★ Post-audit code changes without re-audit

Pendle Finance's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★] sPENDLE module audit (WatchPug.pdf in audits/sPendle/) exists but exact scope date vs deployment date cannot be confirmed (PDF binary). governanceProxy upgraded 2025-09-18 with no corresponding audit file in repository. Spearbit-2024 and ChainSecurity-2024 cover 2024 main codebase; post-2024 factory versions (V5/V6) and the governance proxy upgrade may not be covered. Yellow pending curator confirmation of sPENDLE audit date.

Sources #

Etherscan
governanceProxy — unaudited upgrade 2025-09-18governanceProxy upgraded 2025-09-18 — no audit file for this upgrade found in repositoryretrieved 2026-04-29
GitHub
Pendle sPENDLE audit directoryaudits/sPendle/WatchPug.pdf — scope date not confirmable (PDF binary)retrieved 2026-04-29

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pendle factor RD-F-139 score yellow collected_at 2026-04-28 21:09:40