★ Post-audit code changes without re-audit
Midas's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Three post-audit upgrades with no confirmed covering re-audit:
(1) Sep-4-2024: mTBILL impl upgraded 0xefED40D1 → 0xD4998Cc1, executed by direct EOA, 27 days after Sherlock 2024-08 contest (commit 4abcc5b, closed ~Aug-2024).
(2) Apr-23-2025: unknown proxy 0x9b2c5e30 upgraded to impl 0xd0BdEf8 via direct EOA. No public audit covers this.
(3) Dec-11-2025: Issuance Vault 0x99361435 upgraded to 0xC8AF8477 via Safe+Timelock. No confirmed public covering audit found.
Private repo prevents diff quantification. Additionally, Hacken Dec-2023 finding F-2023-0292 (decimal handling, High severity, Accepted/not fixed) remains active in deployed contracts. Material post-audit drift without audit coverage confirmed. [★ CRITICAL]
Sources
- Issuance Vault Dec-2025 upgrade (Etherscan): Dec-2025 Issuance Vault upgrade to 0xC8AF8477; no public re-audit covering this implementation (retrieved 2026-05-16)
- Hacken Dec-2023 audit, F-2023-0292 unresolved: Hacken Dec-2023 finding F-2023-0292 'USD Tokens With Custom Decimals Are Not Handled Properly', High severity, status=Accepted (not fixed) (retrieved 2026-05-16)
- Sep-2024 mTBILL upgrade (Etherscan): Sep-2024 mTBILL direct-EOA upgrade tx, post-audit (last Sherlock contest Aug-2024) (retrieved 2026-05-16)
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.
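The following is an added worked example of that count, not code from Midas or from the rating site. It models each upgrade as a proxy implementation change with an execution date and executor type, models each audit as a set of implementation addresses its report scopes, and lists the upgrades whose new implementation no audit covers, together with the gap in days since the last audit published before the upgrade. The short address labels are copied from the evidence summary; the audit publication dates and audit scopes are assumptions constructed for the example, as is the Aug-8-2024 close date chosen so that the first gap reproduces the page's 27 days.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Upgrade:
    proxy: str        # proxy (or short label) whose implementation pointer changed
    new_impl: str     # implementation address after the upgrade
    executed: date    # date the upgrade transaction was mined
    executor: str     # "eoa" (direct key) or "safe+timelock"


@dataclass(frozen=True)
class Audit:
    name: str
    published: date           # assumed publication / close date
    scoped_impls: frozenset   # implementation addresses the report covers


# Constructed sample data mirroring the three upgrades in the evidence summary.
UPGRADES = [
    Upgrade("mTBILL", "0xD4998Cc1", date(2024, 9, 4), "eoa"),
    Upgrade("0x9b2c5e30", "0xd0BdEf8", date(2025, 4, 23), "eoa"),
    Upgrade("Issuance Vault 0x99361435", "0xC8AF8477", date(2025, 12, 11), "safe+timelock"),
]

# Assumed audit records: dates and scopes are constructed, not taken from the reports.
AUDITS = [
    Audit("Hacken Dec-2023", date(2023, 12, 15), frozenset({"0xefED40D1"})),
    Audit("Sherlock 2024-08 contest", date(2024, 8, 8), frozenset({"0xefED40D1"})),
]


def is_covered(upgrade, audits):
    """An upgrade counts as covered only if some audit scoped the new implementation."""
    return any(upgrade.new_impl in a.scoped_impls for a in audits)


def days_since_last_audit(upgrade, audits):
    """Days between the most recent audit published before the upgrade and the upgrade itself."""
    prior = [a.published for a in audits if a.published <= upgrade.executed]
    return (upgrade.executed - max(prior)).days if prior else None


def uncovered_upgrades(upgrades, audits):
    """Apply the methodology: deployed implementation changes that no audit covers."""
    findings = []
    for u in upgrades:
        if is_covered(u, audits):
            continue
        findings.append({
            "proxy": u.proxy,
            "new_impl": u.new_impl,
            "executed": u.executed.isoformat(),
            "executor": u.executor,
            "days_since_last_audit": days_since_last_audit(u, audits),
        })
    return findings


def count_uncovered(upgrades, audits):
    """The factor's raw metric: number of post-audit changes without covering audit."""
    return len(uncovered_upgrades(upgrades, audits))


if __name__ == "__main__":
    for f in uncovered_upgrades(UPGRADES, AUDITS):
        print(f)
    print("uncovered changes:", count_uncovered(UPGRADES, AUDITS))
```

In practice the upgrade list would be built from the proxy's Upgraded events on a block explorer and the audit scopes from the commit hashes or addresses each report names; the executor field is kept because a direct-EOA upgrade and a Safe+Timelock upgrade carry different review opportunities even when both lack a re-audit.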