BlackHartBlackHart
D1

Access Control

Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.

Weight 18%79% confidence
60
Moderate
info

How This Score Is Built

Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.

+23Strong positive
+12Positive
+5Slight positive
−15Strong negative
−8Negative
−3Slight negative

Scoring Tree

BRI Formula
300 + 700 × ∏(Dᵢ/100)^wᵢ
796
Current BRI
D1Access Control
Weight 18%
60
(60/100)^0.18 = 0.9122
Contributing Factors
+20Program authority
+20Admin controls
+20Keeper permissions
-40Centralized operations
Evidence Sources
protocol_metadataAug 1
protocol_metadataMar 1
blackhart_hacks_feedApr 1View
blackhart_analysisMay 17sha256:58daf5aa4a22....View
blackhart_hacks_feedMay 22View

Score Composition

-40

Centralized operations

Strong negativeopen_in_newSource CodeMay 6, 2026
+20

Program authority

Strong positiveopen_in_newSource CodeMay 6, 2026
+20

Admin controls

Strong positiveopen_in_newSource CodeMay 6, 2026
+20

Keeper permissions

Strong positiveopen_in_newSource CodeMay 6, 2026

Evidence Chain (7 files)

hack_forensicsMay 27, 2026, 12:00 AM
open_in_newPrecedent: StakeDAO exploit (analogous)
exploit type: Cross-chain trust binding hijack via private key compromise
loss usd: 91000
relation: analogous
match: Admin key compromise leading to a single privileged transaction authorizing large-scale value extraction. Centralized admin authority with no multisig or timelo
hack_forensicsMay 23, 2026, 12:00 AM
open_in_newPrecedent: StablR exploit (analogous)
exploit type: key_compromise
loss usd: 11020000
relation: analogous
match: Multisig signer compromised via blind-signing social engineering on a 2/5 Safe (April 2026, $285M). Same root cause: weak operational security on privileged aut
hack_forensicsMay 22, 2026, 12:00 AM
open_in_newPrecedent: Polymarket exploit (analogous)
exploit type: key_compromise
loss usd: 700000
relation: analogous
match: Operational private-key compromise enabling unilateral drain. Drift was via long-form social engineering + durable-nonce blind signing on a 2/5 multisig; Polyma
GitHub APIMay 17, 2026, 06:58 PM
open_in_newGitHub (/)
sha256:58daf5aa4a22...
hack_forensicsApr 1, 2026, 12:00 AM
open_in_newForensics: Drift exploit ($285,000,000)
exploit type: key_compromise
loss usd: 285000000
relation: direct
Audit ReportMar 1, 2023, 12:00 AM
Audit ReportAug 1, 2022, 12:00 AM

Score History

No dimension-level score changes recorded yet.

Methodology: 2.1Formula: 1.1Weights: 1.1