★ Audit scope mismatch

Lista DAO's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Most recent cluster audit is BlockSec/Bailsec Nov 27 2024 (release v5.1 commit bc21c3f). Post-Nov 2024 commits (~Aug 2025) add xSolvBTC PriceFeed, PufETH PriceFeed, clisBNB renaming, and EVM version CI fix — these oracle contracts are unaudited. No audit PDF commit SHA matched to current deployed bytecode. Interaction proxy (0xB6..) compiled with solc 0.8.2; implementation (0xCe..) compiled with solc 0.8.10, confirming staged upgrade history. Lista Lending (~April 2025, ~$189.5M borrowed) has no audit PDF in /audits/ directory.

Sources #

GitHub
Lista DAO Contracts ReleasesLista DAO contracts releases page — v5.1 tag commit bc21c3f, Nov 26, 2024retrieved 2026-05-12
GitHub
Lista DAO Contracts Commit HistoryRecent commits Aug 2025 — xSolvBTC PriceFeed, PufETH PriceFeed, slisBNBx rename, EVM version CI fixretrieved 2026-05-12
Etherscan
BscScan Interaction Implementation SourceInteraction proxy 0xB6..: solc 0.8.2, TransparentUpgradeableProxy; implementation 0xCe..: solc 0.8.10, exact-match verifiedretrieved 2026-05-12

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lista-dao factor RD-F-001 score yellow collected_at 2026-05-12 17:54:05