defirisk.co
rubric v1.7.0

Fix-merged-but-not-deployed gap

A post-deploy hygiene & change mgmt factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Methodology: how we score

**What this measures** This factor identifies whether a known vulnerability exists in the deployed codebase — confirmed via a PR merged in the public repository — but the fix has not been included in the currently deployed bytecode. This gap between a merged fix and a deployed fix is the "fix-merged-but-not-deployed" state: the team acknowledged the vulnerability and prepared a patch, but users' funds remain at risk from the unpatched deployed code.

**Why it matters** Mirror Protocol and the Venus REKT4 incident both exemplify this failure mode: a governance proposal to fix a known vulnerability was created and merged, but the production deployment lagged behind the repository state. The Deus DAO 2 exploit demonstrated the urgency particularly clearly — the attacker's bypass of a post-hack oracle fix came 40 days after the fix was deployed, but the window between the first fix being described and the second vector being closed was entirely preventable. A fix-merged-but-not-deployed gap means users are exposed to a vulnerability the team knows about and has solved — the only remaining question is when the attacker will find it.

**Green / Yellow / Red** Green is assigned when the deployed bytecode is current with the repository's main branch and no known vulnerabilities have open PRs without corresponding deployments. Yellow covers cases where a low-severity fix has been merged but not yet deployed, with a documented deployment timeline. Red is assigned when a high or critical severity fix has been merged into the repository but the corresponding upgrade has not been applied to the production deployment.

**Common gray cases** This factor is grayed when the protocol repository is private or when the PRs cannot be matched to specific bytecode changes within the assessment window.

**Notable historical examples** No hack incidents are currently linked in the database for this factor.

Measurement: what to look for

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

Data & output

Data source: GitHub merged PR list (security/fix labels) + bytecode diff vs post-fix commit SHA
Output format: Green / Yellow / Red
Evidence artifact: PR URL + merge date + deployed bytecode commit SHA + diff showing whether fix is present
Confidence signal: green = all merged security fixes are present in deployed bytecode; red = merged security fix not yet deployed; gray = cannot determine deployed bytecode commit (see F136)

Scored protocols: 80 carry this factor

Protocol | Chain | RD-F-140
--- | --- | ---
Aave v3 | ethereum | green
Across Protocol | ethereum | gray
Aerodrome Finance | base | green
Axelar Network | ethereum | green
Babylon Protocol | bitcoin | green
Balancer (v2 + v3) | ethereum | green
Beefy Finance | ethereum | gray
BENQI | avalanche | not_assessed
BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray
Cap (cUSD / stcUSD) | ethereum | green
Centrifuge | ethereum | green
Chainlink CCIP | ethereum | green
Circle USYC | binance | gray
Compound V3 (Comet) | ethereum | green
Concrete | ethereum | gray
Convex Finance | ethereum | green
crvUSD (Curve Stablecoin) | ethereum | green
Curve Finance | ethereum | green
deBridge | ethereum | gray
Dolomite | ethereum | yellow
dYdX v4 (dYdX Chain) | dydx | green
EigenLayer | ethereum | green
Ethena | ethereum | green
ether.fi | ethereum | green
Euler V2 | ethereum | green
Falcon Finance | ethereum | gray
Fluid | ethereum | not_assessed
Frax Finance | ethereum | green
GMX v2 (GMX Synthetics) | arbitrum | green
Hyperlane | ethereum | yellow
Hyperliquid | arbitrum | green
Jito | solana | green
Jupiter | solana | gray
Jupiter Perpetual Exchange | solana | not_assessed
JustLend DAO | tron | yellow
Kamino Lend | solana | green
Kinetiq | hyperliquid | yellow
Lido | ethereum | green
Liquid Collective (LsETH) | ethereum | green
Liquity V1 + V2 (LUSD / BOLD) | ethereum | green
Lista DAO | bsc | green
Lombard Finance | ethereum | green
M^0 | ethereum | green
Maple Finance | ethereum | green
Marinade Finance | solana | green
Meteora | solana | green
mETH Protocol | ethereum | green
Midas | ethereum | gray
Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green
Multipli | ethereum | gray
Ondo Finance | ethereum | gray
OpenEden | ethereum | green
Orca | solana | green
PancakeSwap | bsc | green
Pendle Finance | ethereum | not_assessed
Polymarket | polygon | green
QuickSwap | polygon | yellow
Raydium | solana | green
Rocket Pool | ethereum | green
Sanctum | solana | green
Save (formerly Solend) | solana | gray
Sky Lending (formerly MakerDAO) | ethereum | green
Spark Protocol | ethereum | green
Spiko | stellar | green
Stake DAO | ethereum | green
StakeWise v3 | ethereum | green
Stargate Finance | ethereum | gray
stHYPE (Valantis Labs) | hyperliquid | gray
SUNSwap (sun.io) | tron | gray
Superstate | ethereum | green
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green
Symbiotic | ethereum | green
Synapse Protocol | ethereum | not_assessed
Uniswap (v2 + v3) | ethereum | green
USDD (Decentralized USD) | tron | gray
Usual (USD0 / bUSD0 / USUAL) | ethereum | gray
Veda (BoringVault) | ethereum | green
Venus Protocol | bsc | red
Wormhole | ethereum | gray
Yearn Finance | ethereum | green

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0
factor: RD-F-140
category: 9
carried: 80
critical: no