defirisk.co
rubric v1.7.0

USDD (Decentralized USD)

TRON DAO Reserve over-collateralized CDP stablecoin on TRON (primary; 92.45% TVS), Ethereum (6.07%), and BNB Chain (1.48%). USDD 2.0 model: users deposit TRX/sTRX/USDT at ≥130% collateral ratio to mint USDD; zero-fee PSM for 1:1 USDD↔USDC/USDT swaps. Canonical TRC-20 at TPYmHEhy5n8TCEfYGqW2rPxsghSfzghPDn. On Ethereum, the source-verified ERC-20 at 0x4f8e5de400de08b164e7421b3ee387f461becd1a is treated as canonical in this review; the native deployment of September 2025 at 0x8EbdcF3d843E3A96137E84117C7989C883cE6127 is unverified and low-adoption (see RD-F-046 and RD-F-088). Launched May 2022 as algorithmic; converted to over-collateralized June 2022. De facto controlled by Justin Sun / TRON DAO Reserve: no active on-chain DAO, no Snapshot, governance portal removed. Mint authority restricted to a 7-entity whitelisted minter committee (Poloniex, Amber Group, Ankr, Mirana, Multichain Capital, FalconX, TPS Capital). Audited by ChainSecurity (≥5 engagements) and CertiK. No public bug bounty. Rated F by Bluechip. SEC v. Sun settled March 2026 ($10M civil penalty, no criminal charges, no OFAC action).

Sector cdp_stablecoin_corporate_no_dao
TVL $1.5B
Reviewed May 17, 2026
Factors 184
Categories 13
Risk score 49.0
Deployments Tron · $1.4B
01

Risk profile at a glance

3 red · 6 yellow · 2 green
02

Categories & evidence

184 factors · 13 categories
Code & audits · Yellow · 22 · 25 of 25 factors
RD-F-007 red Bug bounty presence & max payout No public bug bounty program. Immunefi 404 confirmed (not anti-bot; this is a confirmed absence). Data cache bug_bounty.platform: null, url: null. $1.475B TVS with zero formal bug bounty incentive mechanism. Red per methodology threshold.
RD-F-009 red Formal verification coverage No formal verification engagement found for USDD. CertiK and ChainSecurity audit pages do not mention Certora/Kani/Halmos proofs. No public GitHub repo to check for FV spec files. WebSearch for USDD formal verification returned no results. Red: 0% formal verification coverage.
RD-F-183 red Bug bounty scope gap on highest-TVL contracts No bug bounty program exists at all (Immunefi 404 confirmed; data cache bug_bounty.platform: null). The highest-TVL contracts — TRON TRC-20 (TPYmHEhy5n8TCEfYGqW2rPxsghSfzghPDn, ~$1.364B) — have zero whitehat incentive. Per taxonomy F183: red when highest-TVL contracts are out of scope; scored red (stronger adverse finding: no program at all, not just scope gap). $1.475B TVS with no public bug bounty program of any kind.
RD-F-001 yellow Audit scope mismatch ChainSecurity completed ≥5 USDD audits (latest Oct 2025, 5th engagement, covering Ethereum/BSC). Canonical Ethereum ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a) is source-verified on Etherscan (Solidity 0.6.12, Exact Match). Audit PDF is binary (not parseable for commit SHA). TRON primary (TPYmHEhy5n8TCEfYGqW2rPxsghSfzghPDn) Tronscan-blocked, source unverifiable. Cannot confirm bytecode-to-commit-SHA match at the primary audit source level. Yellow: audit coverage real and multi-round but commit-level verification structurally inaccessible.
RD-F-003 yellow Resolved-without-proof findings ChainSecurity PSM audit page states 'Incorrect USDT Address has been resolved.' No other unresolved medium+ findings mentioned in accessible audit summaries. Full PDF is binary (not parseable); cannot verify all resolved findings have on-chain proof. Yellow: one confirmed resolution, others not independently verifiable from accessible sources.
RD-F-005 yellow Audit firm tier ChainSecurity is Tier-2 (established, named firm with public track record). CertiK is Tier-2. Neither is Tier-1 (Trail of Bits / OpenZeppelin / ConsenSys Diligence / Certora / Sigma Prime / Spearbit / Zellic per taxonomy). Yellow: Tier-2 only, no Tier-1 firm engagement confirmed.
RD-F-006 yellow Audit-to-deploy gap Native Ethereum USDD launched in September 2025 (The Block, Sep 2025). ChainSecurity 5th audit completed October 30, 2025 — approximately 60 days after deployment. The deployment preceded the covering audit by ~60 days. Yellow: code was live before the covering audit completed.
RD-F-019 yellow ecrecover zero-address return unchecked Ethereum ERC-20 uses EIP-2612 permit() which calls ecrecover. Cannot confirm address(0) guard without tool run. Without such a guard, a malformed signature makes ecrecover return address(0), so a permit() call with owner set to address(0) would pass the signer-equality check and set an allowance on the zero address. Contract is ChainSecurity-audited (multiple rounds) which reduces risk; standard permit implementations of this era do check for address(0). Yellow: permit path uses ecrecover; audit coverage provides partial assurance but cannot confirm guard without tool run. TRON TVM: EVM-specific pattern not applicable.
RD-F-008 gray Ignored bounty disclosure No prior contract exploit incidents identified (Rekt DB empty, data cache rekt.incidents: []). Three USDD incidents (June 2022 depeg, March 2023 depeg, August 2024 BTC reserve removal) are economic/governance events, not contract exploits with formal disclosure channels. With no bug bounty program, there is no formal disclosure channel to 'ignore.' Cannot assess ignored disclosure where no disclosure channel exists.
RD-F-010 gray Static-analyzer high-severity count TRON primary contract: TVM substrate; source not retrievable via Tronscan (403) in this assessment, so Slither/Mythril were not run (scored not_applicable substrate). Ethereum ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a): source-verified but Slither not run in this assessment. No published static analysis results in OSINT. Gray for the Ethereum portion; not_applicable for TRON substrate.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Ethereum ERC-20 is a standalone non-proxy contract (confirmed: no proxy pattern, no UUPS structure). UUPS _authorizeUpgrade factor is N/A for non-upgradeable contracts. TRON TVM: EVM-specific pattern not applicable.
RD-F-023 n/a Constructor calls _disableInitializers() Ethereum ERC-20 is a standalone non-proxy contract. _disableInitializers() is an OZ pattern for proxied implementation contracts only. This contract uses a standard constructor with no proxy architecture. N/A. TRON TVM: EVM-specific OZ proxy pattern not applicable.
RD-F-002 green Audit recency Most recent audit is ChainSecurity 5th engagement completed October 30, 2025. As of 2026-05-17, this is approximately 200 days — within the green threshold of ≤365 days.
RD-F-004 green Audit count Two distinct audit firms confirmed: ChainSecurity (≥5 engagements, 2022-2025) and CertiK (2022, AA rating on TRON ecosystem). Per methodology, ≥2 distinct firms = green.
RD-F-011 green SELFDESTRUCT reachable from non-admin path Ethereum ERC-20 source confirmed: simple ERC-20 with rely/deny and mint/burn. No SELFDESTRUCT opcode in this contract type. Confirmed via source inspection — functions are transfer/approve/mint/burn/permit only. TRON TVM: Slither not applicable, but TRON TRC-20 token contracts do not use SELFDESTRUCT by design. Green for assessable Ethereum surface.
RD-F-012 green delegatecall with user-controlled target Ethereum ERC-20 confirmed: no delegatecall. Standard ERC-20 with rely/deny access control. TRON TVM: EVM-specific pattern not applicable. Green for assessable Ethereum surface.
RD-F-013 green Arbitrary call with user-controlled target Ethereum ERC-20 confirmed: pure token contract (transfer/approve/permit/mint/burn); no arbitrary external call with user-controlled target. TRON TVM: EVM-specific pattern not applicable. Green.
RD-F-014 green Reentrancy guard on external-calling functions Ethereum ERC-20: simple token with no external calls in state-mutating functions. Rely/deny-controlled mint/burn does not call external contracts. No reentrancy surface. TRON TVM: EVM-specific pattern not applicable. Green.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Ethereum ERC-20: Standard ERC-20; no ERC-777/1155/721 integration and no tokensReceived/onReceived hooks. TRON TVM: EVM-specific pattern not applicable. Green.
RD-F-016 green Divide-before-multiply pattern Ethereum ERC-20: simple add/sub arithmetic wrappers only; no complex divide-before-multiply in price-accounting paths. Pure token contract with no AMM or price math. TRON TVM: not applicable. Green.
RD-F-017 green Mixed-decimals math without explicit scaling Ethereum ERC-20: pure token with 18 decimals; no cross-token math requiring decimal normalization. TRON TVM: not applicable. Green.
RD-F-018 green Signed/unsigned arithmetic confusion Ethereum ERC-20: SafeMath-style add/sub (overflow-protected). No signed/unsigned conversion confusion in a simple ERC-20 token. TRON TVM: not applicable. Green.
RD-F-020 green EIP-712 domain separator missing chainId Ethereum ERC-20 constructor explicitly takes chainId_ parameter for EIP-712 domain separation, including chainId. This prevents cross-chain replay. TRON TVM: EVM-specific EIP-712 pattern not applicable. Green.
RD-F-022 green Public initialize() without initializer modifier Ethereum canonical ERC-20 confirmed via Etherscan source: standard constructor with chainId_ parameter; no initialize() function present; not a proxied upgradeable contract. No initializer modifier needed. TRON TVM: proxy upgrade pattern not assessable but TRC-20 tokens do not typically use proxy-initializer patterns. Green for assessable Ethereum surface.
RD-F-024 green Code complexity vs audit coverage Ethereum ERC-20 is a single-file simple token contract (~200 LOC, low cyclomatic complexity). ChainSecurity has audited ≥5 rounds over 2022-2025. Audit coverage is clearly adequate for this code size. TRON primary audited by CertiK 2022 + ChainSecurity multiple rounds. Green: multiple rounds by two firms for a low-complexity codebase.
Governance & admin · Red · 73 · 24 of 24 factors
RD-F-027 red Single admin EOA [STAR CRITICAL] Effective unilateral admin control demonstrated by Aug-2024 unilateral removal of ~12,000 BTC (~$726M) from reserves without DAO vote — contract-independent evidence of single-entity control. No on-chain enforced multisig requirement confirmed. Canonical Ethereum ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a, source-verified) uses wards system: rely() grants mint authority with no mandatory multi-party gate. TRON admin on-chain unobtainable (Tronscan 403) but unilateral reserve action confirms effective single-entity control. Red independent of contract-identity dispute.
RD-F-032 red Timelock duration on upgrades No timelock contract found on any chain. Data cache governance.timelock_address: null. The Aug-2024 unilateral BTC reserve removal with no queuing delay confirms effective absence of timelock on sensitive operations.
RD-F-033 red Timelock on sensitive actions No timelock on any sensitive action. Canonical Ethereum mint() (0x4f8e5de400de08b164e7421b3ee387f461becd1a, source-verified) callable by any ward in a single tx with no delay. TRON-side: no timelock found. Aug-2024 reserve removal executed without any time delay confirms absence of timelock on large asset movements.
RD-F-041 red Rescue/emergencyWithdraw without timelock [STAR CRITICAL] August 2024 unilateral removal of ~12,000 BTC (~$726M) from USDD reserves without DAO vote demonstrates real-world rescue/withdrawal without timelock. No timelock on reserve movements confirmed. Canonical Ethereum ERC-20 wards allows burn/mint in single tx with no delay. Confirmed evidence of unilateral large-asset movement — contract-independent.
RD-F-042 red Admin has mint() with unlimited max [STAR CRITICAL] Canonical Ethereum ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a, source-verified Exact Match, 5,863 holders) uses wards-based mint() with no supply cap beyond 10B theoretical maximum; callable by any ward in a single tx. TRON TRC-20 minting by TDR-whitelisted entities; no verified on-chain supply cap. The Aug-2024 unilateral BTC reserve removal demonstrates unconstrained admin powers in practice. Red is supported by the correct canonical contract evidence, not the wrong-contract 84-holder address.
RD-F-043 red Admin = deployer EOA after 7 days [STAR CRITICAL] Canonical Ethereum ERC-20 deployer 0x9c1a61a0740128f0a9f948b08995cdf3df58f1ee (labeled USDD: Deployer 1 on Etherscan) on 0x4f8e5de400de08b164e7421b3ee387f461becd1a. No evidence of multisig transfer within 7 days found. wards system means deployer initially holds all mint authority. TRON deployer unknown (Tronscan 403). Aug-2024 unilateral reserve action is contract-independent evidence of admin remaining centralized with original entity. Red is grounded in the verified canonical contract, not the 84-holder secondary address.
RD-F-025 yellow Admin key custody type TRON DAO Reserve (Justin Sun de facto) holds effective admin. No Gnosis Safe. No on-chain Governor. Ethereum ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a, canonical, source-verified) uses MakerDAO-style wards system. TRON side has historical 5-of-7 TDR-member narrative threshold but not on-chain verifiable. No timelock on any chain. Effective classification: entity-controlled with no enforced on-chain multisig. Yellow because some multi-party structure is claimed (5-of-7) even if unverifiable.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle The canonical Ethereum wards system (0x4f8e5de400de08b164e7421b3ee387f461becd1a, source-verified) grants all permissions (mint, burn, and potentially oracle/pause control) to each ward address — no role separation by design. MakerDAO-style wards is a single-permission-layer architecture. Yellow rather than red because the ward set may in practice include addresses with different operational functions, but this is undisclosed.
RD-F-040 yellow Emergency-veto multisig present Emergency shutdown path exists in MakerDAO-fork Ethereum USDD code (ChainSecurity audit confirms security of emergency shutdown). However, no independent emergency-veto multisig with disclosed signers is documented. The controller of the emergency path is the same TDR entity as the main admin. Yellow because mechanism exists but is not independent.
RD-F-046 yellow Contract unverified on Etherscan/Sourcify [U3 RECONCILED: red→yellow] The canonical Ethereum ERC-20 is 0x4f8e5de400de08b164e7421b3ee387f461becd1a — source-VERIFIED on Etherscan (Exact Match, Solidity 0.6.12, 5,863 holders). 0x8EbdcF3d843E3A96137E84117C7989C883cE6127 (84 holders, unverified) is a low-adoption secondary/test deployment, NOT the canonical USDD contract; the prior red was scored against the wrong address. Canonical BSC BEP-20 (0x392004BEe213F1FF580C867359C246924f21E6Ad) source is also available on BscScan. The TRON canonical TRC-20 (TPYmHEhy5n8TCEfYGqW2rPxsghSfzghPDn, 92.45% TVS) source is inaccessible via Tronscan — this is an infrastructure block (our fetch infra failing), NOT protocol opacity; TRON contracts are normally source-published on Tronscan. Yellow (not green) because the dominant chain (TRON, 92.45% TVS) source cannot be confirmed via the standard toolchain due to infra gap. Green would require Tronscan access or an alternative TRON source mirror.
RD-F-026 gray Upgrade multisig signer configuration (M/N) No Gnosis Safe on any chain. TRON-side 5-of-7 TDR member threshold is documented in narrative form only — not an on-chain-readable Gnosis Safe. Ethereum wards system has no M/N threshold. Cannot report a verified on-chain M/N value.
RD-F-028 n/a Low-threshold multisig vs TVL No Gnosis Safe exists on any chain. Data cache safe_multisigs: []. The 5-of-7 TDR narrative threshold is not evaluable as a Gnosis Safe threshold. Cannot evaluate multisig threshold vs TVL peer cohort. N/A by construction — no on-chain multisig threshold to evaluate.
RD-F-029 n/a Multisig signers co-hosted No on-chain multisig to evaluate. N/A by construction.
RD-F-030 n/a Hot-wallet signer flag No on-chain multisig to evaluate. N/A by construction.
RD-F-031 n/a Signer rotation recency No on-chain multisig to evaluate. N/A by construction.
RD-F-034 gray Guardian/pause-keeper distinct from upgrader Emergency shutdown path exists in MakerDAO-fork Ethereum code (ChainSecurity audit covers it) but guardian role identity not publicly disclosed. wards system allows same addresses to mint and pause. Role separation not confirmed.
RD-F-036 n/a Flash-loanable voting weight No on-chain Governor. No voting mechanism. Governance portal removed ~2024. Only one vote in protocol history (May 2023). N/A by construction for corporate-governed no-DAO protocol.
RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain Governor, no quorum. N/A by construction.
RD-F-038 n/a Proposal execution delay < 24h No on-chain Governor, no proposals. N/A by construction.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain Governor, no proposal execution path, no delegatecall in proposal payload. N/A by construction.
RD-F-044 gray Admin wallet interacts with flagged addresses Cannot assess admin wallet interactions with flagged addresses. TRON admin wallet identities not publicly available (Tronscan 403). Ethereum deployer 0x9c1a61a0 not evaluated against watchlists in this session.
RD-F-045 n/a Constructor args match governance proposal No governance proposal process exists. No constructor arg governance proposal to compare against. N/A by construction.
RD-F-047 n/a Governance token concentration (Gini) No governance token. No voting mechanism. Not applicable by construction.
RD-F-167 gray Deprecated contract paused but pause reversible by live admin Old USDD Token (0x0C10bF8FcB7Bf5412187A595ab97a3609160b5c6) is deprecated. Whether current admin retains reversible pause over this deprecated surface is not verified. Risk is low given minimal TVS on deprecated contract. Cannot verify pause state without on-chain read.
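The admin-surface questions scored above (deployer still a ward after the 7-day grace, a single ward, uncapped mint, no delay between a rely and the first privileged action) turned into a check over a contract's admin-event timeline. This is an added example written for this review, not USDD code, and the page shows none of the contract's events: the event names Rely/Deny/Mint, the `ward_set_at` replay and the whole SAMPLE_EVENTS timeline are constructed. A real run would read the events (or `wards(address)` state) from the chain for 0x4f8e5de400de08b164e7421b3ee387f461becd1a.

```python
"""Checks over an admin-event timeline for a MakerDAO-style `wards` token, the pattern the
page attributes to the canonical Ethereum USDD contract (rely/deny grant full authority, mint
has no cap). Added for this review; not USDD code. Event names and every record below are
constructed: the page does not show the contract's events."""
from dataclasses import dataclass
from typing import Iterable, Optional

DAY = 86_400


@dataclass(frozen=True)
class AdminEvent:
    ts: int          # block timestamp
    kind: str        # "Rely" | "Deny" | "Mint" (assumed names)
    addr: str        # ward granted/revoked, or the caller of mint
    amount: int = 0  # tokens minted (Mint only)


def ward_set_at(events: Iterable[AdminEvent], ts: int) -> set:
    """Replay Rely/Deny up to `ts` to reconstruct who holds authority at that time."""
    wards = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts > ts:
            break
        if e.kind == "Rely":
            wards.add(e.addr)
        elif e.kind == "Deny":
            wards.discard(e.addr)
    return wards


def grant_to_first_action(events: Iterable[AdminEvent]) -> Optional[int]:
    """Seconds from a Rely to the first Mint by that address. A value near zero means the
    grant was usable with no queuing delay, i.e. no timelock on rely (RD-F-033)."""
    first_mint = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "Mint" and e.addr not in first_mint:
            first_mint[e.addr] = e.ts
    gaps = [first_mint[e.addr] - e.ts for e in events
            if e.kind == "Rely" and e.addr in first_mint and first_mint[e.addr] >= e.ts]
    return min(gaps) if gaps else None


def assess_admin_surface(events, deployer: str, deployed_at: int,
                         supply_cap: Optional[int] = None, grace: int = 7 * DAY) -> dict:
    """Map the timeline onto the governance factors scored on this page."""
    wards = ward_set_at(events, deployed_at + grace)
    mints = [e for e in events if e.kind == "Mint"]
    return {
        "deployer_still_ward_after_grace": deployer in wards,       # RD-F-043
        "single_admin": len(wards) == 1,                             # RD-F-027
        "mint_by_non_ward": any(e.addr not in ward_set_at(events, e.ts) for e in mints),
        "largest_single_mint": max((e.amount for e in mints), default=0),
        "uncapped_mint": supply_cap is None,                         # RD-F-042
        "grant_to_first_action_s": grant_to_first_action(events),    # RD-F-033
    }


# Constructed timeline (not chain data): the deployer relies itself in the constructor,
# later relies an operations key, which mints 50M tokens 30 s after being granted.
DEPLOYER = "0xdeployer"
SAMPLE_EVENTS = [
    AdminEvent(0, "Rely", DEPLOYER),
    AdminEvent(2 * DAY, "Rely", "0xops"),
    AdminEvent(2 * DAY + 30, "Mint", "0xops", 50_000_000 * 10**18),
    AdminEvent(5 * DAY, "Mint", DEPLOYER, 1_000 * 10**18),
]

if __name__ == "__main__":
    for key, value in assess_admin_surface(SAMPLE_EVENTS, DEPLOYER, 0).items():
        print(f"{key}: {value}")
```

On the constructed timeline the deployer is still a ward at day 7, the ward set has two members (so not a single admin by this metric, though both may be the same entity), mint is uncapped, and the shortest rely-to-mint gap is 30 seconds, which is what "no timelock on rely" looks like in event data.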
Oracle & external dependencies · Yellow · 22 · 17 of 17 factors
RD-F-049 yellow Oracle role per asset TRX: Chainlink + WINkLink -> Median -> OSM -> Spot (primary CDP collateral pricing, confirmed). sTRX: oracle mechanism is derived from TRX price but specific derivation not fully documented. USDT collateral: likely soft-pegged 1:1 assumption in Spot contract, not confirmed. PSM assets (USDC, USDT): fixed 1:1 no oracle role. sTRX and USDT collateral oracle roles are underdocumented.
RD-F-050 yellow Dependency graph (protocols depended upon) Key external dependencies: (1) Chainlink TRX/USD on TRON, (2) WINkLink TRX/USD on TRON (TR5HtpPK4gX4RFC4DCBUHfFgsGkGFEzSAb), (3) PSM USDT/USDC reserves (liquidity-dependent peg anchor), (4) JustLend (venue listing USDD — not a called dependency), (5) SunSwap V3 (liquidity venue, not oracle source). Yellow because TRON-side contract call graph not fully verifiable due to Tronscan being blocked; JustLend and SunSwap are venue dependencies not direct protocol dependencies.
RD-F-051 yellow Fallback behavior on oracle failure No explicit fallback oracle documented. OSM holds last-known price if no valid update arrives (implicit stale freeze). No secondary fallback oracle or circuit-breaker-to-pause documented. Critically: ChainSecurity Jan-2025 audit confirmed 'risk of Governance Delay is Currently Disabled was accepted' — the OSM governance delay buffer that allows human intervention before a compromised oracle price propagates is currently disabled, significantly weakening fallback protection.
RD-F-052 yellow Breakage analysis per dependency If both Chainlink and WINkLink fail: no new price update reaches Spot; OSM freezes at last-known price; under-collateralized vaults not liquidated; bad-debt risk. If governance delay remains disabled and oracle is compromised: malicious price propagates immediately to collateral ratio with no human backstop. If TrxOracleValue precision-loss causes systematic TRX underpricing: under-collateralization detection fails. If PSM reserves depleted: peg anchor fails (Cat 4 risk). JustLend/SunSwap failure: venue-only risk, does not impair USDD CDP or oracle.
RD-F-057 yellow Circuit breaker on price deviation No circuit breaker on price deviation documented in available sources. The OSM delay is designed to provide some protection (price changes don't propagate instantly), but: (1) the governance delay is currently disabled per ChainSecurity Jan-2025 audit; (2) no explicit circuit-breaker threshold that halts the protocol on price deviation is documented. Operational monitoring is required per the audit — no automated on-chain protection.
RD-F-062 yellow External keeper/relayer not redundant The oracle system requires periodic price pushes from Chainlink and WINkLink oracle nodes. If oracle nodes stop posting, the Median receives no new valid prices and OSM freezes. The ChainSecurity Jan-2025 audit recommended 'active monitoring' of oracle correctness — suggesting no automated keeper fallback is implemented. Dual oracle providers (Chainlink + WINkLink) provide partial redundancy but the governance delay is currently disabled, reducing the human-intervention window.
RD-F-054 n/a TWAP window duration Not applicable to USDD's oracle design. USDD uses Chainlink/WINkLink push-model aggregated feeds (not DEX TWAP-based oracles). The OSM introduces a governance-configurable time delay (analogous in purpose to TWAP delay), but the underlying oracle source is an off-chain aggregated price feed, not a TWAP window. TWAP window duration is not a relevant parameter for this oracle architecture.
RD-F-055 n/a Oracle pool depth (USD) Not applicable. USDD does not use a DEX pool as the oracle source. Chainlink/WINkLink are off-chain aggregated data providers. Pool depth of an underlying oracle DEX pool is not a relevant metric for this oracle architecture.
RD-F-058 gray Max-deviation threshold (bps) No circuit-breaker threshold documented. Factor F057 found no circuit breaker exists, so no threshold value is applicable. Not publicly documented in USDD docs or audit reports.
RD-F-059 gray Oracle staleness check present Staleness check parameters not publicly documented. The OSM design implies holding last-known price if no valid update arrives (implicit stale-freeze). However, explicit on-chain staleness rejection parameters (updatedAt > now - X) in Spot or Median are not confirmed in public docs. ChainSecurity Jan-2025 audit required 'active monitoring' for oracle correctness — suggesting operational monitoring rather than on-chain automated staleness rejection is the primary defense.
RD-F-060 gray Chainlink aggregator min/max bound misconfig Chainlink aggregator min/max bounds for TRX/USD on TRON are not verifiable. Tronscan returns 403; TRON-side Chainlink adapter contract addresses are not publicly documented. The EVM Chainlink TRX/USD feed exists on Polygon mainnet but is a different deployment from the TRON substrate adapter. TRON-specific min/max bounds not obtainable.
RD-F-061 n/a LP token balanceOf used for pricing Not applicable. USDD does not use LP token balanceOf pricing for collateral valuation. Collateral (TRX, sTRX, USDT) is priced via the Chainlink/WINkLink/Median/OSM pipeline. PSM uses a fixed 1:1 rate. No LP-token-based pricing mechanism exists in the documented USDD architecture.
RD-F-180 gray Immutable oracle address [★ F180 CRITICAL-CANDIDATE — PD-017 flag] Cannot confirm on-chain. The Median contract architecture implies oracle sources are a whitelisted set configurable by admin ('maintains a whitelist of price feed contracts which are authorized to post price updates'), suggesting oracle addresses ARE replaceable via whitelist admin function. However: (a) TRON substrate blocks on-chain contract read to verify whether TrxOracleValue oracle source address is immutable/hardcoded; (b) admin control of whitelist not confirmed; (c) Tronscan returns 403. Directional lean: likely NOT red (Median whitelist architecture is admin-configurable by design — consistent with the MakerDAO-derived pattern it implements). However formal on-chain confirmation is blocked by TRON access. Orchestrator: track F180 for T-14 post-launch promotion decision if TRON-side source becomes accessible.
RD-F-181 n/a Permissionless-pool lending oracle Not applicable. USDD is a CDP/stablecoin issuer with governance-whitelisted collateral types (TRX, sTRX, USDT) controlled by TRON DAO Reserve — not a permissionless-pool lending protocol. New collateral cannot be added by arbitrary users. PSM accepts only governance-approved stablecoins (USDT, USDC). The Rhea-Finance-class attack vector (permissionless fake pool creation to game oracle into accepting worthless tokens) does not apply.
RD-F-048 green Oracle providers used USDD uses Chainlink and WINkLink as dual primary oracle providers for TRX/USD collateral pricing on TRON. Both feed into a Median aggregation contract. PSM (ETH/BSC/TRON) uses a fixed 1:1 rate with no external oracle. WINkLink TRX/USD mainnet contract: TR5HtpPK4gX4RFC4DCBUHfFgsGkGFEzSAb.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) NOT a spot-DEX-pool oracle. USDD uses Chainlink and WINkLink price feeds aggregated via a Median contract, then passed through an OSM (Oracle Security Module). ChainSecurity Jan-2025 audit confirmed 'oracles modules are deployed and connected correctly; primary oracles are wired to the Median contract for deviation check and eventually linked to the OSM.' Multi-feed aggregation via Median provides manipulation resistance. F053 critical factor NOT triggered.
RD-F-056 green Single-pool oracle (no medianization) NOT a single-pool oracle. USDD uses a Median contract that aggregates from multiple whitelisted oracle sources (at minimum Chainlink and WINkLink). USDD docs confirm the Median 'maintains a whitelist of price feed contracts which are authorized to post price updates' and 'computes and updates the stored value when a new list of prices is received.' ChainSecurity Jan-2025 audit confirmed correct Median architecture deployment.
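The Median, OSM and Spot behaviour that RD-F-051, RD-F-052, RD-F-056, RD-F-057 and RD-F-059 describe (medianization absorbing a minority of bad feeds, the delay window in which an operator can drop a queued price, the stale-freeze when feeds stop posting, and what each does to the ≥130% collateral check) as an added toy simulation written for this review. It is not USDD, TRON DAO Reserve or MakerDAO code; the class names follow the MakerDAO pattern the page says USDD derives from, and every price, feed name (`feed3`, `feed4`), vault size, `bar` and `max_age` value is constructed.

```python
"""Toy model of the Chainlink/WINkLink -> Median -> OSM -> Spot path described above.
Added for this review; not USDD, TRON DAO Reserve or MakerDAO code. Prices are integers
in micro-USD (on-chain fixed-point style); feeds, vaults and timings are constructed."""
from dataclasses import dataclass
from statistics import median
from typing import Optional

MIN_COLLATERAL_RATIO = 1.30     # USDD 2.0 minimum stated on the page
MICRO = 1_000_000


@dataclass
class Median:
    """Stores the median of prices posted by whitelisted feeds (an admin-configurable set)."""
    whitelist: set
    bar: int = 2                 # minimum number of valid feed prices per poke (assumed)
    value: Optional[int] = None
    updated_at: int = -1

    def poke(self, now: int, prices: dict) -> bool:
        accepted = [p for feed, p in prices.items() if feed in self.whitelist and p > 0]
        if len(accepted) < self.bar:
            return False         # too few valid prices: stored value is left as-is
        self.value = median(accepted)
        self.updated_at = now
        return True


@dataclass
class OSM:
    """Oracle Security Module: a fresh price waits `delay` seconds before it is live."""
    delay: int                   # 0 models the disabled governance delay the audit notes
    max_age: int                 # reject Median values older than this (staleness bound)
    current: Optional[int] = None
    pending: Optional[tuple] = None   # (price, time at which it becomes live)

    def poke(self, now: int, med: Median) -> None:
        if self.pending is not None and now >= self.pending[1]:
            self.current, self.pending = self.pending[0], None
        if med.value is None or now - med.updated_at > self.max_age:
            return               # stale or absent: hold last-known price (implicit freeze)
        if self.delay == 0:
            self.current = med.value      # no window for human intervention
        else:
            self.pending = (med.value, now + self.delay)

    def void(self) -> None:
        """Operator drops a queued price during the delay window."""
        self.pending = None


def collateral_ratio(collateral_trx: int, debt_usdd: int, price: int) -> float:
    """Spot-style check: collateral value / debt, both in USD."""
    return collateral_trx * price / (debt_usdd * MICRO)


def liquidatable(collateral_trx: int, debt_usdd: int, price: int) -> bool:
    return collateral_ratio(collateral_trx, debt_usdd, price) < MIN_COLLATERAL_RATIO


def scenario_feeds_silent() -> dict:
    """Both feeds stop posting: the OSM freezes and an under-water vault is not liquidatable."""
    med = Median({"chainlink", "winklink"})
    osm = OSM(delay=3600, max_age=3600)
    med.poke(0, {"chainlink": 100_000, "winklink": 102_000})
    for t in (0, 3600, 7200, 10_800):   # feeds never poke again after t=0
        osm.poke(t, med)
    vault = (2000, 100)                  # 2000 TRX backing 100 USDD
    market_price = 50_000                # TRX halved off-chain meanwhile (constructed)
    return {
        "osm_price": osm.current,
        "liquidatable_at_osm": liquidatable(*vault, osm.current),
        "liquidatable_at_market": liquidatable(*vault, market_price),
    }


def scenario_compromised_feeds(delay: int, operator_reacts: bool) -> dict:
    """An attacker controls feeds; the OSM delay is what gives the operator time to respond."""
    med = Median({"chainlink", "winklink", "feed3"})
    osm = OSM(delay=delay, max_age=3600)
    honest = {"chainlink": 100_000, "winklink": 102_000, "feed3": 101_000}
    med.poke(0, honest)
    osm.poke(0, med)
    osm.poke(delay, med)                                   # honest median 101000 is live
    t = delay + 60
    med.poke(t, {**honest, "feed3": 10_000_000})           # one bad feed: median absorbs it
    one_bad = med.value
    t += 60
    med.poke(t, {**honest, "winklink": 10_000_000, "feed3": 10_000_000})  # majority bad
    osm.poke(t, med)
    immediate = osm.current
    if operator_reacts:
        osm.void()                                         # only helps while still queued
        med.whitelist = {"chainlink", "feed4"}             # drop compromised feeds, lift a new one
        med.poke(t + 1, {"chainlink": 100_000, "feed4": 102_000})
    osm.poke(t + delay, med)                               # anything still queued goes live
    osm.poke(t + 2 * delay, med)
    return {
        "median_one_bad": one_bad,
        "immediately": immediate,
        "mint_allowed_immediately": not liquidatable(20, 100, immediate),  # 20 TRX vs 100 USDD
        "after_delay": osm.current,
    }
```

With `delay=3600` a majority-compromised feed set leaves the live price untouched until the queued value matures, so the operator's `void()` plus whitelist change keeps the honest price; with `delay=0` the attacker's price is live in the same poke and a vault holding 20 TRX passes the 130% check against 100 USDD of debt before anyone can react. In the silent-feed case the OSM freezes at the last accepted value, so a vault that is at 100% against the market price still reads 202% on-chain and is never liquidated.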
Economic risk · Red · 56 · 13 of 13 factors
RD-F-068 red Collateralization under stress Effective collateral ratio is well below 100% once endogenous assets are excluded. Bluechip's independent assessment (last updated Oct 2025) finds: (1) TRX and sTRX are classified as endogenous collateral (issued by the same entity — TRON Foundation/Justin Sun — as USDD) and therefore 'invalid collateral'; (2) after excluding endogenous assets, USDD is under-collateralized with effective CR below 100%. Bluechip cites approximately 53% effective collateralization vs. USDD's claimed 200–300%. The Aug-2024 unilateral removal of ~12,000 BTC (~$726M) from reserves without DAO vote left the reserve 'now 100% backed by TRON except for $20M USDT' (Protos/Decrypt). The circular TRX collateral problem: if USDD faces a confidence crisis, USDD selling pressure depresses TRX price (USDD holders dump TRX to exit), reducing collateral value precisely when defense is needed. This is structurally similar to the LUNA/UST death spiral, just with a slower feedback loop. A 50% TRX price decline would push
RD-F-063 yellow TVL (current + 30d trend) TVS $1.475B (DefiLlama, 2026-05-17). 30d change +2.77%; 90d CoV 0.361 (mean $1.03B, std $371M) — high volatility reflecting ~6x supply growth from $246M (March 2025 baseline). A large single-day spike (~$650M to ~$1.09B, mid-April 2026) coincides with JustLend Phase XVI supply mining incentives (28 March–25 April 2026 at ~4.75% APY), indicating incentive-driven rather than organic supply growth. Incentive-driven TVS is fragile: subsidy withdrawal risk is real, and the steep growth arc masks supply sustainability concerns. Yellow (not red) because current TVS is substantial and peg is currently maintained; yellow because supply trajectory is incentive-dependent with high CoV.
RD-F-069 yellow Algorithmic / under-collateralized stablecoin USDD 2.0 is an over-collateralized CDP design (converted from algorithmic in June 2022), not a pure-algo stablecoin. However: (1) TRX is endogenous collateral (Bluechip: 'invalid'); (2) USDD has two documented depeg events — June 2022 ($0.91–0.97, ~1 week, recovered via ~$2B reserve deployment) and March 2023 ($0.92, SVB contagion); (3) the Bluechip F rating characterizes the design as effectively under-collateralized and recommends against holding USDD; (4) the governance portal removal and no remaining DAO means reserve management is fully discretionary; (5) subsidized yields (historically up to 20%; currently ~4.75% via JustLend supply mining Phase XVI) create artificial demand that masks underlying adoption weakness. Not red (not pure-algorithmic; has PSM mechanism; has some exogenous USDT reserves); yellow for documented peg fragility, disputed effective collateral quality, and endogenous collateral concentration.
RD-F-064 gray TVL concentration (top-10 wallet share) Top-10 wallet share cannot be measured. TRON substrate — Tronscan HTML returns 403; no programmatic holder-distribution read path available. USDD minting is controlled by TRON DAO Reserve whitelisted institutions (historically 7 entities: Poloniex, Amber Group, Ankr, Mirana Ventures, Multichain Capital, FalconX, TPS Capital), suggesting extremely concentrated minting authority. Retail holders are distributed via JustLend and exchanges. On-chain concentration of circulating supply cannot be quantified without Tronscan API access.
RD-F-065 gray Liquidity depth per major asset PSM liquidity depth not quantifiable. USDD peg defense relies primarily on the PSM (zero-fee 1:1 USDD↔USDC/USDT swap, no price impact regardless of size per USDD docs), not secondary-market DEX depth. PSM reserve (USDT/USDC balance held by TRON DAO Reserve) is the correct analog to liquidity depth. This balance is not publicly readable from available sources (Tronscan blocked; tdr.org transparency page content is minimal per profile). SunSwap V3 DEX subgraph not accessible. Yellow signal: PSM design is structurally sound for peg maintenance at small scale; adequacy at current $1.475B supply with primarily TRX reserves is not verifiable.
RD-F-066 n/a Utilization rate (lending protocols) USDD is a CDP stablecoin issuer, not a lending protocol. No borrow markets exist. DefiLlama confirms borrow.present: false, total_borrowed_usd: null. Utilization rate is a lending-protocol-specific metric. PD-024 lending-only N/A applies.
RD-F-067 n/a Historical bad-debt events No lending markets, no borrow positions, no bad-debt-socialization mechanism. USDD operates a CDP (collateral → mint stablecoin) model; there is no lender/borrower pair that can generate bad debt in the traditional lending sense. The peg events (June 2022, March 2023) are reserve-management events, not bad-debt events. Data cache hacks: [] confirmed. PD-024 lending-only N/A applies.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) USDD is not a Compound V2 fork. It is an original CDP stablecoin issued on TRON (TVM). No cToken market architecture exists. The empty-market/donation-attack pattern is specific to Compound V2 fork lending protocols with share-based accounting. The USDD PSM and CDP mechanism use 1:1 fixed-rate conversion, not share-price accounting. PD-024 Compound-fork-only N/A confirmed.
RD-F-071 n/a Seed-deposit requirement for new market listing No lending markets exist for USDD. Seed-deposit requirement for market listing is a lending-protocol-specific control pattern. USDD is a CDP stablecoin issuer on TRON. PD-024 lending-only N/A applies.
RD-F-072 n/a Market-listing governance threshold No lending markets exist. Market-listing governance threshold is a lending-protocol-specific metric. USDD CDP does not list discrete collateral markets via a governance threshold mechanism. PD-024 lending-only N/A applies.
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrow markets and no per-asset borrow cap structure. USDD uses CDP minting (not borrow/supply lending) where TRX price is used to calculate collateral value. Oracle-manipulation-proof borrow cap is a lending-protocol construct not applicable to this architecture. PD-024 lending-only N/A applies.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) USDD does not use an ERC-4626 vault structure. It is a TRC-20/ERC-20 stablecoin with a CDP minting mechanism. No share-price accounting, no virtual-share offset pattern to evaluate. PD-024 / ERC-4626-specific N/A.
RD-F-075 n/a First-depositor / share-inflation guard USDD uses a CDP minting model, not a share-based vault with deposit/withdrawal accounting. No first-depositor share inflation vector exists structurally. The PSM is a 1:1 fixed-rate swap module with no share-price calculation. PD-024 / share-vault-specific N/A.
Operational history Green 17 15 of 15
RD-F-089 red Insurance coverage active No active insurance coverage found for USDD on any provider. Nexus Mutual search returned no USDD coverage. No Sherlock program found. No Unslashed or equivalent coverage. Protocol operates primarily on TRON (not covered by EVM-centric DeFi insurance providers). At $1.475B TVS, the absence of any insurance coverage is a material gap. $1.475B TVS with zero insurance is a significant risk for depositors.
RD-F-084 yellow TVL stability (CoV over 90d) Data cache 90-day CoV = 0.361 (mean $1.03B, std $371M, window approx. Feb–May 2026). CoV above 0.30 yellow threshold. Notable anomalies: large step-up ~$650M to ~$1.09B approx. April 14-15 2026 (unexplained — potential large institutional mint or DefiLlama accounting recalculation). Protocol also has documented peg events in June 2022 (~$0.91 floor) and March 2023 (~$0.92 floor) demonstrating peg instability under stress conditions — relevant context for this factor as peg-stability history on a stablecoin.
RD-F-086 yellow Pause activations (trailing 12 months) No documented emergency pause activations on USDD contracts in the trailing 12 months. However, the August-2024 unilateral removal of ~12,000 BTC (~$726M) from USDD reserves without DAO vote represents a significant unilateral operational action by the controlling entity that bypassed nominal governance — a precedent for unilateral operational intervention scored here as yellow context. The contract-level pause mechanism status is not independently verified (Tronscan reads blocked). Note: the BTC removal is NOT a contract exploit (U20); it routes to Cat 2/F041. Scored yellow for the opaque pause mechanism + precedent for unilateral action.
RD-F-088 yellow Re-deployed to new addresses in last year Yes — the native Ethereum ERC-20 (`0x8EbdcF3d843E3A96137E84117C7989C883cE6127`) was deployed September 2025, within the trailing 12 months of this assessment (2026-05-17). This replaced the bridged 'Old USDD Token' ERC-20. The redeployment was planned and announced, and the fifth ChainSecurity audit (Oct 2025) covers the new deployment. Score yellow: new deployment within 12 months introduces fresh surface; users must migrate approvals from deprecated address.
RD-F-082 n/a Post-mortem published within 30 days No exploit occurred. Post-mortem obligation presupposes an incident; with zero Cat 5 incidents the factor is structurally inapplicable.
RD-F-083 n/a Auditor re-engaged after last exploit No exploit occurred. Post-exploit re-audit obligation presupposes an incident; with zero Cat 5 incidents the factor is structurally inapplicable.
RD-F-085 n/a Incident response time (minutes) No exploit incident has occurred. Response time measurement presupposes an exploit; with zero Cat 5 incidents the factor is structurally inapplicable.
RD-F-076 green Protocol age (days) USDD launched on TRON mainnet 2022-05-05. Age at assessment 2026-05-17: ~1,107 days (~48 months). Exceeds the 12-month threshold for A-grade eligibility and the longer seasoning benchmarks. Profile §2 confirms launch date.
RD-F-077 green Prior exploit count Zero protocol-contract exploits. Hacksdatabase grep for 'usdd' (case-insensitive) returned 0 matching files. REKT News and DeFiYield web searches returned 0 USDD entries. The June-2022 and March-2023 depeg events and the August-2024 BTC reserve removal are governance/economic events excluded per U20 — no contract was exploited. Clean exploit record across ~48 months.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero exploits in the hacksdatabase or public record. Chronic flag (≥3 prior exploits) does not apply. Derivative of F077.
RD-F-079 green Same-root-cause repeat exploit Zero contract exploits; no same-root-cause repeat exploit possible. The two peg events (June 2022 Alameda selloff; March 2023 SVB contagion) had different external triggers and were economic/market events, not contract bugs per U20 exclusion.
RD-F-080 green Days since last exploit No exploit has ever occurred (F077 = 0 exploits). Factor renders as not applicable but scores green per taxonomy: clean record across ~48 months since launch.
RD-F-081 green Post-exploit response score No prior exploit to evaluate post-exploit response against. Zero incidents in the Cat 5 register. Factor is vacuously green (no incidents to score). Peg events were responded to with reserve deployments (Cat 2/4 matters), not subject to post-exploit response scoring.
RD-F-087 green Pause > 7 consecutive days No pause of any duration has been publicly documented for USDD contracts in the trailing 12 months or in any period of its history. The June 2022 peg recovery involved reserve deployment (not a contract pause). Protocol has maintained continuous operational availability.
RD-F-166 green Deprecated contracts still holding value The 'Old USDD Token' (0x0C10bF8FcB7Bf5412187A595ab97a3609160b5c6) is labeled deprecated on Etherscan and superseded by the Sept-2025 native ERC-20 (0x8EbdcF3d843E3A96137E84117C7989C883cE6127). No evidence of material user TVL (>$100K) remaining in the deprecated contract. Migration to the native ERC-20 appears complete per The Block reporting and ChainSecurity fifth audit coverage of the new deployment.
Real-time signals Yellow 20 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h TVL anomaly signal is applicable: USDD circulating supply tracked as TVL (~$1.475B). 30d TVL change +2.77%; 1d change +0.67%; no current severe drop below the 30% threshold. However, the DefiLlama cache shows a historically significant large supply step-up (~$650M to $1.09B in a single day, ts 1774828800 approx April 14, 2026) and an earlier large apparent drop (ts 1750636800, $448M to $96M) in the broader data series — both suggesting USDD supply is subject to large discrete movements that could trigger a TVL-anomaly signal. TRON-side real-time polling not wired in current pipeline (non_evm_substrate: true; Tronscan 403). Yellow: signal would be applicable if live infrastructure were in place; large historical supply swings demonstrate the signal is not a theoretical concern.
RD-F-104 yellow Stablecoin depeg >2% on shared-LP venue Signal is applicable with USDD as the stablecoin (fire if USDD depegs >2% on venues with shared LP). USDD has two documented historical depeg events: June 2022 depeg to ~$0.91 on Curve/Binance (recovered ~1 week via reserve deployment); March 2023 depeg to ~$0.92 during SVB/USDC contagion. Reserve post-Aug-2024 BTC removal is ~98.9% TRX+USDT (per Decrypt/DL News), increasing depeg risk if TRX price drops sharply. Current posture: USDD at approximately $1.00 as of 2026-05-17; no active depeg. Signal would fire if USDD depegs again. Yellow: documented depeg vulnerability under stress; reserve composition elevated risk; no current active fire.
RD-F-109 yellow Social-media impersonation scam spike Social-media impersonation scam-spike signal is applicable. USDD/TRON/Justin Sun is a very high-recognition brand with a documented scam-impersonation surface. Evidence: (1) Blockaid 2025 documented 4,200+ malicious dApps using stablecoin branding in URLs/page titles — USDD is a named stablecoin brand. (2) JustLend ecosystem (TRON protocol sharing Justin Sun/TRON DAO brand) had confirmed phishing infrastructure (justlend-dao.com, per JustLend process-learnings Cat 11 red finding). (3) Justin Sun's high social media presence and SEC settlement (March 2026) create ongoing opportunistic impersonation surface. (4) Over 54,000 fraudulent stablecoin tokens documented across chains (Cybernews). Yellow: persistently elevated social-media impersonation baseline; no confirmed acute single-day scam spike in accessible public records today, but structural conditions make this signal near-continuously elevated for USDD.
RD-F-090 gray Mixer withdrawal → protocol interaction Mixer-withdrawal detection requires live wallet-clustering feed (Chainalysis/TRM). TRON-side on-chain reads blocked (Tronscan 403). Ethereum-side USDD ERC-20 v2 (0x8EbdcF3d843E3A96137E84117C7989C883cE6127) public Ethplorer records show no flagged mixer-adjacent interactions, but this is not a substitute for a live clustering feed. T-09 phase-2 signal — production-live monitoring not wired for either TRON or Ethereum substrate at this time.
RD-F-091 gray Partial-drain test transactions Partial-drain test transaction detection requires on-chain tx pattern matching infrastructure not available in static dry-run. TRON-side reads blocked. No documented partial-drain precursor pattern targeting USDD contracts in accessible public records. T-09 phase-2 signal.
RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer wallet address not publicly identified — data cache deployer.address: null; Tronscan 403 blocks TRON-side resolution; Ethereum deployer EOA not resolved in public sources. Cannot establish baseline deployer mempool pattern without the deployer address.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Attacker gas-price anomaly detection requires live EVM mempool feed. TRON uses energy/bandwidth model — not comparable to EVM gas. Ethereum-side USDD contract: no flagged gas-price anomaly found in accessible public records. T-09 phase-2 signal.
RD-F-094 gray New contract with similar bytecode to exploit template New contract deployment with similar bytecode detection requires a bytecode similarity scanning pipeline. No known exploit template targeting USDD ERC-20 v2 in accessible public records. ChainSecurity has conducted 5 audits; no publicly documented exploit-class bytecode for USDD-specific contracts. T-09 phase-2 signal.
RD-F-095 gray Known-exploit function-selector replay Known-exploit replay selector-pattern detection requires an exploit-template database and live tx analysis infrastructure. No publicly documented known-exploit selector pattern targeting USDD ERC-20 v2 contracts. T-09 phase-2 signal.
RD-F-096 gray New ERC-20 approval to unverified contract from whale ERC-20 approval monitoring for unverified contracts requires live event stream monitoring. TRON-side TRC-20 approval model differs and reads are blocked. Ethereum-side USDD ERC-20 v2: no flagged large-user approval to unverified contract in accessible public Ethplorer data. T-09 phase-2 signal.
RD-F-097 gray Sybil surge of identical-pattern transactions Sybil transaction surge detection requires on-chain clustering and pattern-matching infrastructure. TRON-side reads blocked. Ethereum-side USDD ERC-20 v2: no documented sybil burst in accessible public records. T-09 phase-2 signal.
RD-F-099 gray Oracle price deviation >X% from secondary Oracle price deviation signal is applicable to the TRON-side CDP (TRX USD price used for collateral ratio enforcement). The oracle mechanism for TRX pricing is not publicly documented — data cache oracle: null; oracle_feeds: []. TRON-side on-chain reads blocked (Tronscan 403). Ethereum-side PSM uses 1:1 USDC/USDT swap design (no oracle price feed needed by design). Cannot assess oracle deviation posture without resolving the TRON CDP oracle source address.
RD-F-101 n/a Large governance proposal queued USDD has no on-chain Governor contract (data cache governance.governor_address: null). No Snapshot space (snapshot_space: null). Corporate-governed with de facto control by TRON DAO Reserve/Justin Sun — no DAO mechanism to monitor. Signal requires a Governor contract with proposal queue events to be applicable.
RD-F-102 gray Admin/upgrade transaction in mempool Admin/upgrade tx mempool signal: TRON-side primary substrate — TVM mempool not accessible via EVM mempool infrastructure (Tronscan 403; non_evm_substrate: true). Ethereum-side USDD ERC-20 v2 admin key composition is not publicly disclosed; no Safe multisig identified (safe_multisigs: []). Cannot build protocol admin map required for this signal without knowing the admin/minter key addresses on Ethereum. T-09 phase-2 signal infrastructure also required.
RD-F-103 n/a Bridge signer-set change proposed/executed USDD does not operate its own bridge protocol. BTTC is third-party BitTorrent/TRON infrastructure. Data cache layerzero.present: false. Native Ethereum and BSC deployments are independently minted, not bridge-routed. No bridge signer-set to monitor for this protocol.
RD-F-106 n/a Cross-chain bridge unverified mint pattern USDD does not operate its own cross-chain bridge. BTTC bridge is third-party BitTorrent/TRON infrastructure. Native Ethereum and BSC deployments are independently minted. No cross-chain bridge architecture to monitor for deposit-src / mint-dst-without-proof patterns.
RD-F-107 gray Admin EOA signing from new geography/device Admin/upgrader EOA identities not publicly disclosed for either TRON or Ethereum deployments. No Gnosis Safe identified. Reserve wallet addresses not published. Cannot establish baseline geography/device fingerprint without knowing the admin key addresses. This is an M-method factor requiring curator-level off-chain intelligence.
RD-F-108 n/a GitHub force-push to sensitive branch USDD has no public GitHub repository (data cache github.repo_url: null). GitHub force-push monitoring requires a repository to monitor. This signal is not applicable without a public codebase.
RD-F-110 n/a Unusual pending/executed proposal ratio USDD has no on-chain Governor contract (governance.governor_address: null). No DAO, no Snapshot space. Unusual proposal ratio signal requires a governor contract with countable proposals. Not applicable to corporate-governed no-DAO structure.
RD-F-182 n/a Security-Council threshold reduction (RT) Security-Council threshold reduction event signal (batch-24 F182, Cat 6B). USDD has no Security Council, no on-chain multisig with a threshold parameter (safe_multisigs: []), and no bridge/protocol governance structure with a formal SC construct. The signal targets protocols with an on-chain Security Council multisig (e.g., Drift Protocol's 3/5 SC). USDD's governance is corporate (TRON DAO Reserve / Justin Sun); there is no threshold to reduce or monitor.
RD-F-100 green Flash loan >$10M targeting protocol tokens Flash loan targeting signal has limited applicability to USDD's architecture. USDD ERC-20 is not listed as a borrowable asset on Aave V3 or Balancer (data cache borrow.present: false). USDD's PSM design (1:1 USDC/USDT swap) is not a flash-loan-exploitable surface in the classic oracle-manipulation sense. TRON flash-loan infrastructure does not replicate EVM flash-loan patterns. No flash-loan targeting USDD contracts found in accessible EVM public records. Current architecture structurally limits flash-loan attack surface.
RD-F-105 green DNS/CDN/frontend hash drift DNS/frontend drift signal is applicable to usdd.io. Certificate transparency review (crt.sh retrieved 2026-05-17) shows: main wildcard (*.usdd.io + usdd.io) on Amazon CA (RSA 2048 M04), valid 2026-03-27 to 2026-10-10; docs/docs-zh/legacy-docs/beta-docs subdomains all on Google Trust Services with March-April 2026 issuances (valid 3-month cycles, consistent with automated cert rotation). No anomalous CA change, no unexplained cert rotation, no evidence of DNS hijack in observable cert transparency record. Multi-CA pattern (Amazon for main, Google for subdomains) is internally consistent. T-09 phase-2 signal infrastructure needed for live hash monitoring — static posture assessment only.
Dev identity & insider risk Green 15 16 of 16
RD-F-113 yellow Team other-protocol involvement history Justin Sun: founded TRON (2017), acquired BitTorrent (2018), acquired Poloniex (2019), World Liberty Financial investor ($75M), HTX (Huobi) advisor. No prior rug or exit-scam. SEC civil action (TRX wash trading 2017–2019, settled 2026 for $10M, no admission) is a material governance/conduct flag on a past project. Minting institutions are institutional-grade entities. Score yellow: prior-project involvement includes a civil fraud settlement, but no rug.
RD-F-114 yellow Deployer address prior on-chain history TRON TRC-20 deployer wallet not individually traceable (Tronscan 403-blocked). ETH ERC-20 v2 deployer (0x8EbdcF3d843E3A96137E84117C7989C883cE6127) not individually labeled on Etherscan or Ethplorer. Entity attribution is established (TRON DAO / Justin Sun); no prior rug attribution to TRON Foundation. Score yellow: entity-confirmed origin but individual deployer wallet prior history not directly verified due to TRON substrate blockage.
RD-F-121 yellow Contributor OSINT depth score Justin Sun: 5/5 OSINT depth (LinkedIn history, prior employer Ripple Labs, multiple conference appearances, academic credentials verifiable, Forbes profile, Wikipedia biography, SEC complaint). However, the TRON DAO Reserve team beyond Justin Sun (engineers, protocol developers) lacks public OSINT profiles — no named protocol engineers or CDP contract developers identified publicly. Minting institutions are named entities but individual principals are not individually profiled. Score yellow: lead figure is maximally transparent; engineering team is opaque.
RD-F-122 yellow Contributor paid to DPRK-cluster wallet No confirmed on-chain path ≤3 hops from TRON DAO Reserve contributor wallets to DPRK-labeled cluster found in published OSINT. TRON blockchain broadly used by DPRK IT workers (21 TRON/ETH addresses designated in March 2026 OFAC action), but this is chain-level. No Chainalysis or TRM Labs report links USDD contributor payment wallets specifically to Lazarus. Score yellow: elevated chain-level concern with no wallet-specific positive evidence.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion August 2024: ~12,000 BTC (~$726-732M) removed from TRON DAO Reserve with NO community vote and NO preceding public governance discussion. Justin Sun announced via personal X account retroactively. Confirmed publicly-reported process-bypass. However per U20: the event was PUBLICLY DISCLOSED (not concealed) — it is a process-bypass, not a hidden insider ACL change. USDD's governance is openly centralized with no DAO; there is no claim of democratic governance to violate by concealment. The Aug-2024 event is insider-conduct risk (one individual controlling a $1.4B stablecoin reserve with no checks), not red (which requires concealment/hidden ACL change). Score yellow: publicly-disclosed process-bypass by a single controlling figure.
RD-F-125 yellow Deployer linked within 3 hops to DPRK/Lazarus No OFAC SDN designation for Justin Sun, TRON Foundation, BitTorrent Foundation, or Rainberry. SEC v. Sun = civil action (TRX wash trading 2017-2019), settled March 2026 for $10M with no admission of wrongdoing, all charges dismissed. No criminal charges. TRON chain addresses used by DPRK IT workers in March 2026 OFAC designations (chain-level, not deployer-wallet-specific to USDD). No Chainalysis or TRM Labs published report identifies the USDD TRC-20 or ERC-20 deployer wallet within 3 hops of Lazarus cluster. Score yellow per U15: elevated concern (SEC civil fraud history; TRON chain used by DPRK IT workers) without confirmed deployer-wallet DPRK nexus. RD-F-125 red threshold NOT met. Discretionary F-grade trigger NOT escalated.
RD-F-116 gray Contributor tenure at admin-permissioned PR No public GitHub repository for USDD — contracts are TRON-native closed-source with no GitHub commit history accessible. Data cache confirms github.repo_url: null. Factor applies in principle (admin-permissioned code changes are relevant) but contributor tenure evidence is structurally unobtainable due to protocol opacity.
RD-F-117 n/a ENS/NameStone identity bound to deployer TRON substrate — no ENS registry applies. ENS is Ethereum-native; canonical USDD deployment is TRC-20 on TRON (no ENS binding concept). The ETH ERC-20 v2 deployer EOA shows no ENS name in available OSINT. Per U7 and TRON playbook: this factor is not_applicable for TRON-substrate protocols.
RD-F-119 n/a Commit timezone consistent with stated geography No public GitHub repository — factor is not assessable. No commit-time data available. TRON Foundation is based in Singapore/Caribbean; Justin Sun holds St. Kitts citizenship. No commit-time timezone anomaly analysis possible without a public repo.
RD-F-111 green Team doxx status Justin Sun is a maximally doxxed public figure: real name (Yucheng Sun / 孙宇晨), born 1990, Xining China, Peking University BA (History), U Penn MA (Political Economy), TRON founder since 2017, Forbes #411 ($8.5B net worth Apr 2026). TRON DAO Reserve is a named entity. Whitelisted minting institutions named publicly: Poloniex, Amber Group, Ankr, Mirana Ventures, FalconX, TPS Capital. Category: real-name doxxed at founder level; institutional entities named.
RD-F-112 green Team public accountability surface Justin Sun's public accountability surface is extensive: LinkedIn history (Ripple Labs prior work), conference speaker (Milken Institute Asia Summit 2023), X/Twitter @justinsuntron with millions of followers, Wikipedia biography, academic credentials (Peking U + U Penn) independently verifiable, SEC complaint with biographical details. Minting institutions are named corporate entities with registrable accountability.
RD-F-115 green Prior rug/exit-scam affiliation No verified rug or exit-scam attributable to Justin Sun, TRON Foundation, or named minting institutions. June 2022 USDD depeg was an economic event (peg restored via reserve deployment, not a rug). Aug 2024 BTC removal was a governance bypass (controversial but not an exit scam). No REKT database entry for USDD as a rug. Bluechip F-rating reflects governance risk, not a prior rug attribution.
RD-F-118 green Handle reuse across failed/rugged projects Justin Sun's X/Twitter handle @justinsuntron is consistent and long-established (TRON launch 2017 to present, unchanged). No evidence of handle cycling or reuse across prior rugged or failed projects. TRON DAO branding consistent since 2022. Minting institution names are stable institutional identities.
RD-F-120 green Video-off/voice-consistency flag Justin Sun has extensive video presence: YouTube appearances, Twitter Spaces, conference keynotes (Milken Institute Asia Summit 2023), multiple media interviews. No video-off flag. No voice/appearance inconsistency identified in curator observation. Doxxed physical presence at in-person events.
RD-F-124 green Deployer wallet mixer-funded within 30 days No evidence of Tornado Cash, Railgun, or similar mixer interaction within 30 days of TRC-20 deploy (May 2022) or ETH ERC-20 v2 deploy (Sept 2025). TRON-side: Tronscan 403-blocked prevents direct on-chain verification; no secondary source (Chainalysis, TRM, Arkham public labels) identifies mixer proximity for USDD deployer. ETH ERC-20 v2 deployer unlabeled on Etherscan. Justin Sun / TRON Foundation have CEX-routed funding histories, not mixer histories. Confidence medium due to TRON on-chain gap.
RD-F-184 green Real-capital social-engineering persona No curator-flagged social-engineering persona associated with USDD. The Drift Protocol Apr 2026 UNC4736 pattern (long-term persona building with $1M+ real-capital deposits before exploit) is not identified in USDD's history. Justin Sun is the de facto controlling figure — openly known and maximally public, not a covert implant. Minting institution members are named institutional entities with public footprints and no social-engineering persona flags.
Fork / dependency lineage Gray 0 10 of 10
RD-F-126 n/a Is-a-fork-of USDD is an original stablecoin design by TRON DAO Reserve. Not a fork of any prior protocol. Profile §5 explicitly confirms no fork lineage. Profile.meta.json cat8_fork_applicable: false. All Cat 8 factors N/A.
RD-F-127 n/a Upstream patch not merged No upstream protocol — USDD is an original issuer. This factor applies only to forks. N/A by construction.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream protocol — original issuer. Factor applies only to forks. N/A by construction.
RD-F-129 n/a Code divergence from upstream (%) No upstream protocol to diff against — original issuer. N/A by construction.
RD-F-130 n/a Fork depth (generations from original audit) No fork hops — original issuer. Fork depth concept does not apply to an original protocol. N/A.
RD-F-131 n/a Fork retains upstream audit coverage No fork — N/A. USDD has independent audit coverage (ChainSecurity ≥5, CertiK) by its own auditors, not upstream audit inheritance.
RD-F-132 n/a Fork has different economic parameters than upstream No fork — no upstream economic parameters to differ from. N/A.
RD-F-133 n/a Dependency manifest uses unpinned versions No public GitHub repository (data cache github.repo_url: null). TRON substrate (TVM, not EVM Foundry/npm). The Ethereum ERC-20 is a single-file contract with inline SafeMath and no external library imports — no dependency manifest applicable. N/A.
RD-F-134 n/a Dependency had malicious-release incident (last 90d) No public dependency manifest accessible (no public repo). No npm/PyPI/cargo dependencies identified. The Ethereum ERC-20 has no external library imports. N/A: cannot assess without dependency manifest and no known dependencies exist.
RD-F-135 n/a Shared-library version with known-vuln status Ethereum ERC-20 uses inline SafeMath (no external OZ/Solady library import). No external shared library version to check for CVEs. TRON: no repo. N/A for shared-library vulnerability framing.
Post-deploy hygiene & change mgmt Yellow 22 13 of 13
RD-F-137 yellow Upgrade frequency (per 90 days) Multiple major contract deployments in last 12 months: USDD 2.0 on TRON (Jan 2025), USDD native Ethereum ERC-20 and PSM (Sept 2025). These represent significant new attack surface introductions. No proxy upgrade mechanism (non-upgradeable architecture) so no Upgraded events to count, but the redeploy/new-deploy pattern shows high cadence.
RD-F-138 yellow Hot-patch deploys without timelock (last 30 days) No timelock exists on any chain — all deploys are structurally hot-patch eligible (no delay mechanism). No specific emergency hot-patch evidence in the last 30 days, but structural absence of timelock is the finding.
RD-F-139 yellow Post-audit code changes without re-audit [U3 RECONCILED: red→yellow] Prior red rested on two claims: (1) 'Ethereum native USDD deployed Sept 2025, audited Oct 2025 — deployed-before-audited.' This claim dissolves: the canonical ETH ERC-20 is 0x4f8e5de400de08b164e7421b3ee387f461becd1a, which is an older, pre-existing contract; the Sept 2025 'deployment' referred to the wrong contract (0x8EbdcF3d, 84 holders, test/secondary). (2) 'USDD 2.0 CDP on TRON (Jan 2025) — pre-deploy audit not confirmed.' ChainSecurity V2 audit (Jan 2025) and the active cadence of 5 ChainSecurity engagements including the Jan-2025 V2 audit suggest the CDP architecture had contemporaneous audit coverage; however, exact scope of the Jan-2025 ChainSecurity V2 audit vs the new TRC-20 CDP contracts is unconfirmed. Yellow (not green) because: the TRON CDP pre-deploy audit scope is unresolved and partial confirmation is insufficient for green. Red is not sustained because the cleaner 'deployed-before-audited' evidence stream (ETH Sept 2025) was based on the wr
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant USDD does not operate a bridge (has_bridge_surface: false). No per-window outflow rate-limiter documented for USDD protocol contracts. The June 2022 depeg recovery via $2B reserve deployment demonstrates TDR has a market-intervention capability, but this is economic intervention, not a code-level rate-limiter. TRON blockchain has emergency validator pause capability in principle (Tron Foundation controls supernodes) but is not a published USDD protocol-level mitigant. Yellow: partial positive mitigant exists (TDR reserve intervention) but no code-level rate-limiter confirmed.
RD-F-136 gray Deployed bytecode matches signed release tag No public GitHub repository (data-cache github.repo_url: null). Cannot compare deployed bytecode to a signed release tag. Canonical Ethereum 0x4f8e5de4 is Etherscan-verified but no GitHub repo to confirm release tag correspondence.
RD-F-140 gray Fix-merged-but-not-deployed gap No public GitHub repository. Cannot compare merged fixes to deployed bytecode. Unobtainable by construction.
RD-F-142 n/a Storage-layout collision risk across upgrades Canonical Ethereum USDD ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a) is not a proxy contract — direct, non-upgradeable implementation. No storage-layout collision risk from upgrades applicable. TRC-20 on TRON: TVM architecture, not EVM proxy pattern. N/A by contract architecture.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) Not applicable. Canonical Ethereum USDD ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a) is a direct non-proxy implementation with constructor(uint256 chainId_) — no initialize() function, no proxy pattern, no _disableInitializers() requirement. TRC-20 on TRON: TVM, not EVM proxy architecture. N/A by contract structure and substrate.
RD-F-144 gray CREATE2 factory permits same-address redeploy No evidence of CREATE2 factory pattern for Ethereum USDD (standard deploy used for 0x4f8e5de4). TRON deployment method unverifiable (Tronscan 403). Cannot confirm or deny for TRON contracts.
RD-F-145 gray Deployed bytecode reproducibility No public GitHub repository (data-cache github.repo_url: null). No documented build toolchain. TRON contracts effectively closed-source (Tronscan 403). Cannot confirm bytecode reproducibility.
RD-F-168 gray Stale-approval exposure on deprecated router Deprecated Old USDD Token (0x0C10bF8FcB7Bf5412187A595ab97a3609160b5c6) may retain active user ERC-20 approvals. Stale approval count not quantifiable in this session without an allowance-scan tool. TRON deprecated contracts also possible.
RD-F-141 green Test-mode parameters in deploy ChainSecurity fifth audit (Oct 2025) found no vulnerabilities. CertiK AA rating (87.5/100, Nov 2025). No test-mode parameters evident in canonical Ethereum verified source (0x4f8e5de4 is a clean ERC-20 with wards). Limited confidence given unverified TRON contracts.
RD-F-146 green New contract deploys in last 30 days No major new USDD contract deployments documented in the last 30 days (April-May 2026). The TVL spike visible in the data cache (April 14-15 2026: ~$650M to ~$1.09B) is likely a large institutional mint event, not a new contract deployment. No deployment announcements found for this period.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false, is_a_bridge=false.
RD-F-148 n/a Bridge validator count (M) No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-149 n/a Bridge validator threshold (k-of-M) No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-150 n/a Bridge validator co-hosting No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false. RD-F-151 (bridge ecrecover check) does not apply.
RD-F-152 n/a Bridge binds message to srcChainId No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-154 n/a Default bytes32(0) acceptable as valid root No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false. RD-F-154 (bytes32(0) valid root) does not apply.
RD-F-155 n/a Bridge validator-set rotation recency No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-156 n/a Bridge uses same key custody for >30% validators No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-157 n/a Bridge TVL per validator ratio No USDD-operated bridge; cross-chain via third-party BTTC + native mint. Profile has_bridge_surface=false.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Not applicable. USDD is not a LayerZero OApp. Data cache confirms layerzero.present=false. No DVN configuration to assess.
Threat intelligence & recon · Yellow · 44 · 8 of 8

RD-F-161 · red · Protocol-impersonator domain registered (typosquat)
  Protocol-impersonator domain registered (typosquat) signal — 90-day window applies (after 2026-02-17). USDD is a $1.475B stablecoin with high brand recognition; Justin Sun is a globally recognized crypto figure with an active social media presence. Three lines of structural evidence: (1) Stablecoin impersonation at scale: Blockaid 2025 documented 4,200+ malicious dApps using stablecoin branding and 54,000+ fraudulent stablecoin tokens — USDD is a named high-recognition stablecoin that is actively impersonated in the broader stablecoin impersonation wave. (2) TRON ecosystem phishing infrastructure confirmed active: JustLend (shares the TRON DAO / Justin Sun brand with USDD) had documented phishing infrastructure (justlend-dao.com) scoring Cat 11 red in the JustLend assessment. The TRON / Justin Sun brand cluster is actively targeted. (3) Justin Sun's SEC settlement (March 2026) created a heightened brand-exploitation window — high-profile news events drive domain registration spikes for imperson
RD-F-163 · yellow · Avg attacker reconnaissance time for peer-class protocols
  Attacker wallet reconnaissance window for similar-class protocols: CDP/stablecoin issuers with centralized governance and large TVS are high-value reconnaissance targets. Reference pattern: USPD-style 78-day reconnaissance; Lazarus Group typically conducts 30–90 days of reconnaissance before striking (documented across multiple TRON/DeFi incidents). USDD-specific reconnaissance: no confirmed attacker-wallet reconnaissance targeting USDD contracts in accessible public records. However, the TRON ecosystem is an active Lazarus target (Poloniex Nov 2023 attributed to Lazarus); $1.475B TVS with centralized minting authority and opaque reserve management creates a high-value reconnaissance target profile. Yellow: class-level elevated reconnaissance risk given TRON ecosystem targeting history; no confirmed active reconnaissance for USDD specifically.
RD-F-158 · gray · Known-threat-actor cluster has touched protocol
  Known-threat-actor wallet interaction is a Tier-C advisory signal requiring a live Chainalysis/TRM feed. Indirect adjacency documented: Poloniex (USDD whitelisted minter since 2022) was hacked Nov 2023 (~$126M), attributed to North Korea's Lazarus Group by Justin Sun and corroborated by blockchain investigators. USDD tokens were among the stolen assets, representing theft of circulating USDD — not direct exploitation of USDD contract infrastructure. No confirmed direct Lazarus wallet interaction with USDD TRC-20 (TPYmHEhy5n8TCEfYGqW2rPxsghSfzghPDn) or ERC-20 v2 (0x8EbdcF3d843E3A96137E84117C7989C883cE6127) in accessible public records. Curator follow-up: verify whether Poloniex minting credentials were revoked/rotated after the Nov 2023 hack.
RD-F-159 · gray · Attacker wallet pre-strike probe (low-gas failing txs)
  Mempool probe (failing low-gas txs from a threat-actor wallet) requires live mempool monitoring infrastructure combined with a threat-actor cluster list. Not assessable in static dry-run. TRON-side mempool not accessible. Ethereum-side requires a live mempool listener + Chainalysis/TRM feed.
RD-F-160 · n/a · GitHub malicious-dependency incident touching protocol deps
  USDD has no public GitHub repository (github.repo_url: null) and no public dependency manifest. GitHub security advisory monitoring for malicious dependencies requires a repo with a dependency tree. This signal cannot apply to a closed-source protocol with no public codebase.
RD-F-164 · gray · Leaked credential on paste/sentry site
  Leaked credential on paste/sentry site matching protocol infra requires a proprietary paste/cred-dump monitoring feed (e.g., Have I Been Pwned enterprise, SpyCloud) — not available in static dry-run. No USDD-specific credential leak found in accessible public records. Requires a live TI feed subscription for real assessment.
RD-F-165 · gray · Protocol social channel has scam-coordinator flag
  Telegram/Discord scam-coordinator flag requires a curator social watchlist feed. USDD has Telegram/Discord channels; no specific scam coordinator flagged in accessible public records. Requires curator-maintained social channel monitoring to assess. The broader stablecoin impersonation surface (F161) is documented, but this specific factor requires curator-level intelligence on channel membership.
RD-F-162 · green · Known-exploit-template selector deployed by any address
  Known-exploit-template selector-pattern deployment: no documented known exploit template targeting USDD ERC-20 v2 or TRC-20 contracts in accessible public records. USDD contracts are original designs (not forks of previously-exploited EVM protocols) audited by ChainSecurity (5 engagements) and CertiK. No USDD-specific exploit-template class documented in any public post-mortem or security advisory. Rekt database: rekt.incidents: [] for USDD. Green: no known exploit-template risk for USDD's contract architecture.
Tooling / compiler / AI · Yellow · 33 · 5 of 5

RD-F-170 · yellow · Solc version used (known-bug versions flagged)
  Ethereum canonical ERC-20 (0x4f8e5de400de08b164e7421b3ee387f461becd1a): Solidity v0.6.12+commit.27d51765, EVM version Istanbul, optimization 200 runs. Etherscan solcbuginfo confirms no critical or high severity bugs active in 0.6.12 (all high-severity bugs were fixed before this version). However, 0.6.12 is an older, EOL Solidity version (0.8.x is the current supported series). TRON primary: TVM compiler version unassessable (Tronscan-blocked). Yellow: older EOL Solidity version but no critical active bugs for this contract type.
RD-F-174 · yellow · Dependency tree uses EOL Solidity version
  Ethereum ERC-20 uses Solidity 0.6.12 (EOL; current is 0.8.x). No forward-compat patch exists for 0.6.12 — it is unsupported. The contract has no external library dependencies (inline SafeMath). TRON TVM uses its own toolchain outside Solidity's versioning. Yellow: EOL Solidity version on the Ethereum deployment; no future security patches will be issued for 0.6.x.
RD-F-171 · n/a · Bytecode similarity to audited upstream with behavior deviation
  No upstream protocol exists to compare bytecode against (original design). This factor requires a fork relationship to assess AI-copy risk. N/A.
RD-F-172 · gray · Repo shows AI-tool co-authorship in critical files
  No public GitHub repository (data cache github.repo_url: null). Cannot inspect commit history for AI co-authorship markers. Gray: data unavailable.
RD-F-173 · gray · Team self-disclosure of AI-generated Solidity
  No public GitHub repository. USDD Medium blog and TRON DAO blog contain no disclosure of AI-generated Solidity usage in security-critical code. Absence of evidence; cannot confirm or deny without repo access. Gray.
Response & disclosure hygiene · Red · 50 · 4 of 4

RD-F-175 · red · Disclosure channel exists
  No public security-disclosure channel exists for USDD. Immunefi search returned no USDD listing — confirmed absence (profile §9 Phase-0 confirmed 404, not anti-bot). No Sherlock program. No dedicated security email, HackerOne, or responsible-disclosure page on usdd.io or trondao.org. Data cache confirms bug_bounty.platform: null, bug_bounty.url: null. $1.475B TVS with zero public disclosure channel is a significant hygiene gap.
RD-F-176 · red · Disclosure SLA public
  No published acknowledgment-time SLA. Follows directly from F175 (no disclosure channel). No 72-hour or any other ack SLA published on usdd.io, TRON DAO Forum, or any accessible USDD documentation. Without a disclosure channel, no SLA can be meaningfully advertised.
RD-F-177 · green · Prior known-ignored disclosure
  No evidence that a disclosed vulnerability was ignored before being exploited. Zero contract exploits in USDD history means no post-mortem evidence of ignored disclosures exists. ChainSecurity audits found only minor issues (arithmetic precision, event handling) that were addressed; no pattern of ignored critical findings. Note: the absence of a disclosure channel (F175) makes ignored-disclosure structurally harder to observe, but absence of evidence is not evidence of ignoring — scored green for this specific factor.
RD-F-178 · green · CVE/GHSA advisory issued against protocol
  No CVE, GHSA, or equivalent public advisory has been issued against USDD's smart contracts. Web searches for 'USDD CVE' and 'USDD GHSA' returned no results. ChainSecurity audits identified only minor issues (precision, event handling) that did not rise to the CVE/GHSA publication threshold. The TRON-chain substrate (TVM) is not tracked by standard EVM-focused CVE databases; no TVM-specific advisory for USDD found.
rubric_version: v1.7.0 · graded_at: 2026-05-17 11:34:21 · factors: 184 · protocol: usdd