defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

Spiko's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[CRITICAL] Trail of Bits audit October 2023. Two post-audit EVM upgrades deployed without re-audit: (1) USTBL Ethereum 2024-04-19 impl to 0x15EA0EC4; (2) EUTBL Arbitrum 2024-10-25. Nethermind covers Starknet only; Halborn covers Stellar only. No EVM re-audit found covering post-2023 deployed code. Euler lineage failure pattern.

Sources

  • Internal
    Spiko protocol profile section 11. Profile section 11 explicit flag: deployed EVM contracts have been upgraded post-audit; code-security-analyst must assess F139. Retrieved 2026-05-16.
  • Tx
    USTBL Ethereum upgrade transaction. USTBL Ethereum upgrade tx 2024-04-19: new impl 0x15EA0EC4, no re-audit covering this impl found. Retrieved 2026-05-16.
  • Audit
    Trail of Bits Spiko security review 2023-10. Trail of Bits October 2023 EVM audit: https://github.com/trailofbits/publications/blob/master/reviews/2023-10-spiko-securityreview.pdf; the audit predates the April 2024 and October 2024 upgrades. Retrieved 2026-05-16.

Methodology

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

rubric_version: v1.7.0
protocol: spiko
factor: RD-F-139
score: red
collected_at: 2026-05-15 22:52:13