★ Audit scope mismatch
Midas's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Four audit engagements exist with public commit SHAs: Hacken Dec-2023 (commit d84b0ed), Sherlock 2024-05 (commit 0b1644f519876cadc1d6ca0e02fdfe8a32cefa12), a second Hacken engagement (scope/date unconfirmed), and Sherlock 2024-08 (commit 4abcc5b26cb80a725132c6b21f4d03228d804a59). Two post-audit implementation upgrades are confirmed on Etherscan: the mTBILL impl (0xD4998Cc1ba435298c521f250b81856b1f25c8455) was upgraded 2024-09-04, and the Issuance Vault impl (0xC8AF8477f3caa89f60fe9d1f48eee5433c55982b) was upgraded 2025-12-11 via tx 0x78c25177e211f66359969323ed065761d7aa875ee60c3f012d5dda198c431b5f. Both post-audit upgrades are on the private RedDuck-Software/midas-contracts repo with no confirmed covering re-audit. The bytecode diff between the Sherlock audit commits and the current deployed impls is structurally unverifiable from public sources. Yellow (not red) because Midas IS audited with multi-firm coverage: the gap is post-audit drift on two implementations, not absent audits across the board.
Sources
- Audit
- Sherlock 2024-08 Midas Minter/Redeemer Audit: Sherlock 2024-08 contest repo, commit 4abcc5b26cb80a725132c6b21f4d03228d804a59 (retrieved 2026-05-16)
- Issuance Vault Implementation — Etherscan: Issuance Vault implementation, upgraded 2025-12-11 via tx 0x78c25177e211f66359969323ed065761d7aa875ee60c3f012d5dda198c431b5f (retrieved 2026-05-16)
- mTBILL Implementation — Etherscan: mTBILL implementation contract, upgraded 2024-09-04 (retrieved 2026-05-16)
Methodology
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
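The comparison step of this check, as an added example that is not the curator's or Midas's code: it classifies deployed runtime bytecode against the runtime bytecode compiled from an audited commit, ignoring solc's CBOR metadata trailer and immutable slots. The function names and sample bytes are constructed for illustration; in practice the deployed code would come from `eth_getCode` on the implementation address and the immutable offsets from the compiler artifact's `immutableReferences`.

```python
# Added example (not Midas or curator code): classify deployed runtime bytecode
# against the runtime bytecode compiled from an audited commit.

def strip_metadata(code: bytes) -> bytes:
    """Drop solc's CBOR metadata trailer; the final 2 bytes hold its length."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    # Strip only if the length fits and the trailer opens with a CBOR map.
    if 0 < n and n + 2 <= len(code) and code[-2 - n] >> 5 == 5:
        return code[: -2 - n]
    return code

def mask(code: bytes, refs) -> bytes:
    """Zero immutable slots, given as (start, length) byte offsets."""
    buf = bytearray(code)
    for start, length in refs:
        if start + length <= len(buf):
            buf[start:start + length] = bytes(length)
    return bytes(buf)

def classify(deployed_hex: str, compiled_hex: str, immutable_refs=()) -> str:
    deployed = bytes.fromhex(deployed_hex.removeprefix("0x"))
    compiled = bytes.fromhex(compiled_hex.removeprefix("0x"))
    if deployed == compiled:
        return "exact"
    d = mask(strip_metadata(deployed), immutable_refs)
    c = mask(strip_metadata(compiled), immutable_refs)
    # Same executable code, but metadata hash or immutable values differ.
    return "match-modulo-metadata" if d == c else "mismatch"

# Constructed sample bytecode, not taken from any Midas contract.
def meta(fill: str) -> str:  # 51-byte solc-style CBOR trailer + length 0x0033
    return "a2646970667358221220" + fill * 32 + "64736f6c63430008090033"

HEAD = "6080604052348015600e575f5ffd5b50"  # 16 bytes of constructed code
TAIL = "5f5260205ff3"
REFS = [(17, 32)]  # PUSH32 operand that follows HEAD and the 0x7f opcode
COMPILED = HEAD + "7f" + "00" * 32 + TAIL + meta("aa")
DEPLOYED_OK = "0x" + HEAD + "7f" + "11" * 32 + TAIL + meta("bb")
DEPLOYED_DRIFT = ("0x" + HEAD.replace("600e", "6010") + "7f" + "11" * 32
                  + TAIL + meta("bb"))

if __name__ == "__main__":
    for name, code in [("ok", DEPLOYED_OK), ("drift", DEPLOYED_DRIFT)]:
        print(name, classify(code, COMPILED, REFS))
```

A "mismatch" result means the deployed executable code differs from the audited build; it does not say whether the difference was covered by a later review.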