Code complexity vs audit coverage
Frax Finance's assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The codebase is large: frax-solidity has 695 commits and is 53% Solidity, and there are additional frax-governance, frax-oft-upgradeable and frxETH-public repos. There have been 20 audit engagements in total across 7 firms. The Trail of Bits (ToB) engagements were at Level 4 effort (the highest tier). The Code4rena scopes were small (frxETH 413 LOC, Fraxlend 2,110 LOC). The AMO contracts appear not to have dedicated external audit coverage, and the protocol itself notes that AMOs 'number in the dozens across the Frax balance sheet.' This breadth relative to available audit coverage warrants yellow.
Sources
- GitHub, Trail of Bits Publications. ToB publications: all Frax engagements listed at Level 4 effort. Retrieved 2026-05-17.
- FraxFinance/frax-solidity GitHub. frax-solidity repo: 695 commits, 53% Solidity, significant codebase breadth. Retrieved 2026-05-17.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.