defirisk.co
rubric v1.7.0

Fork retains upstream audit coverage

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor assesses whether the fork's audit coverage is adequate for its deployed code, specifically whether: (a) the upstream audit covers the portions of code the fork shares with the upstream, AND (b) any diverged portions (identified by RD-F-129 code divergence) have been covered by either a fresh fork-specific audit or a documented delta-review. The data source is audit PDFs combined with bytecode diffing against the upstream.

**Why it matters** A fork protocol that relies on the upstream's audit without its own review of diverged code has a false audit signal. Cork Protocol ($12M, 2025) is the sharpest example in the dataset: four separate audit firms reviewed the protocol across multiple rounds, yet the specific CorkHook contract that was exploited was outside at least three firms' scope. The protocol's management of a complex fork with multiple audit firms failed to cover the single most critical contract. For fork protocols specifically, the question is not 'has the protocol been audited?' but 'is the audit coverage continuous from the upstream through all divergence points to the deployed bytecode?'

**Green / Yellow / Red** Green: either (a) the fork divergence is below 10% and the upstream audit explicitly covers the shared code, or (b) the fork has a dedicated independent audit covering all deployed code including all diverged portions. Yellow: the fork has a delta-review or spot-review of the diverged portions but no full audit of the fork as a whole. Red: the fork relies entirely on the upstream's audit with no coverage of its own diverged code, or the diverged code exceeds 40% and no audit of any kind covers the fork-specific portions.

**Common gray cases** This factor is gray when audit PDFs are not publicly available and audit scope cannot be assessed, or when the fork origin cannot be confirmed to map the divergence.

**Notable historical examples** The factor functions as the integrated audit-coverage signal for the Cat 8 lineage assessment.

Measurement: what to look for

Determine whether the fork's deployed code is covered by either: (a) the upstream audit plus a delta-audit for fork-specific changes, or (b) a fresh independent audit of the fork.
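One way to run this check at contract level, as an added example (not defirisk.co's scoring code). It assumes divergence is the share of deployed contracts whose bytecode hash differs from upstream and that audit scopes are sets of contract names read from the PDFs; where the colour bands overlap, the rule order is also an assumption. The contract names and hashes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Contract:
    name: str
    fork_hash: str                # hash of the fork's deployed bytecode
    upstream_hash: Optional[str]  # None: no upstream counterpart (new in fork)

def classify(contracts, upstream_scope, fork_audit_scope=frozenset(),
             delta_scope=frozenset()):
    """Return (rating, divergence, names of diverged contracts nobody reviewed).

    upstream_scope=None models the gray case: audit scope is not public or
    the fork origin cannot be confirmed.
    """
    if upstream_scope is None or not contracts:
        return "gray", None, []
    diverged = [c for c in contracts if c.fork_hash != c.upstream_hash]
    shared = [c for c in contracts if c.fork_hash == c.upstream_hash]
    divergence = len(diverged) / len(contracts)
    reviewed = fork_audit_scope | delta_scope
    # An upstream audit never counts for diverged code: it reviewed other bytecode.
    uncovered = sorted(c.name for c in diverged if c.name not in reviewed)

    if all(c.name in fork_audit_scope for c in contracts):
        rating = "green"    # (b) dedicated audit of all deployed code
    elif divergence < 0.10 and all(c.name in upstream_scope for c in shared):
        rating = "green"    # (a) small divergence, shared code in upstream scope
    elif any(c.name in reviewed for c in diverged):
        rating = "yellow"   # delta/spot review of diverged code, no full audit
    else:
        rating = "red"      # upstream audit only, diverged code unreviewed
    return rating, divergence, uncovered

# Constructed sample: four deployed contracts, one modified by the fork.
FORK = [
    Contract("Vault", "h-vault", "h-vault"),
    Contract("Router", "h-router", "h-router"),
    Contract("Oracle", "h-oracle", "h-oracle"),
    Contract("Hook", "h-hook-fork", "h-hook-upstream"),
]
UPSTREAM_SCOPE = {"Vault", "Router", "Oracle", "Hook"}

if __name__ == "__main__":
    print(classify(FORK, UPSTREAM_SCOPE))                        # upstream only
    print(classify(FORK, UPSTREAM_SCOPE, delta_scope={"Hook"}))  # delta review
```

The third return value is the evidence worth keeping: it names each diverged contract that no fork-specific review reached, even when the overall colour is green under rule (a).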

Data & output

**Data source** Audit PDFs for this fork + upstream audit PDF + code diff to assess gap

**Output format** Green / Yellow / Red

**Evidence artifact** Audit coverage classification: full-fresh / upstream+delta / upstream-only (gap risk) / none + audit PDF URLs

**Confidence signal** green = full fresh audit or upstream + delta-audit covering all changes; yellow = upstream audit only with <20% divergence; red = no audit covering fork-specific changes; gray = no audit at all

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-131 |
| --- | --- | --- |
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | not_applicable |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | not_applicable |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | yellow |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | not_applicable |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | not_applicable |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | not_applicable |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0, factor: RD-F-131, category: 8, carried: 80, critical: no