Deployed bytecode matches signed release tag

Frax Finance's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

frxGov contracts audited against their GitHub repo by Trail of Bits (2023-07 audit) — bytecode likely matches audited commit. FraxEtherRedemptionQueueV2 Etherscan shows Source Code Verified Exact Match but Dec 2025 stealth-patch allegation claims deployed bytecode behavior differs from verified source (zero-amount rejection present in bytecode, absent in source). No signed release-tag commit found for frxUSD. Partial coverage confirmed; discrepancy alleged for frxETH redemption queue.

Sources #

Governance
Attribution Dispute - RedemptionQueueV2 DoS Vulnerability | Frax Governancegov.frax.finance attribution dispute: researcher claims bytecode mismatch on FraxEtherRedemptionQueueV2retrieved 2026-05-17
Audit
frxGov Security Review — Trail of Bits 2023Trail of Bits frxGov security review 2023-07 — audited against specific commitretrieved 2026-05-17

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-136 score yellow collected_at 2026-05-16 20:44:31