Fix-merged-but-not-deployed gap
Chainlink CCIP's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No known fix-merged-but-not-deployed gap identified. CCIP uses redeployment cycles (v1.0 -> v1.2 -> v1.5 -> v1.6). Code4rena and Cyfrin audit systems generally require fixes to be implemented before final report acceptance. No public record of a merged fix not yet deployed found.
Sources #
- GitHubsmartcontractkit/audits — Chainlink audit reports reposmartcontractkit/audits — repo confirmed to exist with reports directory; no specific undeployed-fix report identifiedretrieved 2026-05-16
- Code4rena Chainlink Nov 2024 AuditCode4rena 2023 and 2024 CCIP audit repos — no known undeployed fix found in public contest repositoriesretrieved 2026-05-16
Methodology #
Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-140 score green collected_at 2026-05-16 01:55:09