defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

USDD (Decentralized USD)'s assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[U3 RECONCILED: red→yellow] Prior red rested on two claims: (1) 'Ethereum native USDD deployed Sept 2025, audited Oct 2025 — deployed-before-audited.' This claim dissolves: the canonical ETH ERC-20 is 0x4f8e5de400de08b164e7421b3ee387f461becd1a, which is an older, pre-existing contract; the Sept 2025 'deployment' referred to the wrong contract (0x8EbdcF3d, 84 holders, test/secondary). (2) 'USDD 2.0 CDP on TRON (Jan 2025) — pre-deploy audit not confirmed.' ChainSecurity V2 audit (Jan 2025) and the active cadence of 5 ChainSecurity engagements including the Jan-2025 V2 audit suggest the CDP architecture had contemporaneous audit coverage; however, exact scope of the Jan-2025 ChainSecurity V2 audit vs the new TRC-20 CDP contracts is unconfirmed. Yellow (not green) because: the TRON CDP pre-deploy audit scope is unresolved and partial confirmation is insufficient for green. Red is not sustained because the cleaner 'deployed-before-audited' evidence stream (ETH Sept 2025) was based on the wr

Sources #

  • Internal
    U3 cross-specialist reconciliation — F139 wrong-contract stream dissolvesU3 reconciliation: canonical ETH ERC-20 is 0x4f8e5de4 (pre-existing, verified); 0x8EbdcF3d (84 holders) is secondary/test; the 'Sept 2025 deployed-before-audited' stream was based on the wrong contractretrieved 2026-05-17
  • Audit
    ChainSecurity Smart Contract Audit — USDD on Ethereum and BSCChainSecurity USDD V2 audit (Jan 2025) — first ChainSecurity audit of the CDP architecture; active cadence of 5 total engagementsretrieved 2026-05-17
  • URL
    ChainSecurity Completes Fifth USDD Audit Report | MediumMedium — ChainSecurity completes fifth USDD audit report (Oct 2025, post-deployment): fifth in a series of engagements starting from USDD V2 Jan 2025retrieved 2026-05-17

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol usdd factor RD-F-139 score yellow collected_at 2026-05-17 11:34:18