defirisk.co
rubric v1.7.0

Deployed bytecode matches signed release tag

A post-deploy hygiene & change mgmt factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the protocol's currently deployed runtime bytecode corresponds to a signed git tag in the protocol's public repository. The verification process compares the on-chain bytecode hash against the compiled artifact from the tagged commit, using the protocol's declared compiler settings. A match means the deployed code is traceable to a specific point in the public version history; a mismatch means the deployed code was compiled from a state that is not publicly verifiable.

**Why it matters** Bytecode-to-release-tag correspondence is the foundational transparency requirement for any post-audit assurance claim. When an audit references a specific commit, users need to know that the deployed bytecode corresponds to that commit — or to a subsequent tagged release that documents what changed. Without this correspondence, an audit report cannot be meaningfully linked to the production system. The synthesis notes that "audited protocol, unaudited upgrade" is a recurring failure mode: release tag correspondence would catch the case where the deployed bytecode diverges from the audited commit without a documented release entry.

**Green / Yellow / Red** Green is assigned when all production contracts have their bytecode verified against a signed release tag that is publicly accessible and the compiler settings are reproducible. Yellow covers cases where a tag exists but is unsigned, or where the correspondence is established for major contracts but not peripheral ones. Red is assigned when the deployed bytecode does not match any tagged release in the public repository, or when the repository has no tagged releases and the deploy commit is not documented.

**Common gray cases** This factor is grayed when the protocol repository is private and no public artifact verification path exists, or when the protocol operates on a chain where deterministic compilation tooling is not yet mature.

**Notable historical examples** No hack incidents are currently linked to this factor in the database.

Measurement: what to look for

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

Data & output

**Data source** GitHub release tags + `git tag -v` signature check + Etherscan bytecode vs compiled artifact from tag

**Output format** Green / Yellow / Red

**Evidence artifact** Signed tag commit SHA + deployed bytecode hash + match result

**Confidence signal** green = deployed bytecode matches a GPG-signed release tag; yellow = bytecode matches an unsigned tag; red = bytecode does not match any release tag; gray = repo is private or no release tags exist
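
The comparison and rating mapping described above, as an added Python example (not defirisk.co's own tooling). It goes one step beyond the page by separating an exact match from one that differs only in the CBOR metadata trailer that solc appends to runtime bytecode. The function names, the constructed sample bytes and the use of SHA-256 for the evidence hash are assumptions; per-tag artifacts are taken as already compiled and `git tag -v` results as already collected.

```python
import hashlib

def split_metadata(code: bytes):
    """Split solc runtime bytecode into (executable code, CBOR metadata trailer)."""
    if len(code) >= 2:
        n = int.from_bytes(code[-2:], "big")  # trailer ends with its own 2-byte length
        start = len(code) - 2 - n
        # Require a CBOR map header (0xa0-0xb7) so ordinary code is never cut.
        if n > 0 and start >= 0 and 0xA0 <= code[start] <= 0xB7:
            return code[:start], code[start:]
    return code, b""

def score(deployed, artifacts, signed_tags, repo_public=True):
    """Rate one contract. artifacts: tag -> runtime bytecode compiled from that tag;
    signed_tags: tags whose signature verified (e.g. with `git tag -v`)."""
    # SHA-256 is an assumption: the page does not name the hash function.
    evidence = {"deployed_sha256": hashlib.sha256(deployed).hexdigest(),
                "tag": None, "match": "none"}
    if not repo_public or not artifacts:
        return "gray", evidence
    body = split_metadata(deployed)[0]
    best = None
    for tag, art in artifacts.items():
        if art == deployed:
            exact = True
        elif split_metadata(art)[0] == body:
            exact = False  # differs only in the metadata trailer
        else:
            continue
        cand = (tag in signed_tags, exact, tag)  # prefer signed, then exact
        if best is None or cand > best:
            best = cand
    if best is None:
        return "red", evidence
    evidence.update(tag=best[2], match="exact" if best[1] else "code-only")
    return ("green" if best[0] else "yellow"), evidence

# Constructed sample: 5 bytes of code plus a 51-byte solc-style CBOR trailer.
CODE = bytes.fromhex("6080604052")

def trailer(fill: int) -> bytes:
    cbor = (bytes.fromhex("a264697066735822") + bytes([fill]) * 34
            + bytes.fromhex("64736f6c6343000814"))
    return cbor + len(cbor).to_bytes(2, "big")

DEPLOYED = CODE + trailer(0x11)

if __name__ == "__main__":
    print(score(DEPLOYED, {"v1.0.0": CODE + trailer(0x22)}, {"v1.0.0"}))
```

A `code-only` match earns the tag's rating here; whether a trailer-only difference should count as a match is a policy choice the page does not settle.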

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-136 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | red |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | red |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | gray |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | red |
| Jupiter Perpetual Exchange | solana | red |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | red |
| Orca | solana | gray |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-136 category 9 carried 80 critical no