
superform

FORGED

DeFi · Ethereum · Unknown TVL · 10 contracts

Official site: www.superform.xyz

BRI score: 617
Confidence: 82%
Z-Factor: 0.50
Updated: 2026-05-27 (public score)

Security Profile

Access Control: 42
Economic Soundness: 48
Oracle Integrity: 52
Compositional Risk: 35
Governance & Upgradeability: 55
Battle-Tested Maturity: 40
Adversarial Resilience: 25
Supply Chain: 60
Liquidity & Market Structure: 50
Cross-Chain Messaging: 30
Operational Security: 57

Min: 25 · Avg: 45 · Max: 60

Audit History

Bug Bounty Program: Unknown
Max payout: Unknown

Assessment

Cross-chain yield aggregator with 17 validated findings (3 Critical, 8 High) from 6 parallel analysis lenses. F1 class (inspect/build gap) is systemic across hooks — 10 lens cross-confirmations. Pre-mainnet v2 with 6 prior audits that missed these surfaces. BRI lands at low FORGED (602) due to extreme compositional and cross-chain risk partially offset by standard supply chain and governance structures.

Dimension Breakdown

Access Control (weight 19%, confidence 88%): 42
  +10  F1 class: inspect()-vs-build() systemic parameter binding gap across 6 hooks
  +10  Manager can substitute critical calldata (dstChainId, recipient, lltv, outputAmount)
  +10  6 sub-findings (F1a-F1f) with validated PoCs; 10 lens hits across 4 agents
  +10  F1a composes with ACK'd H-3.1.2 for SuperPosition supply inflation (Critical)

Economic Soundness (weight 14%, confidence 82%): 48
  +12  F2: maxStaleness has no upper bound; manager sets type(uint256).max to disable PPS gate
  +12  F3: updatePPSAfterSkim bypasses 14-property DOD oracle validation
  +12  F4: cancel-redeem silently overridden by fulfill; manager captures optionality value
  +12  PPS manipulation surfaces compose: F2+F3+Recon M-02 ACK'd PPS-sandwich

Oracle Integrity (weight 14%, confidence 80%): 52
  +10  F2: maxStaleness floor-only enforcement; no ceiling on oracle staleness
  +10  F3: skim path bypasses validator-network DOD (sets lastUpdateTimestamp directly)
  +10  F5: ECDSAPPSOracle uses abi.encodePacked instead of abi.encode for EIP-712
  +10  Standard signers produce wrong digest; silent ProofValidationFailed events

Battle-Tested Maturity (weight 13%, confidence 85%): 40
  -20  v2 not yet deployed to mainnet (Cantina bounty active, pre-launch)
  -20  VaultBank still in test/draft; not yet promoted to src/
  -20  High velocity of changes across 193-contract surface
  +40  6 prior audits (Spearbit, Recon, node.security, etc.) completed on earlier versions

Governance & Upgradeability (weight 11%, confidence 75%): 55
  +18  SuperGovernor exists but manager role is over-trusted
  +18  maxStaleness floor-only enforcement (no ceiling; cosmology assumption #16)
  -45  No on-chain slashing for manager misbehavior (cosmology assumption #12)
  +18  Manager-as-strategist can keep staleness clock fresh without validator activity

Adversarial Resilience (redacted) (weight 7%, confidence 92%): 25
  • 6 prior audits (Spearbit, Recon, node.security, etc.) missed these findings
  • 17 validated findings including 3 Critical-class with 10 validated PoCs
  • F1 class (10 lens cross-confirmation) exploits pattern noted but not enumerated by Spearbit M-5.3.10
  • F7 is dual surface of node.security M-01 fix; new bug introduced by prior remediation

Compositional Risk (weight 5%, confidence 90%): 35
  -32  Extreme composition: hooks compose with cross-chain bridges (Across, DeBridge)
  +12  External protocol integrations: Morpho, Ethena, Centrifuge, Pendle, Spectra, Fluid, Gearbox
  +12  Internal SuperPosition system creates synthetic cross-chain positions
  -32  F1 class directly exploits composition boundary between inspect() and build()

Supply Chain (weight 4%, confidence 70%): 60
  +15  Standard dependencies: OpenZeppelin, forge-std, solady
  +15  No exotic or unaudited supply chain dependencies
  +15  Substrate/Solidity mixed stack but standard patterns
  +15  Moderate dependency complexity from multi-protocol integrations

Cross-Chain Messaging (weight 4%, confidence 88%): 30
  +8   Cross-chain is CORE to SuperForm architecture, not optional
  -70  F1a/F1e/F1f directly exploit cross-chain bridge hook calldata binding gaps
  +8   Multiple bridge integrations: Across, DeBridge, Circle CCTP
  +8   SuperPositions create synthetic cross-chain receipt tokens

Liquidity & Market Structure (weight 2%, confidence 60%): 50
  +25  Pre-mainnet: TVL not yet established for v2
  +25  v1 had moderate TVL but v2 is a complete redesign

Operational Security (weight 2%, confidence 60%): 57
  -22  No branch protection detected
  -22  CI/CD present but unstable (20% success)
  +14  Commit signing: 100% verified
  +14  SECURITY.md present (detailed)

Top Score Drivers

Dimensions with the greatest marginal impact on BRI.

Access Control: 42 (+51 potential)
  Manager-as-strategist trust boundary is load-bearing with no on-chain enforcement
Battle-Tested Maturity: 40 (+35.1 potential)
  6 prior audits (Spearbit, Recon, node.security, etc.) completed on earlier versions
Adversarial Resilience: 25 (+30.8 potential)
Economic Soundness: 48 (+30.2 potential)
  F2: maxStaleness has no upper bound; manager sets type(uint256).max to disable PPS gate
Cascade Exposure: 40 (+29 potential)
  SuperPositions create synthetic cross-chain positions; failure cascades to all chains

Adversarial Risk Signals

Publicly verifiable security posture indicators.

Disclosure History: Not Assessed
Remediation Velocity: Not Assessed
Bug Bounty Program: Not Assessed
Audit Coverage: Not Assessed
Incident History: Not Assessed
Deployed: Unknown
Dimensions scored: 11
Methodology v2.1 · formula v1.1 · weights v1.1 · evidence sha256:sha256:1...

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

Protocol Slug: "superform"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours
Read Score: registry.getScore("superform")