defirisk.co
rubric v1.7.0

Audit scope mismatch

JustLend DAO's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The CertiK audit (April 8, 2022) covered 37 files. Post-audit GitHub commits in November 2022 (GovernorBravo module addition), February 2023 (governance + BUSD update), and March 2026 (security config change) have no documented re-audit. TVM bytecode-to-commit matching is not automatable via standard tools. The GovernorBravo governance module appears to have been added post-audit without independent audit coverage. Material divergence cannot be ruled out. Downgraded from red because post-audit changes appear to be primarily governance/configuration rather than core CToken lending logic.

Sources

  • Audit
    JustLend - CertiK Skynet Project Insight
    CertiK security assessment JustLend Apr 8 2022 — 16 findings (6 major acknowledged), 37 files audited
    retrieved 2026-05-17
  • GitHub
    justlend-protocol commit history
    GitHub commit history — Nov 2022 GovernorBravo feature, Feb 2023 governance+BUSD, Mar 2026 security-config; all post CertiK audit
    retrieved 2026-05-17

Methodology

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.


rubric_version: v1.7.0
protocol: justlend
factor: RD-F-001
score: yellow
collected_at: 2026-05-17 10:25:32