defirisk.co
rubric v1.7.0

Audit scope mismatch

Aave v3's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Governance proposal 429 cites commit b3ce634; v3.6.0 release tag is 5a230ec. Discrepancy unresolved programmatically. No affirmative evidence of material bytecode mismatch, but programmatic bytecode diff has not been performed. Nov 2025 v3.6 audit batch (Pashov, Certora, MixBytes, Savant, Blackthorn) covers v3.6 code without individually resolving this SHA discrepancy.

Detail #

The discrepancy was identified in T-10 and remains open as of 2026-04-27. The yellow threshold applies: no verifiable commit SHA match confirmed, but no material divergence found in any published analysis either. The critical-factor cheat-sheet yellow criterion is 'minor non-logic diff (<=5 LOC whitespace/comments, no state-mutating change)' — the SHA discrepancy does not affirmatively establish even that, making it yellow rather than green.

Sources #

  • Internal
    T-10 Aave v3 Dry Run §2.3.2T-10 §2.3.2 Cat 1 — RD-F-001 yellow findingretrieved 2026-04-27
  • Governance
    Aave Governance Proposal 429Aave governance proposal 429 (commit b3ce634)retrieved 2026-04-27
  • GitHub
    aave-v3-origin Releasesaave-v3-origin v3.6.0 release tag (5a230ec)retrieved 2026-04-27

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-001 score yellow collected_at 2026-04-27 23:28:46