D1
Access Control
Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.
Weight 18%85% confidence
50
Concerning
info
How This Score Is Built
Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.
+23Strong positive
+12Positive
+5Slight positive
−15Strong negative
−8Negative
−3Slight negative
Scoring Tree
BRI Formula
300 + 700 × ∏(Dᵢ/100)^wᵢ
646
Current BRI
D1Access Control
Weight 18%
50
(50/100)^0.18 = 0.8827
Contributing Factors
+17Admin controls market creation and resolution
+17User pause/unpause capability for admin
+17Operator/admin role separation in CTF
-17Centralized market resolution (UMA oracle + admin override)
-17DEGRADED post-HACK-POLYMARKET-2026-001: UMA CTF Adapter Admin is a single-EOA hot key with no multisig protecting privileged ops
-17No on-chain timelock on admin actions, no per-tx velocity cap, no auto-pause on outflow rate
Score Composition
-17
Centralized market resolution (UMA oracle + admin override)
Strong negativeopen_in_newSource Code
-17
DEGRADED post-HACK-POLYMARKET-2026-001: UMA CTF Adapter Admin is a single-EOA hot key with no multisig protecting privileged ops
Strong negativeopen_in_newSource Code
-17
No on-chain timelock on admin actions, no per-tx velocity cap, no auto-pause on outflow rate
Strong negativeopen_in_newSource Code
+17
Admin controls market creation and resolution
+17
User pause/unpause capability for admin
+17
Operator/admin role separation in CTF
Evidence Chain (6 files)
hack_forensicsMay 27, 2026, 12:00 AM
open_in_newPrecedent: StakeDAO exploit (analogous)exploit type: Cross-chain trust binding hijack via private key compromise
loss usd: 91000
relation: analogous
match: Operational private key compromise, single wallet with admin-equivalent authority over protocol-adjacent value. Same dimensional failure: operational security p
hack_forensicsMay 23, 2026, 12:00 AM
open_in_newPrecedent: StablR exploit (analogous)exploit type: key_compromise
loss usd: 11020000
relation: analogous
match: Operational hot-wallet private-key compromise on Polygon (May 2026, $700K). Smaller scope (no mint authority) but identical anti-pattern of single-key custody f
BlackHart AnalysisMay 22, 2026, 11:37 AM
open_in_newAccess Control — Source Codesha256:5ebb3d36f03c...
hack_forensicsMay 22, 2026, 12:00 AM
open_in_newForensics: Polymarket exploit ($700,000)exploit type: key_compromise
loss usd: 700000
relation: direct
Audit ReportJun 1, 2024, 12:00 AM
Audit ReportJun 1, 2022, 12:00 AM
Score History
No dimension-level score changes recorded yet.
Methodology: 2.1Formula: 1.1Weights: 1.1