defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

Wormhole's assessment for RD-F-139 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Post-audit code changes deployed without re-audit | Core Bridge: last upgrade September 2022; Trail of Bits (Sept 2022) and CertiK (March 2023) audits cover this period. No post-September-2022 Core Bridge upgrade without corresponding audit. NTT, MultiGov, Settlement: each major version received dedicated audits prior to deployment (extensive audit table confirms). For NTT v3 specifically: OtterSec audits April 2025 and May 2025. MultiGov v2: Cyfrin Feb 2025. Pattern of re-auditing before maj...

Sources #

  • Curator note
    Extracted from 02-governance-admin.md — RD-F-139; no URL citedretrieved 2026-04-28

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol wormhole factor RD-F-139 score gray collected_at 2026-04-28 01:38:43