★ Post-audit code changes without re-audit

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CRITICAL. RouteProcessor2 deployed April 5-8, 2023 with acknowledged insufficient audit ('fast-tracking contracts through the auditing process' per official post-mortem), exploited April 8-9, 2023 ($3.3M loss across 14 chains). This is a confirmed deployment without adequate prior independent audit. RP3 was audited by Zellic (April 13-14, 2023 — 2-day engagement AFTER the exploit). RP4 audit not publicly confirmed. RP5 (Aug 2024) audit not found in public sources. RP6 (Feb 2025) audit not confirmed. Active routing layer with TVL-adjacent exposure cycles through versions with unconfirmed or minimal audit coverage.

Sources #

URL
RouteProcessor2 Post Mortem — SushiRouteProcessor2 Post Mortem — 'Attempting to fast-track contracts through the auditing process can lead to overlooked vulnerabilities'retrieved 2026-05-17
URL
SushiSwap RouteProcessor3 — Zellic Audit ReportZellic RP3 audit — conducted April 13-14, 2023 (after RP2 exploit); confirms RP3 was audited post-exploitretrieved 2026-05-17
URL
Post Mortem: SushiSwap — CertiKCertiK post-mortem — confirms RP2 vulnerability and insufficient audit pre-deploymentretrieved 2026-05-17

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-139 score red collected_at 2026-05-16 19:50:37