperatorRegistry and NetworkRegistry are standard contracts (not CREATE2). DefaultCollateralFactory uses ERC1167 clone pattern (ERC1167FailedCreateClone error confirms minimal proxy cloning), not CREATE2 with salt reuse.

RD-F-146 green New contract deploys in last 30 days Core deployer EOA 0x9AbC5492 last active ~109 days ago. No new core protocol contract deployments detected in trailing 30 days. Individual vault deployments by vault curators (user-deployed) are separate from protocol-controlled deploys and not counted here.

RD-F-168 green Stale-approval exposure on deprecated router No deprecated router or contract surface identified. DefaultCollateral Migrator (0x8f152feaa99...) is an active migration helper, not a deprecated contract. Protocol is original with no v1-era deprecated router surface. No stale user approvals to deprecated contracts identified.

Cross-chain & bridge Gray 0 12 of 12

RD-F-147 n/a Protocol has bridge surface Symbiotic is Ethereum-only with no bridge surface. Profile meta.json: has_bridge_surface = false, is_a_bridge = false, cross_chain = false. Data-cache: layerzero.present = false, layerzero_bridge = false. Chain breakdown: ethereum 1.0 (100%). RD-F-148 n/a Bridge validator count (M) No bridge — no validator count applicable. RD-F-149 n/a Bridge validator threshold (k-of-M) No bridge — no threshold applicable. RD-F-150 n/a Bridge validator co-hosting No bridge — no co-hosting analysis applicable. RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — NOT_APPLICABLE] No bridge surface, no ecrecover in bridge context. Symbiotic is Ethereum-only with no cross-chain message verification code path. RD-F-152 n/a Bridge binds message to srcChainId No bridge — no srcChainId binding applicable. RD-F-153 n/a Bridge tracks nonce-consumed mapping No bridge — no nonce-consumed mapping applicable. RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL — NOT_APPLICABLE] No bridge surface, no Merkle root acceptance logic. Nomad-class bytes32(0) vulnerability not applicable to Symbiotic core. RD-F-155 n/a Bridge validator-set rotation recency No bridge — no validator set rotation applicable. RD-F-156 n/a Bridge uses same key custody for >30% validators No bridge — no key custody analysis applicable. RD-F-157 n/a Bridge TVL per validator ratio No bridge — no TVL per validator ratio applicable. RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) No LayerZero OFT integration in Symbiotic core. Data-cache layerzero.present = false, layerzero_bridge = false. F179 (LayerZero DVN configuration) applies only to LayerZero OFT adapters — Symbiotic has none.

Threat intelligence & recon Green 17 8 of 8

RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Protocol-impersonator domain confirmed active. Phishing domain ailocations-symbioticfi[.]com documented by PCRisk as actively mimicking symbiotic.fi to steal cryptocurrency from users. Domain was active during or shortly after the @symbioticfi X account compromise (Oct 4-7, 2024) and remains documented as a live threat. SYMBIOTIC token TGE (Nov 2024) created extended airdrop-scam surface sustaining impersonation activity. Symbiotic is a Paradigm-backed well-known restaking brand — higher-value typosquat target. 90-day registration-date window for threshold cannot be precisely confirmed; domain appears to have been registered and operational in Q4 2024. F161 assessment: yellow (confirmed active typosquat, registration delta uncertain but recent relative to assessment). RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Attacker reconnaissance time for peer-class protocols. For restaking primitives/LRT-class: KelpDAO rsETH (Apr 2026, $293M) — attributed to TraderTraitor/Lazarus with documented social-engineering reconnaissance over months. Drift Protocol (Apr 2026, $285M) — 6-month social engineering buildup including real-capital deposits (F184 pattern). USPD-class reconnaissance: 78-day documented window. Symbiotic at $472M TVL is a high-priority reconnaissance target in the restaking sector. Paradigm-backed, named founders (Misha Putyatin, Algys Ievlev) with public LinkedIn/conference presence — social engineering surface exists. No confirmed active reconnaissance against Symbiotic detected in public sources but peer-class baseline is 14-78+ days. Elevated yellow: prominent restaking protocol in active DPRK-targeting sector. RD-F-158 gray Known-threat-actor cluster has touched protocol Known-threat-actor wallet interaction with Symbiotic core contracts cannot be confirmed or ruled out via public-proxy assessment alone. KelpDAO rsETH exploit (Apr 2026, ~$293M) attributed to TraderTraitor/DPRK Lazarus Group involved the restaking sector broadly but targeted KelpDAO's LayerZero OFT adapter bridge, not Symbiotic core contracts. DPRK adversarial-venue-use of Symbiotic vaults (routing stolen funds post-exploit) is plausible per U4 context (attacker routing funds through a Symbiotic vault = passive-venue yellow, not team complicity red). Definitive assessment requires live Chainalysis/TRM cluster feed against on-chain Symbiotic contract interaction logs. No confirmed active DPRK wallet interaction with Symbiotic core contracts found in public sources. RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Mempool probe from attacker wallet (low-gas failing txs to protocol) requires live mempool monitoring + threat-actor cluster feed. No mempool probe pattern against Symbiotic contracts confirmed in public sources. Signal requires infrastructure not available in static assessment. RD-F-164 gray Leaked credential on paste/sentry site Leaked credential on paste/sentry site matching Symbiotic infra not found in public OSINT. security_md_present: false on GitHub means no disclosed private reporting path. Automated paste-site monitoring feed required for definitive assessment. No credential leak confirmed or ruled out via public-proxy observation. RD-F-165 gray Protocol social channel has scam-coordinator flag Telegram/Discord scam-coordinator flag requires curator social watchlist. @symbioticfi X account was compromised Oct 4-7 2024 (confirmed; now recovered). Discord presence not confirmed in this assessment run. No current Discord or Telegram scam-coordinator flag found in public OSINT. Requires curator social watchlist for definitive assessment.

RD-F-160 green GitHub malicious-dependency incident touching protocol deps No malicious-dependency security advisory found for Symbiotic's dependencies. Primary dependency is OpenZeppelin Contracts v5.0.2 — a well-maintained, security-advisory-monitored library. No GHSA advisory for OZ v5.0.2 as of 2026-05-16. Foundry.toml dependency pins are present (OZ v5.0.2). No npm or PyPI dependencies at risk.

RD-F-162 green Known-exploit-template selector deployed by any address No known-exploit-template selector pattern deployed targeting Symbiotic core. Symbiotic has zero prior exploits — no exploit template can exist for an incident-free protocol. The protocol is an original design (not a fork) with 8 audit engagements and Certora formal verification, reducing the likelihood of a discoverable single-exploit-template attack vector.

Tooling / compiler / AI Green 0 5 of 5

RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Original protocol with no upstream fork. Bytecode similarity to an audited upstream as an AI-copy risk vector is not applicable here. There is no upstream to be similar to.

RD-F-170 green Solc version used (known-bug versions flagged) Solidity 0.8.25 confirmed in foundry.toml and OperatorRegistry Etherscan verified source (v0.8.25+commit.b61c2a91). Released March 14 2024. Modern, actively supported version. No known security bugs for 0.8.25 in Solidity bug registry. Not on any flagged-version list.

RD-F-172 green Repo shows AI-tool co-authorship in critical files Commit history inspection of symbioticfi/core shows no AI-tool co-authorship markers. No GitHub Copilot co-authored-by, ChatGPT attribution, or similar disclosures in visible commit messages. Recent commits by authors 1kresh and Streator with standard commit messages (documentation fixes, test adjustments).

RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Symbiotic team of AI-generated Solidity in security-critical code paths found in blog posts, Twitter, or documentation. Founders are audit firm veterans (Statemind/MixBytes background), making AI-generated critical code less likely given their professional norms.

RD-F-174 green Dependency tree uses EOL Solidity version Solidity 0.8.25 is not EOL and is actively maintained. OZ 5.0.2 is current. No Vyper detected (cache vyper_detected=false). No EOL version in the dependency tree.

Response & disclosure hygiene Green 17 4 of 4

RD-F-175 yellow Disclosure channel exists Immunefi bug bounty program active at immunefi.com/bug-bounty/symbiotic/ with $500K maximum payout confirmed via search results. No separate SIRT email or security contact found. SECURITY.md absent (security_md_present: false per cache). The Immunefi program constitutes a public disclosure channel but no additional backup channel exists. Yellow = disclosure channel exists but no direct evidence of active monitoring activity (no publicly disclosed bounty payout or researcher acknowledgment in last 12 months found). Direct Immunefi page access returns 404; program confirmed via search-indexed content. RD-F-176 yellow Disclosure SLA public No Symbiotic-published acknowledgment SLA found in docs or GitHub. The Immunefi platform enforces a default SLA on participating programs (Immunefi's standard process includes initial response within 24h from Immunefi, then team handoff). Symbiotic has not published a standalone SLA commitment (e.g., '72h acknowledgment'). Per methodology: yellow = SLA stated but not tested or > 72h. The Immunefi platform SLA is a platform default — yellow is appropriate as structural SLA coverage exists through Immunefi's process, but no Symbiotic-specific published SLA text was found.

RD-F-177 green Prior known-ignored disclosure No prior incidents means no post-mortem evidence of an ignored disclosure. OSINT search found no public disclosure by security researchers of having reported a vulnerability to Symbiotic that was not acted upon. No Rekt News article attributing an ignored disclosure to Symbiotic. Green = no evidence of ignored disclosure.

RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against Symbiotic or its core GitHub repositories (symbioticfi/core, symbioticfi/collateral). OSINT search returned no advisory records. Protocol has no known disclosed vulnerabilities in public databases. Green = no advisory or all advisories patched (no advisories found).

rubric_version v1.7.0 graded_at 2026-05-16 09:25:28 factors 184 protocol symbiotic