Scores/USDC

USDC

TEMPERED

Stablecoin · Multi-chain · $52B+ circulating TVL · 2 contracts

Official site: www.circle.com/usdc ↗

733

3004756508251000

Confidence75%

Z-Factor0.95

Updated 2026-06-01Public score

Security Profile

Access Control
45

Economic Soundness
82

Oracle Integrity
62

Compositional Risk
78

Governance
38

Maturity
97

Resilience
70

Supply Chain
84

Op Security
72

Cascade Exposure
30

Access Ctrl
45

Economic
82

Oracle
62

Compos.
78

Govern.
38

Maturity
97

Resilience
70

Supply Ch.
84

OpSec
72

Cascade
30

Min

Avg

Max

Audit History

ChainSecurity (CCTP V2, shared role/sig patterns)

2025-03Report

EtherAuthority (FiatTokenV2_2)

2024-01Report

Deloitte & Touche (monthly reserve attestation)

2025-09Report

Bug Bounty Program

$5,000

Max payout on HackerOne

View Program

Assessment

Issuer-only re-scope = 733 TEMPERED, up from the combined baseline 703 (which was dragged by CCTP's single-signature attestation surface, now split out). Exceptional maturity (D6=97, ~93 months, $52.46B, zero contract exploit) and clean economic surface (D2=82, Deloitte monthly attestations + S&P '2 strong') are balanced against extreme centralization — infinite-mint masterMinter + freeze-any blacklister + instant no-timelock upgradeable proxy (D1=45, D5=38) — and the highest systemic blast radius in the portfolio (D12=30). The $5,000 critical bug-bounty cap is a genuine governance/opsec drag (D5, D11). Confidence 75: on-chain role holders confirmed, real GitHub OpSec data, audits cited; only D7 (light pass, not full Mode-B) and D12 (analyst judgment) remain soft.

Dimension Breakdown

Methodology

12 dimensions · Updated 2026-06-01

Additional Dimensions

Top Score Drivers

Dimensions with the greatest marginal impact on BRI.

Access Control

45+66.9 potential

Still scored well below a decentralized lending protocol: infinite-mint + freeze-any + instant-upgrade on a $52B base under a single corporate operator with no on-chain delay

Governance & Upgradeability

38+44 potential

Bug-bounty governance signal: Circle BBP (HackerOne, public mode) caps the CRITICAL payout at $5,000 (min $150) for a $52B+ issuer — the circlefin/stablecoin-evm repo IS in scope as a bounty-eligible smart-contract asset; the low cap drew public criticism (LlamaRisk called it 'vastly insufficient')

Oracle Integrity

62+27.8 potential

The token has NO on-chain price oracle — its $1 peg is an off-chain banking/reserve property, not a verifiable on-chain safety property

Cascade Exposure

30+26.9 potential

USDC is the MOST systemically embedded asset in DeFi: PSM collateral (Sky), quote/collateral across Aave/Compound/Morpho/Curve, and the dominant CEX/DEX settlement leg

Adversarial Resilience

70+15.7 potential

Adversarial Risk Signals

Publicly verifiable security posture indicators.

Disclosure HistoryNot Assessed

Remediation VelocityNot Assessed

Bug Bounty ProgramNot Assessed

Audit CoverageNot Assessed

Incident HistoryNot Assessed

Deployed 2018-08-0310 dimensionsProvenance Ledger

methodology v2.1formula v1.1weights v1.1

Score History & Verification

Score provenance tracking begins with the next reassessment.

Full provenance ledger

On-Chain Data

Protocol Slug: "usdc"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours

Read Score

registry.getScore("usdc")

Reduce exploitable risk

Continuous adversarial analysis, vulnerability detection, and verified reassessment.

Embed this score

Live, updates automatically. Free for any site. Click-through links open the full report on BlackHart.

Public

Style

Theme

Format

Preview

Copy iframe code

<iframe
  src="https://blackhart.io/embed/oracle/usdc?variant=card&theme=dark"
  title="BlackHart Risk Index: USDC"
  width="340"
  height="290"
  frameborder="0"
  loading="lazy"
  style="border:0; max-width:100%;"
></iframe>

Believe this score contains a factual error? Submit evidence for review