Fix-merged-but-not-deployed gap

Liquid Collective (LsETH)'s assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No known exploitable vulnerability with a fix-merged-but-not-deployed gap found. March 2026 commits fix Certora-flagged issues (H-01 etc.) but these are in-development fixes for the upcoming BYOV release — they have not been deployed to mainnet yet, which is the intended state (fixes land with the release, not before). No Mirror-class scenario (known exploitable fix in repo, not deployed to block live exploit) identified.

Sources #

GitHub
GitHub — fix commits are for unreleased BYOV version, no live-exploit gapliquid-collective-protocol commits Mar 2026 — security fixes for upcoming BYOV releaseretrieved 2026-05-17

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquid-collective factor RD-F-140 score green collected_at 2026-05-16 19:46:23