Fix-merged-but-not-deployed gap

Centrifuge's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Sherlock Feb 2026 deployment verification audit explicitly covers whether fixes from Oct 2025 Sherlock V3.1 contest were included in deployed bytecode. yAudit Jan 2026 fix review covers post-Sherlock remediation. No public evidence of a merged vulnerability fix not included in deployed V3.1.0. Fix-verification chain: contest (Oct 2025) → fix review (Jan 2026) → deployment verification (Feb 2026).

Sources #

URL
https://audits.sherlock.xyz/contests/1028retrieved 2026-04-28
GitHub
https://github.com/centrifuge/protocol/tree/main/docs/auditsretrieved 2026-04-28
GitHub
https://github.com/centrifuge/protocol/blob/main/docs/audits/2026-01-yAudit.pdfretrieved 2026-04-28

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol centrifuge factor RD-F-140 score green collected_at 2026-04-30 21:19:10