Upstream patch not merged

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-127 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Uniswap v3-core GitHub security page: 'There aren't any published security advisories.' No outstanding upstream patches for v3 identified. The ToB Uniswap v3 audit found 10 issues (2 high: TOB-UNI-005 balance comparison, TOB-UNI-009 failed transfer check) — both fixed by Uniswap pre-launch (March 2021). SushiSwap forked v3 in May 2023 from a post-fix codebase. Uniswap v2 is a 6-year-old minimal AMM with no known outstanding vulnerability patches. No upstream patches unmerged in SushiSwap's forks.

Sources #

URL
Trail of Bits Uniswap V3 Core Security AssessmentToB Uniswap v3 audit — 2 high findings fixed pre-launch; SushiSwap forked post-fix codebase (May 2023)retrieved 2026-05-17
GitHub
Uniswap v3-core GitHub Security AdvisoriesUniswap/v3-core security page — 'There aren't any published security advisories'retrieved 2026-05-17

Methodology #

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-127 score green collected_at 2026-05-16 19:50:37