defirisk.co
rubric v1.7.0

Audit scope mismatch

Wormhole's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

EVM core bridge and token bridge proxy source is Etherscan-verified with "Exact Match" (Solidity 0.8.4, optimizer 200 runs, Istanbul EVM). The implementation contracts (0x3c3d and 0x3817) are verified. However, no public document links a specific audit report commit SHA to the currently deployed implementation address on all 35+ chains. The most recent EVM core bridge audit was Trail of Bits 2023-04 (follow-on to 2022-09). NTT, MultiGov, CCTP v2.1, and Swap Layer have 2024–2025 audits scoped ...

Sources

  • Curator note
    Extracted from 01-code-security.md — RD-F-001 finding; no URL cited in original; retrieved 2026-04-28

Methodology

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
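
One way to carry out this comparison offline, as an added example that is not defirisk.co's or Wormhole's own tooling. It assumes you have already compiled the audited commit with the settings shown on the explorer and fetched the deployed runtime bytecode; the function names and sample bytecode are constructed for illustration.

```python
"""Added example: compare audited-build vs deployed EVM runtime bytecode."""
import hashlib

def split_metadata(runtime_hex: str) -> tuple[bytes, bytes]:
    """Split solc runtime bytecode into (code, metadata trailer).

    solc appends a CBOR map followed by its 2-byte big-endian length.
    If no plausible trailer is found, everything is treated as code.
    """
    raw = bytes.fromhex(runtime_hex.removeprefix("0x"))
    if len(raw) < 2:
        return raw, b""
    start = len(raw) - 2 - int.from_bytes(raw[-2:], "big")
    # A CBOR map starts with a byte in 0xa0..0xbf.
    if start < 0 or start >= len(raw) - 2 or not 0xA0 <= raw[start] <= 0xBF:
        return raw, b""
    return raw[:start], raw[start:]

def compare(audited_hex: str, deployed_hex: str) -> str:
    """Classify how the deployed code relates to the audited build."""
    a_code, a_meta = split_metadata(audited_hex)
    d_code, d_meta = split_metadata(deployed_hex)
    if not d_code:
        return "no-code"                      # empty account or wrong address
    if (a_code, a_meta) == (d_code, d_meta):
        return "exact"
    if a_code == d_code:
        return "code-match-metadata-differs"  # same logic, different source hash
    return "mismatch"

def fingerprint(runtime_hex: str) -> str:
    """SHA-256 of the code without metadata, for recording in a report."""
    return hashlib.sha256(split_metadata(runtime_hex)[0]).hexdigest()

def _meta(source_digest: bytes) -> bytes:
    # Constructed trailer in the shape solc 0.8.4 emits: {ipfs: ..., solc: 0.8.4}
    body = (b"\xa2\x64ipfs\x58\x22\x12\x20" + source_digest
            + b"\x64solc\x43\x00\x08\x04")
    return body + len(body).to_bytes(2, "big")

# Constructed sample inputs (not real Wormhole bytecode).
CODE = bytes.fromhex("6080604052600080fd")
AUDITED = "0x" + (CODE + _meta(b"\x11" * 32)).hex()
SAME_LOGIC = "0x" + (CODE + _meta(b"\x22" * 32)).hex()
PATCHED = "0x" + (bytes.fromhex("6080604052600180fd") + _meta(b"\x11" * 32)).hex()

if __name__ == "__main__":
    for name, dep in [("same", AUDITED), ("meta", SAME_LOGIC), ("patched", PATCHED)]:
        print(name, compare(AUDITED, dep), fingerprint(dep)[:16])
```

Immutable values and linked library addresses are embedded in runtime bytecode, so a `mismatch` on a contract that uses them needs those regions masked before concluding that the logic differs. The check has to be repeated per chain, since each deployment has its own implementation address.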


rubric_version: v1.7.0
protocol: wormhole
factor: RD-F-001
score: yellow
collected_at: 2026-04-28 01:38:43