defirisk.co
rubric v1.7.0

Audit scope mismatch

mETH Protocol's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

16 audit engagements across 7 firms cover all three product generations (v1 core 2023, v2 cmETH 2024, v3 LiquidityBuffer 2025). No audit report on the public docs page cites a commit SHA enabling bytecode-to-report matching. The most recently upgraded Staking implementation (0x01a360392c74b5b8bf4973f438ff3983507a06a2, upgraded 2025-10-30) post-dates the 2023 v1 audits by ~24 months. MixBytes v1 README does cite audit commits (bd15a96, 93a55d8) but those cannot be traced to the current deployed bytecode. Continuous multi-firm coverage per generation prevents a red; absence of commit SHA matching prevents a green.

Sources #

  • GitHub
    MixBytes Mantle METH Audit READMEMixBytes v1 audit README with commit SHAs: bd15a96aee7df0fc0566d662df0cf50ff2619d31 (initial), 93a55d8a3e9dfdb40ebd95e1e350af9d0c821883 (reaudit)retrieved 2026-05-16
  • Etherscan
    mETH Staking Proxy — EtherscanStaking proxy last upgrade: tx 0x047881f371231128d316d4c944fe90bb75d043611e50c3dc4f1c3323932cf0d4, block 23689062, 2025-10-30retrieved 2026-05-16
  • URL
    mETH Protocol Security AuditsmETH Protocol audit index — 16 engagements listed without commit SHAsretrieved 2026-05-16

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol meth-protocol factor RD-F-001 score yellow collected_at 2026-05-16 02:17:50