★ Audit scope mismatch

Maple Finance's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

15 audit engagements (6 firms, 2022–2025) cover V2 codebase; Jan 2026 CCIP Receiver audits (Dedaub/Sigma Prime) referenced in docs but PDFs not yet in public audits/ directory; commit-SHA-to-bytecode linkage unverifiable for the most recently deployed contracts.

Detail #

The 0xMacro Dec-2023 audit explicitly cites commit a2cf31c51e3efa44ae17ef5ab4bfc1ea2581c112. The Nov 2025 WM upgrade audits (Spearbit/Sherlock) are in the public audits directory. The Jan 2026 CCIP Receiver (deployed block 24,340,190, tx 0x4b9222a5) is listed in docs security page as audited by Dedaub and Sigma Prime but the PDFs are not yet in the public GitHub audits/ folder as of 2026-04-27. No direct bytecode mismatch confirmed, but full audit coverage of Jan 2026 contracts is not independently verifiable.

Sources #

Etherscan
https://etherscan.io/address/0x02B6A75c5D1F430F0614dc5AC8aD5F9D35fbA2c4retrieved 2026-04-27
Docs
https://docs.maple.finance/technical-resources/security/securityretrieved 2026-04-27
Audit
https://0xmacro.com/library/audits/maple-1retrieved 2026-04-27
GitHub
https://github.com/maple-labs/maple-core-v2/tree/main/auditsretrieved 2026-04-27

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol maple-finance factor RD-F-001 score yellow collected_at 2026-04-27 05:38:08