★ Post-audit code changes without re-audit
Sanctum's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Three audits (OtterSec, Neodyme INV-24-01, Sec3) all dated ~February 2024 cover the original Infinity/S V1 program. The inf-1.5 repository (Reworked INF, aka S) has 348 commits and was tagged Controller Program V2 on March 12 2026 — a material rewrite deployed as Infinity V2. The sanctum-static/audits directory contains only the three V1 PDFs. No V2 audit PDF found via GitHub directory check or web search. With $1.37B TVL in Infinity, a material post-audit code deployment without confirmed re-audit coverage is a critical finding.
Sources #
- GitHubGitHub: sanctum-static audits directory — no V2 auditigneous-labs/sanctum-static/audits/ — only V1 PDFs present: Ottersec-sanctum_audit_final.pdf, Neodyme-INV-24-01.pdf, Sec3-Sanctum_S_final_report.pdfretrieved 2026-05-04
- GitHub: igneous-labs/inf-1.5igneous-labs/inf-1.5: Reworked INF; 348 commits; Controller Program V2 tag March 12 2026 — material rewrite from audited V1retrieved 2026-05-04
- Neodyme INV-24-01 — Infinity V1 auditNeodyme INV-24-01 audit of Infinity V1 (S program) — February 2024retrieved 2026-05-04
Methodology #
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.
See the full factor methodology and distribution across all protocols →