Aave

7 deployments · $13.7B aggregate TVL · Lending

Deployments

Each deployment is rated independently. Pick one to see its rating, risk analysis, and stage.

TVL $13.2B

Type Lending

Chains Ethereum, Plasma, Arbitrum, Base, Avalanche +16

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

DefiScan Stage 0 Rated across 4 deployments ↗

Tier silver Weak AI consensus on all dimensions
Verifiability tentative Verified source + 5 auditors pre-deployment
Control tentative T1 upgrades reachable via ~5-day fast path
Ability to exit tentative Exits pausable indefinitely by 5-of-9 multisig
Autonomy tentative Oracle dependency with governance fast-paths
Open Access tentative Contracts open; official UI screens wallets

Control criteria

Upgradeability Upgradeable Bug bounty audits.sherlock.xyz Governance forum governance.aave.com Docs aave.com

About

Aave V3 is a decentralized non-custodial lending protocol where users supply assets to earn interest and borrow assets by providing overcollateralized deposits. It operates across 20+ chains with isolated markets and risk parameters managed through on-chain AAVE token governance. The protocol uses a cross-chain governance system (Governance V3) with voting via storage proofs on multiple networks while token balances remain on Ethereum mainnet.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

DEFI@home is a distributed audit network modeled on SETI@home: instead of CPU cycles, it crowdsources LLM reasoning. Paste a slice prompt into Claude, ChatGPT, Gemini, or any browsing-capable model, and submit the JSON output as a pull request. The quorum bot merges it once ≥3 independent runs (from different models) reach the same grade — no single model, and no single contributor, can move the needle alone. How it works →

Address discovery 225 addresses on file · 2 runs Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability ✓ 3/3 models agree AI-only weak green — weak consensus margin; only 0/3 sources have a public chat share link; total support weight 0.12 below confidence floor (1.5) Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control ✓ 4/4 models agree AI-only weak orange — only 0/4 sources have a public chat share link; total support weight 0.38 below confidence floor (1.5) Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit ✓ 3/3 models agree AI-only weak red — weak consensus margin; only 0/3 sources have a public chat share link; total support weight 0.12 below confidence floor (1.5) Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy ✓ 3/3 models agree AI-only weak orange — weak consensus margin; only 0/3 sources have a public chat share link; total support weight 0.12 below confidence floor (1.5) Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access ✓ 3/3 models agree AI-only weak orange — only 0/3 sources have a public chat share link; total support weight 0.12 below confidence floor (1.5) Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative 3/3 models agree AI-only 0/3 with chat share link

Pool/PoolConfigurator/PoolAddressesProvider all 'Source Code Verified - Exact Match' on Etherscan; deployed implementations correspond to aave-dao/aave-v3-origin@v3.6.0; v3.6 audited Nov 2025 by 5 recognized firms (Certora, MixBytes, Pashov, Blackthorn, Savant) ~2 months before on-chain upgrade Jan 2026.

Verdict

All three core Aave V3 contracts on Ethereum mainnet (Pool proxy 0x87870Bca..., PoolConfigurator proxy 0x64b761D8..., PoolAddressesProvider 0x2f39d218...) show 'Source Code Verified - Exact Match' on Etherscan. Both proxy AND current implementation contracts are independently verified: Pool implementation 0x8147b99d... ('PoolInstance', Solidity 0.8.27) and PoolConfigurator implementation 0x6fDdde45... ('PoolConfiguratorInstance', Solidity 0.8.27). The deployed implementations correspond to the public aave-dao/aave-v3-origin repo at tag v3.6.0 (commit 5a230ec82fcb10afc7fe7cffa8978752fb17aa2b): contract names match exactly, the v3.6.0 PoolInstance.sol declares POOL_REVISION=10 and PoolConfiguratorInstance.sol declares CONFIGURATOR_REVISION=7. The current v3.6 release was audited by five recognized firms (Certora, MixBytes, Pashov, Blackthorn, Savant) in Nov 2025, ~2 months before the on-chain upgrade (Jan 16, 2026), well within the 6-month freshness window. Earlier versions (V3 genesis, V3.0.1, V3.0.2, V3.1, V3.2, V3.3, V3.4, V3.5) were each independently re-audited by recognized firms (OpenZeppelin, Trail of Bits, ABDK, Sigma Prime, Peckshield, Certora, MixBytes, ChainSecurity, Sherlock), so post-audit drift is continuously addressed. Choosing green because all V1-V6 conditions hold with direct on-chain and repo evidence.

Steelman argument

Steelman argument Pool, PoolConfigurator and PoolAddressesProvider are all 'Verified - Exact Match' on Etherscan with both proxies and current implementations verified; deployed implementation source corresponds to aave-dao/aave-v3-origin @ tag v3.6.0 (5a230ec82fcb10afc7fe7cffa8978752fb17aa2b); five recognized firms audited v3.6 Nov 16-29 2025, only ~2 months before the on-chain upgrade Jan 16 2026 - all green-rule conditions hold.

Evidence (6)

V1: Pool 0x87870Bca..., PoolConfigurator 0x64b761D8..., PoolAddressesProvider 0x2f39d218..., and ACLManager 0xc2aaCf65... all show 'Source Code Verified - Exact Match' on Etherscan.
V6: Both Pool and PoolConfigurator are EIP-1967 proxies; their current implementations 0x8147b99d... (PoolInstance) and 0x6fDdde45... (PoolConfiguratorInstance) are independently verified with exact-match status.
V2: Verified deployed sources correspond to aave-dao/aave-v3-origin tag v3.6.0 (commit 5a230ec82fcb10afc7fe7cffa8978752fb17aa2b): contract names PoolInstance and PoolConfiguratorInstance match the repo's src/contracts/instances/ folder, with POOL_REVISION=10 and CONFIGURATOR_REVISION=7 consistent with the v3.6.0 release.
V3: Audit coverage is dense and continuous: V3.6 audited by Blackthorn (2025-11-16), Certora (2025-11-18), MixBytes (2025-11-18), Savant (2025-11-18), Pashov (2025-11-29). Earlier versions V3.5/V3.4/V3.3/V3.2/V3.1/V3.0.x each have multiple firm audits (Certora, MixBytes, ABDK, OpenZeppelin, Trail of Bits, Sigma Prime, PeckShield, Sherlock, Oxorio, Enigma).
V4: All current and historical auditors are recognized: Certora (formal verification), Trail of Bits, OpenZeppelin, ABDK, Sigma Prime, PeckShield, MixBytes, ChainSecurity, Sherlock are explicitly listed in the recognized-firm rubric. Pashov, Blackthorn, Savant, StErMi, Enigma are well-known Solidity audit/contest firms in 2025-26 practice.
V5: On-chain Pool upgrade to v3.6 implementation occurred ~Jan 16, 2026, ~2 months after the Nov 2025 v3.6 audits, well within the 6-month freshness window. BGD Labs has shipped V3.0.1 -> V3.6 with separate audits per version, so historical post-audit drift has been continuously re-audited.

Why is this consensus tentative?

weak consensus margin
only 0/3 sources have a public chat share link
total support weight 0.12 below confidence floor (1.5)

A fresh independent run can strengthen (or overturn) the verdict.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Sources claude-opus-4-7 no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗

Control tentative 4/4 models agree AI-only 0/4 with chat share link

Aave V3 is governed by AAVE token-weighted on-chain governance with a 1-day timelock on the Short Executor path that can perform T1 fund-critical actions (upgrade Pool implementations, change oracles, pause markets). The 5-of-9 guardian multisig has veto-only power.

Verdict

Choosing orange because T1 fund-critical actions (Pool implementation upgrades via PoolAddressesProvider.setPoolImpl, oracle source changes) are reachable through the Short Executor path with only a 1-day (86400s) timelock delay, which is >0 but <7 days. While governance is broad and token-weighted with AAVE/stkAAVE/aAAVE, the 1-day timelock on the Short Executor is insufficient for the 7-day exit-window standard required for green on a T1 path. The guardian (5-of-9 multisig) has instant T1-scoped emergency pause power, but this is limited to pause/cancel and does not compound the timelock concern since it cannot execute upgrades. The Long Executor's 7-day timelock only covers T3 governance-internal changes, not the primary T1 upgrade path.

Steelman argument

Steelman argument T1 fund-critical actions (implementation upgrades, oracle changes) are reachable via the Short Executor with only a 1-day timelock, which is below the 7-day exit-window standard; the guardian multisig's pause power adds further instant T1 capability scoped to emergencies.

Evidence (7)

C1: Governance V3 core (0x9AEE…BC7) is a TransparentUpgradeableProxy whose owner() is the Short Executor at 0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A. The guardian() is the 5-of-9 multisig at 0xCe52ab41C40575B072A18C9700091Ccbe4A06710. The PayloadsController (0xdAbad81a…) also has owner() = 0x5300…5192A and guardian() = 0xCe52ab41…. The Executor (0x5300…) has owner() = PayloadsController (0xdAbad81a…), forming the chain: Governance V3 → PayloadsController → Executor → protocol contracts.
C2: Both Governance V3 (0x9AEE…BC7) and PayloadsController (0xdAbad81a…) are TransparentUpgradeableProxy contracts. The Governance proxy implementation is at 0x58BcB647…; PayloadsController implementation at 0x7222182c…. The Executor (0x5300…) is NOT a proxy — it is immutable. Upgradeability of proxies is controlled by the Executor, which is itself controlled by PayloadsController (i.e., governance proposals). The Pool (0x87870bca…) is also a proxy managed via the PoolAddressesProvider, whose owner is the Executor. Overall: upgradeable.
C3: EXECUTION PATH (Short Executor / Level 1 — most protocol updates): (1) Proposal created on Governance V3 at 0x9AEE…BC7; (2) coolDownBeforeVotingStart (docs state 1 day for short path); (3) voting period of 3 days (MIN_VOTING_DURATION = 259200s on-chain); (4) vote results relayed via CrossChainController → PayloadsController queues payload; (5) MIN_EXECUTION_DELAY = 86400s (1 day) on PayloadsController at 0xdAbad81a…; (6) Executor 0x5300… executes via executeTransaction. The uncontested fast-path TIMELOCK DELAY is 1 day (86400s). The Long Executor path (Level 2) for governance-internal changes has a 7-day timelock and 10-day voting period per docs.
C4: Guardian multisig at 0xCe52ab41C40575B072A18C9700091Ccbe4A06710 is a 5-of-9 Gnosis Safe v1.3.0. Nine owners: 0xDA5A…BE7D, 0x1e38…8885, 0x4f96…1DC9, 0xebED…FE29, 0xbd4D…d4B7, 0xA310…7396, 0x936C…9EF3, 0x0D23…0E9, 0x4C30…099f. Per Aave docs, composed of 'highly active entities within the Aave DAO, such as service providers and delegates.' The guardian can cancel governance proposals and payloads (veto power) but cannot execute or upgrade. GranularGuardian (0x4457cA11…) has SOLVE_EMERGENCY_ROLE and RETRY_ROLE for cross-chain emergency management on CrossChainController only. Signer identities are not fully publicly enumerable from on-chain data alone — per docs they are service providers and delegates, making insider/non-insider classification uncertain.
C5: On-chain governance uses AAVE, stkAAVE, and aAAVE token-weighted voting via Governance V3 at 0x9AEE…BC7. MIN_VOTING_DURATION = 259200s (3 days) read on-chain. ACHIEVABLE_VOTING_PARTICIPATION = 5,000,000e18 (5M AAVE). Docs: Short Executor proposals require 3-day voting period and 1-day timelock; Long Executor proposals require 10-day voting period and 7-day timelock. Voting configs per access level are set via getVotingConfig(uint8) but the API endpoint was blocked during this run. Docs confirm quorum and vote differential requirements exist.
C6: The Protocol Guardian (5-of-9 multisig at 0xCe52ab41…) holds EMERGENCY_ADMIN role and can pause markets and cancel proposals/payloads. This is a separate emergency power from the main upgrade/governance path. Per Aave docs, this guardian is 'responsible for acting swiftly in emergency situations to protect the protocol.' The guardian can pause but pausing is time-bounded by the need for governance to unpause or the guardian to lift the pause. The guardian CANNOT upgrade contracts or change implementations — only cancel/pause.
C7: POWER TIER — T1 (FUND-CRITICAL) is reachable on the Short Executor (Level 1) path. The Executor at 0x5300… is the ACL Admin for Aave V3 and can call PoolAddressesProvider.setPoolImpl() to replace the Pool implementation (holding user funds), set oracle sources via AaveOracle, and configure reserve parameters via PoolConfigurator. These are T1 functions (replace implementation of fund-holding contracts, change oracle sources). The Long Executor (Level 2) handles T3 governance-internal changes with a 7-day timelock. The guardian's pause power is also T1-scoped (can freeze withdrawals) but is veto/pause only, not an upgrade path.

Why is this consensus tentative?

only 0/4 sources have a public chat share link
total support weight 0.38 below confidence floor (1.5)

A fresh independent run can strengthen (or overturn) the verdict.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Sources claude-opus-4-6 (autorun) no url claude-opus-4-7 no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗

Ability to exit tentative 3/3 models agree AI-only 0/3 with chat share link

Aave V3 withdraw/repay/liquidationCall are gated by ReservePaused; 5-of-9 Protocol Guardian Safe (EMERGENCY_ADMIN) can call setPoolPause unilaterally with NO time cap on the paused state — pause persists until same admin clears it. No escape hatch, no auto-expiry.

Verdict

Choosing red because withdraw/repay/repayWithATokens/repayWithPermit/liquidationCall all delegate to library validators that revert with Errors.ReservePaused() when the reserve's paused bit is set. The pause bit is set/cleared by PoolConfigurator.setReservePause/setPoolPause, gated by onlyEmergencyOrPoolAdmin, callable by either the EMERGENCY_ADMIN_ROLE holder (Aave Protocol Guardian Safe 0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30, verified 5-of-9 Gnosis Safe) or POOL_ADMIN_ROLE holder (Aave Governance v3 Executor Lvl1, 0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A, timelocked governance). Critically, neither setPoolPause nor setReservePause take a maximum-duration parameter that bounds the paused state: MAX_GRACE_PERIOD = 4 hours caps only the post-unpause liquidation grace window, not the pause itself. There is no auto-expiry, no escape-hatch / forced-exit mechanism, and no separate already-finalized-claim path that bypasses the pause guard - withdrawal IS the exit, and it is pause-gated. The 5-of-9 emergency-admin multisig can therefore freeze user withdrawals indefinitely without a governance vote, matching the slice's red criterion 'ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely'. Functions are directly callable on-chain via Etherscan Write-as-Proxy and any wallet (no frontend dependency).

Steelman argument

Steelman argument withdraw/repay/liquidationCall all revert under ReservePaused; setPoolPause and setReservePause are callable by a 5-of-9 multisig (EMERGENCY_ADMIN) with NO time cap on the paused state itself, no auto-expiry, no escape hatch. Per the slice rubric 'ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely' = red.

Evidence (7)

E1: User-facing exit functions on Pool: withdraw(asset,amount,to), repay(asset,amount,interestRateMode,onBehalfOf), repayWithATokens(asset,amount,interestRateMode), repayWithPermit(asset,amount,interestRateMode,onBehalfOf,deadline,permitV,permitR,permitS), liquidationCall(collateralAsset,debtAsset,borrower,debtToCover,receiveAToken). All public/virtual/override and delegate to SupplyLogic.executeWithdraw / BorrowLogic.executeRepay / LiquidationLogic.executeLiquidationCall.
E2: ValidationLogic enforces pause guards: validateWithdraw -> require(!isPaused, Errors.ReservePaused()); validateRepay -> require(!isPaused, Errors.ReservePaused()); validateLiquidationCall -> require(!collateralReservePaused && !principalReservePaused, Errors.ReservePaused()). All exit paths are pause-gated; freeze gates only NEW debt creation (validateBorrow) and supply, not repay/withdraw.
E3: PoolConfigurator.setPoolPause(bool paused) external onlyEmergencyOrPoolAdmin -> calls setPoolPause(paused, 0); setReservePause(asset, paused, gracePeriod) public onlyEmergencyOrPoolAdmin. MAX_GRACE_PERIOD = 4 hours but the require(gracePeriod <= MAX_GRACE_PERIOD) only fires when UNPAUSING and bounds the post-unpause liquidation grace window. The PAUSE itself is a boolean with no expiry timestamp - it persists until explicitly unpaused.
E4: Two pause paths: (1) EMERGENCY_ADMIN_ROLE held by Protocol Guardian 0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (verified 5-of-9 Gnosis Safe), unilateral pause without governance. (2) POOL_ADMIN_ROLE held by 0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Aave Governance v3 Executor Lvl1, timelocked). Emergency-admin path has no time cap; pool-admin path requires governance vote.
E5: Aave V3 has NO queued redemption, NO daily withdrawal cap, NO multi-block claim phase. SupplyLogic.executeWithdraw burns aTokens and transfers underlying in the same call/block. Only constraint is reserve liquidity and health factor.
E6: Aave V3 has NO permissionless escape-hatch / forced-exit mechanism. Pool.sol exposes no function that bypasses ValidationLogic.validateWithdraw's ReservePaused require. There is no time-locked auto-unpause, no governance-bypass exit, no aToken redemption path that ignores Pool state.
E7: Etherscan exposes Pool proxy under 'Write as Proxy', delegating to verified implementation. withdraw/repay/repayWithATokens/repayWithPermit/liquidationCall are all directly callable via Etherscan Web3 Connect or any generic wallet/SDK without any Aave-frontend dependency. Recent transaction history confirms organic non-frontend calls. No referrer check, no signed-attestation required.

Why is this consensus tentative?

weak consensus margin
only 0/3 sources have a public chat share link
total support weight 0.12 below confidence floor (1.5)

A fresh independent run can strengthen (or overturn) the verdict.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Sources claude-opus-4-7 no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗

Autonomy tentative 3/3 models agree AI-only 0/3 with chat share link

Aave V3 has multi-layered oracle safety (CAPO caps, fallback, PriceOracleSentinel, Umbrella) and 1-day/7-day governance timelocks, but per-reserve oracle sources are governance-mutable on a 1-day delay (Level 1 executor) plus Risk-Steward multisig fast-paths; March 2026 CAPO misconfig caused ~$27M and April 2026 Kelp/rsETH bridge exploit pushed ~$200M of bad debt into V3 markets. Impacted TVS realised ~1-2% (~$200M of ~$13.6B).

Verdict

Choosing orange because Aave V3 Core Lending (Ethereum + L2s, ~99% of $13.6B TVS) holds the dominant share; GHO module (~$200M GHO outstanding, <2% of TVS) and Umbrella Safety Module are smaller. The core architecture is verifiable on-chain: AaveOracle (0x54586bE62E3c3580375aE3723C145253060Ca0C2) reads per-asset Chainlink/CAPO sources with a configurable fallback, gated by POOL_ADMIN/ASSET_LISTING_ADMIN roles held by Executor Lvl1 (1-day timelock via PayloadsController) and bypassable for narrow params by Risk Stewards (1-of-1 / 2-of-2 multisig with on-chain constraints). PriceOracleSentinel and CAPO caps are LIVE on-chain mitigations against external oracle anomalies. Two real 2026 incidents bound the grade: (a) March-2026 CAPO snapshot/timestamp misconfiguration caused ~$27M unfair wstETH liquidations (DAO reimbursed via treasury), (b) April-2026 Kelp DAO LayerZero bridge exploit minted unbacked rsETH that an attacker deposited as Aave V3 collateral on Ethereum + Arbitrum, leaving ~$200M of bad debt that the DAO is socializing. Aave's smart contracts functioned as designed in (b) - the loss came from an opt-in third-party LRT - but rsETH was not isolation-mode-only and the bad debt cross-cuts the WETH reserve via shortfall. Together with the 1-day-only timelock on most oracle-relevant actions (Level 1) and the Risk Steward fast-path, this fits Stage 1 / orange: external dependency failures can degrade performance and create bounded principal loss but cannot trivially drain the protocol; mitigations are partial and have been observed to fail.

Steelman argument

Steelman argument External dependency failures can cause bounded performance degradation and bounded principal loss (March-2026 CAPO: ~$27M, refunded; April-2026 Kelp: ~$200M, partly covered by Aave + DeFi-United bailout), but defense-in-depth (CAPO caps, PriceOracleSentinel for L2 sequencer outages, Umbrella slashing, Protocol Guardian freeze, governance timelocks of 1-day / 7-day, isolation mode and supply caps per reserve) prevents catastrophic protocol-wide drains, and the contracts themselves continued functioning as designed during both incidents.

Evidence (12)

A1: AaveOracle (0x54586bE62E3c3580375aE3723C145253060Ca0C2) is the only oracle entrypoint for the Pool. Per-reserve assetsSources mapping holds one Chainlink-compatible aggregator address per asset; for LSTs/LRTs (wstETH, rsETH, weETH, ezETH, osETH) Aave uses CAPO (PriceCapAdapter) adapters wrapping Chainlink feeds with a max-yearly-growth cap on the exchange-rate ratio. getAssetPrice flow: if asset==BASE_CURRENCY return BASE_CURRENCY_UNIT; else read source.latestAnswer(); if price<=0 or no source set, fall back to _fallbackOracle. On Ethereum mainnet _fallbackOracle is currently the zero address per the deployed code, so a reserve with assetsSources[asset]==0 would revert.
A2: No off-chain reporter committee writes prices into Aave's contracts. Chainlink's own DON is upstream substrate not a committee that this protocol selects. CAPO snapshots are pushed by Risk Stewards (Risk Council multisig 0x8513e6f37dbc52de87b166980fa3f50639694b60) under on-chain constrained debounce (max 3% ratio change per 3-day window) - March-2026 incident showed the constraint is enforced on ratio but can be bypassed on snapshotTimestamp semantics, causing 2.85% underpricing. GHO Stewards multisig is 3-of-4 and adjusts GHO bucket capacities/borrow rates within bounds. Protocol Guardian is a 5-of-9 Safe holding EMERGENCY_ADMIN - pause-only, cannot mint/burn/finalize.
A3: Cross-chain dependencies: (i) GHO bridged to Arbitrum/Base/Avalanche/Gnosis/Mantle via Chainlink CCIP; (ii) Aave Governance V3 cross-chain message delivery uses a.DI Cross-Chain Controller with 2-of-3 consensus across LayerZero + Chainlink CCIP + Hyperlane; (iii) per-chain L2/sidechain canonical bridges secure the substrate. April-2026 Kelp DAO bridge incident (NOT an Aave bridge - third-party Kelp LayerZero bridge with 1-of-1 DVN config) minted unbacked rsETH that was deposited as collateral; ~$200M bad debt cross-cuts Aave V3 Core (Ethereum), Arbitrum, Base, Mantle, Linea, Avalanche, Ink.
A4: Aave lists LSTs (wstETH, weETH, osETH, rETH) and LRTs (rsETH, ezETH) as opt-in per-market reserves. Collateral chain depth is: Aave reserve -> LST/LRT token contract -> staking/restaking module -> Ethereum validators / EigenLayer AVSs (depth 2-4 levels). At each level, slashing/freeze power exists. April-2026 Kelp incident is the materialized version: a failure 2 levels deep (Kelp's bridge) effectively coined unbacked rsETH that propagated to Aave principal via collateralized borrow. rsETH was NOT isolation-mode-only on Aave V3 (listed as borrowable across multiple chains) so the failure leaked ~$200M of bad debt into general WETH reserves, requiring Umbrella + treasury + DeFi-United bailout to socialize.
A5: DeFiLlama forkedFrom for aave-v3 is empty / Aave V3 is the original (forks include Spark, Radiant, Hyperliquid native lending, etc.). No upstream dependency from a forked codebase.
A6: Active mitigations (status = LIVE on-chain unless otherwise noted): (i) AaveOracle fallback oracle slot - DEPLOYED but currently unset on Ethereum mainnet, partial mitigation only; (ii) CAPO PriceCapAdapter wrapping Chainlink feeds for LSTs/LRTs - LIVE, did NOT prevent March-2026 wstETH 2.85% underpricing; (iii) PriceOracleSentinel - LIVE on every L2 deployment; (iv) Reserve Pause / Reserve Freeze - LIVE; (v) Per-asset supply/borrow caps & isolation mode - LIVE; (vi) Umbrella Safety Module - LIVE for selected assets, used in April-2026 incident response; (vii) Risk Steward debounce/magnitude bounds - LIVE on-chain. Unmitigated: (a) AaveOracle fallback unset on Ethereum, (b) per-reserve oracle source has no second-opinion oracle nor on-chain sanity check inside Aave, (c) no per-block throughput caps independent of asset cap.
A7: Aave V3 deployed on Ethereum (substrate, ~82% of TVS at $11.22B / $13.64B per DeFiLlama) and on multiple L2s/sidechains. Each L2 deployment inherits its sequencer + canonical bridge trust model. Aave's PriceOracleSentinel disables borrows + adds liquidation grace period if the L2 sequencer feed reports down. Sequencer freeze does not steal funds but freezes positions; canonical bridge failure on the L2 itself is substrate.
A8: Liquidation bots are permissionless - anyone can call liquidationCall on the Pool. April-2026 Kelp incident demonstrated bot dependency: ~$300M borrow spike + frozen rsETH meant liquidations could not run on the unbacked positions; the Protocol Guardian froze + LTV-zero'd rsETH within hours, but bad debt (~$200M) crystallized. Failure mode is graceful (debt -> DAO socialisation via Umbrella + treasury) rather than catastrophic protocol-wide insolvency.
A9: Governance-mutable external dependency surface: (i) AaveOracle.setAssetSources and setFallbackOracle are gated only by onlyAssetListingOrPoolAdmins (ACLManager), no in-contract timelock - protection is governance-level: POOL_ADMIN role is held by Executor Lvl1 owned by PayloadsController enforcing 1-day timelock for Level 1, 7-day for Level 2. (ii) CAPO PriceCapAdapter.setCapParameters is callable by RISK_ADMIN or POOL_ADMIN - RISK_ADMIN held by Risk Stewards (Risk Council multisig, 1-of-1 / 2-of-2 with on-chain debounce constraints, NO timelock). (iii) PoolAddressesProvider.setPriceOracle could swap entire AaveOracle - Level 2 (7-day timelock). (iv) PoolConfigurator.setReserveInterestRateStrategy, freeze/unfreeze, supply/borrow cap changes - POOL_ADMIN (1 day) or RISK_ADMIN. (v) GHO facilitator add/remove + bucket capacity - GHO Stewards 3-of-4 multisig within bounds. Net: an external oracle source for any single asset can be hot-swapped after 1-day timelock by governance, OR within steward-bounded magnitudes with no timelock. This is the strongest A9 finding driving the orange grade.
A6-incident-1: March-10-2026 CAPO oracle incident on wstETH: a Risk-Steward update simultaneously updated snapshotRatio and snapshotTimestamp in a way that broke the implicit invariant between them. The cap held against single-update manipulation but the timestamp drift caused latestAnswer to return ~1.1939 while the live wstETH/stETH ratio was ~1.228, a 2.85% underpricing of wstETH collateral. Result: ~10,938 wstETH (~$27.1M) of borrower positions liquidated unfairly, ~499 ETH of liquidation bonuses captured by liquidators. DAO refunded via treasury. This is a materialized A6/A9 failure mode: the CAPO mitigation itself, mutated by the steward path with no timelock, caused user loss.
A4-incident-2: April-18-to-20-2026 Kelp DAO / rsETH incident: attacker exploited Kelp DAO's LayerZero V2 Unichain<->Ethereum bridge (1-of-1 DVN configuration) to mint 116,500 unbacked rsETH (~$292M, ~18% of rsETH circulating supply). Attacker deposited 89,567 of the stolen rsETH into Aave V3 across Ethereum Core and Arbitrum and borrowed ~$190M of WETH/other assets. Aave's contracts functioned as designed. Protocol Guardian froze rsETH and wrsETH markets across V3 deployments within hours and set LTV to 0. DAO raised ~$160M of needed ~$200M via 'DeFi United' (Lido, EtherFi, Ethena) + Stani Kulechov 5,000 ETH. Aave V3 TVL dropped from ~$26.4B to ~$17.9B over 2 days. Confirms A4 underlying-asset / A3 third-party-bridge propagation into general protocol bad debt despite per-market caps.
A1-modules: Sub-module enumeration with TVS weighting: (a) Aave V3 Core Lending (~$13.64B aggregated; Ethereum 82%, Arbitrum 4.3%, Avalanche 2.4%, others) - grade orange driven by A9 oracle-mutability + materialized incidents. (b) GHO module (~$200M GHO outstanding, <2% of TVS) - depends on Chainlink CCIP for cross-chain GHO and on the Aave Pool oracle for borrow-against-collateral; same orange tier. (c) Umbrella Safety Module - protective layer, semi-isolated. (d) Stata Token / ERC4626 wrapper - passthrough on aTokens. Weighted overall: Module A holds ~98% of TVS (orange), Modules B+C+D combined ~2% (orange). Weighted overall = orange.

Why is this consensus tentative?

weak consensus margin
only 0/3 sources have a public chat share link
total support weight 0.12 below confidence floor (1.5)

A fresh independent run can strengthen (or overturn) the verdict.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Sources claude-opus-4-7 no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗

Open Access tentative 3/3 models agree AI-only 0/3 with chat share link

Smart contracts are admission-permissionless; official frontend app.aave.com applies TRM Labs wallet screening + ToS restricted-jurisdiction enforcement. Independent A3b-ii paths exist (cp0x pi-aave-interface, direct contract calls) but are third-party-operated.

Verdict

Choosing orange because Aave V3 smart contracts are admission-permissionless (Pool.supply/withdraw/borrow/repay/liquidationCall/flashLoan are public virtual override with no whitelist/KYC modifier per Pool.sol @ commit 1e3d70c4151a94166ebc59e2eaa4aff6e6ba6978), but the official frontend app.aave.com applies A3-active enforcement via TRM Labs API integration which screens connected wallets and rejects flagged ones (publicly confirmed by Aave Labs in the 2022 dusted-wallets incident: 'We integrated TRM's API on the Aave IPFS frontend'), and the ToS at aave.com/legal/app/terms-of-service explicitly reserves the right to restrict access on the basis of Restricted Jurisdictions (Belarus, Cuba, Iran, North Korea, Russia, Syria, Venezuela, etc.) and to act when users attempt circumvention through VPNs or proxies. Independent A3b-ii paths exist (cp0x pi-aave-interface live at aave.cp0x.com under MIT license, direct contract calls via Etherscan, CLI/SDK), but they are operated by third parties or require technical capability and are not officially documented by Aave on its public landing pages. Per the rubric, A3-active screening on the official frontend without clearly-documented non-technical alternatives places this slice at orange, not green. Red is not appropriate because there is no contract-level whitelist, no on-chain blocklist updated by a single party, and no operator approval gating admission.

Steelman argument

Steelman argument The official protocol-branded frontend (app.aave.com, operated by Aave Interfaces Ltd / Aave Labs) actively screens wallet addresses against TRM Labs and explicitly enforces Restricted-Jurisdiction policy with anti-VPN-circumvention language, and while alternatives exist they are run by third parties (cp0x) or require CLI/Etherscan skills, so admission via the canonical interface is non-trivially gated for non-technical users.

Evidence (9)

A1: Pool.sol user-facing functions supply, supplyWithPermit, withdraw, borrow, repay, repayWithPermit, repayWithATokens, liquidationCall, flashLoan, flashLoanSimple are declared public virtual override with no onlyWhitelisted/onlyRole/isAccredited/isKYCed/allowlist modifier. Only modifiers in Pool.sol are onlyPoolConfigurator, onlyPoolAdmin, onlyPositionManager(address onBehalfOf), onlyUmbrella - all gating admin operations, not user entry. grep on Pool.sol returned no matches for whitelist|allowlist|isAccredited|isKYCed|sanction.
A2: User-facing supply/withdraw/borrow/repay route to SupplyLogic.executeSupply / SupplyLogic.executeWithdraw / BorrowLogic.executeBorrow / BorrowLogic.executeRepay with user: _msgSender(); no off-chain keeper/sequencer/relayer approval is required to admit the action. Liquidations are open to any caller (liquidationCall is public). No operator committee gates admission.
A3-active: Aave Labs publicly confirmed runtime wallet screening on the official frontend in the August-2022 dusted-wallets incident: 'We integrated TRM's API on the Aave IPFS frontend, which is why some users may be experiencing trouble accessing the Aave app.' The governance forum thread 'Address Blocking and TRM Labs' confirms that Aave 'use[s] TRM Labs to scan for supposed illegal or sanctioned activity' with blocked accounts 'only banned from using their front end- not from using the Aave protocol entirely.' Satisfies evidentiary floor (d) public incident report + (c) named third-party screening provider.
A3-passive: ToS at aave.com/legal/app/terms-of-service Section 2.3: 'access to and use of the Services is prohibited for any person or entity that is located in, organized under the laws of, or ordinarily resident in any country or territory that is, or whose government is, the subject of comprehensive trade or economic sanctions ... including, without limitation, Belarus, Cote d'Ivoire, Crimea, Cuba, Donetsk PR, Iran, Iraq, Kherson, Liberia, Libya, Luhansk PR, Myanmar, North Korea, Russia, Sudan, Syria, Venezuela, Zaporizhzhia.' Anti-circumvention clause: 'The Company reserves the right ... if you attempt to circumvent such restrictions through virtual private networks, proxies, or similar technologies.' These are passive eligibility/attestation clauses; their grade-weight is ~0.25.
A3b-i: Aave's official frontend is also pinned to IPFS (referenced by Aave Labs as the 'Aave IPFS frontend' in the TRM incident statement). The same ToS defines 'Interface' as 'an independent interface providing one of the available applications through which users, via their self-custodial wallets, interact with the Aave Protocol' and 'Services' as 'both the Aave.com website ... and App.aave.com interface'. IPFS-pinned redistributions of the official UI remain bound by the same ToS and so are not an independent A3b-ii path.
A3b-ii: cp0x maintains pi-aave-interface, an independent permissionless frontend for Aave V3, deployed live at https://aave.cp0x.com (HTTP/1.1 200 from nginx, served from cp0x infrastructure, distinct legal entity from Aave Interfaces Ltd). Repo (github.com/cp0x-org/pi-aave-interface) is publicly accessible, MIT-licensed, README states 'An open-source, permissionless interface for the Aave protocol, designed to be fully permissionless and enable direct, unrestricted interaction with smart contracts.' Aave's TRM-labs-block incident report explicitly notes 'Users could still connect via CLI or forking the front-end to host in their environments.' These paths exist but are not officially advertised on aave.com landing pages and skew technical.
A4: Off-chain compliance tooling: TRM Labs API integrated on the official IPFS-hosted frontend to screen wallet addresses against sanctions lists (confirmed by Aave Labs in the dusted-wallets incident and the governance forum thread 'Address Blocking and TRM Labs'). Privacy Policy at aave.com/privacy-policy: 'We may collect the wallet address you use to connect to the Interface to block wallets that are associated with certain legally prohibited conduct from Interface.' No on-chain OFAC oracle (Chainalysis Sanctions Oracle) is checked by Pool.sol; screening is exclusively at the application/frontend layer.
A5: Read access: fully permissionless on-chain (any caller can call view functions getReserveData, getUserAccountData, getReservesList, etc. on the verified proxy 0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2). Write access: permissionless at the contract layer (no modifier gates supply/withdraw/borrow/repay), but the official app.aave.com frontend gates write access by wallet via TRM screening + ToS jurisdictional self-attestation. The split between contract-level (open) and frontend-level (gated) is the central observation.
A6: Two canonical ToS endpoints exist: aave.com/terms-of-service (older, naming OFAC/UN/EU/HM Treasury sanction lists) and aave.com/legal/app/terms-of-service (newer, with explicit VPN/proxy circumvention clause). Operator entity: 'Aave Interfaces Ltd ... Aave Labs, Company, we, us, or our.' Privacy Policy at aave.com/privacy-policy contains the wallet-blocking disclosure verbatim.

Why is this consensus tentative?

only 0/3 sources have a public chat share link
total support weight 0.12 below confidence floor (1.5)

A fresh independent run can strengthen (or overturn) the verdict.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v3
- protocol.name:              Aave V3
- protocol.chains:            Ethereum, Plasma, Arbitrum, Base, Avalanche, Binance, Mantle, Polygon, MegaETH, X Layer, xDai, Optimism, Linea, Sonic, Celo, Scroll, zkSync Era, Metis, Soneium, Fantom, Harmony
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A",
    "role": "Short Executor (Level 1) / ACL Admin V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5",
    "role": "PayloadsController (Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7",
    "role": "Governance V3 Core"
  },
  {
    "chain": "Ethereum",
    "address": "0xCe52ab41C40575B072A18C9700091Ccbe4A06710",
    "role": "Governance Guardian / Protocol Emergency Guardian (5-of-9)"
  },
  {
    "chain": "Ethereum",
    "address": "0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4",
    "role": "GranularGuardian (cross-chain emergency)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1",
    "role": "CrossChainController"
  },
  {
    "chain": "Ethereum",
    "address": "0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957",
    "role": "Executor Level 2"
  },
  {
    "chain": "Ethereum",
    "address": "0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30",
    "role": "Protocol Guardian / emergency admin"
  },
  {
    "chain": "Ethereum",
    "address": "0x220d22f42c1b975B51509c24b174f8AbA7d8C540",
    "role": "Short Executor (Governance)"
  },
  {
    "chain": "Ethereum",
    "address": "0xa700691dA7b6769562170061709458FF21ed963e",
    "role": "timelock (governance long executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x851365275f493d15511cc005f2bd71E3c1699921",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B3D49159022b71869955dbF07245799b17",
    "role": "timelock (governance executor short)"
  },
  {
    "chain": "Ethereum",
    "address": "0x80C67432656d59144cEFf962E8fAF8926599bCF8",
    "role": "timelock (governance short executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0xEE56e2B20045d908E992822039db30E882309413",
    "role": "admin (PoolAdmin / governance executor)"
  },
  {
    "chain": "Ethereum",
    "address": "0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2",
    "role": "pool (Aave V3 Pool proxy)"
  },
  {
    "chain": "Ethereum",
    "address": "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e",
    "role": "other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)"
  },
  {
    "chain": "Ethereum",
    "address": "0xcfBf336fe147D643B9Cb705648500e101504B16d",
    "role": "other (Prime Market PoolAddressesProvider)"
  },
  {
    "chain": "Ethereum",
    "address": "0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9",
    "role": "vault (Aave V4 Core Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x06002e9c4412CB7814a791eA3666D905871E536A",
    "role": "vault (Aave V4 Plus Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931",
    "role": "vault (Aave V4 Prime Hub — Ethereum)"
  },
  {
    "chain": "Ethereum",
    "address": "0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01",
    "role": "admin (Aave V4 Access Manager — Ethereum)"
  },
  {
    "chain": "Optimism",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Optimism)"
  },
  {
    "chain": "Polygon",
    "address": "0xa97684ead0e402dc232d5a977953df7ecbab3cdb",
    "role": "other (PoolAddressesProvider — Polygon)"
  },
  {
    "chain": "Ethereum",
    "address": "0x64b761D848206f447Fe2dd461b0c635Ec39EbB27",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x54586bE62E3c3580375aE3723C145253060Ca0C2",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Ethereum",
    "address": "0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c",
    "role": "treasury Collector"
  },
  {
    "chain": "Ethereum",
    "address": "0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb",
    "role": "admin DefaultIncentivesController"
  },
  {
    "chain": "Ethereum",
    "address": "0x223d844fc4B006D67c0cDbd39371A9F73f69d974",
    "role": "admin EmissionManager"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xFF1137243698CaA18EE364Cc966CF0e02A4e6327",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Arbitrum",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x3C06dce358add17aAf230f2234bCCC4afd50d090",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Avalanche",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Avalanche",
    "address": "0x243Aa95cAC2a25651eda86e80bEe66114413c43b",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Base",
    "address": "0xA238Dd80C259a72e81d7e4664a9801593F98d1c5",
    "role": "pool Pool V3"
  },
  {
    "chain": "Base",
    "address": "0x5731a04B1E775f0fdd454Bf70f3335886e9A96be",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Base",
    "address": "0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Base",
    "address": "0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Base",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Base",
    "address": "0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Base",
    "address": "0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Binance",
    "address": "0x6807dc923806fE8Fd134338EABCA509979a7e0cB",
    "role": "pool Pool V3"
  },
  {
    "chain": "Binance",
    "address": "0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Binance",
    "address": "0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Binance",
    "address": "0x9390B1735def18560c509E2d0bc090E9d6BA257a",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Binance",
    "address": "0x2D97F8FA96886Fd923c065F5457F9DDd494e3877",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Binance",
    "address": "0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402",
    "role": "pool Pool V3"
  },
  {
    "chain": "Celo",
    "address": "0x7567E3434CC1BEf724AB595e6072367Ef4914691",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Celo",
    "address": "0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Celo",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Celo",
    "address": "0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Celo",
    "address": "0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Celo",
    "address": "0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7",
    "role": "treasury Collector"
  },
  {
    "chain": "Fantom",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Fantom",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Fantom",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Fantom",
    "address": "0xfd6f3c1845604C8AE6c6E402ad17fb9885160754",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Fantom",
    "address": "0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Fantom",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Fantom",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0x36616cf17557639614c1cdDb356b1B83fc0B2132",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "xDai",
    "address": "0xb50201558B00496A145fE76f7424749556E326D8",
    "role": "pool Pool V3"
  },
  {
    "chain": "xDai",
    "address": "0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "xDai",
    "address": "0xeb0a051be10228213BAEb449db63719d6742F7c4",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "xDai",
    "address": "0x1dF462e2712496373A347f8ad10802a5E95f053D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "xDai",
    "address": "0xEc710f59005f48703908bC519D552Df5B8472614",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "xDai",
    "address": "0xF1F5acB596568895393cB5E4D0452D6592A2fA70",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Harmony",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Harmony",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Harmony",
    "address": "0x3C90887Ede8D65ccb2777A5d577beAb2548280AD",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Harmony",
    "address": "0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Harmony",
    "address": "0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Harmony",
    "address": "0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Mantle",
    "address": "0x458F293454fE0d67EC0655f3672301301DD51422",
    "role": "pool Pool V3"
  },
  {
    "chain": "Mantle",
    "address": "0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Mantle",
    "address": "0x47a063CfDa980532267970d478EC340C0F80E8df",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Mantle",
    "address": "0x64df9D4302e1ff3516Dc744A19e992D27CAC252E",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Mantle",
    "address": "0x70884634D0098782592111A2A6B8d223be31CB7b",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Mantle",
    "address": "0x810D46F9a9027E28F9B01F75E2bdde839dA61115",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Mantle",
    "address": "0x487c5c669D9eee6057C44973207101276cf73b68",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x7e324AbC5De01d112AfC03a584966ff199741C28",
    "role": "pool Pool V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xF15D31Bc839A853C9068686043cEc6EC5995DAbB",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x421117D7319E96d831972b3F7e970bbfe29C4F21",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "MegaETH",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "MegaETH",
    "address": "0x9588b453A4EE24a420830CB3302195cA7aA3b403",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5C2e738F6E27bCE0F7558051Bf90605dD6176900",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Sonic",
    "address": "0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3",
    "role": "pool Pool V3"
  },
  {
    "chain": "Sonic",
    "address": "0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Sonic",
    "address": "0xD63f7658C66B2934Bd234D79D06aEF5290734B30",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Sonic",
    "address": "0x7b62461a3570c6AC8a9f8330421576e417B71EE7",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Sonic",
    "address": "0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Sonic",
    "address": "0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xdFf435BCcf782f11187D3a4454d96702eD78e092",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE3F3Caefdd7180F884c01E57f65Df979Af84f116",
    "role": "pool Pool V3"
  },
  {
    "chain": "X Layer",
    "address": "0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "X Layer",
    "address": "0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "X Layer",
    "address": "0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "X Layer",
    "address": "0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "X Layer",
    "address": "0x6C505C31714f14e8af2A03633EB2Cdfb4959138F",
    "role": "other AaveProtocolDataProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0x89502c3731F69DDC95B65753708A07F8Cd0373F4",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Linea",
    "address": "0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac",
    "role": "pool Pool V3"
  },
  {
    "chain": "Linea",
    "address": "0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Linea",
    "address": "0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Linea",
    "address": "0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Linea",
    "address": "0xbf32c7dFC72b730967072B112927ca0de205dbb5",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Metis",
    "address": "0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Metis",
    "address": "0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57",
    "role": "pool Pool V3"
  },
  {
    "chain": "Metis",
    "address": "0x69FEE8F261E004453BE0800BC9039717528645A6",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Metis",
    "address": "0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Metis",
    "address": "0x2B5EA1604BAbb7B730120950Cb13951f3525828A",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Metis",
    "address": "0x6fD45D32375d5aDB8D76275A3932c740F03a8718",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Optimism",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Optimism",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Optimism",
    "address": "0xD81eb3728a631871a7eBBaD631b5f424909f0c77",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Optimism",
    "address": "0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Polygon",
    "address": "0x794a61358D6845594F94dc1DB02A252b5b4814aD",
    "role": "pool Pool V3"
  },
  {
    "chain": "Polygon",
    "address": "0x8145eddDf43f50276641b55bd3AD95944510021E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Polygon",
    "address": "0xb023e699F5a33916Ea823A16485e259257cA8Bd1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Polygon",
    "address": "0xDf7d0e6454DB638881302729F5ba99936EaAB233",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x69850D0B276776781C063771b161bd8894BCdD04",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Scroll",
    "address": "0x11fCfe756c05AD438e312a7fd934381537D3cFfe",
    "role": "pool Pool V3"
  },
  {
    "chain": "Scroll",
    "address": "0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Scroll",
    "address": "0x04421D8C506E2fA2371a08EfAaBf791F624054F3",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Scroll",
    "address": "0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Scroll",
    "address": "0x7633F981D87dC6307227de9383D2ce7243158081",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x78e30497a3c7527d953c6B1E3541b021A98Ac43c",
    "role": "pool Pool V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x0207d31b4377C74bEC37356aaD83E3dCc979F40E",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0xC7F58Fca663a8d377B6D0c9703C697f56dC40088",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "zkSync Era",
    "address": "0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Soneium",
    "address": "0x82405D1a189bd6cE4667809C35B37fBE136A4c5B",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Soneium",
    "address": "0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B",
    "role": "pool Pool V3"
  },
  {
    "chain": "Soneium",
    "address": "0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Soneium",
    "address": "0x20040a64612555042335926d72B4E5F667a67fA1",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Soneium",
    "address": "0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe",
    "role": "oracle PriceOracleSentinel V3"
  },
  {
    "chain": "Plasma",
    "address": "0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9",
    "role": "factory PoolAddressesProvider V3"
  },
  {
    "chain": "Plasma",
    "address": "0x925a2A7214Ed92428B5b1B090F80b25700095e12",
    "role": "pool Pool V3"
  },
  {
    "chain": "Plasma",
    "address": "0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9",
    "role": "admin PoolConfigurator V3"
  },
  {
    "chain": "Plasma",
    "address": "0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5",
    "role": "oracle AaveOracle V3"
  },
  {
    "chain": "Plasma",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "admin ACLAdmin V3"
  },
  {
    "chain": "Plasma",
    "address": "0xa860355F0ccFdC823F7332ac108317b2a1509C06",
    "role": "admin ACLManager V3"
  },
  {
    "chain": "Ethereum",
    "address": "0x617332a777780F546261247F621051d0b98975Eb",
    "role": "other VotingMachine"
  },
  {
    "chain": "Ethereum",
    "address": "0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f",
    "role": "other VotingPortalEthEth"
  },
  {
    "chain": "Ethereum",
    "address": "0x33aCEf7365809218485873B7d0d67FeE411B5D79",
    "role": "other VotingPortalEthAvax"
  },
  {
    "chain": "Ethereum",
    "address": "0x9b24C168d6A76b5459B1d47071a54962a4df36c3",
    "role": "other VotingPortalEthPol"
  },
  {
    "chain": "Ethereum",
    "address": "0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A",
    "role": "other PayloadDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x971c82c8316aD611904F95616c21ce90837f1856",
    "role": "other GovernanceDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x77976B51569896523EE215962Ee91ff236Fa50E8",
    "role": "other VotingDataHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x94363B11b37BC3ffe43AB09cff5A010352FE85dC",
    "role": "other MetaDelegateHelper"
  },
  {
    "chain": "Ethereum",
    "address": "0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9",
    "role": "guardian EmergencyRegistry"
  },
  {
    "chain": "Ethereum",
    "address": "0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04",
    "role": "other GovernancePowerStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x5642A5A5Ec284B4145563aBF319620204aCCA7f4",
    "role": "other VotingStrategy"
  },
  {
    "chain": "Ethereum",
    "address": "0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61",
    "role": "other DataWarehouse"
  },
  {
    "chain": "Arbitrum",
    "address": "0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0",
    "role": "other CrossChainController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x89644CA1bB8064760312AE4F03ea41b05dA3637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Arbitrum",
    "address": "0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Avalanche",
    "address": "0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928",
    "role": "other CrossChainController"
  },
  {
    "chain": "Avalanche",
    "address": "0x41185495Bc8297a65DC46f94001DC7233775EbEe",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Avalanche",
    "address": "0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F",
    "role": "other VotingMachine"
  },
  {
    "chain": "Avalanche",
    "address": "0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Avalanche",
    "address": "0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Binance",
    "address": "0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19",
    "role": "other CrossChainController"
  },
  {
    "chain": "Binance",
    "address": "0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Binance",
    "address": "0xE5EF2Dd06755A97e975f7E282f828224F2C3e627",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Binance",
    "address": "0xe4FB5e3F506BE0095f38004f993D16fdA8224383",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Base",
    "address": "0x529467C76f234F2bD359d7ecF7c660A2846b04e2",
    "role": "other CrossChainController"
  },
  {
    "chain": "Base",
    "address": "0x2DC219E716793fb4b21548C0f009Ba3Af753ab01",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Base",
    "address": "0xa1c6aF35E0205f42256382C05243C543FEDBf4bB",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "xDai",
    "address": "0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F",
    "role": "other CrossChainController"
  },
  {
    "chain": "xDai",
    "address": "0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "xDai",
    "address": "0x9A1F491B86D09fC1484b5fab10041B189B60756b",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "xDai",
    "address": "0x4A9F571E3C1f2F13567bb59e38988e74d7d72602",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Metis",
    "address": "0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70",
    "role": "other CrossChainController"
  },
  {
    "chain": "Metis",
    "address": "0x2233F8A66A728FBa6E1dC95570B25360D07D5524",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Metis",
    "address": "0x61BE97d3a0550549f67CA7421725fA73Fa2036B5",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Optimism",
    "address": "0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca",
    "role": "other CrossChainController"
  },
  {
    "chain": "Optimism",
    "address": "0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Optimism",
    "address": "0x6c5264C380C7022e54f585c4E354ffb6f221a03b",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Polygon",
    "address": "0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d",
    "role": "other CrossChainController"
  },
  {
    "chain": "Polygon",
    "address": "0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Polygon",
    "address": "0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d",
    "role": "other VotingMachine"
  },
  {
    "chain": "Polygon",
    "address": "0x401B5D0294E23637c18fcc38b1Bca814CDa2637C",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Polygon",
    "address": "0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Scroll",
    "address": "0x03073D3F4769f6b6604d616238fD6c636C99AD0A",
    "role": "other CrossChainController"
  },
  {
    "chain": "Scroll",
    "address": "0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Scroll",
    "address": "0xa835707d28e6C37C49d661742f2Fb5987367cEd4",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x800813f4714BC7A0a95310e3fB9e4f18872CA92C",
    "role": "other CrossChainController"
  },
  {
    "chain": "zkSync Era",
    "address": "0x2E79349c3F5e4751E87b966812C9E65E805996F1",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "zkSync Era",
    "address": "0xe0e23196D42b54F262a3DE952e6B34B197D1A228",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "zkSync Era",
    "address": "0x4257bf0746D783f0D962913d7d8AFA408B62547E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x0D3f821e9741C8a8Bcac231162320251Db0cdf52",
    "role": "other CrossChainController"
  },
  {
    "chain": "Linea",
    "address": "0x3BcE23a1363728091bc57A58a226CF2940C2e074",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Linea",
    "address": "0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Linea",
    "address": "0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0xD92b37a5114b33F668D274Fb48f23b726a854d6E",
    "role": "other CrossChainController"
  },
  {
    "chain": "Soneium",
    "address": "0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Soneium",
    "address": "0xD8E6956718784B914740267b7A50B952fb516656",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Soneium",
    "address": "0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A",
    "role": "governor ExecutorLvl1"
  },
  {
    "chain": "Plasma",
    "address": "0x643441742f73e270e565619be6DE5f4D55E08cd6",
    "role": "other CrossChainController"
  },
  {
    "chain": "Plasma",
    "address": "0xe76EB348E65eF163d85ce282125FF5a7F5712A1d",
    "role": "timelock PayloadsController"
  },
  {
    "chain": "Plasma",
    "address": "0x60665b4F4FF7073C5fed2656852dCa271DfE2684",
    "role": "guardian GranularGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6",
    "role": "guardian GovernanceGuardian"
  },
  {
    "chain": "Plasma",
    "address": "0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf",
    "role": "oracle EmergencyOracle"
  },
  {
    "chain": "Ethereum",
    "address": "0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9",
    "role": "token AAVE governance token"
  },
  {
    "chain": "Ethereum",
    "address": "0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b",
    "role": "Emergency Admin"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A (Short Executor (Level 1) / ACL Admin V3)
- https://defipunkd.com/address/1/0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 (PayloadsController (Ethereum))
- https://defipunkd.com/address/1/0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 (Governance V3 Core)
- https://defipunkd.com/address/1/0xCe52ab41C40575B072A18C9700091Ccbe4A06710 (Governance Guardian / Protocol Emergency Guardian (5-of-9))
- https://defipunkd.com/address/1/0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 (GranularGuardian (cross-chain emergency))
- https://defipunkd.com/address/1/0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 (CrossChainController)
- https://defipunkd.com/address/1/0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 (Executor Level 2)
- https://defipunkd.com/address/1/0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 (Protocol Guardian / emergency admin)
- https://defipunkd.com/address/1/0x220d22f42c1b975B51509c24b174f8AbA7d8C540 (Short Executor (Governance))
- https://defipunkd.com/address/1/0xa700691dA7b6769562170061709458FF21ed963e (timelock (governance long executor))
- https://defipunkd.com/address/1/0x851365275f493d15511cc005f2bd71E3c1699921 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B3D49159022b71869955dbF07245799b17 (timelock (governance executor short))
- https://defipunkd.com/address/1/0x80C67432656d59144cEFf962E8fAF8926599bCF8 (timelock (governance short executor))
- https://defipunkd.com/address/1/0xEE56e2B20045d908E992822039db30E882309413 (admin (PoolAdmin / governance executor))
- https://defipunkd.com/address/1/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2 (pool (Aave V3 Pool proxy))
- https://defipunkd.com/address/1/0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager))
- https://defipunkd.com/address/1/0xcfBf336fe147D643B9Cb705648500e101504B16d (other (Prime Market PoolAddressesProvider))
- https://defipunkd.com/address/1/0xCca852Bc40e560adC3b1Cc58CA5b55638ce826c9 (vault (Aave V4 Core Hub — Ethereum))
- https://defipunkd.com/address/1/0x06002e9c4412CB7814a791eA3666D905871E536A (vault (Aave V4 Plus Hub — Ethereum))
- https://defipunkd.com/address/1/0x943827DCA022D0F354a8a8c332dA1e5Eb9f9F931 (vault (Aave V4 Prime Hub — Ethereum))
- https://defipunkd.com/address/1/0x08aE3BE30958cDd1847ec58fFfd4C451a87fDF01 (admin (Aave V4 Access Manager — Ethereum))
- https://defipunkd.com/address/10/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Optimism))
- https://defipunkd.com/address/137/0xa97684ead0e402dc232d5a977953df7ecbab3cdb (other (PoolAddressesProvider — Polygon))
- https://defipunkd.com/address/1/0x64b761D848206f447Fe2dd461b0c635Ec39EbB27 (admin PoolConfigurator V3)
- https://defipunkd.com/address/1/0x54586bE62E3c3580375aE3723C145253060Ca0C2 (oracle AaveOracle V3)
- https://defipunkd.com/address/1/0xc2aaCf6553D20d1e9d78E365AAba8032af9c85b0 (admin ACLManager V3)
- https://defipunkd.com/address/1/0x0a16f2FCC0D44FaE41cc54e079281D84A363bECD (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/1/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c (treasury Collector)
- https://defipunkd.com/address/1/0x8164Cc65827dcFe994AB23944CBC90e0aa80bFcb (admin DefaultIncentivesController)
- https://defipunkd.com/address/1/0x223d844fc4B006D67c0cDbd39371A9F73f69d974 (admin EmissionManager)
- https://defipunkd.com/address/42161/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/42161/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/42161/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/42161/0xb56c2F0B653B2e0b10C9b928C8580Ac5Df02C7C7 (oracle AaveOracle V3)
- https://defipunkd.com/address/42161/0x7A9ff54A6eE4a21223036890bB8c4ea2D62c686b (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/42161/0xFF1137243698CaA18EE364Cc966CF0e02A4e6327 (admin ACLAdmin V3)
- https://defipunkd.com/address/42161/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/42161/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/43114/0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/43114/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/43114/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/43114/0xEBd36016B3eD09D4693Ed4251c67Bd858c3c7C9C (oracle AaveOracle V3)
- https://defipunkd.com/address/43114/0x3C06dce358add17aAf230f2234bCCC4afd50d090 (admin ACLAdmin V3)
- https://defipunkd.com/address/43114/0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (admin ACLManager V3)
- https://defipunkd.com/address/43114/0x243Aa95cAC2a25651eda86e80bEe66114413c43b (other AaveProtocolDataProvider V3)
- https://defipunkd.com/address/8453/0xe20fCBdBfFC4Dd138cE8b2E6FBb6CB49777ad64D (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/8453/0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 (pool Pool V3)
- https://defipunkd.com/address/8453/0x5731a04B1E775f0fdd454Bf70f3335886e9A96be (admin PoolConfigurator V3)
- https://defipunkd.com/address/8453/0x2Cc0Fc26eD4563A5ce5e8bdcfe1A2878676Ae156 (oracle AaveOracle V3)
- https://defipunkd.com/address/8453/0x943AcD0c93d7a8Bee7dA5Fd0DC3d0028237074d6 (oracle PriceOracleSentinel V3)
- https://defipunkd.com/address/8453/0x9390B1735def18560c509E2d0bc090E9d6BA257a (admin ACLAdmin V3)
- https://defipunkd.com/address/8453/0x43955b0899Ab7232E3a454cf84AedD22Ad46FD33 (admin ACLManager V3)
- https://defipunkd.com/address/8453/0x0F43731EB8d45A581f4a36DD74F5f358bc90C73A (other AaveProtocolDataProvider V3)
- Binance: 0xff75B6da14FfbbfD355Daf7a2731456b3562Ba6D (chain not supported by the read API)
- Binance: 0x6807dc923806fE8Fd134338EABCA509979a7e0cB (chain not supported by the read API)
- Binance: 0x67bdF23C7fCE7C65fF7415Ba3F2520B45D6f9584 (chain not supported by the read API)
- Binance: 0x39bc1bfDa2130d6Bb6DBEfd366939b4c7aa7C697 (chain not supported by the read API)
- Binance: 0x9390B1735def18560c509E2d0bc090E9d6BA257a (chain not supported by the read API)
- Binance: 0x2D97F8FA96886Fd923c065F5457F9DDd494e3877 (chain not supported by the read API)
- Binance: 0xc90Df74A7c16245c5F5C5870327Ceb38Fe5d5328 (chain not supported by the read API)
- Celo: 0x9F7Cf9417D5251C59fE94fB9147feEe1aAd9Cea5 (chain not supported by the read API)
- Celo: 0x3E59A31363E2ad014dcbc521c4a0d5757d9f3402 (chain not supported by the read API)
- Celo: 0x7567E3434CC1BEf724AB595e6072367Ef4914691 (chain not supported by the read API)
- Celo: 0x1e693D088ceFD1E95ba4c4a5F7EeA41a1Ec37e8b (chain not supported by the read API)
- Celo: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- Celo: 0x7a12dCfd73C1B4cddf294da4cFce75FcaBBa314C (chain not supported by the read API)
- Celo: 0x2e0f8D3B1631296cC7c56538D6Eb6032601E15ED (chain not supported by the read API)
- Celo: 0xC959439207dA5341B74aDcdAC59016aa9Be7E9E7 (chain not supported by the read API)
- Fantom: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Fantom: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Fantom: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Fantom: 0xfd6f3c1845604C8AE6c6E402ad17fb9885160754 (chain not supported by the read API)
- Fantom: 0x39CB97b105173b56b5a2b4b33AD25d6a50E6c949 (chain not supported by the read API)
- Fantom: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Fantom: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- xDai: 0x36616cf17557639614c1cdDb356b1B83fc0B2132 (chain not supported by the read API)
- xDai: 0xb50201558B00496A145fE76f7424749556E326D8 (chain not supported by the read API)
- xDai: 0x7304979ec9E4EaA0273b6A037a31c4e9e5A75D16 (chain not supported by the read API)
- xDai: 0xeb0a051be10228213BAEb449db63719d6742F7c4 (chain not supported by the read API)
- xDai: 0x1dF462e2712496373A347f8ad10802a5E95f053D (chain not supported by the read API)
- xDai: 0xEc710f59005f48703908bC519D552Df5B8472614 (chain not supported by the read API)
- xDai: 0xF1F5acB596568895393cB5E4D0452D6592A2fA70 (chain not supported by the read API)
- Harmony: 0xa97684ead0e402dC232d5A977953DF7ECBaB3CDb (chain not supported by the read API)
- Harmony: 0x794a61358D6845594F94dc1DB02A252b5b4814aD (chain not supported by the read API)
- Harmony: 0x8145eddDf43f50276641b55bd3AD95944510021E (chain not supported by the read API)
- Harmony: 0x3C90887Ede8D65ccb2777A5d577beAb2548280AD (chain not supported by the read API)
- Harmony: 0xb2f0C5f37f4beD2cB51C44653cD5D84866BDcd2D (chain not supported by the read API)
- Harmony: 0xa72636CbcAa8F5FF95B2cc47F3CDEe83F3294a0B (chain not supported by the read API)
- Harmony: 0x69FA688f1Dc47d4B5d8029D5a35FB7a548310654 (chain not supported by the read API)
- Mantle: 0xba50Cd2A20f6DA35D788639E581bca8d0B5d4D5f (chain not supported by the read API)
- Mantle: 0x458F293454fE0d67EC0655f3672301301DD51422 (chain not supported by the read API)
- Mantle: 0x719755fC1ACf2f9079B0Cbc56e23712c09Ab8626 (chain not supported by the read API)
- Mantle: 0x47a063CfDa980532267970d478EC340C0F80E8df (chain not supported by the read API)
- Mantle: 0x64df9D4302e1ff3516Dc744A19e992D27CAC252E (chain not supported by the read API)
- Mantle: 0x70884634D0098782592111A2A6B8d223be31CB7b (chain not supported by the read API)
- Mantle: 0x810D46F9a9027E28F9B01F75E2bdde839dA61115 (chain not supported by the read API)
- Mantle: 0x487c5c669D9eee6057C44973207101276cf73b68 (chain not supported by the read API)
- MegaETH: 0x46Dcd5F4600319b02649Fd76B55aA6c1035CA478 (chain not supported by the read API)
- MegaETH: 0x7e324AbC5De01d112AfC03a584966ff199741C28 (chain not supported by the read API)
- MegaETH: 0xF15D31Bc839A853C9068686043cEc6EC5995DAbB (chain not supported by the read API)
- MegaETH: 0x421117D7319E96d831972b3F7e970bbfe29C4F21 (chain not supported by the read API)
- MegaETH: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- MegaETH: 0x390D369C3878F2C5205CFb6Ec7154FfA65491c3D (chain not supported by the read API)
- MegaETH: 0x9588b453A4EE24a420830CB3302195cA7aA3b403 (chain not supported by the read API)
- Sonic: 0x5C2e738F6E27bCE0F7558051Bf90605dD6176900 (chain not supported by the read API)
- Sonic: 0x5362dBb1e601abF3a4c14c22ffEdA64042E5eAA3 (chain not supported by the read API)
- Sonic: 0x50c70FEB95aBC1A92FC30b9aCc41Bd349E5dE2f0 (chain not supported by the read API)
- Sonic: 0xD63f7658C66B2934Bd234D79D06aEF5290734B30 (chain not supported by the read API)
- Sonic: 0x7b62461a3570c6AC8a9f8330421576e417B71EE7 (chain not supported by the read API)
- Sonic: 0x3a790a47c4d531FD333FAD24f70B0ccb521B3b5A (chain not supported by the read API)
- Sonic: 0xc0a344397cfa89dF1e1d3e4fb330834D789cF2CD (chain not supported by the read API)
- X Layer: 0xdFf435BCcf782f11187D3a4454d96702eD78e092 (chain not supported by the read API)
- X Layer: 0xE3F3Caefdd7180F884c01E57f65Df979Af84f116 (chain not supported by the read API)
- X Layer: 0x1408b48B6A610948f04813EA6b2F438A6BBAd2f2 (chain not supported by the read API)
- X Layer: 0x91FC11136d5615575a0fC5981Ab5C0C54418E2C6 (chain not supported by the read API)
- X Layer: 0xE2E8Badc5d50f8a6188577B89f50701cDE2D4e19 (chain not supported by the read API)
- X Layer: 0xc8f2720Fa7D857576d82e6aEca8EdC4869E9190e (chain not supported by the read API)
- X Layer: 0x6C505C31714f14e8af2A03633EB2Cdfb4959138F (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x89502c3731F69DDC95B65753708A07F8Cd0373F4 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/59144/0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac (pool Pool V3)
- https://defipunkd.com/address/59144/0x812E7c19421D9f41A6DDCF047d5cc2dE2Ca5Bfa2 (admin PoolConfigurator V3)
- https://defipunkd.com/address/59144/0xCFDAdA7DCd2e785cF706BaDBC2B8Af5084d595e9 (oracle AaveOracle V3)
- https://defipunkd.com/address/59144/0x8c2d95FE7aeB57b86961F3abB296A54f0ADb7F88 (admin ACLAdmin V3)
- https://defipunkd.com/address/59144/0xbf32c7dFC72b730967072B112927ca0de205dbb5 (admin ACLManager V3)
- Metis: 0xB9FABd7500B2C6781c35Dd48d54f81fc2299D7AF (chain not supported by the read API)
- Metis: 0x90df02551bB792286e8D4f13E0e357b4Bf1D6a57 (chain not supported by the read API)
- Metis: 0x69FEE8F261E004453BE0800BC9039717528645A6 (chain not supported by the read API)
- Metis: 0x38D36e85E47eA6ff0d18B0adF12E5fC8984A6f8e (chain not supported by the read API)
- Metis: 0x2B5EA1604BAbb7B730120950Cb13951f3525828A (chain not supported by the read API)
- Metis: 0x6fD45D32375d5aDB8D76275A3932c740F03a8718 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/10/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/10/0xD81eb3728a631871a7eBBaD631b5f424909f0c77 (oracle AaveOracle V3)
- https://defipunkd.com/address/10/0x746c675dAB49Bcd5BB9Dc85161f2d7Eb435009bf (admin ACLAdmin V3)
- https://defipunkd.com/address/137/0x794a61358D6845594F94dc1DB02A252b5b4814aD (pool Pool V3)
- https://defipunkd.com/address/137/0x8145eddDf43f50276641b55bd3AD95944510021E (admin PoolConfigurator V3)
- https://defipunkd.com/address/137/0xb023e699F5a33916Ea823A16485e259257cA8Bd1 (oracle AaveOracle V3)
- https://defipunkd.com/address/137/0xDf7d0e6454DB638881302729F5ba99936EaAB233 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x69850D0B276776781C063771b161bd8894BCdD04 (factory PoolAddressesProvider V3)
- https://defipunkd.com/address/534352/0x11fCfe756c05AD438e312a7fd934381537D3cFfe (pool Pool V3)
- https://defipunkd.com/address/534352/0x32BCab42a2bb5AC577D24b425D46d8b8e0Df9b7f (admin PoolConfigurator V3)
- https://defipunkd.com/address/534352/0x04421D8C506E2fA2371a08EfAaBf791F624054F3 (oracle AaveOracle V3)
- https://defipunkd.com/address/534352/0xc1ABF87FfAdf4908f4eC8dc54A25DCFEabAE4A24 (admin ACLAdmin V3)
- https://defipunkd.com/address/534352/0x7633F981D87dC6307227de9383D2ce7243158081 (admin ACLManager V3)
- zkSync Era: 0x2A3948BB219D6B2Fa83D64100006391a96bE6cb7 (chain not supported by the read API)
- zkSync Era: 0x78e30497a3c7527d953c6B1E3541b021A98Ac43c (chain not supported by the read API)
- zkSync Era: 0x0207d31b4377C74bEC37356aaD83E3dCc979F40E (chain not supported by the read API)
- zkSync Era: 0xC7F58Fca663a8d377B6D0c9703C697f56dC40088 (chain not supported by the read API)
- zkSync Era: 0x04cE39789e11a49595cD0ECEf6f4Bd54ABF4d020 (chain not supported by the read API)
- Soneium: 0x82405D1a189bd6cE4667809C35B37fBE136A4c5B (chain not supported by the read API)
- Soneium: 0xDd3d7A7d03D9fD9ef45f3E587287922eF65CA38B (chain not supported by the read API)
- Soneium: 0x1607FCeEc8dEbA4d5Da66D620b2363066d025a02 (chain not supported by the read API)
- Soneium: 0x20040a64612555042335926d72B4E5F667a67fA1 (chain not supported by the read API)
- Soneium: 0xc0Bac16A64FbAa7EE6483bD12a759e28cD13dcBe (chain not supported by the read API)
- Plasma: 0x061D8e131F26512348ee5FA42e2DF1bA9d6505E9 (chain not supported by the read API)
- Plasma: 0x925a2A7214Ed92428B5b1B090F80b25700095e12 (chain not supported by the read API)
- Plasma: 0xc022B6c71c30A8Ad52Dac504eFA132d13D99d2D9 (chain not supported by the read API)
- Plasma: 0x33E0b3fc976DC9C516926BA48CfC0A9E10a2aAA5 (chain not supported by the read API)
- Plasma: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0xa860355F0ccFdC823F7332ac108317b2a1509C06 (chain not supported by the read API)
- https://defipunkd.com/address/1/0x617332a777780F546261247F621051d0b98975Eb (other VotingMachine)
- https://defipunkd.com/address/1/0xf23f7De3AC42F22eBDA17e64DC4f51FB66b8E21f (other VotingPortalEthEth)
- https://defipunkd.com/address/1/0x33aCEf7365809218485873B7d0d67FeE411B5D79 (other VotingPortalEthAvax)
- https://defipunkd.com/address/1/0x9b24C168d6A76b5459B1d47071a54962a4df36c3 (other VotingPortalEthPol)
- https://defipunkd.com/address/1/0xE3B770Dc4ae3f8bECaB3Ed12dE692c741603e16A (other PayloadDataHelper)
- https://defipunkd.com/address/1/0x971c82c8316aD611904F95616c21ce90837f1856 (other GovernanceDataHelper)
- https://defipunkd.com/address/1/0x77976B51569896523EE215962Ee91ff236Fa50E8 (other VotingDataHelper)
- https://defipunkd.com/address/1/0x94363B11b37BC3ffe43AB09cff5A010352FE85dC (other MetaDelegateHelper)
- https://defipunkd.com/address/1/0x73C6Fb358dDA8e84D50e98A98F7c0dF32e15C7e9 (guardian EmergencyRegistry)
- https://defipunkd.com/address/1/0xa198Fac58E02A5C5F8F7e877895d50cFa9ad1E04 (other GovernancePowerStrategy)
- https://defipunkd.com/address/1/0x5642A5A5Ec284B4145563aBF319620204aCCA7f4 (other VotingStrategy)
- https://defipunkd.com/address/1/0x1699FE9CaDC8a0b6c93E06B62Ab4592a0fFEcF61 (other DataWarehouse)
- https://defipunkd.com/address/42161/0xCbFB78a3Eeaa611b826E37c80E4126c8787D29f0 (other CrossChainController)
- https://defipunkd.com/address/42161/0x89644CA1bB8064760312AE4F03ea41b05dA3637C (timelock PayloadsController)
- https://defipunkd.com/address/42161/0x4922093c476CfbCF903C7C4082d2D64bAE8A37cE (guardian GranularGuardian)
- https://defipunkd.com/address/43114/0x27FC7D54C893dA63C0AE6d57e1B2B13A70690928 (other CrossChainController)
- https://defipunkd.com/address/43114/0x41185495Bc8297a65DC46f94001DC7233775EbEe (oracle EmergencyOracle)
- https://defipunkd.com/address/43114/0x9b6f5ef589A3DD08670Dd146C11C4Fb33E04494F (other VotingMachine)
- https://defipunkd.com/address/43114/0x1140CB7CAfAcC745771C2Ea31e7B5C653c5d0B80 (timelock PayloadsController)
- https://defipunkd.com/address/43114/0xc1162BCb2E5E3ca4725512008c7522dF8C8B7B65 (guardian GranularGuardian)
- Binance: 0x9d33ee6543C9b2C8c183b8fb58fB089266cffA19 (chain not supported by the read API)
- Binance: 0xcabb46FfB38c93348Df16558DF156e9f68F9F7F1 (chain not supported by the read API)
- Binance: 0xE5EF2Dd06755A97e975f7E282f828224F2C3e627 (chain not supported by the read API)
- Binance: 0xe4FB5e3F506BE0095f38004f993D16fdA8224383 (chain not supported by the read API)
- https://defipunkd.com/address/8453/0x529467C76f234F2bD359d7ecF7c660A2846b04e2 (other CrossChainController)
- https://defipunkd.com/address/8453/0x2DC219E716793fb4b21548C0f009Ba3Af753ab01 (timelock PayloadsController)
- https://defipunkd.com/address/8453/0xa1c6aF35E0205f42256382C05243C543FEDBf4bB (guardian GranularGuardian)
- xDai: 0x8Dc5310fc9D3D7D1Bb3D1F686899c8F082316c9F (chain not supported by the read API)
- xDai: 0xF937ffAeA1363e4Fa260760bDFA2aA8Fc911F84D (chain not supported by the read API)
- xDai: 0x9A1F491B86D09fC1484b5fab10041B189B60756b (chain not supported by the read API)
- xDai: 0x4A9F571E3C1f2F13567bb59e38988e74d7d72602 (chain not supported by the read API)
- Metis: 0x6fDaFb26915ABD6065a1E1501a37Ac438D877f70 (chain not supported by the read API)
- Metis: 0x2233F8A66A728FBa6E1dC95570B25360D07D5524 (chain not supported by the read API)
- Metis: 0x61BE97d3a0550549f67CA7421725fA73Fa2036B5 (chain not supported by the read API)
- https://defipunkd.com/address/10/0x48A9FE90bce5EEd790f3F4Ce192d1C0B351fd4Ca (other CrossChainController)
- https://defipunkd.com/address/10/0x0E1a3Af1f9cC76A62eD31eDedca291E63632e7c4 (timelock PayloadsController)
- https://defipunkd.com/address/10/0x6c5264C380C7022e54f585c4E354ffb6f221a03b (guardian GranularGuardian)
- https://defipunkd.com/address/137/0xF6B99959F0b5e79E1CC7062E12aF632CEb18eF0d (other CrossChainController)
- https://defipunkd.com/address/137/0xDAFA1989A504c48Ee20a582f2891eeB25E2fA23F (oracle EmergencyOracle)
- https://defipunkd.com/address/137/0xc8a2ADC4261c6b669CdFf69E717E77C9cFeB420d (other VotingMachine)
- https://defipunkd.com/address/137/0x401B5D0294E23637c18fcc38b1Bca814CDa2637C (timelock PayloadsController)
- https://defipunkd.com/address/137/0x0D2CccD3dD420dC6DE2f24DB44aA22fADE290a02 (guardian GranularGuardian)
- https://defipunkd.com/address/534352/0x03073D3F4769f6b6604d616238fD6c636C99AD0A (other CrossChainController)
- https://defipunkd.com/address/534352/0x6b6B41c0f8C223715f712BE83ceC3c37bbfDC3fE (timelock PayloadsController)
- https://defipunkd.com/address/534352/0xa835707d28e6C37C49d661742f2Fb5987367cEd4 (guardian GranularGuardian)
- zkSync Era: 0x800813f4714BC7A0a95310e3fB9e4f18872CA92C (chain not supported by the read API)
- zkSync Era: 0x2E79349c3F5e4751E87b966812C9E65E805996F1 (chain not supported by the read API)
- zkSync Era: 0xe0e23196D42b54F262a3DE952e6B34B197D1A228 (chain not supported by the read API)
- zkSync Era: 0x4257bf0746D783f0D962913d7d8AFA408B62547E (chain not supported by the read API)
- https://defipunkd.com/address/59144/0x0D3f821e9741C8a8Bcac231162320251Db0cdf52 (other CrossChainController)
- https://defipunkd.com/address/59144/0x3BcE23a1363728091bc57A58a226CF2940C2e074 (timelock PayloadsController)
- https://defipunkd.com/address/59144/0xc1cd6faF6e9138b4e6C21d438f9ebF2bd6F6cA16 (guardian GranularGuardian)
- https://defipunkd.com/address/59144/0x056E4C4E80D1D14a637ccbD0412CDAAEc5B51F4E (guardian GovernanceGuardian)
- Soneium: 0xD92b37a5114b33F668D274Fb48f23b726a854d6E (chain not supported by the read API)
- Soneium: 0x44D73D7C4b2f98F426Bf8B5e87628d9eE38ef0Cf (chain not supported by the read API)
- Soneium: 0xD8E6956718784B914740267b7A50B952fb516656 (chain not supported by the read API)
- Soneium: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Soneium: 0x47aAdaAE1F05C978E6aBb7568d11B7F6e0FC4d6A (chain not supported by the read API)
- Plasma: 0x643441742f73e270e565619be6DE5f4D55E08cd6 (chain not supported by the read API)
- Plasma: 0xe76EB348E65eF163d85ce282125FF5a7F5712A1d (chain not supported by the read API)
- Plasma: 0x60665b4F4FF7073C5fed2656852dCa271DfE2684 (chain not supported by the read API)
- Plasma: 0x19CE4363FEA478Aa04B9EA2937cc5A2cbcD44be6 (chain not supported by the read API)
- Plasma: 0xF61FE74Ec1cFbd9Ee8Bd27592D2EDEe0E2aA85Cf (chain not supported by the read API)
- https://defipunkd.com/address/1/0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9 (token AAVE governance token)
- https://defipunkd.com/address/1/0x7b9c0b9b0d8b0d8b0d8b0d8b0d8b0d8b0d8b0d8b (Emergency Admin)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Sources claude-opus-4-7 no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave V3 has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stages are assessed per-protocol against DeFiScan v2's criteria: governance structure, upgradeability path, timelock durations, emergency-council scope, and the walkaway test. The analysis depends on onchain discovery (roles, owners, timelocks) and deeper review of deployed contracts — neither of which DeFiPunk'd automates at Phase 0.

Stage 0 requirements pending

Governance is largely off-chain, contracts are upgradeable with short or no timelock, and the protocol depends on a multisig or team with full discretion. At Phase 0 DeFiPunk'd does not automatically evaluate these; the assessment lands with crawler-based onchain discovery.

Stage 1 requirements pending

Users can exit or opt out on their own terms even if the team disappears. Upgrades run through a meaningful timelock with an emergency security council clearly scoped. The walkaway test is the headline criterion.

Stage 2 requirements pending

Protocol is fully permissionless and immutable, or upgrades require a supermajority of token holders with a long timelock and no emergency override. This is the terminal stage of the DeFiScan v2 framework.

Learn more about DeFiScan v2 stages →

Stages are an opinionated assessment of maturity, not a rating of security or safety. A protocol can sit at Stage 2 and still carry substantial technical or economic risk; the framework exists to incentivize decentralization, not to rank protocols.

Contract surface

Every contract in scope for this protocol — pooled from DeFiLlama's TVL adapter (mechanical) and DEFI@home discovery submissions (LLM-curated). Verified-source flags come from Etherscan + Sourcify; owner / multisig metadata is read on-chain when available. Reviewer audit context, not a slice score. A lending protocol's adapter set will list third-party collateral tokens alongside its own contracts; attribution is the grader's job.

240addresses
11verified source
0proxies

TVL adapter pinned at 683d369. Sourcecode fetched 2026-05-06. Control fetched 2026-05-07.

Mainnet only


Arbitrum	admin ACLAdmin V3	`0xff11…6327`	discovery	—	—	—	governance
Arbitrum	admin ACLManager V3	`0xa726…4a0b`	discovery	—	—	—	—
Arbitrum	admin PoolConfigurator V3	`0x8145…021e`	discovery	—	—	—	—
Arbitrum	factory PoolAddressesProvider V3	`0xa976…3cdb`	discovery	—	—	—	factory
Arbitrum	guardian GranularGuardian	`0x4922…37ce`	discovery	—	—	—	guardian
Arbitrum	oracle AaveOracle V3	`0xb56c…c7c7`	discovery	—	—	—	oracle
Arbitrum	oracle PriceOracleSentinel V3	`0x7a9f…686b`	discovery	—	—	—	oracle
Arbitrum	other AaveProtocolDataProvider V3	`0x243a…c43b`	discovery	—	—	—	—
Arbitrum	other CrossChainController	`0xcbfb…29f0`	discovery	—	—	—	—
Arbitrum	pool Pool V3	`0x794a…14ad`	discovery	—	—	—	token
Arbitrum	timelock PayloadsController	`0x8964…637c`	discovery	—	—	—	timelock
Avalanche	admin ACLAdmin V3	`0x3c06…d090`	discovery	—	—	—	governance
Avalanche	admin ACLManager V3	`0xa726…4a0b`	discovery	—	—	—	—
Avalanche	admin PoolConfigurator V3	`0x8145…021e`	discovery	—	—	—	—
Avalanche	factory PoolAddressesProvider V3	`0xa976…3cdb`	discovery	—	—	—	factory
Avalanche	guardian GranularGuardian	`0xc116…7b65`	discovery	—	—	—	guardian
Avalanche	oracle AaveOracle V3	`0xebd3…7c9c`	discovery	—	—	—	oracle
Avalanche	oracle EmergencyOracle	`0x4118…ebee`	discovery	—	—	—	oracle
Avalanche	other AaveProtocolDataProvider V3	`0x243a…c43b`	discovery	—	—	—	—
Avalanche	other CrossChainController	`0x27fc…0928`	discovery	—	—	—	—
Avalanche	other VotingMachine	`0x9b6f…494f`	discovery	—	—	—	—
Avalanche	pool Pool V3	`0x794a…14ad`	discovery	—	—	—	—
Avalanche	timelock PayloadsController	`0x1140…0b80`	discovery	—	—	—	timelock
Base	admin ACLAdmin V3	`0x9390…257a`	discovery	—	—	—	governance
Base	admin ACLManager V3	`0x4395…fd33`	discovery	—	—	—	—
Base	admin PoolConfigurator V3	`0x5731…96be`	discovery	—	—	—	—
Base	factory PoolAddressesProvider V3	`0xe20f…d64d`	discovery	—	—	—	factory
Base	guardian GranularGuardian	`0xa1c6…f4bb`	discovery	—	—	—	guardian
Base	oracle AaveOracle V3	`0x2cc0…e156`	discovery	—	—	—	oracle
Base	oracle PriceOracleSentinel V3	`0x943a…74d6`	discovery	—	—	—	oracle
Base	other AaveProtocolDataProvider V3	`0x0f43…c73a`	discovery	—	—	—	—
Base	other CrossChainController	`0x5294…04e2`	discovery	—	—	—	—
Base	pool Pool V3	`0xa238…d1c5`	discovery	—	—	—	—
Base	timelock PayloadsController	`0x2dc2…ab01`	discovery	—	—	—	timelock
Binance	admin ACLAdmin V3	`0x9390…257a`	discovery	—	—	—	governance
Binance	admin ACLManager V3	`0x2d97…3877`	discovery	—	—	—	—
Binance	admin PoolConfigurator V3	`0x67bd…9584`	discovery	—	—	—	—
Binance	factory PoolAddressesProvider V3	`0xff75…ba6d`	discovery	—	—	—	factory
Binance	guardian GranularGuardian	`0xe4fb…4383`	discovery	—	—	—	guardian
Binance	oracle AaveOracle V3	`0x39bc…c697`	discovery	—	—	—	oracle
Binance	oracle EmergencyOracle	`0xcabb…f7f1`	discovery	—	—	—	oracle
Binance	other AaveProtocolDataProvider V3	`0xc90d…5328`	discovery	—	—	—	—
Binance	other CrossChainController	`0x9d33…fa19`	discovery	—	—	—	—
Binance	pool Pool V3	`0x6807…e0cb`	discovery	—	—	—	—
Binance	timelock PayloadsController	`0xe5ef…e627`	discovery	—	—	—	timelock
Celo	admin ACLAdmin V3	`0x1df4…053d`	discovery	—	—	—	governance
Celo	admin ACLManager V3	`0x7a12…314c`	discovery	—	—	—	—
Celo	admin PoolConfigurator V3	`0x7567…4691`	discovery	—	—	—	—
Celo	factory PoolAddressesProvider V3	`0x9f7c…cea5`	discovery	—	—	—	factory
Celo	oracle AaveOracle V3	`0x1e69…7e8b`	discovery	—	—	—	oracle
Celo	other AaveProtocolDataProvider V3	`0x2e0f…15ed`	discovery	—	—	—	—
Celo	pool Pool V3	`0x3e59…3402`	discovery	—	—	—	—
Celo	treasury Collector	`0xc959…e9e7`	discovery	—	—	—	treasury
ethereum	AaveProtocolDataProvider	`0x0879…31cd`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0x3de0…0f49`	TVL	✓	—	—	—
ethereum	AaveProtocolDataProvider	`0x4139…8cbd`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0x62c6…38b7`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0x9bf4…b375`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0xaebf…6ce0`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0xbc67…e10a`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0xe6a9…49b3`	TVL	✓	—	—	—
ethereum	AaveProtocolDataProvider	`0xe7d4…5758`	TVL	✓	—	—	—
ethereum	PendlePrincipalToken	`0xe848…d7b2`	TVL	✓	—	—	—
Ethereum	admin (Aave V4 Access Manager — Ethereum)	`0x08ae…df01`	discovery	—	—	—	—
Ethereum	admin (PoolAdmin / governance executor)	`0xee56…9413`	discovery	—	—	—	timelock
Ethereum	admin ACLManager V3	`0xc2aa…85b0`	discovery	—	—	—	—
Ethereum	admin DefaultIncentivesController	`0x8164…bfcb`	discovery	—	—	—	—
Ethereum	admin EmissionManager	`0x223d…d974`	discovery	—	—	—	—
Ethereum	admin PoolConfigurator V3	`0x64b7…bb27`	discovery	—	—	—	—
Ethereum	governor Governance V3	`0x9aee…2bc7`	discovery	—	—	—	governance
Ethereum	guardian (governance guardian / payload cancellation guardian)	`0xce52…6710`	discovery	—	—	—	multisig
Ethereum	guardian (Protocol Guardian / emergency admin)	`0x2cfe…aa30`	discovery	—	—	—	multisig
Ethereum	guardian EmergencyRegistry	`0x73c6…c7e9`	discovery	—	—	—	guardian
Ethereum	guardian GranularGuardian	`0x4457…51d4`	discovery	—	—	—	guardian
Ethereum	oracle AaveOracle V3	`0x5458…a0c2`	discovery	—	—	—	oracle
Ethereum	other (PayloadsController)	`0xdaba…aec5`	discovery	—	—	—	—
Ethereum	other (PoolAddressesProvider — proxy admin for Pool/PoolConfigurator/ACLManager)	`0x2f39…4e9e`	discovery	—	—	—	governance
Ethereum	other (Prime Market PoolAddressesProvider)	`0xcfbf…b16d`	discovery	—	—	—	—
Ethereum	other AaveProtocolDataProvider V3	`0x0a16…becd`	discovery	—	—	—	—
Ethereum	other CrossChainController	`0xed42…b0e1`	discovery	—	—	—	—
Ethereum	other DataWarehouse	`0x1699…cf61`	discovery	—	—	—	—
Ethereum	other GovernanceDataHelper	`0x971c…1856`	discovery	—	—	—	—
Ethereum	other GovernancePowerStrategy	`0xa198…1e04`	discovery	—	—	—	—
Ethereum	other MetaDelegateHelper	`0x9436…85dc`	discovery	—	—	—	—
Ethereum	other PayloadDataHelper	`0xe3b7…e16a`	discovery	—	—	—	—
Ethereum	other VotingDataHelper	`0x7797…50e8`	discovery	—	—	—	—
Ethereum	other VotingMachine	`0x6173…75eb`	discovery	—	—	—	—
Ethereum	other VotingPortalEthAvax	`0x33ac…5d79`	discovery	—	—	—	—
Ethereum	other VotingPortalEthEth	`0xf23f…e21f`	discovery	—	—	—	—
Ethereum	other VotingPortalEthPol	`0x9b24…36c3`	discovery	—	—	—	—
Ethereum	other VotingStrategy	`0x5642…a7f4`	discovery	—	—	—	—
Ethereum	pool (Aave V3 Pool proxy)	`0x8787…a4e2`	discovery	—	—	—	—
Ethereum	timelock (ACL admin / executor)	`0x5300…192a`	discovery	—	—	—	timelock
Ethereum	timelock (executor level 2)	`0x17dd…6957`	discovery	—	—	—	timelock
Ethereum	timelock (governance executor short)	`0xee56…9b17`	discovery	—	—	—	timelock
Ethereum	timelock (governance long executor)	`0xa700…963e`	discovery	—	—	—	timelock
Ethereum	timelock (governance short executor)	`0x80c6…bcf8`	discovery	—	—	—	timelock
Ethereum	timelock (governance short executor)	`0x8513…9921`	discovery	—	—	—	timelock
Ethereum	timelock (short executor governance)	`0x220d…c540`	discovery	—	—	—	timelock
Ethereum	token AAVE governance token	`0x7fc6…dae9`	discovery	—	—	—	governance
Ethereum	treasury Collector	`0x464c…e18c`	discovery	—	—	—	treasury
Ethereum	vault (Aave V4 Core Hub — Ethereum)	`0xcca8…26c9`	discovery	—	—	—	vault
Ethereum	vault (Aave V4 Plus Hub — Ethereum)	`0x0600…536a`	discovery	—	—	—	vault
Ethereum	vault (Aave V4 Prime Hub — Ethereum)	`0x9438…f931`	discovery	—	—	—	vault
Fantom	admin ACLAdmin V3	`0x39cb…c949`	discovery	—	—	—	governance
Fantom	admin ACLManager V3	`0xa726…4a0b`	discovery	—	—	—	—
Fantom	admin PoolConfigurator V3	`0x8145…021e`	discovery	—	—	—	—
Fantom	factory PoolAddressesProvider V3	`0xa976…3cdb`	discovery	—	—	—	factory
Fantom	oracle AaveOracle V3	`0xfd6f…0754`	discovery	—	—	—	oracle
Fantom	other AaveProtocolDataProvider V3	`0x69fa…0654`	discovery	—	—	—	—
Fantom	pool Pool V3	`0x794a…14ad`	discovery	—	—	—	—
Harmony	admin ACLAdmin V3	`0xb2f0…cd2d`	discovery	—	—	—	governance
Harmony	admin ACLManager V3	`0xa726…4a0b`	discovery	—	—	—	—
Harmony	admin PoolConfigurator V3	`0x8145…021e`	discovery	—	—	—	—
Harmony	factory PoolAddressesProvider V3	`0xa976…3cdb`	discovery	—	—	—	factory
Harmony	oracle AaveOracle V3	`0x3c90…80ad`	discovery	—	—	—	oracle
Harmony	other AaveProtocolDataProvider V3	`0x69fa…0654`	discovery	—	—	—	—
Harmony	pool Pool V3	`0x794a…14ad`	discovery	—	—	—	—
Linea	admin ACLAdmin V3	`0x8c2d…7f88`	discovery	—	—	—	governance
Linea	admin ACLManager V3	`0xbf32…dbb5`	discovery	—	—	—	—
Linea	admin PoolConfigurator V3	`0x812e…bfa2`	discovery	—	—	—	—
Linea	factory PoolAddressesProvider V3	`0x8950…73f4`	discovery	—	—	—	factory
Linea	guardian GovernanceGuardian	`0x056e…1f4e`	discovery	—	—	—	guardian
Linea	guardian GranularGuardian	`0xc1cd…ca16`	discovery	—	—	—	guardian
Linea	oracle AaveOracle V3	`0xcfda…95e9`	discovery	—	—	—	oracle
Linea	other CrossChainController	`0x0d3f…df52`	discovery	—	—	—	—
Linea	pool Pool V3	`0xc47b…a8ac`	discovery	—	—	—	—
Linea	timelock PayloadsController	`0x3bce…e074`	discovery	—	—	—	timelock
mantle	AaveProtocolDataProvider	`0x487c…3b68`	TVL + disc	✓	—	—	—
mantle	user	`0xb873…313c`	TVL	✗	—	—	—
Mantle	admin ACLAdmin V3	`0x7088…cb7b`	discovery	—	—	—	governance
Mantle	admin ACLManager V3	`0x810d…1115`	discovery	—	—	—	—
Mantle	admin PoolConfigurator V3	`0x7197…8626`	discovery	—	—	—	—
Mantle	factory PoolAddressesProvider V3	`0xba50…4d5f`	discovery	—	—	—	factory
Mantle	oracle AaveOracle V3	`0x47a0…e8df`	discovery	—	—	—	oracle
Mantle	oracle PriceOracleSentinel V3	`0x64df…252e`	discovery	—	—	—	oracle
Mantle	pool Pool V3	`0x458f…1422`	discovery	—	—	—	—
MegaETH	admin ACLAdmin V3	`0xe2e8…4e19`	discovery	—	—	—	governance
MegaETH	admin ACLManager V3	`0x390d…1c3d`	discovery	—	—	—	—
MegaETH	admin PoolConfigurator V3	`0xf15d…dabb`	discovery	—	—	—	—
MegaETH	factory PoolAddressesProvider V3	`0x46dc…a478`	discovery	—	—	—	factory
MegaETH	oracle AaveOracle V3	`0x4211…4f21`	discovery	—	—	—	oracle
MegaETH	other AaveProtocolDataProvider V3	`0x9588…b403`	discovery	—	—	—	—
MegaETH	pool Pool V3	`0x7e32…1c28`	discovery	—	—	—	—
Metis	admin ACLAdmin V3	`0x6fd4…8718`	discovery	—	—	—	governance
Metis	admin PoolConfigurator V3	`0x69fe…45a6`	discovery	—	—	—	—
Metis	factory PoolAddressesProvider V3	`0xb9fa…d7af`	discovery	—	—	—	factory
Metis	guardian GranularGuardian	`0x61be…36b5`	discovery	—	—	—	guardian
Metis	oracle AaveOracle V3	`0x38d3…6f8e`	discovery	—	—	—	oracle
Metis	oracle PriceOracleSentinel V3	`0x2b5e…828a`	discovery	—	—	—	oracle
Metis	other CrossChainController	`0x6fda…7f70`	discovery	—	—	—	—
Metis	pool Pool V3	`0x90df…6a57`	discovery	—	—	—	—
Metis	timelock PayloadsController	`0x2233…5524`	discovery	—	—	—	timelock
Optimism	admin ACLAdmin V3	`0x746c…09bf`	discovery	—	—	—	governance
Optimism	admin PoolConfigurator V3	`0x8145…021e`	discovery	—	—	—	—
Optimism	guardian GranularGuardian	`0x6c52…a03b`	discovery	—	—	—	guardian
Optimism	oracle AaveOracle V3	`0xd81e…0c77`	discovery	—	—	—	oracle
Optimism	other (PoolAddressesProvider — Optimism)	`0xa976…3cdb`	discovery	—	—	—	—
Optimism	other CrossChainController	`0x48a9…d4ca`	discovery	—	—	—	—
Optimism	pool Pool V3	`0x794a…14ad`	discovery	—	—	—	—
Optimism	timelock PayloadsController	`0x0e1a…e7c4`	discovery	—	—	—	timelock
plasma	—	`0x02fc…5dd8`	TVL	—	—	—	—
plasma	—	`0x54dc…aa44`	TVL	—	—	—	—
plasma	—	`0x93b5…8c9a`	TVL	—	—	—	—
plasma	—	`0xab50…cc82`	TVL	—	—	—	—
plasma	—	`0xf2d6…419f`	TVL	—	—	—	—
Plasma	admin ACLAdmin V3	`0x47aa…4d6a`	discovery	—	—	—	governance
Plasma	admin ACLManager V3	`0xa860…9c06`	discovery	—	—	—	—
Plasma	admin PoolConfigurator V3	`0xc022…d2d9`	discovery	—	—	—	—
Plasma	factory PoolAddressesProvider V3	`0x061d…05e9`	discovery	—	—	—	factory
Plasma	guardian GovernanceGuardian	`0x19ce…4be6`	discovery	—	—	—	guardian
Plasma	guardian GranularGuardian	`0x6066…2684`	discovery	—	—	—	guardian
Plasma	oracle AaveOracle V3	`0x33e0…aaa5`	discovery	—	—	—	oracle
Plasma	oracle EmergencyOracle	`0xf61f…85cf`	discovery	—	—	—	oracle
Plasma	other CrossChainController	`0x6434…8cd6`	discovery	—	—	—	—
Plasma	pool Pool V3	`0x925a…5e12`	discovery	—	—	—	—
Plasma	timelock PayloadsController	`0xe76e…2a1d`	discovery	—	—	—	timelock
Polygon	admin ACLAdmin V3	`0xdf7d…b233`	discovery	—	—	—	governance
Polygon	admin PoolConfigurator V3	`0x8145…021e`	discovery	—	—	—	—
Polygon	guardian GranularGuardian	`0x0d2c…0a02`	discovery	—	—	—	guardian
Polygon	oracle AaveOracle V3	`0xb023…8bd1`	discovery	—	—	—	oracle
Polygon	oracle EmergencyOracle	`0xdafa…a23f`	discovery	—	—	—	oracle
Polygon	other (PoolAddressesProvider — Polygon)	`0xa976…3cdb`	discovery	—	—	—	—
Polygon	other CrossChainController	`0xf6b9…ef0d`	discovery	—	—	—	—
Polygon	other VotingMachine	`0xc8a2…420d`	discovery	—	—	—	—
Polygon	pool Pool V3	`0x794a…14ad`	discovery	—	—	—	—
Polygon	timelock PayloadsController	`0x401b…637c`	discovery	—	—	—	timelock
Scroll	admin ACLAdmin V3	`0xc1ab…4a24`	discovery	—	—	—	governance
Scroll	admin ACLManager V3	`0x7633…8081`	discovery	—	—	—	—
Scroll	admin PoolConfigurator V3	`0x32bc…9b7f`	discovery	—	—	—	—
Scroll	factory PoolAddressesProvider V3	`0x6985…dd04`	discovery	—	—	—	factory
Scroll	guardian GranularGuardian	`0xa835…ced4`	discovery	—	—	—	guardian
Scroll	oracle AaveOracle V3	`0x0442…54f3`	discovery	—	—	—	oracle
Scroll	other CrossChainController	`0x0307…ad0a`	discovery	—	—	—	—
Scroll	pool Pool V3	`0x11fc…cffe`	discovery	—	—	—	—
Scroll	timelock PayloadsController	`0x6b6b…c3fe`	discovery	—	—	—	timelock
Soneium	admin PoolConfigurator V3	`0x1607…5a02`	discovery	—	—	—	—
Soneium	factory PoolAddressesProvider V3	`0x8240…4c5b`	discovery	—	—	—	factory
Soneium	governor ExecutorLvl1	`0x47aa…4d6a`	discovery	—	—	—	governance
Soneium	guardian GovernanceGuardian	`0x19ce…4be6`	discovery	—	—	—	guardian
Soneium	guardian GranularGuardian	`0xd8e6…6656`	discovery	—	—	—	guardian
Soneium	oracle AaveOracle V3	`0x2004…7fa1`	discovery	—	—	—	oracle
Soneium	oracle PriceOracleSentinel V3	`0xc0ba…dcbe`	discovery	—	—	—	oracle
Soneium	other CrossChainController	`0xd92b…4d6e`	discovery	—	—	—	—
Soneium	pool Pool V3	`0xdd3d…a38b`	discovery	—	—	—	—
Soneium	timelock PayloadsController	`0x44d7…f0cf`	discovery	—	—	—	timelock
Sonic	admin ACLAdmin V3	`0x7b62…1ee7`	discovery	—	—	—	governance
Sonic	admin ACLManager V3	`0x3a79…3b5a`	discovery	—	—	—	—
Sonic	admin PoolConfigurator V3	`0x50c7…e2f0`	discovery	—	—	—	—
Sonic	factory PoolAddressesProvider V3	`0x5c2e…6900`	discovery	—	—	—	factory
Sonic	oracle AaveOracle V3	`0xd63f…4b30`	discovery	—	—	—	oracle
Sonic	other AaveProtocolDataProvider V3	`0xc0a3…f2cd`	discovery	—	—	—	—
Sonic	pool Pool V3	`0x5362…eaa3`	discovery	—	—	—	—
X Layer	admin ACLAdmin V3	`0xe2e8…4e19`	discovery	—	—	—	governance
X Layer	admin ACLManager V3	`0xc8f2…190e`	discovery	—	—	—	—
X Layer	admin PoolConfigurator V3	`0x1408…d2f2`	discovery	—	—	—	—
X Layer	factory PoolAddressesProvider V3	`0xdff4…e092`	discovery	—	—	—	factory
X Layer	oracle AaveOracle V3	`0x91fc…e2c6`	discovery	—	—	—	oracle
X Layer	other AaveProtocolDataProvider V3	`0x6c50…138f`	discovery	—	—	—	—
X Layer	pool Pool V3	`0xe3f3…f116`	discovery	—	—	—	—
xDai	admin ACLAdmin V3	`0x1df4…053d`	discovery	—	—	—	governance
xDai	admin ACLManager V3	`0xec71…2614`	discovery	—	—	—	—
xDai	admin PoolConfigurator V3	`0x7304…5d16`	discovery	—	—	—	—
xDai	factory PoolAddressesProvider V3	`0x3661…2132`	discovery	—	—	—	factory
xDai	guardian GranularGuardian	`0x4a9f…2602`	discovery	—	—	—	guardian
xDai	oracle AaveOracle V3	`0xeb0a…f7c4`	discovery	—	—	—	oracle
xDai	oracle EmergencyOracle	`0xf937…f84d`	discovery	—	—	—	oracle
xDai	other AaveProtocolDataProvider V3	`0xf1f5…fa70`	discovery	—	—	—	—
xDai	other CrossChainController	`0x8dc5…6c9f`	discovery	—	—	—	—
xDai	pool Pool V3	`0xb502…26d8`	discovery	—	—	—	—
xDai	timelock PayloadsController	`0x9a1f…756b`	discovery	—	—	—	timelock
zkSync Era	admin ACLAdmin V3	`0x04ce…d020`	discovery	—	—	—	governance
zkSync Era	admin PoolConfigurator V3	`0x0207…f40e`	discovery	—	—	—	—
zkSync Era	factory PoolAddressesProvider V3	`0x2a39…6cb7`	discovery	—	—	—	factory
zkSync Era	guardian GovernanceGuardian	`0x4257…547e`	discovery	—	—	—	guardian
zkSync Era	guardian GranularGuardian	`0xe0e2…a228`	discovery	—	—	—	guardian
zkSync Era	oracle AaveOracle V3	`0xc7f5…0088`	discovery	—	—	—	oracle
zkSync Era	other CrossChainController	`0x8008…a92c`	discovery	—	—	—	—
zkSync Era	pool Pool V3	`0x78e3…c43c`	discovery	—	—	—	—
zkSync Era	timelock PayloadsController	`0x2e79…96f1`	discovery	—	—	—	timelock

TVL $345.2M

Type RWA Lending

Chain Ethereum

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

Verifiability tentative Open source + 11 audits
Control unknown Not yet assessed
Ability to exit unknown Not yet assessed
Autonomy tentative Off-chain counterparties reduce autonomy
Open Access unknown Not yet assessed

Control criteria

Upgradeability Upgradeable Bug bounty immunefi.com Governance forum governance.aave.com Docs aave.com

About

Aave Horizon RWA is a specialized Aave V3.3 lending market on Ethereum for institutional and qualified users to borrow permissionless stablecoins (USDC, GHO, RLUSD) against permissioned, tokenized real-world assets (RWAs) as collateral. Non-custodial smart contracts execute borrowing and lending deterministically. RWA issuers (Circle, Superstate, Centrifuge, etc.) manage whitelisting and KYC; aTokens are non-transferable by default to enforce compliance.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

Address discovery 1 address on file · 1 run Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative

Open source + 11 audits

Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy tentative

Off-chain counterparties reduce autonomy

Real-world-asset lending introduces off-chain legal counterparties, custodians, and enforcement regimes whose failure cannot be caught onchain. At Phase 0 this is a category-level heuristic.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

3 dimensions not yet assessed (Control, Ability to exit, Open Access)

Control unknown Unverified

Not yet assessed

Who holds admin privileges, how contracts can be upgraded, and how quickly. No automated heuristic grades this at Phase 0; a real assessment arrives when onchain discovery reads roles, owners, and timelocks.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit unknown Unverified

Not yet assessed

Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access unknown Unverified

Not yet assessed

Whether the protocol depends on privileged operators, whitelists, geo-restrictions, or off-chain infrastructure. This is not a signal DeFiLlama carries in a usable form; crawler-based detection lands in a later phase.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-horizon-rwa
- protocol.name:              Aave Horizon RWA
- protocol.chains:            Ethereum
- protocol.category:          RWA Lending
- protocol.website:           https://app.aave.com/markets/?marketName=proto_horizon_v3
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/aave/aave-v3-horizon/tree/main/audits, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8",
    "role": "pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xAe05Cd22df81871bc7cC2a04BeCfb516bFe332C8 (pool)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave Horizon RWA has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stage 0 requirements pending

Stage 1 requirements pending

Stage 2 requirements pending

Learn more about DeFiScan v2 stages →

Contract surface

1addresses
0verified source
0proxies

TVL adapter pinned at 683d369. Sourcecode fetched 2026-05-06. Control fetched 2026-05-07.

Mainnet only


Ethereum	pool	`0xae05…32c8`	discovery	—	—	—	—

TVL $118.7M

Type Lending

Chains Ethereum, Polygon, Avalanche

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

Verifiability tentative Open source + 11 audits
Control unknown Not yet assessed
Ability to exit unknown Not yet assessed
Autonomy unknown No Phase-0 autonomy signal
Open Access unknown Not yet assessed

Control criteria

Upgradeability Upgradeable Bug bounty audits.sherlock.xyz Governance forum governance.aave.com Docs aave.com

About

Aave V2 is a decentralized non-custodial liquidity protocol enabling users to deposit assets to earn interest and borrow against collateral. The protocol features aTokens (interest-bearing deposits), stable and variable debt tokens, and an upgradeable architecture governed through Aave token-weighted voting. V2 operates across Ethereum, Polygon, and Avalanche with a modular pool system.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

Address discovery 4 addresses on file · 1 run Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative

Open source + 11 audits

Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

4 dimensions not yet assessed (Control, Ability to exit, Autonomy, Open Access)

Control unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit unknown Unverified

Not yet assessed

Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy unknown Unverified

No Phase-0 autonomy signal

Neither the category heuristic nor the forkedFrom signal fires for this protocol. A real autonomy graph (oracles, bridges, fallbacks, governance-mutable dependencies) arrives with Phase-2 onchain discovery.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v2
- protocol.name:              Aave V2
- protocol.chains:            Ethereum, Polygon, Avalanche
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               [
  {
    "chain": "Ethereum",
    "address": "0xb53c1a33016b2dc2ff3653530bff1848a515c8c5",
    "role": "lending_pool_addresses_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9",
    "role": "lending_pool"
  },
  {
    "chain": "Ethereum",
    "address": "0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d",
    "role": "protocol_data_provider"
  },
  {
    "chain": "Ethereum",
    "address": "0xec568fffba86c094cf06b22134b23074dfe2252c",
    "role": "governance_v2"
  },
  {
    "chain": "Ethereum",
    "address": "0x7fc66500c84a76ad7e9c93437e434122a1dafd46",
    "role": "AAVE governance token"
  }
]

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
- https://defipunkd.com/address/1/0xb53c1a33016b2dc2ff3653530bff1848a515c8c5 (lending_pool_addresses_provider)
- https://defipunkd.com/address/1/0x7d2768dE32b0b80b7a3454c06BdAc94A69DDc7A9 (lending_pool)
- https://defipunkd.com/address/1/0x057835Ad21a177dbdd3090bB1CAE03EaCF78Fc6d (protocol_data_provider)
- https://defipunkd.com/address/1/0xec568fffba86c094cf06b22134b23074dfe2252c (governance_v2)
- https://defipunkd.com/address/1/0x7fc66500c84a76ad7e9c93437e434122a1dafd46 (AAVE governance token)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave V2 has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stage 0 requirements pending

Stage 1 requirements pending

Stage 2 requirements pending

Learn more about DeFiScan v2 stages →

Contract surface

9addresses
4verified source
4proxies

TVL adapter pinned at 683d369. Sourcecode fetched 2026-05-06. Control fetched 2026-05-14.

Mainnet only


ammMarket	ammMarket	`0x7937…ffcb`	TVL	—	—	—	—
ethereum	InitializableAdminUpgradeabilityProxy	`0x7fc6…dae9`	TVL	✓	proxy	—	—
ethereum	InitializableAdminUpgradeabilityProxy	`0x4da2…70f5`	TVL	✓	proxy	—	—
ethereum	InitializableAdminUpgradeabilityProxy	`0x41a0…4f84`	TVL	✓	proxy	—	—
ethereum	InitializableAdminUpgradeabilityProxy	`0xa111…fb47`	TVL	✓	proxy	—	—
Ethereum	governance_v2	`0xec56…252c`	discovery	—	—	—	governance
Ethereum	lending_pool	`0x7d27…c7a9`	discovery	—	—	—	—
Ethereum	lending_pool_addresses_provider	`0xb53c…c8c5`	discovery	—	—	—	governance
Ethereum	protocol_data_provider	`0x0578…fc6d`	discovery	—	—	—	—

TVL $85.4M

Type Lending

Chain Ethereum

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

Verifiability tentative Open source + 6 audits
Control unknown Not yet assessed
Ability to exit unknown Not yet assessed
Autonomy unknown No Phase-0 autonomy signal
Open Access unknown Not yet assessed

Control criteria

Upgradeability — Bug bounty immunefi.com Governance forum — Docs —

About

Aave V4 is a lending protocol on Ethereum.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

Address discovery 0 addresses on file · 0 runs ⚑ Run first Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative

Open source + 6 audits

Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

4 dimensions not yet assessed (Control, Ability to exit, Autonomy, Open Access)

Control unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit unknown Unverified

Not yet assessed

Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy unknown Unverified

No Phase-0 autonomy signal

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v4
- protocol.name:              Aave V4
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave V4 has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stage 0 requirements pending

Stage 1 requirements pending

Stage 2 requirements pending

Learn more about DeFiScan v2 stages →

TVL $6.7M

Type Lending

Chain Ethereum

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

Verifiability tentative Open source + 5 audits
Control unknown Not yet assessed
Ability to exit unknown Not yet assessed
Autonomy unknown No Phase-0 autonomy signal
Open Access unknown Not yet assessed

Control criteria

Upgradeability — Bug bounty immunefi.com Governance forum — Docs —

About

Aave V1 is a lending protocol on Ethereum.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

Address discovery 0 addresses on file · 0 runs ⚑ Run first Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative

Open source + 5 audits

Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

4 dimensions not yet assessed (Control, Ability to exit, Autonomy, Open Access)

Control unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit unknown Unverified

Not yet assessed

Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy unknown Unverified

No Phase-0 autonomy signal

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-v1
- protocol.name:              Aave V1
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave V1 has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stage 0 requirements pending

Stage 1 requirements pending

Stage 2 requirements pending

Learn more about DeFiScan v2 stages →

TVL $1.7M

Type Lending

Chain Aptos

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

Verifiability tentative Open source + 6 audits
Control unknown Not yet assessed
Ability to exit unknown Not yet assessed
Autonomy unknown No Phase-0 autonomy signal
Open Access unknown Not yet assessed

Control criteria

Upgradeability — Bug bounty immunefi.com Governance forum — Docs —

About

Aave Aptos is a lending protocol on Aptos.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

Address discovery 0 addresses on file · 0 runs ⚑ Run first Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative

Open source + 6 audits

Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

4 dimensions not yet assessed (Control, Ability to exit, Autonomy, Open Access)

Control unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit unknown Unverified

Not yet assessed

Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy unknown Unverified

No Phase-0 autonomy signal

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-aptos
- protocol.name:              Aave Aptos
- protocol.chains:            Aptos
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave Aptos has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stage 0 requirements pending

Stage 1 requirements pending

Stage 2 requirements pending

Learn more about DeFiScan v2 stages →

TVL $57.2K

Type Lending

Chain Ethereum

View on DeFiLlama ↗

Control Exit Autonomy Open Access Verifiable

Verifiability tentative Open source + 7 audits
Control unknown Not yet assessed
Ability to exit unknown Not yet assessed
Autonomy unknown No Phase-0 autonomy signal
Open Access unknown Not yet assessed

Control criteria

Upgradeability — Bug bounty immunefi.com Governance forum — Docs —

About

Aave Arc is a lending protocol on Ethereum.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

Address discovery 0 addresses on file · 0 runs ⚑ Run first Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: DISCOVERY

You are a cataloguer, not a judge. Your job is to surface every contract address that could plausibly belong to this protocol's control or fund-holding surface, each backed by a citation. `grade` is ALWAYS `"unknown"` for discovery submissions — there is no green/orange/red rubric here. The five evaluation slices that run after you (control, ability-to-exit, autonomy, open-access, verifiability) consume your output via the addressBook ratchet — every address you record becomes a pre-built surfacer URL on the next run; every address you miss costs them a tool call.

Width beats depth. A `role: "other"` entry with one cited URL beats omitting it. Downstream slices will discard out-of-scope entries; they cannot rediscover what you fail to enumerate without paying the same cost again.

(Step 0 capability probe lives in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every D-code below must appear in evidence[] OR unknowns[])

- **D1. Block-explorer name-tag search per chain.** For each chain in `protocol.chains`, search the canonical block explorer for the protocol's name tag — `https://etherscan.io/searchHandler?term=<query>` and the per-chain explorers (basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network). When direct fetch is blocked, use `site:<explorer> <protocol_name>` via search grounding. Record every address that surfaces with the protocol's tag, plus neighbouring "Token Contract" / "Multisig" / "Timelock" labels.

- **D2. Official deployments doc.** From `protocol.website` and the docs site, locate the canonical "Deployed contracts" / "Addresses" / "Contracts" / "Deployments" page (often at `/docs/deployments`, `/docs/addresses`, `/dashboard/contracts`). Cite the URL, record every address listed with its named role, and set `protocol_metadata.deployed_contracts_doc` to this URL.

- **D3. Audit PDFs.** From `protocol.audit_links` (and any audits surfaced by D2), open each. Most reports include a "Scope" / "Contracts in scope" address table in the first 5 pages. Extract every in-scope address with its labelled role. If the audit predates the current deployment, record the addresses anyway with role suffixed `(audit-era)` so downstream slices know to re-verify.

- **D4. GitHub deployment artifacts.** From `protocol.github`, walk the repo at a pinned commit SHA looking for: Foundry `broadcast/<script>/<chainId>/run-latest.json` (`transactions[].contractAddress` per chainId); hardhat-deploy `deployments/<network>/<Contract>.json` (`address` field); manual indexes (`deployments.json`, `addresses.json`, `contracts.json`, `networks.json`); markdown indexes (`docs/deployments.md`, `README.md` tables). Cite the file URL with the commit SHA; pin SHAs (`?ref=<sha>`) so the citation is content-addressed.

- **D5. Multi-chain enumeration.** If `protocol.chains.length > 1`, repeat D1–D4 per chain. Cross-chain deployments of the same logical contract get SEPARATE `admin_addresses[]` entries — one per chain. The chain field is part of the identity; do not collapse. If a chain has zero results, record `"D5: chain <name>: zero addresses surfaced from <sources tried>"` in unknowns[].

- **D6. Factory-discovered children.** For factory addresses surfaced in D1–D4, fetch the enumeration view via the read API (`/api/contract/read?...&method=allPools` / `getPool` / `getMarket` / `getVault`) and record each child with role like `"pool (from factory <0xFactory>)"`. **Cap at 50 children per factory.** Protocols with thousands of pools (Uniswap, Sushi) need dedicated ingestion — record the factory + the cap notice in unknowns[].

- **D7. Role taxonomy.** Every `admin_addresses[]` entry's `role` uses this controlled vocabulary (free-text suffixes OK for disambiguation, e.g. `"multisig (treasury)"`, but the leading token must match):

    `owner | admin | proxy_admin | governor | timelock | guardian | multisig | treasury | oracle | factory | router | token | pool | vault | other`

  Tentative classifications are encouraged. `actor_class` ∈ `eoa | multisig | timelock | governance | unknown` — use `unknown` when you found the address but didn't read its bytecode.

- **D8. Ratchet output integrity.** Every address in `admin_addresses[]` must trace to ≥1 fetched URL in evidence[]. Snippet-only sightings go in unknowns[] with a `D8` code, NOT in admin_addresses[].

### Discovery rationale framing

- `rationale.findings`: one entry per D-code, terse, factual. Per-address detail belongs in evidence[] and admin_addresses[], not here. Example: `"D1: 8 addresses surfaced from etherscan.io name-tag search for 'Aave V3'"`.
- `rationale.steelman`: ALWAYS null.
- `rationale.verdict`: one short line summarizing what corpora were walked and how many addresses were catalogued.
- `headline`: factual and quantitative — `"24 contracts catalogued across Ethereum, Arbitrum, and Base; 6 governance/admin and 18 protocol contracts."`.
- `short_headline`: under 60 chars — `"24 contracts across 3 chains"`.

### What discovery is NOT

- Not a verdict slice. `grade` must be `"unknown"`.
- Not exhaustive enumeration of leaf assets — record the factory + cap and move on (see D6).
- Not classification of trust assumptions — whether a multisig threshold is safe / timelock delay is sufficient / proxy admin is an EOA is the control slice's job.
- Not address-book reconciliation: when addressBook is non-empty, EXTEND it (find addresses prior runs missed) rather than re-cite the same addresses; re-cite only when you have new evidence for a refined role.

### protocol_metadata side-effects

While walking the corpora, populate every `protocol_metadata` field you can support with citations: `github`, `docs_url`, `audits` (one per D3 audit walked), `governance_forum`, `bug_bounty_url`, `security_contact`, `deployed_contracts_doc` (URL from D2), `upgradeability` (best-effort), and `about` (2–4 sentences sourced from docs/website, not memory). Discovery is the natural home for these — evaluation slices should not have to rediscover them.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "discovery",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Control Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access Unverified Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Audit all 5 dimensions · one prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON array inside a single ```json fenced block. The array MUST contain exactly five objects, one per risk slice, in this exact order: "control", "ability-to-exit", "autonomy", "open-access", "verifiability". Do not include the discovery slice.

Each object has the same shape as a normal slice submission:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "<one of: control | ability-to-exit | autonomy | open-access | verifiability>",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- Produce one complete object for each of these slices only: control, ability-to-exit, autonomy, open-access, verifiability.
- Reuse the same model, chat_url, snapshot_generated_at, prompt_version, analysis_date, and slug values across all five objects.
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches that object's slice checklist prefix verbatim (C1, E2, AU3, A3b, V4a, …); unknowns[] entries are checklist-coded ("C3: …").
- Wrap the array in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Verifiability tentative

Open source + 7 audits

Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

Run your own prompt Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: VERIFIABILITY

Evaluate whether an outsider can independently confirm what the deployed code does.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- V1. For each address you assess: is the bytecode verified on the chain's block explorer? Record the "Contract Source Code Verified" indicator. https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x... returns this as a top-level "verified" boolean plus "abiSource" ("etherscan" / "sourcify") and an inline ABI — useful when the explorer page is rate-limited. If the contract is a proxy, verify BOTH the proxy contract AND the current implementation contract. The same /api/contract/abi response auto-resolves proxies and includes a "proxy.implementation" address when present, so one call covers V1 + V6 in one shot. An explorer "Similar Match" on a well-known proxy pattern (Aragon AppProxyUpgradeable, ERC1967Proxy, OssifiableProxy, OZ TransparentUpgradeableProxy) is expected for that pattern and does NOT count as a verification gap on its own — what matters is that the implementation is independently verified.
- V2. Source-to-repo correspondence: for each verified contract, attempt to find a matching commit in the linked GitHub repos. Record evidence[].commit on a match. Independent compile/bytecode-match is NOT required for green — a recognized public repo whose structure and file contents correspond to the explorer-visible source is sufficient. If you did not pin a commit SHA or run a bytecode diff, record that plainly in unknowns[] and proceed; it is a scope limit, not a downgrade signal.
- V3. Audit coverage: for each URL in protocol.audit_links, open it and record: auditor name, audit date, the specific contracts / commit in scope. Flag audits that predate the current deployment by >6 months without a follow-up review.
- V4. Auditor recognition: the following firms are broadly recognized in Solidity: Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora (formal verification), Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee Blockchain, MixBytes, Statemind. Unknown firms are orange-at-best for any green-grade claim. Name the firm explicitly in evidence[].
- V5. Post-audit drift: compare the most recent in-scope audit(s) against the currently-deployed source, weighted by what each contract does and by what the changes actually contain. SCOPE — drift only downgrades the grade when ALL of the following hold: (i) the drifting contract is fund-custody / settlement / accounting-critical (NOT a peripheral router, lens, quoter, or pure-view contract that holds no balances); (ii) the changes are material — new functions, modified access control, modified accounting, modified fund flow — and not refactors / struct relocations / import reorgs / build or CI fixes / formatting; (iii) no later audit, fix-audit, or differential audit from a recognized firm covers the changed files (audits often pin a pre-fix commit while a follow-up reviews the delta — match by file scope, not by commit-hash equality). When you cite drift as a downgrade reason, name the specific behavior change (function added, role granted, accounting formula altered) — "N commits ahead" or "+X/-Y LOC" alone is not evidence of material drift. If you have not sampled the diff content (e.g. via the GitHub compare view or the top commits in the window), record drift as an unknowns[] entry rather than auto-downgrading; commit-count and LOC are starting signals, not findings.
- V6. Implementation vs proxy: a verified proxy with an unverified implementation is effectively unverified. State whether the implementation is verified separately.

EVIDENCE DISCIPLINE (read before writing findings[]):
- Do not assert a specific deploy-commit SHA, bytecode equivalence, or "identical to audited commit" unless you actually fetched the artifact that shows it (e.g., a deployed-addresses JSON you opened, an explorer page you read). Inferred or plausible matches belong in unknowns[], never in findings[] or evidence[].
- Evidence[] entries must correspond to pages/files you actually retrieved this run. A URL you did not open is not evidence.

Then write the steel-man section per Hard Rule 11.

Grade rules:
- green   = deployed bytecode verified on the explorer (proxy AND implementation if proxied; "Similar Match" on a standard proxy pattern is fine per V1), a public source repo exists whose contents correspond to the explorer-visible source, AND ≥1 audit from a recognized firm covering the currently-deployed contracts (≤6 months of drift OR drift was re-audited). A missing local compile-match is not a downgrade — record it in unknowns[] and still grade green if the other conditions hold.
- orange  = verified but with visible drift from the public repo, OR audit scope is stale relative to deployment, OR only minor / unknown-firm audits exist, OR only some of the main contracts are verified, OR proxy verified but implementation only partially verified.
- red     = unverified bytecode (or verified proxy with unverified implementation), OR no audit in protocol.audit_links, OR no public repo.
- unknown = reserved for when the protocol's verifiability posture genuinely cannot be assessed (e.g., explorer and repo both inaccessible for this protocol). Do NOT use unknown merely because you, the analyst, could not run a particular check such as a bytecode diff — that goes in unknowns[] while the grade is still assigned from the evidence you do have.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "verifiability",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

4 dimensions not yet assessed (Control, Ability to exit, Autonomy, Open Access)

Control unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: CONTROL

Evaluate who can change the protocol's rules, how fast, and how broadly.

(Step 0 capability probe and the off-chain-only fallback live in the preamble — those rules apply here.)

### MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[])

- **C1.** For each address you assess: who is the contract owner / admin / pendingAdmin / governor — read these via the block explorer's "Read Contract" tab OR `https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=owner` (BARE method names: `&method=owner`, `&method=admin`, `&method=pendingOwner`, `&method=governor`). For Safes use `/api/safe/owners?chainId=<id>&address=0x...`. When a protocol has multiple major versions deployed (v2/v3/v4), perform C1 reads on the NEWEST deployment separately — newer deployments often have weaker control surfaces than the legacy core.
- **C2.** Upgrade mechanism: transparent proxy / UUPS / Beacon / Diamond / immutable. Identify the proxy admin address. Check upgradeability of GOVERNANCE contracts too — a Governor / Aragon Voting / OZ Governor is often itself a proxy whose admin is the Timelock. Asymmetry: when fund-holding cores are immutable AND governance has no admin path that reaches them, an upgradable Governor/Timelock is T3-only and must NOT drag the verdict below green on that basis alone (see grade rules and the "immutable cores" caveat). Only call upgradability "mixed" if you can name a concrete function on the upgradable surface that reaches T1 or T2 on user funds.
- **C3.** EXECUTION PATH (enumerate every stage, in order, with delays in seconds). The operative path is usually a chain (voting → scheduler → timelock → executor; or governor → queue → execute; or Aragon Voting → DualGovernance → EmergencyProtectedTimelock → AdminExecutor). For each stage, record (a) the contract address, (b) the delay constant name + value in seconds, (c) the URL you read it from (block-explorer Read Contract OR `/api/contract/read?...&method=MIN_DELAY&block=<n>`). Do NOT stop at the first timelock-shaped contract — if its admin is itself called by another contract, keep walking. The grading delay is the SUM OF DELAYS ON THE UNCONTESTED FAST PATH (shortest time a proposal with no opposition can go from submission to executable). Dynamic / contested extensions (veto signaling, rage quit, escrow delay) are modifiers, not the basis — note them separately.
- **C4.** Enumerate EVERY multisig with reachable control — main proxy admin, emergency activation, emergency execution, reseal / pause, gate-seal committees, tiebreaker, per-module admins. For each Safe, fetch threshold + owners + version via `/api/safe/owners?chainId=<id>&address=0x...` (response includes raw eth_call data, so the URL is citable evidence). Enumerate ops/council/incentives multisigs even when off the upgrade path — record their scope so a reader can see they are NOT on the upgrade path. For each: (a) address, (b) threshold / total signers, (c) signer identities classified as insider (team, paid auditors under ongoing engagement, mandated service providers) vs non-insider (independent community members, unaffiliated researchers), (d) the specific power held (upgrade, pause, parameter, etc.).
- **C5.** On-chain governance: Governor / GovernorBravo / OZ Governor / Aragon Voting with token-weighted voting? Record proposal threshold, voting period, quorum, and the timelock delay between queue and execute. Every numeric constant must come from a Read Contract call you can link to, or be in unknowns[] with the C-code. If votingDelay / votingPeriod are denominated in BLOCKS, convert to seconds at the chain's CURRENT block time (Ethereum mainnet ≈ 12s post-Merge, not the 15s in older Compound/Bravo deployments) — cite both block count and converted seconds.
- **C6.** EMERGENCY POWERS: separate emergency-pause / guardian role with a different time cap or different actor than the main upgrade authority? Record it explicitly.
- **C7.** POWER TIER (blast radius). For each privileged path in C3–C6, classify the WORST thing that path can do, choosing the highest applicable tier. Cite the specific function name and any on-chain bound — tier claims without a named function are unsupported.
    - **T1 — FUND-CRITICAL**: replace implementation of contracts holding user funds; change AMM math / accounting / collateral logic; mint unbacked debt or shares; pause withdrawals; drain user-fund treasury; change oracle to attacker-controlled source; replace upgrade admin with EOA.
    - **T2 — ECONOMICALLY MATERIAL**: change fee parameters within bounded ranges; redirect protocol fees; add/remove markets / collateral types; bounded inflation or token mint within hard-capped schedule; spend protocol-owned (non-user) treasury.
    - **T3 — GOVERNANCE-INTERNAL**: change voting rules, quorum, voting period, proposal threshold; upgrade the Governor itself; rotate Timelock admin; mint governance tokens within a capped annual schedule.
    - **T4 — OPERATIONAL**: incentives distribution, grants, ENS / frontend canonicalization, deployment coordination, periphery router deprecation.
  The grade is set by the HIGHEST tier reachable on the uncontested fast path, not the median. State the tier and the binding function in the verdict.

### Read Contract discipline (applies to C3, C4, C5)

Every numeric constant cited (timelock delays, voting periods, multisig thresholds, quorum percentages) must come from EITHER (a) a block-explorer Read Contract URL, OR (b) a DeFiPunkd `/api/contract/read` or `/api/safe/owners` URL (preferred with `&block=<n>` for content-addressed evidence), OR (c) an unknowns[] entry with the C-code. Docs / blog posts are corroboration only — they cannot be the sole citation for a value that is also readable on-chain.

### Off-chain-only substitute hierarchy (when grading_basis="off-chain-only" — see preamble Rule 16)

When on-chain reads were genuinely unreachable this run, eligible off-chain substitutes in priority order:
1. Linked audit PDFs (admin roles, multisig members, timelock delays usually enumerated).
2. Governance forum posts that quote constants from a successful on-chain proposal (cite post URL + linked execution-tx URL).
3. Official protocol docs pages with named addresses and roles (must be on a domain owned by the protocol).
4. GitHub README / SECURITY.md / governance/*.md at a pinned commit SHA.

Forbidden substitutes: third-party blog posts, X / Twitter threads, search-result snippets, model memory. Required degradation: any C-code citing a numeric constant from docs/forum/audit prose ONLY must also carry an `unknowns[]` entry with `-offchain` suffix noting "value not re-read on-chain in this run; corroboration only".

### Grade rules (apply the timelock bar conditional on the highest C7 tier reachable on the fast path)

Security Council standard (used below): a multisig qualifies as "Security Council" only if ALL of: ≥7 signers, ≥51% threshold, ≥50% non-insider signers, every signer publicly announced. Failing any criterion = NOT a Security Council, regardless of signer reputation.

- **green**: highest reachable tier is T3 or T4 regardless of timelock; OR T2 reachable with uncontested-fast-path delay ≥7 days; OR T1 reachable only via immutable contracts (T1 is unreachable); OR T1 reachable with uncontested-fast-path delay ≥7 days combined with a Security Council multisig; OR T1 reachable with uncontested-fast-path delay ≥7 days through active on-chain governance with broad token distribution.
- **orange**: T2 reachable with uncontested-fast-path delay >0 but <7 days; OR T1 reachable with uncontested-fast-path delay >0 but <7 days; OR a multisig failing one or more Security Council criteria sits on a T1/T2 path; OR unclear upgrade authority on a T1/T2 path; OR governance with very short timelock or low quorum on a T1/T2 path.
- **red**: T1 reachable with no timelock by a single EOA or 2-of-3 multisig; OR a T1 upgrade admin that is not a smart contract you can audit.
- **unknown**: completed the checklist but still cannot determine the upgrade authority OR cannot classify the highest tier reachable on the main contracts.

Tiering caveats:
- "Bounded" must be enforced ON-CHAIN to count as T2. A function that sets fees with no upper-bound check is T1 — cite the bound check.
- Recurring T2 economic extraction (e.g. fee redirect with no rate limit) approaches T1 over time. A single proposal that can permanently redirect all future revenue is T1.
- T3 assumes the governance contract cannot itself authorize a T1/T2 action without going through the same timelock. If governance can self-upgrade to bypass the timelock, T3 collapses into T1.
- Do not downgrade tier by hand-waving ("realistically governance would never…"). Tier on what the contract permits, not what feels likely.

Notes:
- **Dynamic / dual-governance timelocks** (Lido, Compound escrow veto): the rubric grades on the uncontested path because that is the path most upgrades take. A dynamic extension that fires only under stake-weighted opposition is a real protection — name it in the green steel-man, but it does not lift an orange fast path into green; state the tension in the verdict.
- **Immutable cores with upgradable governance** (Uniswap-style): if fund-holding contracts are immutable and have no admin-reachable function moving / freezing / re-routing user funds, the highest reachable tier on the upgrade path is T3 — green regardless of timelock. Don't grade this orange just because the Governor is a proxy — that's a C2 fact, not a downgrade. Downgrade only applies if you can cite a concrete function on the upgradable surface that reaches T1 or T2 (privileged hook, upgradable factory controlling fund-routing, fee-switch redirecting protocol revenue without bound).
- **The 7-day bar** reflects the exit-window standard — users need notice after a queued upgrade to withdraw if they disagree. The ability-to-exit slice grades the exit side; this slice grades the delay side; both must hold for users to actually benefit from the delay.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "control",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Ability to exit unknown Unverified

Not yet assessed

Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: ABILITY-TO-EXIT

Evaluate whether users can withdraw their funds on their own terms, even under adversarial admin conditions.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- E1. Enumerate every user-facing exit function in the main contracts: withdraw, redeem, burn, requestWithdrawal, claim, exit, etc. List them by name. Do NOT treat the contract as a monolith.
- E2. For EACH exit function in E1: identify its access modifiers and any pause guards (e.g. _checkResumed, whenNotPaused, onlyRole). Functions that gate REQUEST PLACEMENT often differ from functions that CLAIM FINALIZED FUNDS — check both separately.
- E3. For each pause guard: identify the role holder (which address holds PAUSE_ROLE / GUARDIAN / etc.) and the maximum pause duration. Specifically check whether PAUSE_INFINITELY (or equivalent uncapped pause) is callable, and which actor can call it (single multisig vs governance vote). For role-holder reads use https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=hasRole&args=0x...,0x... or &method=getRoleAdmin&args=0x.... For "is currently paused" checks use &method=paused or &method=isPaused&args=<resume-code>. Use the BARE method name (no parens). Cite the URL with &block=<n> in evidence[].
- E4. EMERGENCY vs GOVERNANCE pause distinction: many protocols have a fast-acting emergency pause capped at N days and a slow governance pause that can be indefinite. Record both paths separately if present, with their time caps and actor classes.
- E5. Queued redemption: documented maximum queue duration, daily withdrawal caps, whether the queue itself is pausable.
- E6. Forced-exit / escape-hatch / permissionless emergency-exit mechanism for adversarial-admin scenarios.
- E7. Frontend dependency: confirm exit functions are directly callable on-chain (e.g. via Etherscan write tab or a generic wallet) without the project's frontend.

Then write the steel-man section per Hard Rule 11. Common red-vs-orange tension on this slice: indefinite pause exists (suggests red) BUT the realistic emergency path is time-capped AND claims of already-finalized exits are not pause-gated (suggests orange). Resolve this by stating who can do what for how long, not by stopping at the worst-case sentence.

Grade rules:
- green   = permissionless exit; pause is either absent, narrowly scoped to clearly-described emergencies with auto-expiry, or capped at ≤7 days; no frontend dependency for exit; claims of already-finalized exits are not pause-gated under any path.
- orange  = pausable with broad scope OR indefinite pause is reachable only through governance vote (not unilateral admin action), OR queued redemption with documented max > 7 days, OR claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance.
- red     = exit requires admin signature, OR ANY actor (including governance) can pause CLAIMS of finalized exits indefinitely, OR there is no on-chain exit function at all (purely custodial), OR pause is held by a single EOA / 2-of-3 multisig with no time cap.
- unknown = checklist incomplete after checking the sources above.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "ability-to-exit",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Autonomy unknown Unverified

No Phase-0 autonomy signal

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: AUTONOMY

Evaluate this protocol's autonomy: can a failure of anything outside its own contracts cause theft or loss of user principal, loss of unclaimed yield, or materially change the protocol's expected performance? "Autonomy" is not "has zero external touchpoints" — it is "external failures are either survivable or recoverable without user loss". This slice adapts DefiScan v1's Autonomy dimension; dependencies are one of several criteria, not the whole frame.

GUARDRAILS (read before grading):
- Category alone (Liquid Staking, Bridge, RWA Lending, Restaking, …) does NOT force a grade. A category is a hint about where to look; the grade must come from the concrete A1–A9 findings below.
- Base-chain consensus (Ethereum PoS, the chain's validator set, the canonical Deposit Contract at 0x00000000219ab540356cBB839Cbe05303d7705Fa) is the SUBSTRATE, not a dependency, for any protocol deployed on that chain. Do not list "depends on Ethereum" as a finding.
- Oracles or other integrations used by DOWNSTREAM protocols that happen to read this protocol's token (e.g. Chainlink stETH/USD consumed by Aave) are NOT this protocol's dependencies. Count only what THIS protocol's contracts call or trust on-chain. If a feed or contract appears in the protocol's docs only as reference material for third-party integrators, EXCLUDE IT ENTIRELY — do not log it as a finding even with a "peripheral" or "referenced only" caveat.
- "Upgradeable admin can change things" belongs to the CONTROL slice; only count it here when the upgrade surface lets governance silently swap an external dependency (see A9).
- Underlying-asset risk in opt-in, isolated markets is NOT autonomy-red on its own. When a protocol wraps third-party yield-bearing assets (LSTs, LRTs, ERC-4626 vaults, lending receipts, restaked tokens) into per-market silos that users explicitly choose, a failure of one underlying does NOT propagate to other markets and is risk the user opted into per-market. Record it under A4 with depth and propagation scope, but do not let it alone drive a red verdict — red requires an external dependency that cross-cuts the protocol or that the user did not opt into at deposit time. A failure mode that is "if the LRT you deposited is hacked, your principal in that LRT-backed market is impaired" is the underlying's autonomy story, not this protocol's; grade it on whether THIS protocol introduces additional dependencies on top.
- Sub-module enumeration is mandatory before grading. If the protocol ships distinct product lines or modules (e.g., a v2 core AMM plus a newer perps/funding-rate module, a lending pool plus a separate vault layer, an L1 core plus a cross-chain extension), enumerate each in findings and grade against the WORST module weighted by its share of TVS or its blast radius. A green core does not rescue an orange/red sub-module; conversely, a small red sub-module with capped TVS may bound the overall grade to orange. Name each module by its on-chain factory or router address. If you do not know whether a module exists, that is an unknowns[] entry, not silence. EXPLICIT TVS WEIGHTING: in the verdict, state each module's approximate share of total protocol TVS (use "~X%" if exact figures unavailable; check DeFiLlama or block-explorer balances on the module's main contract) and how that share informs the weighted grade. Format: "Module A holds ~X% of TVS (grade: <g>); Module B holds ~Y% (grade: <g>); weighted overall = <grade> because <reason>." If a red sub-module holds <5% of total TVS and is capped, the overall grade may be orange; if it holds >25%, the overall grade is red. Do not let qualitative reasoning substitute for the percentages — write the numbers.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. External contract calls. Enumerate every external contract the core contracts call or read from (oracles, price feeds, AMM pools, lending pools, staking/deposit contracts, yield wrappers). For each, identify the address, the provider, and what user-facing function of this protocol would break or mis-price if that external contract paused, mis-reported, or behaved adversarially. Grep for "oracle", "aggregator", "getPrice", "latestAnswer", "chainlink", "pyth", "redstone" as a starting point. To verify an oracle is live and what it currently reports, hit https://defipunkd.com/api/contract/read?chainId=<id>&address=<oracle>&method=latestAnswer (or &method=latestRoundData, &method=getPrice, &method=description; use the BARE method name without parens) and cite the URL — the response includes blockNumber/blockHash and rawReturnData, which is stronger evidence than a docs page about which feed "should" be used.
- A2. Off-chain actor committees reporting INTO the protocol. Oracle committees, guardian multisigs, DAO-selected validator sets acting as protocol reporters, exit-bus signers, fraud-proof challengers. For each, record committee size, quorum, who picks the members, and what mis-reporting could do (mint, burn, finalize withdrawal, freeze). Distinguish this from governance admins (control slice). NOTE ON STAKING PROTOCOLS: validator slashing and node-operator misbehavior are properties of the base-chain substrate, NOT external dependencies, when the operator set is diversified enough that a coordinated failure caps at <5% principal loss. Count validator/operator risk under A2 ONLY if the operator set is small, non-diversified, or lacks bonding / slashing-insurance / diversification mitigations. A curated set of 30+ independent operators with documented diversification falls under the mitigated path; a 3-operator LST does not. Do not cite the protocol's own risk disclosure as evidence that operator failure = principal loss unless you also check the diversification and bond mitigations.
- A3. Bridge / cross-chain messaging dependencies. Only count bridges that carry material TVL or are required for a core user flow. For each, name the bridge operator (canonical L1↔L2, LayerZero, Wormhole, Axelar, custom multisig), the trust model (canonical, optimistic, light-client, guardian set), and what fraction of TVL or users ride on it. "wstETH exists on 15 chains" is not a finding unless material TVL sits there. Before listing any non-primary chain deployment as a dependency, verify it is still operational as of analysis_date — retired or sunset deployments (e.g., Lido-on-Terra, Lido-on-Solana) belong in unknowns[] or should be omitted, never cited as a current dependency.
- A4. Nested collateral / restaking chains. For restaking / LRT / receipt-of-receipt designs: record the depth of the collateral chain, every actor with slashing or freezing power at each level, and whether a failure N levels deep propagates to user principal here.
- A5. Fork lineage (silent check). If DeFiLlama's forkedFrom is non-empty, record it as one finding and move on. If empty, do NOT add a placeholder finding; it adds noise.
- A6. Fallback mechanisms and circuit breakers. What catches an external failure? Sanity-check contracts on oracle reports, rebase bounds, pause paths triggered by bad prices, second-opinion oracles, max-per-block throughput caps, withdrawal queues that absorb bad reports. Record which A1–A4 risks are mitigated by which fallback, and which are unmitigated. For EACH fallback you cite, state its activation status explicitly: (i) LIVE and enforcing on-chain today, (ii) DEPLOYED but not yet wired / activated (e.g., interface exists but the address is zero or the role is unassigned), or (iii) DOCUMENTED / PROPOSED only (forum post, LIP draft, audit pending). Only (i) counts as mitigation for the grade. A fallback in state (ii) or (iii) should be noted but must not reduce the risk in your steel-man or verdict. If you cannot determine activation status, add an unknowns[] entry rather than assume it is live.
- A7. Sequencer / L1-liveness dependency BEYOND the base-chain substrate. SCOPE — sequencer risk only counts here when the protocol IS its own L2/L3 appchain or app-rollup, where the sequencer is part of the protocol's own stack and a freeze is a protocol-level outage. A protocol permissionlessly deployed on a third-party L2 inherits that L2's sequencer as substrate, not an A7 dependency. Record the sequencer/DA trust model when A7 applies.
- A8. Keeper / relayer / off-chain bot liveness. Protocols that need permissionless-but-necessary off-chain actors (liquidation bots, auto-compounders, deposit relayers, intent solvers). Record whether the role is permissionless, what degrades if nobody runs it (yield paused, bad debt accumulates, positions go stale), and whether the failure mode is graceful or catastrophic.
- A9. Governance-mutable dependency surface. Can an admin or DAO action silently INTRODUCE a NEW EXTERNAL dependency — swap the oracle address to a different provider, register a new staking module that calls an untrusted contract, add a new bridge, route SY through a new external vault — without an exit window for users? Check the upgrade / router / module-registry contracts. Answer: which EXTERNAL dependencies are governance-mutable, who holds that power, and whether there is a timelock or exit window. SCOPE LIMIT — read carefully: A9 is about the *external dependency surface*, not the upgrade surface in general. "The proxyAdmin / EOA can upgrade the router implementation to arbitrary bytecode" is a CONTROL-slice finding (admin can rug), NOT an autonomy-A9 finding. A9 fires only when the upgrade specifically swaps out or adds a contract that THIS protocol calls or trusts (e.g., changing the oracle address from Chainlink to a malicious feed, registering a new SY adapter that points to a third-party vault, redirecting a bridge endpoint). If the only finding is "admin can change implementation," do not log it under A9 and do not let it drive the autonomy grade — note it under control instead. The autonomy-relevant version of the same upgrade key is "admin can swap [specific external address X] without timelock"; that requires identifying the specific external dependency that becomes mutable.

STEEL-MAN (per Hard Rule 13): write one-sentence strongest arguments for red, orange, and green using the A1–A9 findings.

IMPACTED TVS ESTIMATE: the headline MUST include a rough impacted-TVS figure — the fraction of protocol TVS that could be lost or frozen if the worst-unmitigated dependency you identified failed. Use "~X%" if exact numbers are unavailable, "<1%" for de minimis, "unclear" only if A1–A9 left the question genuinely open (in which case grade=unknown is usually correct). Do NOT substitute qualitative phrases like "significant" — give a number or bracket.

GRADE ANCHORS (mapped to DefiScan v1 stages):
- green = Stage 2 equivalent. Failure of any external dependency cannot cause loss of user principal or unclaimed yield. Either there are no material external dependencies, or every critical one has a documented fallback (A6) that keeps users whole. Governance cannot silently introduce new dependencies without an exit window (A9). Impacted TVS under any single-dependency failure: effectively 0.
- orange = Stage 1 equivalent. Failure of some external dependency can cause loss of unclaimed yield, or can materially change expected performance (pause withdrawals, freeze positions, degrade price quality), but cannot cause loss of principal. Committee-based oracles with sanity checks, canonical-only bridges, fallback paths that exist but are incomplete, or governance-mutable dependencies protected by a ≥7-day timelock. Impacted TVS is bounded and recoverable.
- red = Stage 0 equivalent. Failure of an external dependency CAN cause theft or loss of principal. Examples: single-provider oracle with no sanity check or fallback, material TVL on a non-canonical bridge with a guardian multisig, governance can hot-swap oracles or add staking modules with no timelock or exit window, unmitigated keeper-liveness dependency where positions become insolvent if bots stop. Impacted TVS is material.
- unknown = checklist incomplete after inspecting source + verified contracts. Prefer unknown over guessing when A1/A6 could not be reconstructed. RESERVE unknown for cases where the CORE ARCHITECTURE itself is unverifiable — not for cases where you merely cannot enumerate every per-market dependency in a multi-market protocol. If the core router/factory/oracle architecture is verifiable on-chain and you can determine whether the core requires external dependencies, grade the architecture even when an exhaustive per-market external-dependency census is infeasible. Acknowledge the per-market gap in unknowns[] but still issue a grade. Refusing to grade a multi-market protocol because you cannot list every SY/vault/market is over-use of unknown; grade the architecture and say so.

PROMPT-META CHECK (per Hard Rule 17): before finalizing, verify the verdict cites concrete contract addresses, docs, or code — not the rubric itself. If your verdict says "the protocol belongs to a category the rubric marks red", rewrite it with the A1–A9 finding that actually justifies the grade, or drop to grade=unknown.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "autonomy",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Open Access unknown Unverified

Not yet assessed

No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

Submit run ↗

### Per-protocol context (ground truth for this run)

- protocol.slug:              aave-arc
- protocol.name:              Aave Arc
- protocol.chains:            Ethereum
- protocol.category:          Lending
- protocol.website:           https://aave.com
- protocol.github:            aave, bgd-labs
- protocol.audit_links:       https://aave.com/security, https://github.com/code-423n4/2022-02-aave-lens, https://github.com/code-423n4/2022-02-aave-lens-findings, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.02.15%20-%20Final%20-%20Aave%20Public%20Audit%20Contest%20Report.pdf, https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2026.02.05%20-%20Final%20-%20Aave%20Labs%20Collaborative%20Audit%20Report%201770295450.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2021-11-aave-v3-securityreview.pdf, https://github.com/trailofbits/publications/blob/master/reviews/2026-02-aave-v4-securityreview.pdf
- snapshot.generated_at:      2026-06-01T11:27:13.878Z
- analysis_date:              2026-06-07
- prompt_version:             29
- address_book:               null

### Pre-built read-API surfacer URLs (verbatim — fetchable as-is)
(no addresses pinned in this run — discover candidates from fetched website / GitHub / audit / explorer pages, record discovered addresses in evidence[] and protocol_metadata.admin_addresses, and put any reads you couldn't perform in unknowns[]. The next assessment will inherit your discoveries.)


---

You are contributing a single-slice assessment to defipunkd, a git-native transparency registry for DeFi protocols. Your JSON output will be attached to a pull request and compared against ≥2 other independent runs. Disagreements are surfaced publicly — be conservative, cite everything, return grade="unknown" when a signal cannot be determined, and resist stopping at the first damning finding.

### Per-protocol context (do not infer; these are ground truth)

A "Per-protocol context" block (provided alongside this prompt — either as a user message in API mode, or as a section appended below in copy-paste mode) lists the pinned inputs (protocol.slug, name, chains, category, website, github, audit_links, snapshot.generated_at, analysis_date, prompt_version, address_book) and a list of pre-built read-API surfacer URLs for each pinned address. Treat those values as authoritative for this run.

The pre-built surfacer URLs are accepted by your fetch tool's allowlist because they appear verbatim in the per-protocol context. Each surfacer page pre-executes the contract's zero-arg view methods and renders any address-typed return values as /address/{chainId}/0x… links inline — those rendered links are also fetchable post-fetch. /api/contract/read and /api/safe/owners JSON responses include a top-level `crawl.surfacers` array of /address/{chainId}/0x… URLs for every address-typed value in the result, so you can crawl directly from API responses. For addresses surfaced from non-defipunkd sources (block-explorer pages, GitHub, audit PDFs), the allowlist will reject your generated surfacer URL — record the address in protocol_metadata.admin_addresses and add a checklist-coded entry to unknowns[]; the next run will inherit it as a fetchable surfacer.

### Step 0 — Capability probe (do this before producing JSON)

Identify what fetch tool your environment exposes — `web_fetch`, `browser`, `url_context`, `google_search` (with underscore, colon, or space), Bing grounding, Perplexity, `web.run`, or anything similar. Search-grounding tools ARE valid fetch paths and you should use them; they are not forbidden. The distinction that matters is what the tool returned, not its name: a grounded response with the underlying page body is sufficient evidence; a bare 1–3-line preview snippet is not.

Probe: attempt one fetch of `protocol.website` and one fetch of a pre-built surfacer URL above (or the protocol's primary block-explorer page if no surfacer is pinned). Record the tool you used, the URL, and what came back (response body, HTTP status, allowlist rejection text, or "tool not present: <name>"). If either probe succeeded, proceed.

If both direct probes failed, **DO NOT STOP** — try search. Issue at least two broad search queries (protocol name + "Etherscan" / "official docs" / "GitHub" / "audit"; `site:` operators against etherscan.io / github.com / the docs domain). If a search query returns the underlying page body, that page URL is fetched evidence and goes in evidence[]. Set `grading_basis: "off-chain-only"` and continue with whatever you can extract. Empty `evidence[]` + `grade="unknown"` is only valid if BOTH direct probes AND ≥2 search queries returned nothing usable; in that case, log the attempted queries and observed-zero outcomes in unknowns[]. A submission claiming "blocked" without those receipts is treated as a non-submission (zero quorum weight). Search engines do not index raw JSON API endpoints — zero results for `defipunkd.com/api/contract/read` URLs is expected and is itself a recordable failure mode, not a system restriction.

### Anti-fabrication (the most important rule on this page)

Memory is not evidence. Treat your training data, prior conversations, and general knowledge as suggestions for what to look up — never as citations. Every URL in evidence[] must have been fetched in this run via any tool exposed in your environment, OR pasted into this conversation by the user. Constructing a URL is fine, but every variable part (address, commit SHA, repo path, contract name, method, args, block number) must come from a fetched/pasted source in this run, and the URL must then have been successfully fetched before it appears in evidence[]. URLs constructed from remembered addresses, repo paths, contract names, or guessed API methods are fabrication.

Before emitting JSON, run an evidence ledger check on every evidence[] entry:
1. The exact URL appears in your fetch transcript or in a user-pasted source body.
2. The fetched/pasted body contains the fact you're citing in evidence[].shows.
3. Every rationale.findings / protocol_metadata claim that depends on this evidence follows directly from that body, without recourse to memory.
4. Derived (rather than verbatim) claims are explicitly labelled as derived in evidence[].shows.
5. `fetched_at` is set ONLY when you actually fetched the URL in this run; if no timestamp is available, omit the field — never invent one.

If any check fails, remove the evidence entry and demote dependent claims to unknowns[]. Set grade="unknown" if demotion empties the grading basis. Do not ask the user to paste anything; do not withhold JSON; do not improvise from memory.

A plausible-sounding answer backed by unsupported evidence is WORSE than grade="unknown" — it pollutes the quorum. If the assessment requires leaning on remembered public facts ("Lido is governed by LDO token-weighted voting"), historical reports, common knowledge, or likely-architecture reasoning ("UUPS proxies typically have an admin role"), return grade="unknown" with specific unknowns[] entries. Optimize for reproducibility, not completeness — if a reviewer can't re-verify each claim from the evidence URLs alone, the claim does not belong in the JSON. Empty unknowns[] on a non-trivial protocol is a red flag, not a quality signal.

When the address_book is null/empty, you do not yet know any deployed address. Discover candidates from fetched website / GitHub / audit / explorer-search pages — addresses you "remember" from training data are not eligible, even for famous tokens (USDC, WBTC, stETH, UNI). If no address can be discovered after a good-faith attempt, return grade="unknown" with checklist-coded unknowns[] entries; do not invent addresses to fill the gap.

### Hard rules

1. Source classes that count as evidence:
   a) Public block explorers (etherscan.io, basescan.org, arbiscan.io, optimistic.etherscan.io, polygonscan.com, bscscan.com, snowtrace.io, scrollscan.com, lineascan.build, blastscan.io, era.zksync.network) for pinned addresses or addresses you discover transitively from them.
   b) The linked GitHub repos, at a specific commit SHA recorded in evidence[].commit.
   c) The audit PDFs / reports linked above.
   d) DeFiLlama's pinned fields (for category / chain lists only — not for risk assessment).
   e) DeFiPunkd's read API at https://defipunkd.com/api/{contract,safe}/... — see "On-chain reading" below.
2. If a signal cannot be determined after checking these, set grade="unknown" with ≥1 entry in unknowns[] naming what you looked for.
3. Every factual claim in rationale must map to ≥1 evidence[] entry.
4. Output exactly one JSON object matching the contract at the end, wrapped in a single ```json fenced code block. This rule applies to your FINAL assistant message only — issue tool calls freely during the run; tool-call reasoning lives in your model's tool-use channel and is not subject to this rule. Nothing before or after the fence — no prose, no follow-up questions, no requests for the user to paste anything. If evidence is incomplete, the correct response is still JSON, with claims demoted to unknowns[] and grade="unknown".

### Format rules (validation will reject submissions that violate these)
5. evidence[].url must be a bare `https://...` string — NEVER markdown link syntax. WRONG: `"url": "[Etherscan](https://etherscan.io/...)"`. RIGHT: `"url": "https://etherscan.io/..."`.
6. evidence[].commit, when present, must match `^[0-9a-f]{7,40}$` (lowercase hex, 7–40 chars). NEVER branch names or tags. Omit if you cannot pin a SHA.
7. evidence[].fetched_at, when present, must be ISO-8601 UTC (e.g. `2026-04-23T11:20:00Z`). Set whenever you actually fetched in this run.
8. evidence[].address, when present, must be `^0x[0-9a-fA-F]{40}$` (mixed case OK; checksum not validated).
9. Checklist codes (used in findings[].code and as unknowns[] prefixes) match `^[A-Z][A-Za-z0-9-]{0,16}$` — start with an uppercase letter, then digits / letters / hyphens. Examples: `E1`, `A3b`, `C2-emergency`, `V4-auditor`. No parens, spaces, dots, slashes, underscores. Use slice-defined codes verbatim. unknowns[] entries must be prefixed with the relevant code + colon (e.g. `"A3b: frontend fetch failed"`).
10. chat_url: ALWAYS null. Default share links (claude.ai/chat, chatgpt.com, gemini.google.com) require viewer login and are not publicly readable. The user enables "Share publicly" after you respond and pastes the public URL into the JSON before opening the PR.

### Thoroughness rules

11. Each per-slice body contains a "MANDATORY INSPECTION CHECKLIST". Every item must EITHER produce an evidence[] entry OR a specific unknowns[] entry naming it by code. Silent skips are rejected as incomplete.
12. Before assigning a grade other than "unknown", rationale.steelman must contain a one-sentence strongest argument for each of red / orange / green, and rationale.verdict must state which fits the evidence and why. If the steel-man for the chosen grade is weaker than for an adjacent grade, you have probably picked the wrong grade. When grade="unknown", set steelman to null and use verdict to summarize what blocked the assessment.
13. Distinguish actor classes (EOA, 2-of-3 multisig, 4-of-7+ multisig with identified signers, emergency-scoped time-capped multisig, on-chain governance vote with timelock) and function classes (claim-of-finalized vs new-request-placement, deposit vs borrow, mint vs redeem) — say which actor holds which power, on what time bound. "An admin can pause" is insufficient.
14. For on-chain slices (control, ability-to-exit, autonomy, verifiability), evidence[] must include ≥1 on-chain URL: a block-explorer URL OR a DeFiPunkd /api/{contract/read,safe/owners} URL (preferred — content-addressed when block-pinned). /api/contract/abi alone is metadata, not on-chain evidence. Source repos tell you what code SHOULD do; deployed contracts tell you what it ACTUALLY does. The "open-access" slice is exempt when claims are entirely about frontend / off-chain operator behavior. CARVE-OUT: `grading_basis="off-chain-only"` is exempt from this rule but is downweighted by the quorum bot regardless of grade.
15. Prompt-meta-check: if your verdict quotes prompt language as evidence ("the protocol meets the 'documented fallback' condition"), re-do the verdict — the prompt describes the rubric, not the protocol. Evidence cites what THIS protocol does, not what the rubric says protocols of type X do.
16. `grading_basis` is one of `"on-chain"` (default; omit field), `"off-chain-only"`, or `"mixed"`. Describes what was READ this run, not the verdict — `grade="unknown"` is allowed under any basis. Set `"off-chain-only"` ONLY when BOTH (a) ≥1 successful fetch of a docs / forum / audit / GitHub URL appears in evidence[], AND (b) ≥1 failed on-chain fetch attempt for THIS run is recorded in unknowns[] with a `-offchain` suffix. Empty `evidence[]` with `"off-chain-only"` is a category error and is rejected by the validator. Set `"mixed"` when some checklist codes were on-chain and others fell back. ABI-only finds (you read the ABI but couldn't read live state) are valid as `grade="unknown"` with the ABI cited; do not infer a grade from ABI shape alone.

### On-chain reading via the DeFiPunkd API

Don't encode calldata, decode return data, or guess at ABIs by hand. Three deterministic GET endpoints return JSON with blockNumber, blockHash, raw calldata, and rawReturnData — content-addressed when block-pinned (`&block=<n>`):

  ABI (auto-resolves proxies):
    https://defipunkd.com/api/contract/abi?chainId=<id>&address=0x...
  View call (any view method on the merged ABI; flat scalar args):
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=getOwners
    https://defipunkd.com/api/contract/read?chainId=<id>&address=0x...&method=balanceOf&args=0x...
  Safe (threshold + owners + version in one call):
    https://defipunkd.com/api/safe/owners?chainId=<id>&address=0x...

Use the BARE method name in `&method=` (e.g. `&method=totalSupply`, NOT `&method=totalSupply()`). Browser tools normalize `(` to `%28` and reject the normalized URL; bare names dodge that. Pass arguments via `&args=` (comma-separated, declaration order). Append `&block=<n>` for content-addressed evidence.

Supported chainIds: 1 (ethereum), 10 (optimism), 56 (bsc), 130 (unichain), 137 (polygon), 324 (zksync), 8453 (base), 42161 (arbitrum), 43114 (avalanche), 59144 (linea), 81457 (blast), 534352 (scroll), 11155111 (sepolia).

Use this API for any factual claim about contract ABI shape, view-method return values (owner(), getOwners(), getThreshold(), totalSupply(), implementation(), paused(), MIN_DELAY(), …), and Safe membership. Do NOT invent ABIs or return values from training data.

Note on noisy address_book: the pinned address_book is sourced from prior assessments. It may include token deployments, oracle feeds, peripheral contracts, or mis-classified entries. Skip surfacer URLs that don't fit your slice — fetch only those whose role hints suggest control / pause / upgrade authority.

### Protocol metadata refresh (populate `protocol_metadata` in the output)

DeFiLlama's pinned inputs may be stale or wrong. As a side-effect of this assessment, populate `protocol_metadata` with anything you verify. Leave fields null / empty arrays if you did not verify them — do NOT echo pinned inputs through; null means "not re-verified this run".

- `github`: array of canonical source-code repo URLs.
- `docs_url`: canonical developer / protocol documentation site.
- `audits`: array of `{ firm, url, date }` (date as YYYY-MM or YYYY-MM-DD).
- `governance_forum`: primary discussion forum URL (Discourse, Commonwealth, etc.).
- `voting_token`: `{ chain, address, symbol }` or null. Omit if not token-governed.
- `bug_bounty_url`: public bug bounty page (Immunefi, HackerOne, self-hosted).
- `security_contact`: private-disclosure channel — security@ email or SECURITY.md URL. Distinct from public bug bounty.
- `deployed_contracts_doc`: docs page that lists deployed addresses per chain. Don't enumerate; just link.
- `admin_addresses`: array of `{ chain, address, role, actor_class }` for multisig / timelock / owner / proxy-admin addresses. `actor_class` ∈ `"eoa" | "multisig" | "timelock" | "governance" | "unknown"`. These are the anchors for future runs' address_book.
- `upgradeability`: `"immutable" | "upgradeable" | "mixed" | "unknown"`. "mixed" = some core contracts immutable, others behind proxies.
- `about`: 2–4 sentence plain-English description. Name the user action (stake, borrow, swap, bridge, mint, redeem), the asset / market, and the distinctive mechanism (liquid staking receipt, isolated lending pools, constant-product AMM, intents auction, etc.). Do not restate category / chains / TVL.

Every non-null field in `protocol_metadata` must be backed by ≥1 entry in evidence[].

---

### Slice: OPEN-ACCESS

Evaluate who is allowed to use the protocol and whether any of that permission is granted off-chain.

Scope: this slice is about ADMISSION — who can enter, exit, or transact. Operator LIVENESS (what breaks if keepers/oracles go offline) is assessed in the dependencies slice and is out of scope for the grade here. You may note operator dependencies as context, but do not let "the protocol halts if operator X disappears" drive the access grade on its own; that belongs in dependencies. Source verification / contract verification on block explorers is assessed in the verifiability slice and is out of scope here — do NOT let "contract is unverified" drive the access grade.

Framing: the smart contracts are the access layer; frontends are UX. A permissionless contract is reachable by any client (SDK, third-party UI, aggregator, wallet integration). Frontend ToS, IP geo-blocking, and wallet screening are publisher policies on one specific client — they are reported as context but do NOT determine the grade. The grade hinges on (1) what the contract itself permits, and (2) whether the protocol is practically reachable without the official publisher's cooperation.

Meta-check before finalizing: if your verdict cites phrases from this prompt as evidence ("the protocol meets the 'credible alternatives' condition", "this fits the 'documented fallback' rule"), redo the verdict. The prompt describes the rubric; evidence must come from the protocol. A verdict should cite what the protocol does, not what the rubric says.

MANDATORY INSPECTION CHECKLIST (every item below must appear in evidence[] OR unknowns[]):
- A1. Whitelist / allowlist modifiers in user-facing entry points. Grep for "onlyWhitelisted", "onlyRole", "allowlist", "isAccredited", "isKYCed". Note which functions are gated and who can add/remove from the list.
- A2. Off-chain operators in the admission path: keepers, sequencers, privileged relayers, oracle posters whose approval is required to admit a user action (not just to keep the protocol live). For each, identify whether the role is held by a single operator, a permissioned committee, or is permissionless. Enumerate per user-facing function class (deposit vs withdraw-request vs claim-finalized vs transfer) which ones require operator approval to be admitted, and which ones admit users unconditionally. A function whose placement is unconditional but whose downstream settlement depends on an operator is an admission-permissionless function — flag the liveness dependency as context and defer its grading weight to the dependencies slice.
- A3. Frontend restrictions on the official interface — record as context, not as a grade lever. Distinguish:
    - A3-passive: boilerplate ToS clauses (sanctions attestation, restricted-territory self-certification, VPN-circumvention prohibition, "comply with applicable law" eligibility, age of majority).
    - A3-active: runtime enforcement — IP-based geo-blocking, wallet-address screening against a sanctions oracle (Chainalysis, TRM, Elliptic), KYC wall, rendering-blocking jurisdiction banner.
  Record findings under the correct tier. Quote ToS text or banner text in evidence[].shows. These findings populate the headline and rationale but do NOT move the grade by themselves; the grade is set by A1, A2, and the A3b path check below.
- A3b. Independent access paths (the operative grade input). Enumerate paths that do not require the official publisher's cooperation:
    - Published SDK / library / CLI for direct contract interaction.
    - Third-party frontends operated by separate legal entities.
    - Wallet-integrated access (MetaMask Swaps, Safe apps, etc.).
    - DEX / lending / yield aggregators that route through the contracts.
  Record at least one concrete link per path that exists. The protocol does NOT have to self-document these — the test is existence, not UX cost. An A3b-i redistribution of the official UI bound by the same ToS does NOT count as an independent path.
- A4. Sanctions / compliance tooling at the contract level: does the protocol check addresses against OFAC lists or similar on-chain blocklists in the contract itself? (Frontend-only screening belongs in A3.)
- A5. Differentiate read access vs write access: many protocols are read-permissionless (anyone can view state) but write-gated (only certain addresses can deposit/borrow). Record both.
- A6. ToS / Legal links: locate them on the website and produce a VERBATIM quote of any jurisdictional, sanctions, or eligibility clause in evidence[].shows. If you cannot extract the clause text verbatim (SPA render failure, paywall, dead link, etc.), do NOT paraphrase or infer from general knowledge — record the ToS URL in unknowns[] with the reason extraction failed. Assertions about ToS content without a verbatim quote will be downweighted by reviewers.

Then write the steel-man section per Hard Rule 11.

Grade rules (admission-focused; liveness concerns belong in dependencies; source verification belongs in verifiability):
- green   = no contract-level whitelist/KYC on user entry/exit; no operator approval required to admit a user action; AND at least one independent A3b path exists (published SDK, third-party frontend, wallet integration, or aggregator routing). Frontend ToS posture and A3-active enforcement on the official UI do NOT block green when contracts are permissionless and an independent path exists — they are reported as context.
- orange  = contracts admit users unconditionally, BUT the protocol is operationally captured by the official publisher: no published SDK, no third-party frontend, no wallet integration, no aggregator routing. The contract is theoretically open but practically reachable only through the official UI. Also applies when admission requires approval from a permissioned committee that is governance-managed with a documented replacement procedure.
- red     = contract-level whitelist / KYC on user entry/exit, OR admission of a core user action requires approval from a single privileged operator or a small committee with no documented replacement procedure, OR enforces an on-chain blocklist updatable by a single party.
- unknown = checklist incomplete after checking the sources above.

Default-grade guidance: when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI. Frontend geo-blocking, sanctions-oracle wallet screening, and ToS sanctions clauses are publisher policies on one client and are reported in findings/headline as context, not as grade levers. To grade orange on operational-capture grounds, the auditor must affirmatively show that ALL independent paths are absent or also gated.

Guideline on committees: where admission depends on a multi-operator committee, the relevant axes are (a) set size, (b) whether replacement/rotation is governed on-chain, (c) whether the replacement procedure is publicly documented. A large set with on-chain governance replacement should not be graded as a single-party operator even if rotation is not instantaneous. A small set with informal replacement should be treated as a single-party operator.

---

### JSON output contract

Return exactly one JSON object inside a single ```json fenced block. Shape:

{
  "schema_version": 4,
  "slug": "<copy protocol.slug from the per-protocol context>",
  "slice": "open-access",
  "snapshot_generated_at": "<copy snapshot.generated_at from the per-protocol context>",
  "prompt_version": 29,
  "analysis_date": "<copy analysis_date from the per-protocol context>",
  "model": "<exact model name, e.g. claude-opus-4-7 / gpt-5-thinking / gemini-3-pro>",
  "chat_url": null,
  "grading_basis": "on-chain | off-chain-only | mixed (optional; omit for on-chain)",
  "grade": "green | orange | red | unknown",
  "headline": "<one-line summary>",
  "short_headline": "<≤6 words, ≤80 chars; omit if you can't fit>",
  "rationale": {
    "findings": [{ "code": "E1", "text": "<concrete, source-cited finding>" }],
    "steelman": { "red": "<one sentence>", "orange": "<one sentence>", "green": "<one sentence>" },
    "verdict": "Choosing <grade> because <reason ranking one steel-man above the others, citing specific evidence>."
  },
  "evidence": [{ "url": "https://...", "shows": "<what this URL demonstrates>", "chain": "...", "address": "0x...", "commit": "<hex SHA>", "fetched_at": "2026-04-23T11:20:00Z" }],
  "unknowns": ["E3: <thing you looked for but couldn't determine>"],
  "protocol_metadata": {
    "github": ["https://github.com/org/repo"],
    "docs_url": "https://docs.protocol.xyz",
    "audits": [{ "firm": "Trail of Bits", "url": "https://...report.pdf", "date": "2025-09" }],
    "governance_forum": "https://forum.protocol.xyz",
    "voting_token": { "chain": "Ethereum", "address": "0x...", "symbol": "XYZ" },
    "bug_bounty_url": "https://immunefi.com/bounty/protocol",
    "security_contact": "security@protocol.xyz",
    "deployed_contracts_doc": "https://docs.protocol.xyz/deployments",
    "admin_addresses": [{ "chain": "Ethereum", "address": "0x...", "role": "DAO treasury multisig", "actor_class": "multisig" }],
    "upgradeability": "immutable | upgradeable | mixed | unknown",
    "about": "<2–4 sentences>"
  }
}

Rules recap:
- grade="unknown" ⇒ steelman=null; unknowns[] ≥1; evidence[] may be empty.
- grade!="unknown" ⇒ steelman={red,orange,green}; evidence[] ≥1; verdict starts with "Choosing ".
- findings[].code matches the slice's checklist prefix verbatim (E1, C2-emergency, V4a, …); unknowns[] entries are checklist-coded ("E3: …").
- Wrap in a single ```json fence; nothing before or after. URLs are bare strings, never markdown links.

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Aave Arc has not yet been assessed under the DeFiScan v2 stage framework.

The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.

Scope of assessment

Stage 0 requirements pending

Stage 1 requirements pending

Stage 2 requirements pending

Learn more about DeFiScan v2 stages →

Protocol Info

Security

[:]

Audits: 64 audits

OpenZeppelin — 2021-11
Trail of Bits — 2022-01
PeckShield — 2022-01
Certora — 2022-01
Sigma Prime — 2023-04
Certora — 2024-04
MixBytes — 2024-05
Sherlock — 2025-01
Oxorio — 2025-01
Certora — 2025-07
MixBytes — 2025-07
Certora — 2025-11
MixBytes — 2025-11
Pashov — 2025-11
Blackthorn — 2025-11-16
Savant — 2025-11-18
Trail of Bits — 2026-02
Sigma Prime — 2024-05-20
Trail of Bits — 2022-03-23
OpenZeppelin — 2022-01-27
Sigma Prime — 2022-05
Trail of Bits — 2022-04
OpenZeppelin — 2022-01
Sigma Prime — 2022-01-27
Trail of Bits — 2022-03-14
Sigma Prime — 2023-03
Certora — 2022-11
Blackthorn — 2025-11-16
Sigma Prime — 2022-01
ABDK — 2022-01
OpenZeppelin — 2022-01
Code4rena — 2022-02 — aave-v3
Code4rena — 2022-02 — aave-v3
Sherlock — 2026-02-05 — aave-v3
Sherlock — 2025-02-15 — aave-v3
Trail of Bits — 2021-11 — aave-v3
github.com — aave-horizon-rwa
ABDK — 2022-01 — aave-horizon-rwa
Cantina — 2024-06 — aave-horizon-rwa
Certora — 2025-05-30 — aave-horizon-rwa
Certora — 2025-01-20 — aave-horizon-rwa
Certora — 2024-11-07 — aave-horizon-rwa
Certora — 2024-09-19 — aave-horizon-rwa
Certora — 2024-09-10 — aave-horizon-rwa
Certora — 2024-09 — aave-horizon-rwa
Certora — 2024-04 — aave-horizon-rwa
Certora — 2023-03 — aave-horizon-rwa
Enigma Aave — 2024-09-30 — aave-horizon-rwa
MixBytes — 2024-12-05 — aave-horizon-rwa
MixBytes — 2024-05 — aave-horizon-rwa
OpenZeppelin — 2021-11 — aave-horizon-rwa
Oxorio — 2025-01-29 — aave-horizon-rwa
Oxorio — 2024-09-12 — aave-horizon-rwa
Pashov Aave — 2024-09-15 — aave-horizon-rwa
PeckShield — 2022-12 — aave-horizon-rwa
PeckShield — 2022-01 — aave-horizon-rwa
Sherlock — 2025-01-22 — aave-horizon-rwa
Sigma Prime — 2023-04 — aave-horizon-rwa
Sigma Prime — 2022-12 — aave-horizon-rwa
Sigma Prime — 2022-01 — aave-horizon-rwa
StErMi Aave — 2024-10-22 — aave-horizon-rwa
StErMi Horizon — 2025-06-25 — aave-horizon-rwa
Trail of Bits — 2026-02 — aave-horizon-rwa
Trail of Bits — 2022-01 — aave-horizon-rwa
Bug bounty: https://immunefi.com/bug-bounty/aave/
Security contact: https://github.com/aave-dao/aave-v3-origin/blob/main/SECURITY.md

Technical

[:]

Voting token: AAVE Ethereum: 0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9
Deployed contracts: https://aave.com/docs/resources/addresses
Upgradeability: Upgradeable

Provenance

[defillama] [:]

Review status: listed
Updated: 2026-06-02 13:51 UTC

Hallmarks

Apr '21Start Ethereum V2 Rewards
Oct '21Start AVAX V2 Rewards
Oct '21Potential xSUSHI attack found
Apr '22Start AVAX Rewards
May '22UST depeg
Jun '22stETH depeg
Aug '22Start OP Rewards
Apr '26KelpDAO hack

Deployments

Risk analysis

Stage

Risk analysis

Stage

Risk analysis

Stage

Risk analysis

Stage

Risk analysis

Stage

Risk analysis

Stage

Risk analysis

Stage

Protocol Info

Links

Security

Technical

Provenance

Hallmarks