defirisk.co
rubric v1.7.0

Audit firm tier

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the categorical tier assigned to the audit firms that have reviewed the protocol's deployed code. Tier classifications are maintained by curators on a published reputation list and are based on firm track record, auditor count, methodology rigor, and industry recognition. The categories are: Tier-1 (Trail of Bits, OpenZeppelin, Spearbit, ChainSecurity, Sigma Prime), Tier-2 (Halborn, Peckshield, Certik, Dedaub, MixBytes, others with established track records), boutique (smaller or newer firms), and unknown (no assessable reputation).

**Why it matters** Audit firm quality affects the probability that a given bug survives review. KyberSwap Elastic ($48M, 2023) was reviewed by ChainSecurity (Tier-1) and Sherlock -- yet the sub-microscopic precision failure was missed by both, illustrating that tier alone does not guarantee coverage of novel vulnerability classes. Conversely, protocols audited only by unknown boutique firms or self-reported internal reviewers have a weaker baseline assurance. Audit firm tier is a soft signal that is most useful in combination with other Cat 1 factors -- particularly audit scope coverage and post-audit code change status.

**Green / Yellow / Red** Green: at least one Tier-1 firm has reviewed the currently deployed code. Yellow: all audits are from Tier-2 or boutique firms with established track records but no Tier-1 involvement. Red: all audits are from unknown-reputation firms, or the only audits are self-reported internal reviews with no independent third-party verification.

**Common gray cases** Curators cannot grade this factor when audit firm identity is not disclosed, or when the curator-maintained reputation list has not yet classified a newly active firm. This factor is also gray when no audit exists (in which case RD-F-004 captures the absence).

**Notable historical examples** The factor's value is as a quality modifier on the audit count signal.

Measurement: what to look for

Classify each auditing firm into: Tier-1 (Trail of Bits / OpenZeppelin / ConsenSys Diligence / Certora / Sigma Prime / Spearbit / Zellic) / Tier-2 (established, named firm with public track record) / boutique / unknown.

Data & output

**Data source** Curator-maintained firm-tier registry (updated monthly) + audit PDF firm letterhead

**Output format** Green / Yellow / Red

**Evidence artifact** Curator-maintained registry version slug + firm name → tier mapping JSON + audit PDF URL

**Confidence signal** green = at least one Tier-1 audit of deployed code; yellow = Tier-2 only; red = boutique/unknown only; gray = no firm identifiable
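An added example (not defirisk.co's own code) of how the green / yellow / red / gray rule could be applied to a firm name → tier mapping. The audit record fields, tier strings and sample data are assumptions; the best tier among audits of deployed code decides the grade, and boutique-only is graded red as in the confidence signal above.

```python
import json

# Constructed registry in the "firm name -> tier" JSON shape of the evidence artifact.
REGISTRY = json.loads("""{
  "Trail of Bits": "tier-1", "OpenZeppelin": "tier-1",
  "Halborn": "tier-2", "Example Boutique Audits": "boutique",
  "Example Anon Reviews": "unknown"
}""")

def grade_rd_f_005(audits, registry=REGISTRY):
    """Grade one protocol. Audit dict keys (hypothetical): 'firm' (None when
    undisclosed), 'covers_deployed' (bool), 'internal' (self-reported review)."""
    tiers = set()
    for audit in audits:
        if not audit.get("covers_deployed"):
            continue  # only reviews of the currently deployed code count
        if audit.get("internal"):
            tiers.add("internal")  # no independent third-party verification
            continue
        tier = registry.get(audit.get("firm"))  # None: undisclosed or unlisted
        if tier is not None:
            tiers.add(tier)
    if "tier-1" in tiers:
        return "green"
    if "tier-2" in tiers:
        return "yellow"
    if tiers:
        return "red"   # only boutique, unknown or internal reviews remain
    return "gray"      # nothing gradable; a missing audit is RD-F-004's job

# Constructed sample protocols (not from the scored list).
SAMPLES = {
    "tier1_on_old_code": [{"firm": "Trail of Bits", "covers_deployed": False},
                          {"firm": "Halborn", "covers_deployed": True}],
    "unlisted_firm_only": [{"firm": "Brand New Firm", "covers_deployed": True}],
    "internal_only": [{"firm": None, "covers_deployed": True, "internal": True}],
    "boutique_plus_tier1": [{"firm": "Example Boutique Audits", "covers_deployed": True},
                            {"firm": "OpenZeppelin", "covers_deployed": True}],
}

def grade_samples():
    return {name: grade_rd_f_005(audits) for name, audits in SAMPLES.items()}

if __name__ == "__main__":
    for name, grade in grade_samples().items():
        print(f"{name}: {grade}")
```

The first sample shows why the deployed-code condition matters: a Tier-1 report on superseded code does not lift the grade above what the current Tier-2 review supports.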

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-005 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | yellow |
| Orca | solana | yellow |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0; factor: RD-F-005; category: 1; carried: 80; critical: no