★ Post-audit code changes without re-audit

Meteora's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Meteora policy: at least 2 auditors per program update. Audit file evidence shows consistent coverage: DBC v0.1.1 through v0.1.10 (Offside Labs + Zenith + OtterSec for v0.1.3); DLMM v0.8.2 through v0.11.0 (Offside Labs + Zenith + OtterSec + Sec3); DAMM v2 v0.1.2 through v0.2.0 (Offside Labs + Zenith + OtterSec). Policy broadly followed. DBC Protocol v0.1.8 has Offside Labs and Zenith audit PDFs in repo. However, exact deployed bytecode hash to audit-version matching not independently confirmed; yellow reflects unconfirmed alignment rather than confirmed gap.

Sources #

Audit
MeteoraAg Audits — DLMM v0.11.0 CoverageMeteoraAg/audits DLMM — offside-labs-dlmm-audit-0.11.0.pdf, zenith-dlmm-audit-0.11.0.pdfretrieved 2026-05-16
Audit
MeteoraAg Audits — DBC v0.1.8 CoverageMeteoraAg/audits DBC — offside-labs-dbc-audit-0.1.8.pdf, zenith-dbc-audit-0.1.8.pdfretrieved 2026-05-16
URL
Meteora Community Call April 2024 — Audit PolicyMeteora community call April 2024 — all programs through at least 2 auditors per updateretrieved 2026-05-16

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol meteora factor RD-F-139 score yellow collected_at 2026-05-16 10:03:05