★ Audit scope mismatch

Symbiotic's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Six pre-launch audits (Statemind, ChainSecurity, Zellic, OtterSec, Certora FV, Cantina) conducted July-September 2024 against devnet-era commits (devnet-v1.0.0 commit 085c54d through devnet.10 commit 106d10b). Mainnet deployed at release 1.0.0 commit 3b6add2 on January 24 2025. Contracts are immutable and non-upgradeable, so no post-deploy code changes are possible. However, the exact diff between the last audited devnet commit and deployed commit 3b6add2 is not publicly confirmed clean. The pre-deploy audit-to-deploy gap carries residual risk.

Sources #

GitHub
symbioticfi/core GitHub Releasessymbioticfi/core releases page listing 1.0.0 at commit 3b6add2 (Jan 24 2025) and devnet releases at 085c54d, fda1655, f38f1b1, 106d10bretrieved 2026-05-16
URL
ChainSecurity Symbiotic Core AuditChainSecurity audit summary stating only minor issues foundretrieved 2026-05-16
URL
Symbiotic Arrives on MainnetSymbiotic mainnet launch blog January 28 2025 confirming non-upgradeable core contractsretrieved 2026-05-16
Audit
Zellic Symbiotic Core Audit ReportZellic audit of Symbiotic core, July 15-22 2024retrieved 2026-05-16

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol symbiotic factor RD-F-001 score yellow collected_at 2026-05-16 09:25:24