defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

Across Protocol's assessment for RD-F-139 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Post-audit code changes deployed without re-audit | The 2026-02-23 Deposit Flow audit explicitly documents: (1) EIP-712 replay in `CounterfactualDepositSpokePool` — "Acknowledged, not resolved" (design limitation accepted, not a deployed-but-unpatched fix per se); (2) post-audit PRs merged after the audit window (documentation, visibility, events). The Aug 2024 diff audit left 1 medium unresolved (outdated SafeERC20). Neither constitutes the Euler-lineage pattern (critical logic added post-au...

Sources #

  • Curator note
    Extracted from 02-governance-admin.md — RD-F-139; no URL citedretrieved 2026-04-28

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol across-protocol factor RD-F-139 score gray collected_at 2026-04-30 21:19:18