Fix-merged-but-not-deployed gap
Superstate's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No evidence of a known vulnerability with a PR merged in repo but not in deployed code. All audit findings from superstate-1 through superstate-7 are documented as addressed. Most recent public-scope audit (superstate-6) found only 2 code-quality issues (Q-1 and Q-2), both marked fixed. Solana audit (superstate-7): 2 Critical, 1 High, all fixed.
Sources #
- Audit0xMacro Superstate-6 Findings - All Addressed0xMacro superstate-6: 0 Critical, 0 High, 0 Medium, 0 Low, 2 Code Quality (both fixed)retrieved 2026-05-16
- 0xMacro Superstate-5 Findings - All Addressed0xMacro superstate-5: 0 Critical/High/Medium/Low, 3 Code Quality (all addressed)retrieved 2026-05-16
Methodology #
Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol superstate factor RD-F-140 score green collected_at 2026-05-16 00:06:37