defirisk.co
rubric v1.7.0

Known-threat-actor cluster has touched protocol

Uniswap (v2 + v3)'s assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

V2+V3 combined: Allium confirmed ~$39M routed through Uniswap pools during Bybit hack laundering (Feb-Mar 2025, Lazarus Group/DPRK). Adversarial venue use — Lazarus swapping stolen tokens via the public DEX. NOT protocol exploitation, NOT admin-key compromise, NOT reconnaissance against V2/V3 attack surface. Outside 30-day assessment window. No active threat-actor interaction with V2/V3 contracts in current 30-day window. Yellow: documented adversarial venue use (not red: no core-contract attack interaction).

Detail

Signal threshold: wallet in confirmed exploit-attributed cluster interacts with protocol core contracts within 30 days. For Uniswap V2+V3: the Bybit/Lazarus interaction was standard swap transactions through the public DEX (no admin interaction, no governance manipulation, no core-contract attack). The February-March 2025 date is >12 months before assessment date (2026-05-12) — outside the 30-day window. Red would require: Lazarus wallet interacting with GovernorBravoDelegator, Timelock, or V2/V3 Factory in a way consistent with targeted attack planning. Venue-use (swap transactions) does not meet this threshold. No current-window (May 2026) threat-actor interaction with Uniswap contracts detected from public sources. Tier-C signal: advisory only, never flips grade solo.

Sources

Methodology

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
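An added example (not defirisk.co's own code) of the check described above: match transaction senders against the threat-actor cluster, then separate core-contract hits inside the 30-day window from venue use. All addresses and transactions are constructed placeholders. The `green` outcome and the treatment of out-of-window core hits as yellow are assumptions, since the page states only the red and yellow conditions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # signal threshold window stated on the page

# Constructed placeholder addresses, not real deployments.
CORE = {  # contract roles the page names as red-relevant
    "0x" + "01" * 20: "GovernorBravoDelegator",
    "0x" + "02" * 20: "Timelock",
    "0x" + "03" * 20: "V2/V3 Factory",
}
VENUE = {"0x" + "0a" * 20: "pool (swap venue)"}
CLUSTER = {"0x" + "ee" * 20}  # curator-maintained threat-actor cluster (constructed)

ASSESSED = datetime(2026, 5, 12)
SAMPLE_TXS = [  # constructed records
    # cluster wallet swapping through a pool, long before the window
    {"from": "0x" + "ee" * 20, "to": "0x" + "0a" * 20, "time": datetime(2025, 2, 25)},
    # unrelated wallet calling governance inside the window: not a cluster hit
    {"from": "0x" + "bb" * 20, "to": "0x" + "01" * 20, "time": datetime(2026, 5, 1)},
]


def classify(tx, assessed_at):
    """Return (kind, in_window) for a cluster hit on the protocol, else None."""
    if tx["from"].lower() not in CLUSTER:
        return None
    to = tx["to"].lower()
    kind = "core" if to in CORE else "venue" if to in VENUE else None
    if kind is None:
        return None  # cluster wallet, but not touching this protocol
    age = assessed_at - tx["time"]
    return kind, timedelta(0) <= age <= WINDOW


def score(txs, assessed_at):
    """red-candidate: in-window core-contract hit (curator still confirms intent).
    yellow: any other documented cluster interaction. green (assumed): none."""
    hits = [h for h in (classify(t, assessed_at) for t in txs) if h]
    if any(kind == "core" and in_window for kind, in_window in hits):
        return "red-candidate"
    return "yellow" if hits else "green"


if __name__ == "__main__":
    print(score(SAMPLE_TXS, ASSESSED))
```

A `red-candidate` result is only a prompt for curator review: the page's red condition also requires that the interaction be consistent with targeted attack planning, which address matching alone cannot establish.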


rubric_version: v1.7.0
protocol: uniswap
factor: RD-F-158
score: yellow
collected_at: 2026-05-12 10:36:11