Auditor re-engaged after last exploit

Wormhole's assessment for RD-F-083 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

- Finding: TRUE — extensively. Post-exploit audit engagements from the profile §8: - Neodyme (Jan 2022, pre-exploit; July 2022 post-exploit window), Kudelski Security (Jul and Aug 2022), Trail of Bits (Sep 2022, Apr 2023 follow-on), CertiK (Mar 2023), Runtime Verification (May 2023 — formal verification), OtterSec (multiple from 2022–2025), Zellic (Nov 2022), Cyfrin (multiple 2024), Cantina (Apr 2024), Code4rena (Jul 2024), Sherlock (Mar 2025). 29 total third-party engagements across 4 years ...

Sources #

URL
https://wormhole.com/docs/protocol/security/retrieved 2026-04-28
GitHub
https://github.com/wormhole-foundation/wormhole-auditsretrieved 2026-04-28

Methodology #

Determine whether a reputable auditor performed a re-audit or incident review after the most recent exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol wormhole factor RD-F-083 score gray collected_at 2026-04-28 01:38:43