defirisk.co
rubric v1.7.0

Audit recency

A code & audits factor in the v1.7.0 rubric, measured per protocol on a recurring cadence.

Methodology: how we score

**What this measures** The number of days between the sign-off date of the most recent audit report and the current assessment date, measured against the currently deployed bytecode rather than a repository commit. If the protocol has deployed code changes since that audit, the changed surface is treated as having no audit coverage, and the factor is assessed against the most recent audit that actually covers the live code. Data source: the sign-off date from the audit PDF metadata, combined with the on-chain deploy timestamp of the live bytecode.

**Why it matters** Code reviewed two or more years ago was reviewed against the vulnerability knowledge of that era. The Onyx Protocol's second exploit (September 2024) came 32 months after a January 2022 CertiK audit, one of the longer audit-to-exploit gaps for an 'audited' protocol in the dataset, and crucially, the empty-market attack pattern it used was only publicly documented after that audit was completed. A recent audit is not a guarantee of safety, but a stale one is a leading indicator that the protocol's code has drifted beyond what the review covered, particularly in fast-moving ecosystems where new vulnerability classes emerge regularly.

**Green / Yellow / Red** Green: the most recent audit covering the deployed bytecode was completed within 12 months and no code changes have been deployed since. Yellow: the audit is 12 to 24 months old, or code changes have been deployed since the audit with a delta-review covering the changes. Red: the most recent audit is older than 24 months, or deployed code has changed substantially since the last audit with no subsequent review of any kind.

**Common gray cases** Curators cannot grade this factor when no audit report with a clear sign-off date is publicly available, or when the protocol refuses to disclose audit metadata.

**Notable historical examples**
- **Atomic Wallet** ($100M est., 2023): Least Authority findings from a 2021 audit were never addressed; the audit was approximately two years stale at exploit time.
- **Onyx Protocol 2nd** ($3.8M, 2024): the January 2022 CertiK audit was 32 months stale; the exploited empty-market pattern was not known at audit time.
- **GMX V1** ($42M recovered, 2025): approximately three years of post-audit code changes had accumulated before the exploit.
- **Yearn Finance** ($10M, 2023): the exploit occurred approximately three years after a February 2020 audit.
- **Venus Protocol** ($3.7M, 2026): a Code4rena audit that had flagged the exact vulnerability class was approximately three years old at exploit time.

Measurement: what to look for

Measure the number of days between today and the sign-off date of the most recent audit report covering the currently deployed bytecode. Check coverage against what is actually live, not against the repository: for a contract behind an upgradeable proxy, compare the current implementation's bytecode and deploy timestamp with the audit scope, since an implementation swapped in after sign-off is unreviewed code even when the proxy address is unchanged.

Data & output

Data source: Auditor firm's published PDF (sign-off date) + Etherscan deploy timestamp for current bytecode
Output format: Green / Yellow / Red (Gray when the factor cannot be graded)
Evidence artifact: Audit PDF URL + sign-off date + deploy block timestamp + days-delta integer
Confidence signal: green = ≤365 days; yellow = 366–730 days; red = >730 days or no audit found; gray = no audit report accessible
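The scoring rules above (thresholds, the coverage reset on code changes, the delta-review case and the gray case) are easiest to check when written out as one function. The following is an added example, not defirisk.co's own scoring code: the record types, field names (AuditReport, Deployment, covers, substantial_change), sample dates, hashes and URLs are all assumptions constructed for illustration; only the thresholds and the grade rules come from the rubric text. One reading the rubric leaves implicit is also made explicit and labelled: an unreviewed but non-substantial change cannot be green (green requires no change) and is not red (red requires a substantial change), so it lands in yellow.

```python
"""Grader for the audit-recency factor over constructed inputs.

Added illustration only: not defirisk.co's scoring code. The record
types, the field names and the sample data below are assumptions;
the thresholds and grade rules are taken from the rubric text.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, Iterable, Optional

GREEN_MAX_DAYS = 365   # green  = <= 365 days
YELLOW_MAX_DAYS = 730  # yellow = 366-730 days; red beyond that


@dataclass(frozen=True)
class AuditReport:
    auditor: str
    url: str                        # published PDF; goes into the evidence artifact
    signed_off: Optional[date]      # sign-off date from the PDF metadata (None = not stated)
    covers: FrozenSet[str]          # code hashes of the runtime bytecode the report reviewed
    delta_review: bool = False      # True for a scoped re-review of changes only


@dataclass(frozen=True)
class Deployment:
    code_hash: str                  # keccak256 of the live runtime bytecode
    deployed_at: date               # block timestamp of the deploying transaction
    substantial_change: bool        # curator judgment relative to the last audited version


@dataclass(frozen=True)
class Grade:
    colour: str                     # green / yellow / red / gray
    days_delta: Optional[int]
    reason: str
    evidence: dict = field(default_factory=dict)


def grade_audit_recency(audits: Iterable[AuditReport], live: Deployment, today: date) -> Grade:
    """Apply the RD-F-002 rules to one protocol's live deployment."""
    dated = [a for a in audits if a.signed_off is not None]
    if not dated:
        return Grade("gray", None, "no audit report with a clear sign-off date is accessible")

    # The reference report is the newest one whose scope includes the live
    # bytecode. If none does, fall back to the newest report of any scope and
    # treat the deployed change as unreviewed.
    covering = [a for a in dated if live.code_hash in a.covers]
    ref = max(covering or dated, key=lambda a: a.signed_off)
    days = (today - ref.signed_off).days
    evidence = {                    # the rubric's evidence artifact
        "audit_pdf": ref.url,
        "sign_off": ref.signed_off.isoformat(),
        "deploy_timestamp": live.deployed_at.isoformat(),
        "days_delta": days,
    }

    if days > YELLOW_MAX_DAYS:
        return Grade("red", days, "most recent audit is older than 24 months", evidence)
    if not covering:
        if live.substantial_change:
            return Grade("red", days, "substantial code change with no subsequent review", evidence)
        # Green is reserved for unchanged code, so an unreviewed but
        # non-substantial change lands in yellow (assumed reading of the rules).
        return Grade("yellow", days, "unreviewed code change since the last audit", evidence)
    if ref.delta_review:
        return Grade("yellow", days, "live code is covered only by a delta-review", evidence)
    if days > GREEN_MAX_DAYS:
        return Grade("yellow", days, "audit is 12 to 24 months old", evidence)
    return Grade("green", days, "full audit within 12 months covers the live bytecode", evidence)


# Constructed sample data for a hypothetical protocol; hashes and URLs are placeholders.
TODAY = date(2026, 4, 20)
FULL_2022 = AuditReport("Firm A", "https://example.invalid/2022.pdf", date(2022, 1, 15), frozenset({"0xaaaa"}))
FULL_2024 = AuditReport("Firm A", "https://example.invalid/2024.pdf", date(2024, 10, 1), frozenset({"0xbbbb"}))
FULL_2025 = AuditReport("Firm B", "https://example.invalid/2025.pdf", date(2025, 6, 10), frozenset({"0xcccc"}))
DELTA_2026 = AuditReport("Firm B", "https://example.invalid/2026-delta.pdf", date(2026, 1, 20),
                         frozenset({"0xdddd"}), delta_review=True)
UNDATED = AuditReport("Firm C", "https://example.invalid/undated.pdf", None, frozenset({"0xeeee"}))


def demo() -> Dict[str, Grade]:
    """One deployment per rubric outcome, keyed by scenario name."""
    return {
        "stale_full_audit": grade_audit_recency(
            [FULL_2022], Deployment("0xaaaa", date(2022, 2, 1), False), TODAY),
        "audit_12_to_24_months": grade_audit_recency(
            [FULL_2024], Deployment("0xbbbb", date(2024, 10, 5), False), TODAY),
        "fresh_full_audit": grade_audit_recency(
            [FULL_2025], Deployment("0xcccc", date(2025, 6, 12), False), TODAY),
        "substantial_unreviewed_upgrade": grade_audit_recency(
            [FULL_2025], Deployment("0xdddd", date(2025, 12, 1), True), TODAY),
        "upgrade_with_delta_review": grade_audit_recency(
            [FULL_2025, DELTA_2026], Deployment("0xdddd", date(2025, 12, 1), True), TODAY),
        "no_dated_report": grade_audit_recency(
            [UNDATED], Deployment("0xeeee", date(2025, 3, 1), False), TODAY),
    }


if __name__ == "__main__":
    for scenario, g in demo().items():
        print(f"{scenario:32s} {g.colour:7s} {g.days_delta}  {g.reason}")
```

Note that the same bytecode hash graded twice with the same inputs always yields the same evidence dict, which is what makes the factor reproducible from the artifact: a curator can re-derive the days-delta integer from the PDF sign-off date and the deploy block timestamp alone.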

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-002 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | red |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | red |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | red |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | red |
| JustLend DAO | tron | red |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | red |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | red |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | red |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | yellow |

Linked hacks: 9 historical incidents

- related · **Hyperbridge** (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1) · 2026-04-13 · $3M · Smart-contract proof-verification bypass — MMR bounds-check failure + missing proof-to-request binding + zero challenge period + single-step admin transfer · Time since last audit: ~16–18 months (2024 → April 2026)
- illustrative · **Venus Protocol** · 2026-03-15 · $4M · Donation attack → supply cap bypass → collateral inflation → recursive borrow loop · Time since last audit: ~3 years since the Code4rena audit that flagged the exact vulnerability
- illustrative · **GMX V1** · 2025-07-09 · Cross-contract reentrancy via order-keeper callback · Time since last audit: ~3 years at exploit (extensive post-audit code changes)
- related · **1inch** (Fusion v1 resolver contracts) · 2025-03-05 · $5M · Integer underflow in deprecated assembly — calldata pointer corruption → resolver address forgery · Time since last audit: unknown; v1 deprecated mid-2023, ~18 months before the exploit
- related · **Onyx Protocol** (2nd incident) · 2024-09-25 · $4M · Compound V2 empty-market donation attack — VUSD governance-added market · Time since last audit: ~2 years 8 months at time of exploit
- related · **Unizen** · 2024-03-08 · $2M · Unvalidated external call in upgraded DEX Aggregation contract — approval drain · Time since last audit: ~2 years (2022 audit; exploit March 2024)
- related · **Atomic Wallet** (non-custodial multi-chain wallet) · 2023-06-02 · $100M · Root cause unknown officially; suspected BGP hijacking combined with a client-side vulnerability (possibly private key logging); Least Authority had flagged vulnerabilities in 2021 that were never addressed · Time since last audit: ~2 years (Least Authority findings from 2021 never addressed)
- related · **Yearn Finance** (iearn yUSDT) · 2023-04-13 · $10M · Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted · Time since last audit: ~3 years (Feb 2020 audit; April 2023 exploit)
- related · **Hedera** (network-level — Hashgraph Smart Contract Service) · 2023-03-09 · $515K · Smart Contract Service (HTS) code bug — Uniswap V2 port exploit · Time since last audit: ~2 years (2021 audit; exploit 2023)
rubric_version: v1.7.0 · factor: RD-F-002 · category: 1 · carried: 80 · critical: no