BlackHart

Uniswap V4

MITHRIL

DEX / AMM · Multi-chain · $3.5B TVL · 8 contracts

Official site: uniswap.org

Score: 856 (gauge ticks: 300, 475, 650, 825, 1000)
Confidence: 93%
Z-Factor: 0.74
Updated 2026-05-27 · Public score

Security Profile

Access Ctrl: 92
Economic: 88
Oracle: 98
Compos.: 88
Govern.: 92
Maturity: 89
Resilience: 39
Supply Ch.: 88
OpSec: 51
Cascade: 100
Min: 39 · Avg: 83 · Max: 100

Audit History

OpenZeppelin · 2024-09 (Report)
Trail of Bits · 2024-08
Spearbit · 2024-10
ABDK · 2024-07
Cantina Competition · 2024-06

Bug Bounty Program

$15,500,000
Max payout on Cantina

Assessment

Best-in-class DEX architecture. Immutable core, transient storage reentrancy guard, flash accounting, zero oracle deps. D7 pulls score from ADAMANTINE due to 81 validated findings (13 Critical) from deep adversarial research. TRIB-SETTLE-001 (permissionless fund theft via Tribunal composition) is the most severe finding to date, additionally impacting D4. Below ADAMANTINE due to deployment age (18mo), hook extensibility model, and now-demonstrated periphery composition risks.

Dimension Breakdown

Access Control: 92
Weight 18% · 92% confidence
  • +18: Minimal admin surface (fee setting only, capped)
  • +18: Transient storage lock eliminates reentrancy class
  • +18: Flash accounting enforces within-tx balance invariants
  • +18: 58 access control checks across 246 total checks (23.6% check density)
Economic Soundness: 88
Weight 13% · 90% confidence
  • +18: Flash accounting IS the primitive, not a vulnerability
  • +18: No share-inflation attack surface in singleton design
  • +18: 98 state writes but concentrated in ERC6909 token ops (balanceOf, allowance, isOperator)
  • +18: MEV is user-side (sandwich), not protocol-level
Oracle Integrity: 98
Weight 13% · 95% confidence
  • +24: Zero external oracle dependencies in core
  • +24: Self-sovereign pricing via AMM math
  • +24: Protocol is oracle SOURCE, not consumer
  • +24: 2 price_feed edges are hook-level, sandboxed per-pool
Battle-Tested Maturity: 89
Weight 12% · 92% confidence
  • +15: Deployed 2024-11-27 (~18 months live)
  • +15: Uniswap org active since 2018 (8 years)
  • +15: V3 never had a protocol-level exploit
  • +15: 4 audit firms (ToB, OZ, Spearbit, C4)
Governance & Upgradeability: 92
Weight 10% · 92% confidence
  • +31: Owner = 2-day Timelock controlled by GovernorBravo
  • +31: Admin can ONLY set protocol fee controller (capped at 0.1%)
  • +31: Cannot drain funds, modify logic, or upgrade contract
Adversarial Resilience (redacted): 39
Weight 10% · 95% confidence
  • 2 low-severity validated findings
Operational Security: 51
Weight 10% · 60% confidence
  • -24: No branch protection detected
  • -24: CI/CD present but unstable (0% success)
  • +13: Commit signing: 100% verified
  • +13: Strong PR review culture (73% reviewed)
Compositional Risk: 88
Weight 5% · 88% confidence
  • +18: Zero external dependencies in core PoolManager
  • +18: Hook risk sandboxed per-pool, not protocol-wide
  • +18: 14 trust_dependency edges all hook-related
  • +18: Bad hook affects one pool, not all of Uniswap
Cascade Exposure: 100
Weight 5% · 55% confidence
  • +25: Appears in 1 cross-protocol cascade chain (XPC-014)
  • +25: Member of 2 dependency clusters
  • +25: Zero downstream protocol dependencies
  • +25: Fully isolated architecture -- no systemic contagion risk
Supply Chain: 88
Weight 4% · 95% confidence
  • +22: Solidity 0.8.26 (stable, no critical known bugs)
  • +22: Minimal external dependencies (custom libs)
  • +22: Fully verified on Etherscan
  • +22: 41 mappings in singleton -- well-structured state

Top Score Drivers

Dimensions with the greatest marginal impact on BRI.

Adversarial Resilience: 39 (+54.9 potential)
Operational Security: 51 (+38.8 potential)
  • No branch protection detected
Economic Soundness: 88 (+9.3 potential)
  • Flash accounting IS the primitive, not a vulnerability
Access Control: 92 (+8.4 potential)
  • Minimal admin surface (fee setting only, capped)
Battle-Tested Maturity: 89 (+7.8 potential)
  • Deployed 2024-11-27 (~18 months live)

Adversarial Risk Signals

Publicly verifiable security posture indicators.

Disclosure History: Not Assessed
Remediation Velocity: Not Assessed
Bug Bounty Program: Not Assessed
Audit Coverage: Not Assessed
Incident History: Not Assessed

Deployed 2024-11-27 · 10 dimensions · Provenance Ledger
methodology v2.1 · formula v1.1 · weights v1.1 · evidence sha256:sha256:0...

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

Protocol Slug: "uniswap-v4"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours
Read Score: registry.getScore("uniswap-v4")

Embed this score

Live, updates automatically. Free for any site. Click-through links open the full report on BlackHart.

<iframe
  src="https://blackhart.io/embed/oracle/uniswap-v4?variant=card&theme=dark"
  title="BlackHart Risk Index: Uniswap V4"
  width="340"
  height="290"
  frameborder="0"
  loading="lazy"
  style="border:0; max-width:100%;"
></iframe>