★ Audit scope mismatch
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
v2-core PeckShield audit (Sep 2020) plausibly covers the deployed UniswapV2Factory (pragma 0.6.12, Etherscan verified). v3-core: the audits in sushiswap/v3-core/audits/ (ABDK + ToB) are copies of the original Uniswap v3 upstream reports (March 2021), NOT Sushi-specific audits of the deployed fork bytecode. No commit SHA matching the Sushi v3-core deployed factory to a Sushi-specific audit report was found. RouteProcessor2 had no completed audit at deploy (confirmed in post-mortem: 'lesson: respecting auditors timelines'). Overall: material audit-scope uncertainty for v3-core and RP2; v2-core is borderline yellow.
Sources #
- URLRouteProcessor2 Post Mortem — SushiRouteProcessor2 post-mortem: 'lesson — respecting auditors timelines; fast-tracking leads to overlooked vulnerabilities'retrieved 2026-05-17
- SushiV3Factory Etherscan verificationSushiV3Factory 0xbaceb8ec6b9355dfc0269c18bac9d6e2bdc29c4f — verified, pragma 0.7.6retrieved 2026-05-17
- PeckShield-Audit-Report-SushiSwap-v1.0.pdfPeckShield SushiSwap v1 audit Sep 2020 — 13 findings, no critical business logicretrieved 2026-05-17
- sushiswap/v3-core audits directorysushiswap/v3-core/audits/ contains ToB + ABDK reports for original Uniswap v3, not Sushi fork-specificretrieved 2026-05-17
- SushiV2Factory Etherscan verificationSushiV2Factory 0xc0aEe478e3658e2610c5f7a4a2e1777ce9e4f2aC — verified, pragma 0.6.12retrieved 2026-05-17
Methodology #
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
See the full factor methodology and distribution across all protocols →