★ Post-audit code changes without re-audit

StakeWise v3's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ not-critical yellow] Major upgrades received external reviews: Vaults v2.0 — Sigma Prime June 2024; SWIP-25 Vault Factory v3 — Sigma Prime + Hexens per forum post; SWIP-28 exit queue fix — Sigma Prime approval; v5.0.0 — Statemind April 2026. However: (1) Nov 2025 emergency controller action was NOT preceded by audit — used pre-existing capability; (2) SWIP-28 review is described as approval rather than formal full-scope re-audit. Pattern is review-for-each-upgrade, not no-review; yellow for coverage gaps on rapid-review completeness.

Sources #

Audit
Sigma Prime June 2024 audit — GitHubSigma Prime 2024-06 audit: Vaults v2.0 covered; Statemind 2026-04-20: v5.0.0 coveredretrieved 2026-05-16
URL
Balancer hacker loses $20M — DL NewsDL News: emergency controller action (Nov 2025) had no prior audit — used pre-existing code capabilityretrieved 2026-05-16
Governance
SWIP-25 Vault Factory v3 — forum.stakewise.ioSWIP-25 forum post: changes received audits from Sigma Prime and Hexensretrieved 2026-05-16

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stakewise factor RD-F-139 score yellow collected_at 2026-05-16 01:03:28