
[Proposal] Trust & Security Scoring System for Protocols #11317

@rontoTech

Summary

I've built LlamaScan, an open-source trust scoring system that analyzes DeFi protocols across multiple security dimensions. I'd like to propose integrating this into DefiLlama to help users make more informed decisions.

Working code: https://github.com/rontoTech/llamascan

The Problem

DefiLlama lists 4000+ protocols, but users have no easy way to assess:

  • Is this protocol actively maintained?
  • Are the contracts verified and auditable?
  • Can the admin drain funds, pause the contract, or blacklist addresses?
  • Is it upgradeable without a timelock?

Currently, users must manually check GitHub, Etherscan, and read contract code - most don't.

Proposed Solution: 5-Layer Trust Analysis

Layer 1: Source Code    - GitHub activity, contributors, code maturity
Layer 2: Verification   - Contracts verified on Etherscan/Sourcify
Layer 3: Privileges     - Admin powers, proxy detection, ownership analysis
Layer 4: AI Audit       - Automated vulnerability scanning
Layer 5: On-chain       - Historical admin behavior, fund flows

What's Already Built

Working end-to-end:

  • ✅ GitHub analyzer - fetches activity, stars, contributors
  • ✅ Trust scoring algorithm - 0-100 score with A-F grades
  • ✅ CLI tool - npm run dev -- scan aave
  • ✅ 32 passing unit tests

Code complete, needs integration:

  • 🔨 Dangerous function detection - 40+ patterns (pause, blacklist, mint, withdraw, etc.)
  • 🔨 Proxy pattern detection - EIP-1967, Diamond, Beacon, Minimal
  • 🔨 Etherscan verification checker (multi-chain)
  • 🔨 Privilege analysis framework

Example Output

🦙 LlamaScan v0.1.0

Scanning: aave (organization)

📊 Fetching GitHub metrics...
   Found 96 repositories
   Total stars: 6,739
   Contributors: 5

Trust Score: 94/100 (Grade: A)

Breakdown:
  Activity:     90/100
  Maturity:     100/100
  Community:    90/100
  Transparency: 95/100

How It Aligns with DefiLlama Values

From the careers page:

"I believe it's very important that we stay completely unopinionated and list everything, even if it's a scam"

LlamaScan doesn't gatekeep - it provides transparent, objective data and lets users decide. It's:

  • 🔓 Open source - All methodology is auditable
  • 📊 Data-driven - Uses only verifiable on-chain and GitHub data
  • ⚖️ Neutral - No paid rankings, no conflicts of interest
  • 🎯 User choice - Shows data, doesn't hide protocols

Dangerous Functions Detected

🔴 CRITICAL: pause(), blacklist(), withdraw(), emergencyWithdraw()
🟠 HIGH:     upgradeTo(), mint(), burn()
🟡 MEDIUM:   setFee(), setOracle(), transferOwnership()

Integration Ideas

  1. Protocol page badge - Show trust score on each protocol page
  2. Trust filter - Let users filter protocols by trust grade
  3. Warning banners - Auto-generate warnings for critical findings
  4. API endpoint - /trust/:protocol for external integrations

Current Limitation

LlamaScan currently works for protocols that have a GitHub link on DefiLlama. Protocols without public GitHub repositories cannot be analyzed for code quality metrics.

This covers a significant portion of legitimate DeFi protocols, but not all. Future versions could add alternative signals for closed-source protocols.

What I'm Asking

  1. Is this something DefiLlama would be interested in?
  2. Any feedback on the approach?
  3. Would you prefer a PR to integrate, or keep it as a separate tool?

Happy to adjust the direction based on your feedback. I'm building this because I believe in DefiLlama's mission of transparent, neutral data for DeFi.


Repo: https://github.com/rontoTech/llamascan
Author: rontoTech ([email protected])

Related issue: #10822
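
The privilege checks the proposal lists (Layer 3, the "Dangerous Functions Detected" tiers and the EIP-1967 / Diamond / Beacon / Minimal proxy detection) can be sketched in a few dozen lines. The block below is an added example and is not code from the LlamaScan repository or from DefiLlama; the function names (classifyAbi, isDiamond, detectProxy, storageOf), the prefix-matching rule, and the sample ABI, bytecode and storage words are constructed for illustration. The severity tiers are the ones in the proposal; the EIP-1967 slot constants and the EIP-1167 bytecode layout are the well-known values from those EIPs.

```javascript
// Added example (not LlamaScan's or DefiLlama's code): minimal versions of the
// "dangerous function" classifier and proxy-pattern detector the proposal
// describes. Sample ABI, bytecode and storage below are constructed.

// Privileged-function name prefixes by tier, taken from the proposal's list.
// Matching is a case-insensitive prefix test, so withdrawAll, mintTo and
// upgradeToAndCall are caught too. Caveat: a name says nothing about WHO may
// call the function, so hits are candidates for privilege analysis, not findings.
const SEVERITY_RULES = [
  { severity: "CRITICAL", prefixes: ["pause", "blacklist", "withdraw", "emergencyWithdraw"] },
  { severity: "HIGH",     prefixes: ["upgradeTo", "mint", "burn"] },
  { severity: "MEDIUM",   prefixes: ["setFee", "setOracle", "transferOwnership"] },
];

// Walk a verified ABI and tag state-changing functions whose name matches a tier.
function classifyAbi(abi) {
  const findings = [];
  for (const item of abi) {
    if (item.type !== "function") continue;
    // view/pure functions cannot change state: paused() is not a pause switch
    if (item.stateMutability === "view" || item.stateMutability === "pure") continue;
    const name = item.name.toLowerCase();
    const rule = SEVERITY_RULES.find(r => r.prefixes.some(p => name.startsWith(p.toLowerCase())));
    if (rule) findings.push({ name: item.name, severity: rule.severity });
  }
  return findings;
}

// EIP-2535 diamonds expose diamondCut plus the loupe; both in a verified ABI is a strong hint.
function isDiamond(abi) {
  const names = new Set(abi.filter(i => i.type === "function").map(i => i.name));
  return names.has("diamondCut") && names.has("facetAddresses");
}

// EIP-1967 slots are keccak256("eip1967.proxy.<name>") - 1; the well-known
// constants are hard-coded so the example runs without a keccak library.
const EIP1967 = {
  implementation: "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc",
  admin:          "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103",
  beacon:         "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50",
};
// EIP-1167 minimal proxy runtime bytecode with the 20-byte target embedded.
const EIP1167_RE = /^0x363d3d373d3d3d363d73([0-9a-f]{40})5af43d82803e903d91602b57fd5bf3$/i;

const ZERO_WORD = "0x" + "0".repeat(64);
const wordToAddress = (w) => "0x" + w.slice(-40);

// `code` is the runtime bytecode (eth_getCode); `storageAt(slot)` returns the
// 32-byte word at a slot (eth_getStorageAt) or undefined. Both are injected so the
// same check runs against a live RPC or, as here, against constructed data.
function detectProxy(code, storageAt) {
  const m = EIP1167_RE.exec(code);
  if (m) return { kind: "Minimal (EIP-1167)", implementation: "0x" + m[1].toLowerCase() };
  const beacon = storageAt(EIP1967.beacon);
  if (beacon && beacon !== ZERO_WORD) return { kind: "Beacon (EIP-1967)", beacon: wordToAddress(beacon) };
  const impl = storageAt(EIP1967.implementation);
  if (impl && impl !== ZERO_WORD) {
    const admin = storageAt(EIP1967.admin);
    return {
      kind: "EIP-1967",
      implementation: wordToAddress(impl),
      // transparent proxies fill the admin slot; UUPS proxies leave it zero
      admin: admin && admin !== ZERO_WORD ? wordToAddress(admin) : null,
    };
  }
  return null;
}

// --- constructed sample data (only the ABI fields the checks use) ---
const SAMPLE_ABI = [
  { type: "function", name: "pause",             stateMutability: "nonpayable" },
  { type: "function", name: "paused",            stateMutability: "view" },
  { type: "function", name: "balanceOf",         stateMutability: "view" },
  { type: "function", name: "withdrawAll",       stateMutability: "nonpayable" },
  { type: "function", name: "mintTo",            stateMutability: "nonpayable" },
  { type: "function", name: "upgradeToAndCall",  stateMutability: "payable" },
  { type: "function", name: "setFee",            stateMutability: "nonpayable" },
  { type: "function", name: "transferOwnership", stateMutability: "nonpayable" },
  { type: "function", name: "deposit",           stateMutability: "payable" },
];
const DIAMOND_ABI = [
  { type: "function", name: "diamondCut",     stateMutability: "nonpayable" },
  { type: "function", name: "facetAddresses", stateMutability: "view" },
];
const MINIMAL_PROXY_CODE = "0x363d3d373d3d3d363d73" + "be".repeat(20) + "5af43d82803e903d91602b57fd5bf3";
const TRANSPARENT_STORAGE = {
  [EIP1967.implementation]: "0x" + "0".repeat(24) + "ca".repeat(20),
  [EIP1967.admin]:          "0x" + "0".repeat(24) + "ad".repeat(20),
};
const BEACON_STORAGE = { [EIP1967.beacon]: "0x" + "0".repeat(24) + "bc".repeat(20) };
const storageOf = (map) => (slot) => map[slot];

console.log(classifyAbi(SAMPLE_ABI));
console.log(detectProxy(MINIMAL_PROXY_CODE, () => undefined));
console.log(detectProxy("0x6080604052", storageOf(TRANSPARENT_STORAGE)));
```

Two things the output should make obvious to anyone wiring this into a score: the classifier only sees names, so a vault's ordinary user-facing withdraw() lands in the same CRITICAL bucket as an owner-only drain until the privilege layer checks who can call it, and a non-null admin on an EIP-1967 proxy is exactly the address whose timelock (or lack of one) the proposal's "upgradeable without a timelock" question is about.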
