Fix-merged-but-not-deployed gap

Compound V3 (Comet)'s assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence of merged security fix not yet deployed. GitHub last commit 2025-12-19; on-chain upgrades continued April 2026 (governance latency, not fix-withholding). 2023 Comet vulnerability (flash loan COMP reward manipulation) patched before public disclosure, confirmed by Tally proposal 203 and Messari record showing bug bounty reward was approved. Data cache rekt.incidents = [].

Sources #

URL
https://www.tally.xyz/gov/compound/proposal/203retrieved 2026-04-28
GitHub
https://github.com/compound-finance/cometretrieved 2026-04-28

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-140 score green collected_at 2026-04-28 00:20:50