defirisk.co
rubric v1.7.0

Audit scope mismatch

Chainlink CCIP's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Four audits are confirmed (Code4rena May-2023, Jul-2023, Nov-2024; Cyfrin Jul-2024). No audit provides a machine-readable commit SHA in public contest READMEs. The Nov-2024 scope covers the v1.6 contracts (OffRamp/OnRamp at pragma 0.8.24), but no SHA pinning is confirmed. The Ethereum mainnet Router/ARM contracts, compiled with solc 0.8.19, represent earlier versions. Bytecode matching between the Nov-2024 audit and the currently deployed contracts cannot be confirmed from available public data.

Sources

Methodology

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
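A sketch of the comparison step in this check, as an added example (not defirisk.co's or Chainlink's code). It assumes the audited commit has already been compiled to runtime bytecode and the deployed code fetched separately (for example with eth_getCode); the function names are hypothetical and all bytecode is constructed sample data.

```python
# Added example: compare an audited build's runtime bytecode with deployed bytecode.
# Function names are hypothetical; all bytecode below is constructed sample data.

def split_metadata(runtime: bytes):
    """Split solc runtime bytecode into (code, cbor_metadata); metadata is b'' if absent."""
    if len(runtime) < 2:
        return runtime, b""
    n = int.from_bytes(runtime[-2:], "big")  # solc ends the code with a 2-byte metadata length
    if n == 0 or n + 2 > len(runtime):
        return runtime, b""
    meta = runtime[-(n + 2):-2]
    if not 0xA0 <= meta[0] <= 0xBF:          # metadata must start with a CBOR map header
        return runtime, b""
    return runtime[:-(n + 2)], meta

def solc_version(meta: bytes):
    """Read the compiler version from the 'solc' entry (3-byte release encoding)."""
    key = b"\x64solc\x43"                    # CBOR text(4) "solc" followed by bytes(3)
    i = meta.find(key)
    if i < 0 or i + len(key) + 3 > len(meta):
        return None
    return ".".join(str(b) for b in meta[i + len(key): i + len(key) + 3])

def compare(audited: bytes, deployed: bytes) -> str:
    if audited == deployed:
        return "exact-match"
    (a_code, a_meta), (d_code, d_meta) = split_metadata(audited), split_metadata(deployed)
    if a_code == d_code:
        return "match-except-metadata"       # same code, different source/metadata hash
    va, vd = solc_version(a_meta), solc_version(d_meta)
    if va and vd and va != vd:
        return f"mismatch: compiler {va} vs {vd}"
    return "mismatch: code differs"

def _build(code: bytes, ipfs_hash: bytes, ver: tuple) -> bytes:
    """Assemble constructed bytecode with a solc-style metadata trailer."""
    meta = b"\xa2\x64ipfs\x58\x22" + ipfs_hash + b"\x64solc\x43" + bytes(ver)
    return code + meta + len(meta).to_bytes(2, "big")

CODE_A = bytes.fromhex("6080604052348015600f57600080fd5b00")  # constructed
AUDITED = _build(CODE_A, b"\x12\x20" + b"\x11" * 32, (0, 8, 24))
REDEPLOYED = _build(CODE_A, b"\x12\x20" + b"\x22" * 32, (0, 8, 24))
OLDER = _build(CODE_A[:-1] + b"\xfe", b"\x12\x20" + b"\x33" * 32, (0, 8, 19))
```

Contracts with immutable variables differ from the compiler output at the immutable positions, so a code mismatch needs manual review before it is scored as a scope mismatch.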


rubric_version: v1.7.0
protocol: chainlink-ccip
factor: RD-F-001
score: yellow
collected_at: 2026-05-16 01:55:09