Deployed bytecode matches signed release tag

Jupiter Perpetual Exchange's assessment for RD-F-136 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No public source repository exists for Jupiter Perps. No signed release tags. verify.osec.io confirms is_verified=false with no on-chain hash or executable hash. Deployed bytecode cannot be matched to any signed commit. Structural red for closed-source program with no build reproducibility.

Sources #

URL
OtterSec Program Verification Statusverify.osec.io: is_verified=false, on_chain_hash empty — no verifiable build artifact existsretrieved 2026-05-16
GitHub
Jupiter GitHub organizationgithub.com/jup-ag: no perps source repo; 185 public repos searchedretrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol jupiter-perps factor RD-F-136 score red collected_at 2026-05-16 01:53:11