Scores/Drift Protocol/Provenance/Access Control

Access Control

Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.

Weight 18%79% confidence

Moderate

info

How This Score Is Built

Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.

+23Strong positive

+12Positive

+5Slight positive

−15Strong negative

−8Negative

−3Slight negative

Scoring Tree

BRI Formula

300 + 700 × ∏(Dᵢ/100)^wᵢ

796

Current BRI

D1Access Control

Weight 18%

(60/100)^0.18 = 0.9122

Contributing Factors

+20Program authority

+20Admin controls

+20Keeper permissions

-40Centralized operations

Evidence Sources

protocol_metadataAug 1

protocol_metadataMar 1

blackhart_hacks_feedApr 1View

blackhart_analysisMay 17sha256:58daf5aa4a22....View

blackhart_hacks_feedMay 22View

Score Composition

-40

Centralized operations

Strong negativeopen_in_newSource CodeMay 6, 2026

+20

Program authority

Strong positiveopen_in_newSource CodeMay 6, 2026

+20

Admin controls

Strong positiveopen_in_newSource CodeMay 6, 2026

+20

Keeper permissions

Strong positiveopen_in_newSource CodeMay 6, 2026

Evidence Chain (7 files)

hack_forensicsMay 27, 2026, 12:00 AM

open_in_newPrecedent: StakeDAO exploit (analogous)

exploit type: Cross-chain trust binding hijack via private key compromise

loss usd: 91000

relation: analogous

match: Admin key compromise leading to a single privileged transaction authorizing large-scale value extraction. Centralized admin authority with no multisig or timelo

hack_forensicsMay 23, 2026, 12:00 AM

open_in_newPrecedent: StablR exploit (analogous)

exploit type: key_compromise

loss usd: 11020000

relation: analogous

match: Multisig signer compromised via blind-signing social engineering on a 2/5 Safe (April 2026, $285M). Same root cause: weak operational security on privileged aut

hack_forensicsMay 22, 2026, 12:00 AM

open_in_newPrecedent: Polymarket exploit (analogous)

exploit type: key_compromise

loss usd: 700000

relation: analogous

match: Operational private-key compromise enabling unilateral drain. Drift was via long-form social engineering + durable-nonce blind signing on a 2/5 multisig; Polyma

GitHub APIMay 17, 2026, 06:58 PM

open_in_newGitHub (/)

sha256:58daf5aa4a22...

hack_forensicsApr 1, 2026, 12:00 AM

open_in_newForensics: Drift exploit ($285,000,000)

exploit type: key_compromise

loss usd: 285000000

relation: direct

Audit ReportMar 1, 2023, 12:00 AM

Audit ReportAug 1, 2022, 12:00 AM

Score History

No dimension-level score changes recorded yet.

Methodology: 2.1Formula: 1.1Weights: 1.1

How is Access Control scored?← Back to Provenance Ledger