★ Audit scope mismatch
Yearn Finance's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Three V3-core audits confirmed (ChainSecurity v3.0.0, Statemind v3.0.0, yAcademy v3.0.1) and two V2 audits (Trail of Bits v0.4.2, MixBytes v0.2.1). V3 canonical impl 0xd8063123BBA3B480569244AE66BFE72B6c84b00d is Etherscan-verified as Vyper 0.3.7 Exact Match. Specific commit SHAs inside audit PDFs are not publicly accessible without PDF internals — SHA-to-deployed-bytecode match is partially inferred from version labels, not confirmed SHA-by-SHA. V2 vaults show version-increment drift across API versions (0.2.8 to 0.3.3) between audit and deploy. Partial traceability.
Sources
- Yearn Vaults V3 Smart Contract Audit by ChainSecurity. ChainSecurity Yearn V3 audit page, retrieved 2026-05-16
- Security Home — Yearn Docs (lists Statemind, ChainSecurity, yAudit V3 audits). Yearn docs security page, audit listing, retrieved 2026-05-16
- Yearn V3 Vault canonical impl — Etherscan verified Vyper:0.3.7 Exact Match. 0xd8063123BBA3B480569244AE66BFE72B6c84b00d, retrieved 2026-05-16
- Trail of Bits Yearn Vaults V2 Audit directory. yearn-security/audits/20210719_ToB_yearn_vaultsv2, retrieved 2026-05-16
Methodology
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.