defirisk.co
rubric v1.7.0

Audit-to-deploy gap

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap was scored red for factor RD-F-006 on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

RouteProcessor2 (RP2) was deployed on April 4, 2023 and exploited on April 8, 2023, 4 days after deployment. The post-mortem states that 'attempting to fast-track contracts through the auditing process can lead to overlooked vulnerabilities', confirming that no audit was completed before deployment. The PeckShield audit of v2 was dated September 2020, after the August 2020 launch, which makes it a post-launch audit. Threshold: red = >180 days or audit done post-deploy. RP2 was zero days post-deploy (audit not completed). v2 was post-launch. The score is red on the worst-case component, per the combined-slug rule.

Sources

Methodology

Measure the number of days between the audit report sign-off date and the mainnet deploy of the audited bytecode.


rubric_version: v1.7.0
protocol: sushi
factor: RD-F-006
score: red
collected_at: 2026-05-16 19:50:37