defirisk.co
rubric v1.7.0

Resolved-without-proof findings

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor counts the number of findings in the protocol's most recent audit report that are marked 'Resolved' or 'Fixed' where no corresponding on-chain bytecode change or verifiable commit can be identified. A finding is counted as unverified-resolved when the audit marks it closed, but the deployed bytecode at the audited commit hash shows no change consistent with the described fix. The data source is audit PDF cross-referenced against commit trails and deployed bytecode.

**Why it matters** Audit findings marked Resolved without on-chain proof create a false paper trail. Merlin DEX's CertiK audit marked a critical centralization risk -- maximum approval granted to a single EOA -- as Resolved after the team verbally promised to implement a multisig. The EOA was never replaced; the finding remained fully exploitable and was the direct vector for the $1.82M exploit. This pattern -- verbal or self-reported fixes accepted by auditors without on-chain verification -- is a documented class of false assurance. A protocol with multiple unverified Resolved findings has potentially fewer real security properties than its audit certificate suggests.

**Green / Yellow / Red** Green: all findings marked Resolved in the audit have on-chain proof of fix, either via a verifiable commit hash or a subsequent audit confirming the remediation. Yellow: one or two low-severity findings lack verifiable on-chain proof, but high and critical findings are all confirmed fixed. Red: any high or critical severity finding is marked Resolved without on-chain or commit-level proof of the fix.

**Common gray cases** Curators cannot grade this factor when the audit report is not publicly available or when the protocol does not publish source code with verifiable commit history, making it impossible to cross-reference stated resolutions against deployed code.

**Notable historical examples** The Merlin DEX case ($1.82M, 2023) is the clearest documented instance: CertiK accepted a verbal commitment of a multisig migration as resolution for a critical centralization finding; the EOA was never replaced and remained the direct exploit vector.

Measurement: what to look for

Count the number of findings the audit report marks "Resolved" or "Fixed" where no matching on-chain bytecode change or verifiable commit can be found.

Data & output

**Data source** Audit PDF findings table + protocol GitHub commit history + Etherscan bytecode diff vs report commit

**Output format** Green / Yellow / Red

**Evidence artifact** Audit PDF URL + finding IDs marked resolved + commit SHA(s) purporting to fix each + bytecode diff confirming fix; curator sign-off

**Confidence signal** green = 0 unverifiable resolutions; yellow = 1–2 low/medium severity unverified; red = any high/critical finding marked resolved without verifiable on-chain proof; gray = audit PDF not accessible
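An added example (not defirisk.co's own tooling) of the cross-reference described under Methodology and the thresholds above, in Python: each finding marked Resolved or Fixed is checked for a cited commit SHA present in the repo history and for a bytecode change versus the audited build, and the protocol is then graded with the Green/Yellow/Red/gray rules. The dataclasses, field names and sample data are constructed assumptions; the rubric does not say how three or more unverified low/medium findings score, and the example treats that as red.

```python
from dataclasses import dataclass, field
RESOLVED_STATUSES = {"resolved", "fixed"}
HIGH_OR_CRITICAL = {"critical", "high"}

@dataclass
class Finding:
    finding_id: str
    severity: str                     # critical / high / medium / low
    status: str                       # status as printed in the audit PDF
    fix_commit: str = ""              # SHA the team cites as the fix ("" = none)
    confirmed_by_followup_audit: bool = False

@dataclass
class Protocol:
    audit_public: bool                # False -> gray, nothing to cross-reference
    commit_history: set               # SHAs present in the protocol's repo
    audited_bytecode: bytes           # runtime bytecode at the audited commit
    deployed_bytecode: bytes          # runtime bytecode currently on-chain
    findings: list = field(default_factory=list)

def is_unverified_resolved(f: Finding, p: Protocol) -> bool:
    # Closed in the PDF, but no citable commit in the repo and/or deployed
    # bytecode identical to the audited build. A follow-up audit confirming
    # the remediation counts as proof (the rubric's Green clause).
    if f.status.lower() not in RESOLVED_STATUSES or f.confirmed_by_followup_audit:
        return False
    commit_ok = bool(f.fix_commit) and f.fix_commit in p.commit_history
    return not (commit_ok and p.deployed_bytecode != p.audited_bytecode)

def unverified_findings(p: Protocol) -> list:
    return [f for f in p.findings if is_unverified_resolved(f, p)]

def grade(p: Protocol) -> str:
    # RD-F-003 thresholds: gray, then red on any high/critical unverified, green on zero, yellow on 1-2
    if not p.audit_public:
        return "gray"
    unverified = unverified_findings(p)
    if any(f.severity.lower() in HIGH_OR_CRITICAL for f in unverified):
        return "red"
    if not unverified:
        return "green"
    return "yellow" if len(unverified) <= 2 else "red"  # 3+: ASSUMPTION, rubric is silent

# Constructed sample, Merlin-style: critical finding marked Resolved on a verbal
# promise (no commit cited) and deployed bytecode identical to the audited build.
SAMPLE = Protocol(audit_public=True, commit_history={"a1b2c3"},
                  audited_bytecode=b"\x60\x80\x60\x40", deployed_bytecode=b"\x60\x80\x60\x40",
                  findings=[Finding("C-01", "critical", "Resolved"),
                            Finding("L-01", "low", "Fixed", fix_commit="a1b2c3")])
```

In the sample, L-01 cites a real commit but the on-chain bytecode never changed, so it is unverified too; the critical C-01 alone is enough to push the protocol to red.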

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-003 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | red |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | green |
| Jito | solana | yellow |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | yellow |
| Meteora | solana | gray |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | yellow |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | green |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-003 | category: 1 | carried: 80 | critical: no