defirisk.co
rubric v1.7.0

Bytecode similarity to audited upstream with behavior deviation

A tooling / compiler / ai factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor flags whether the protocol's deployed bytecode has high similarity to an audited upstream codebase but deviates in state-mutation ordering or control flow in a way consistent with AI-generated code modification. The detection method is a bytecode diff against known-audited upstream deployments, combined with curator inspection of state-mutation patterns. A positive flag does not prove AI generation but warrants additional scrutiny of the deviated sections.

**Why it matters** AI-assisted code generation can produce code that appears syntactically correct and semantically similar to audited upstream code but introduces subtle ordering violations (e.g., checks placed after effects, or external calls placed before the state mutations that should precede them) that create exploitable vulnerabilities. The risk is amplified when the AI-modified code closely resembles audited code, because security reviewers may rely on pattern recognition from the upstream audit rather than re-reviewing the modified sections from scratch. Two post-mortems in the in-sample dataset explicitly attributed exploited vulnerabilities to AI-generated code that deviated from the audited upstream pattern.

**Green / Yellow / Red** Green: bytecode diff against known-audited upstream shows only expected, documented modifications with no state-mutation ordering changes in security-critical paths. Yellow: bytecode diff reveals unexplained deviations in non-critical paths, or deviations in critical paths that can be explained by documented intentional changes. Red: bytecode diff reveals state-mutation ordering changes in security-critical functions (e.g., external calls before state updates, reentrancy-guard bypasses) that are not present in the audited upstream.

**Common gray cases** Protocols that fork from upstream code with documented security improvements (e.g., adding reentrancy guards that the upstream lacked) will show bytecode differences in security-critical paths; the curator must evaluate whether each such deviation is an improvement or a regression.

**Notable historical examples** No hack incidents are currently cross-linked in the database for this factor.

Measurement: what to look for

Determine whether the bytecode has high structural similarity to an audited upstream but deviates in state-mutation ordering (AI-generated copy risk pattern).

Data & output

**Data source** Bytecode diff tool + Slither CFG comparison between this contract and the upstream audited version

**Output format** Green / Yellow / Red

**Evidence artifact** Bytecode similarity score + CFG comparison highlighting state-mutation order differences

**Confidence signal** green = no significant behavioral deviation from audited upstream; yellow = similarity >80% with minor ordering differences; red = similarity >80% with material state-mutation ordering deviation; gray = no audited upstream to compare against
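As an added illustration (not defirisk's own tooling, and not the Slither CFG comparison the data source names), the following Python sketch implements both halves of the factor on constructed bytecode: a PUSH-immediate-normalised opcode diff that yields the similarity score, and a straight-line check for state writes that follow an external call, mapped to the gray / green / yellow / red signal above. The sample bytes, the linear heuristic standing in for a per-function CFG walk, and the `not_applicable` result below the 80% threshold are assumptions.

```python
import difflib

# Minimal EVM opcode table (subset for the constructed samples); anything else falls back to OP_xx.
OPCODES = {0x00: "STOP", 0x15: "ISZERO", 0x33: "CALLER", 0x34: "CALLVALUE", 0x52: "MSTORE",
           0x54: "SLOAD", 0x55: "SSTORE", 0x57: "JUMPI", 0x5a: "GAS", 0x5b: "JUMPDEST",
           0x80: "DUP1", 0xf1: "CALL", 0xf2: "CALLCODE", 0xf4: "DELEGATECALL",
           0xfa: "STATICCALL", 0xfd: "REVERT"}
EXTERNAL_CALLS = {"CALL", "CALLCODE", "DELEGATECALL", "STATICCALL"}
STATE_OPS = EXTERNAL_CALLS | {"SSTORE"}

def disassemble(hex_code):
    """Linear sweep to mnemonics; PUSHn immediates are dropped so constants/addresses don't skew the diff."""
    code = bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)
    ops, i = [], 0
    while i < len(code):
        b = code[i]
        if 0x60 <= b <= 0x7f:                      # PUSH1..PUSH32
            ops.append(f"PUSH{b - 0x5f}")
            i += b - 0x5f                          # skip the immediate bytes
        else:
            ops.append(OPCODES.get(b, f"OP_{b:02x}"))
        i += 1
    return ops

def similarity(a, b):
    """Structural similarity of two opcode streams in [0, 1]: the bytecode-diff score."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def effects_after_interaction(ops):
    """Straight-line heuristic (assumption): count SSTOREs that execute after an external call."""
    seen_call, n = False, 0
    for op in ops:
        if op in EXTERNAL_CALLS:
            seen_call = True
        elif op == "SSTORE" and seen_call:
            n += 1
    return n

def score(fork_hex, upstream_hex, threshold=0.80):
    """Map to the factor's confidence signal; not_applicable below the threshold is an assumption."""
    if upstream_hex is None:
        return "gray"                              # no audited upstream to compare against
    fork, up = disassemble(fork_hex), disassemble(upstream_hex)
    if similarity(fork, up) <= threshold:
        return "not_applicable"
    if [o for o in fork if o in STATE_OPS] == [o for o in up if o in STATE_OPS]:
        return "green"                             # same state-mutation order as upstream
    if effects_after_interaction(fork) > effects_after_interaction(up):
        return "red"                               # fork introduces call-before-state-write
    return "yellow"                                # order differs, but no new CEI violation

# Constructed sample bytecode (not real deployments): value-check preamble, then a withdraw-like path.
PREAMBLE = "6080604052348015600f57600080fd5b"
UPSTREAM = PREAMBLE + "6000548015602a57" + "6000600055" + "6000600060006000335af1" + "00"  # check, SSTORE, CALL
AI_FORK = PREAMBLE + "6000548015602a57" + "6000600060006000335af1" + "6000600055" + "00"   # CALL moved before SSTORE
EXTRA_WRITE = PREAMBLE + "6000548015602a57" + "6000600055" + "6001600055" + "6000600060006000335af1" + "00"
```

`score(AI_FORK, UPSTREAM)` comes out red (similarity about 0.90, with a new write-after-call), while `EXTRA_WRITE` only adds a second write before the call and lands on yellow.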

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-171 |
| --- | --- | --- |
| Aave v3 | ethereum | not_applicable |
| Across Protocol | ethereum | not_applicable |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | not_applicable |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | not_applicable |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | not_applicable |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | not_applicable |
| ether.fi | ethereum | not_applicable |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | not_applicable |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_applicable |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | not_applicable |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0; factor: RD-F-171; category: 12; carried: 80; critical: no