
Risk Assessment: Flying Tulip FT Lend (#234) #237

Open: spalen0 wants to merge 6 commits into master from report/flying-tulip-234


spalen0 (Collaborator) commented Jun 7, 2026

Closes #234.

Risk assessment of Flying Tulip — FT Lend (ftDNMM) lending market on Ethereum. Report: reports/report/flying-tulip.md. All onchain values verified with cast + Etherscan at block 25264957 (Jun 7, 2026).

Verdict

High Risk — 5.0/5.0, gated by the "No audit" critical gate: the in-scope lending engine (PositionsManager, ConfigRegistry, IRMs, RFQ engines) and ftUSD have no public/dedicated audit. Residual weighted category subtotal is ≈3.5 (Elevated) if that gate is later cleared.

Key findings (onchain-verified)

  • Single 3-of-5 Gnosis Safe root of trust, no timelock (0x1118…70Cb): owns/upgrades every UUPS proxy, is ftUSD owner+masterMinter+pauser+blacklister, and can override oracle prices (setLastGoodPrice). Guardian is a 3-of-4 Safe sharing the same signers.
  • Unaudited in-scope contracts (verified on Etherscan but never security-reviewed); only the token-sale Escrow (PeckShield/Cantina) and the separate ftPUT product (Sherlock contest) were audited. No bug bounty, not in SEAL Safe Harbor.
  • Tiny & new: ~$2.7M supplied / ~$0.18M borrowed across 6 assets; ~59% concentrated in one WBTC depositor; launched ~Feb 2026 (~3.5 months).
  • Positives: onchain over-collateralization, blue-chip collateral, real Chainlink oracle for liquidations, idle supply earning Aave/Spark yield.

Category scores

| Category | Score | Weight |
| --- | --- | --- |
| Audits & Historical | 4.75 | 20% |
| Centralization & Control | 3.5 | 30% |
| Funds Management | 3.0 | 30% |
| Liquidity Risk | 3.0 | 15% |
| Operational Risk | 3.5 | 5% |

Draft for team review — see the report's Risk Score Assessment for the gate-vs-weighted-score discussion.

🤖 Generated with Claude Code

Risk assessment of Flying Tulip's FT Lend (ftDNMM) lending market on
Ethereum, verified onchain at block 25264957 (Jun 7, 2026).

Verdict: High Risk 5.0/5.0 — gated by the absence of any public/dedicated
audit of the in-scope lending engine and ftUSD contracts. Residual
weighted category subtotal is ~3.5 (Elevated) if that gate is cleared.

Key onchain findings: single 3/5 Gnosis Safe root of trust with no
timelock (owns/upgrades all UUPS proxies, ftUSD master-minter/blacklister,
oracle price override); ~$2.7M lending TVL with ~59% concentration in one
WBTC depositor; ~3.5 months in production.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
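
Added example (not part of this PR, the report, or the Flying Tulip code base): one way to quantify the finding above that the guardian Safe shares signers with the root Safe, by computing the smallest set of keyholders that satisfies both thresholds at once. The owner addresses are constructed placeholders, and the assumption that all four guardian owners are among the root Safe's five is made here for illustration; real lists would come from each Safe's `getOwners()` and `getThreshold()`.

```python
"""Joint-quorum check for two multisigs that share signers (added example)."""

# Constructed placeholder addresses, NOT the real Safe owners.
ROOT_OWNERS = [f"0x{0xabc000 + i:040x}" for i in range(1, 6)]       # 3-of-5 root
# Assumption: guardian owners are four of the root's five (upper-case hex
# digits here to show that comparison must ignore checksum casing).
GUARD_OWNERS = ["0x" + f"{0xabc000 + i:040X}" for i in range(1, 5)]  # 3-of-4 guardian


def normalize(owners):
    # EIP-55 checksums only change letter case, so compare lower-cased.
    return {o.lower() for o in owners}


def min_joint_quorum(root_owners, root_threshold, guard_owners, guard_threshold):
    """Smallest number of distinct keyholders able to sign for BOTH Safes."""
    root, guard = normalize(root_owners), normalize(guard_owners)
    if not (0 < root_threshold <= len(root) and 0 < guard_threshold <= len(guard)):
        raise ValueError("threshold must be between 1 and the number of owners")
    shared = root & guard
    # A shared signer counts toward both thresholds, so spend those first.
    use_shared = min(len(shared), max(root_threshold, guard_threshold))
    extra_root = max(0, root_threshold - use_shared)    # root-only signers needed
    extra_guard = max(0, guard_threshold - use_shared)  # guardian-only signers needed
    return {
        "shared_signers": sorted(shared),
        "min_keyholders_for_both": use_shared + extra_root + extra_guard,
        # Baseline if the two Safes had no signer in common.
        "keyholders_if_independent": root_threshold + guard_threshold,
    }


if __name__ == "__main__":
    result = min_joint_quorum(ROOT_OWNERS, 3, GUARD_OWNERS, 3)
    print(f"shared signers:            {len(result['shared_signers'])}")
    print(f"keyholders to control both: {result['min_keyholders_for_both']}")
    print(f"if fully independent:       {result['keyholders_if_independent']}")
```

Under these assumptions the same three keyholders meet both thresholds, so the guardian adds no independent check on the root Safe.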

vercel Bot commented Jun 7, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| risk-score | Ready | Preview, Comment | Jun 15, 2026 11:30am |


@spalen0 spalen0 marked this pull request as ready for review June 12, 2026 13:30

Development

Successfully merging this pull request may close these issues.

Risk Assessment: Flying Tulip Lending market

2 participants