★ Post-audit code changes without re-audit

Save (formerly Solend)'s assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] Only confirmed public audit: Kudelski (2021, v1.0). Post-audit changes: (1) V2 launch April 2023 — new features including protected collateral, TWAP oracle, borrow weights, outflow rate limits, collateralization limits, isolated tier assets (major new code). (2) November 2022 oracle attack response. (3) Recovery Mode mechanism. (4) Rebrand/new products July 2024. No confirmed re-audit from Neodyme or OSEC — their reports not found as public documents as of 2026-05-17 despite references in secondary sources. Single-EOA can push unaudited bytecode at any time.

Sources #

Audit
Kudelski Security — Solend Audit v1.0 (2021)Kudelski Security Solend v1.0 audit PDF (only confirmed public audit; 2021)retrieved 2026-05-17
URL
Gate.com — Solend v2 launch (major code changes post-2021 audit)gate.com/learn — Solend v2 launched April 2023 with major new features (unconfirmed re-audit)retrieved 2026-05-17

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol save factor RD-F-139 score red collected_at 2026-05-17 15:20:15