Fork retains upstream audit coverage
JustLend DAO's assessment for RD-F-131 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Classification: upstream-only with gap risk. The CertiK audit of April 2022 partially covers the JustLend-specific TVM-adapted code. The upstream Compound v2 EVM audits (Trail of Bits) do not cover the TVM execution environment. The GovernorBravo module added in November 2022 has no documented audit. With ~30-50% code divergence, upstream audit coverage is significantly diluted. Yellow: CertiK provides partial coverage, but the governance additions and TVM-specific code leave uncovered gaps.
Sources
- JustLend GitHub — GovernorBravo added post-audit. GitHub commits Nov 2022 — GovernorBravo feature added after CertiK audit with no follow-on audit (retrieved 2026-05-17)
- JustLend CertiK audit PDF — covers TVM-adapted core. CertiK April 2022 — covers JustLend TVM-adapted SBM core; GovernorBravo added Nov 2022 post-audit (retrieved 2026-05-17)
Methodology
Determine whether the fork's deployed code is covered by either: (a) the upstream audit plus a delta-audit for fork-specific changes, or (b) a fresh independent audit of the fork.