★ Audit scope mismatch
Lombard Finance's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Most recent Ethereum LBTC upgrade was 2026-04-24 (block 24950539). Latest audit with EVM scope: OZ multipauser (sign-off 2026-04-09) and Sherlock multipauser (sign-off 2026-04-01). The feature PR #393 (multipauser) was merged 2026-04-17 via commit 6784d65 — after both audit close dates — and deployed 2026-04-24, creating a 15-day gap between last audit sign-off and on-chain upgrade. Earlier audits match stated commits (Veridise V2 audited commits 109a3f2 and ebfda9f; OZ V2 audited commits 282b484/5622904). The delta between audit close and deploy includes commits c1f0f19, 3308690, cb510bb, f066bfb (all April 15-17). Audit commit SHA for the OZ multipauser engagement was not published on the OZ news page preventing exact bytecode-level match. Scored yellow (not red) because the April 17 changes are logically within the multipauser feature scope covered by both audit firms, but the deployed bytecode post-dates both audit sign-off dates.
Sources #
- AuditSherlock Multipauser + BridgeV2 Audit PDFSherlock multipauser audit sign-off 2026-04-01retrieved 2026-05-05
- lombard-finance/evm-smart-contracts commitsMerge PR #393 multipauser commit 6784d65 — 2026-04-17retrieved 2026-05-05
- LBTC TransparentUpgradeableProxy — EtherscanLBTC proxy upgrade tx 2026-04-24 block 24950539retrieved 2026-05-05
Methodology #
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
See the full factor methodology and distribution across all protocols →