Deployed bytecode matches signed release tag

Yearn Finance's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

V3 core: v3.0.4 release deployed Nov 1, 2024 (commit PR #216 'chore: deploy 304'). ChainSecurity audit fixes merged and tagged (PR #215 Oct 30, 2024). GitHub releases exist. However, not all V3 strategy/periphery deployments have corresponding GPG-signed release tags (permissionless factory model makes this impractical). V2 vaults: individual Vyper deployments without factory pattern; release tag matching for all V2 instances not verified.

Sources #

GitHub
yearn-security audits directoryyearn-security/audits — 20240504_ChainSecurity_Yearn_V3 confirms audit scope and fixesretrieved 2026-05-16
GitHub
yearn-vaults-v3 commit historyyearn-vaults-v3 commit history: Nov 1 2024 'chore: deploy 304 #216'; Oct 30 2024 'fix: chainsec audit fixes #215'retrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-136 score yellow collected_at 2026-05-16 08:34:32