★ Post-audit code changes without re-audit
Cap (cUSD / stcUSD)'s assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL] cUSD upgraded 2026-02-25 (~90 days after Spearbit PR Review 2025-11-27). GitHub shows 8-10 commits between Nov 2025 and the Feb 2026 upgrade (timelock implementation, EigenLayer operator updates merged). Octane audit (2026-03-24) post-dates the upgrade by ~27 days but its commit SHA scope is unconfirmed. EigenAgentManager and SymbioticMiddleware also upgraded ~Feb 2026 — Certora (2025-09-15) scope predates by ~5 months. Material post-audit code changes deployed without confirmed subsequent audit coverage.
Sources
- Etherscan: cUSD proxy — Upgraded events (Feb 2026). cUSD Upgraded events: Feb 25 2026 (impl 0xa764...fe6 current). Prior impl 0xDb54...782D active Nov 2025. Retrieved 2026-05-17.
- Octane audit 2026-03-24 — scope unconfirmed for Feb 2026 upgrades. Octane audit (2026-03-24): post-dates Feb 2026 upgrade by ~27 days. Scope/commit SHA not confirmed to cover Feb deployed bytecode. Retrieved 2026-05-17.
- cap-contracts commit history — post-Spearbit changes. GitHub commit history: ~8-10 commits between Nov 2025 Spearbit review and Feb 25 2026 'Merge dev'. Changes include timelock implementation, EigenLayer operator updates. Retrieved 2026-05-17.
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.