defirisk.co
rubric v1.7.0

Code complexity vs audit coverage

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor assesses whether the protocol's code complexity -- measured by cyclomatic complexity of critical functions or by lines-of-code per audit-day ratio -- exceeds a curator-declared threshold that indicates the audit coverage was likely insufficient. The threshold is calibrated per audit type: a three-week, two-person audit of 5,000 LOC is flagged differently than the same audit applied to 50,000 LOC. The data source is static analyzer output (cyclomatic complexity) combined with audit PDF metadata (duration, auditor count, LOC covered).

**Why it matters** Code complexity is a proxy for the probability that an audit missed a bug. KyberSwap Elastic ($48M, 2023) was a highly complex concentrated-liquidity AMM where the exploited precision failure in tick-crossing boundary arithmetic was a corner case invisible to conventional audit review and only detectable through exhaustive boundary testing or formal verification. MonoX ($31.4M, 2021) implemented a novel single-token AMM with complex pricing invariants that two independent auditors missed. In both cases, the code was too complex for the audit coverage applied. When LOC per audit-day is very high, the statistical probability of a missed bug increases substantially.

**Green / Yellow / Red** Green: the audit LOC-per-auditor-day ratio is below the curator threshold (approximately 300 LOC/day for novel math-heavy code, 500 LOC/day for standard DeFi patterns), and no individual function exceeds cyclomatic complexity of 20. Yellow: the ratio is 1.5x to 2x the threshold, or complexity is elevated in peripheral functions only. Red: the LOC-per-auditor-day ratio exceeds 2x the threshold for the protocol type, or any critical function has cyclomatic complexity above 30 with no dedicated review or formal verification.

**Common gray cases** This factor is gray when the audit does not disclose duration or auditor count, making the LOC-per-day calculation impossible.

**Notable historical examples**
- **KyberSwap Elastic** ($48M, 2023): Complex concentrated-liquidity tick arithmetic exceeded what conventional audit methods could reliably verify.
- **MonoX** ($31.4M, 2021): Novel single-token AMM pricing model too complex for two independent auditors to fully verify.
- **Value DeFi** ($10M, 2021): Complex multi-token pool math produced an exploitable edge case.
- **Bunni** ($8.4M, 2025): Concentrated liquidity math without formal verification or sufficient complexity-adjusted audit depth.

Measurement: what to look for

Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.

Data & output

**Data source** Slither complexity metrics on Etherscan-verified source + audit PDF page count + duration from PDF metadata

**Output format** Green / Yellow / Red

**Evidence artifact** Complexity score JSON + audit-day count + LOC count + derived ratio

**Confidence signal** green = ratio within threshold (audit appears adequate for code size); yellow = ratio borderline (audit scope narrow relative to code size); red = ratio clearly exceeds threshold (e.g. >500 LOC/audit-day); gray = audit duration not stated in PDF
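As an added example (not defirisk.co's own scoring code), the following Python classifier applies the Green/Yellow/Red/Gray bands from the methodology section above and emits the evidence artifact described under Data & output. The audit metadata, the function metrics, the 21-day reading of "three weeks" and the handling of bands the rubric leaves unassigned are assumptions, marked in the comments.

```python
from dataclasses import dataclass
from typing import Optional

# Curator thresholds quoted in the rubric text (LOC per auditor-day).
LOC_PER_DAY_THRESHOLD = {"novel_math": 300, "standard": 500}
CC_GREEN_MAX = 20  # Green requires every function at or below this
CC_RED_MIN = 30    # a critical function above this with no dedicated review is Red

@dataclass
class AuditMeta:
    loc_covered: int
    duration_days: Optional[int]  # None when the audit PDF does not state it
    auditor_count: Optional[int]

@dataclass
class FunctionMetric:
    name: str
    cyclomatic: int  # e.g. taken from Slither's function-level metrics
    critical: bool   # value-moving or invariant-bearing function

def loc_per_auditor_day(audit: AuditMeta) -> Optional[float]:
    """Derived ratio; None means duration or headcount is missing (gray case)."""
    if not audit.duration_days or not audit.auditor_count:
        return None
    return audit.loc_covered / (audit.duration_days * audit.auditor_count)

def score(audit, functions, protocol_type, dedicated_review=False):
    """Return (rating, evidence) using the rubric's Green/Yellow/Red/Gray bands."""
    ratio = loc_per_auditor_day(audit)
    threshold = LOC_PER_DAY_THRESHOLD[protocol_type]
    evidence = {  # mirrors the rubric's evidence artifact
        "loc": audit.loc_covered, "ratio": ratio, "threshold": threshold,
        "audit_days": (audit.duration_days or 0) * (audit.auditor_count or 0),
        "cyclomatic": {f.name: f.cyclomatic for f in functions},
    }
    if ratio is None:
        return "gray", evidence
    hot_critical = [f for f in functions if f.critical and f.cyclomatic > CC_RED_MIN]
    if ratio > 2 * threshold or (hot_critical and not dedicated_review):
        return "red", evidence
    # Assumption: the rubric leaves 1.0x-1.5x and critical CC of 21..30 unassigned;
    # this example treats both as Yellow, never Green.
    if ratio > threshold or any(f.cyclomatic > CC_GREEN_MAX for f in functions):
        return "yellow", evidence
    return "green", evidence

# Constructed sample: the rubric's three-week, two-person audit (21 days assumed).
SMALL = AuditMeta(loc_covered=5_000, duration_days=21, auditor_count=2)
LARGE = AuditMeta(loc_covered=50_000, duration_days=21, auditor_count=2)
FUNCS = [FunctionMetric("swap", 18, True), FunctionMetric("_sync", 12, False)]
```

With these inputs the 5,000 LOC audit lands Green while the identical audit of 50,000 LOC exceeds 2x the threshold for both protocol types and lands Red, which is the contrast the methodology section draws.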

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-024 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | red |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | yellow |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | yellow |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: 4 historical incidents

- **Bunni** — Precision/Rounding Error in Custom Liquidity Distribution Function (LDF) · 2025-09-01 · $8M · relation: causal · Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
- **KyberSwap Elastic** — Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · 2023-11-22 · $48M · relation: causal · Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
- **MonoX** — Native token self-swap price inflation — tokenIn/tokenOut identity bypass · 2021-11-30 · $31M · relation: causal · Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
- **Value DeFi** — Uninitialized Pool Re-initialization (Missing initialized = true) · 2021-05-05 · $10M · relation: causal · Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
rubric_version: v1.7.0 · factor: RD-F-024 · category: 1 · carried: 80 · critical: no