Deployed bytecode matches signed release tag
Concrete's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No signed release tags were found in the public bug-bounty repo. The GitHub repo (Blueprint-Finance/concrete-earn-v2-bug-bounty) shows no releases. The last commit is dated April 20, 2026, but no tagged version corresponding to the deployed factory implementation (0x224f3450, March 19, 2026) is public. Etherscan shows Exact Match verified source, which confirms that the deployed bytecode matches the verified source, but there is no signed release artifact.
Sources
- Etherscan: ConcreteFactory Implementation — Exact Match verification (no signed release). ConcreteFactory impl 0x224f3450 verified Exact Match — deployed bytecode matches submitted source. Retrieved 2026-05-17.
- Blueprint-Finance GitHub — no signed release tags. GitHub repo Blueprint-Finance/concrete-earn-v2-bug-bounty: no releases/tags visible; last commit 2026-04-20. Retrieved 2026-05-17.
Methodology
Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.
rubric_version: v1.7.0; protocol: concrete; factor: RD-F-136; score: yellow; collected_at: 2026-05-17 14:36:59