GitHub force-push to sensitive branch

Frax Finance's assessment for RD-F-108 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2-deferred signal. FraxFinance GitHub org has 41 repos; frax-solidity last commit 2025-10-03. No public evidence of force-push on protected branches in trailing 30d. The Dec 2025 stealth-patch allegation involves deployed bytecode differing from Etherscan-verified source — a different pattern from a force-push on the repo (more relevant to Cat 9 RD-F-136/RD-F-138). Requires GitHub API monitoring with per-protocol protected-branch list.

Sources #

GitHub
FraxFinance/frax-solidity GitHub repositoryFraxFinance GitHub org — 41 repos; frax-solidity last commit 2025-10-03; no force-push events visible in public commit historyretrieved 2026-05-17

Methodology #

Detect whether the repository shows a force-push or push to a sensitive branch (main, production tag) from a non-protocol account.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-108 score gray collected_at 2026-05-16 20:44:31