★ Audit scope mismatch
SUNSwap (sun.io)'s assessment for RD-F-001 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The SlowMist 2020 audit covers V1/JustSwap only. V2 (~$240M TVL), V3 (~$112M), and V4 (singleton+hooks, 76 days old) have no publicly confirmed third-party audit with a mapped commit SHA. No audit PDF was found for V2/V3/V4 in any GitHub repo, the SlowMist KB, CertiK (404), or the Hacken portfolio. The TRON substrate prevents Etherscan-style bytecode verification.
Sources
- Audit: SlowMist JustSwap Smart Contract Security Audit Report. SlowMist JustSwap V1 audit, 2020-08-17 (V1 only). Retrieved 2026-05-17.
- SUNSwap V2 contracts repository: sun-protocol/sunswap-v2-contracts. No /audits directory. Retrieved 2026-05-17.
- SUNSwap V3 contracts repository: sun-protocol/sunswap-v3-contracts. No /audits directory. Retrieved 2026-05-17.
Methodology
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
- rubric_version: v1.7.0
- protocol: sunswap
- factor: RD-F-001
- score: red
- collected_at: 2026-05-17 14:37:31