defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

A post-deploy hygiene & change management factor in the v1.7.0 rubric. Measured per protocol on a recurring cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor counts the number of deployed changes to previously-audited bytecode for which no subsequent audit or targeted spot review is on record. The assessment compares the deployed bytecode hash at the time of the most recent audit against the current deployed bytecode, then cross-references any changes against the protocol's published audit history. Changes introduced after the audit cutoff that are not covered by a subsequent review increment this factor's count; a non-zero count triggers a red assessment.

**Why it matters** Post-audit code changes are the most reliable predictor of upgrade-introduced vulnerabilities in the evidence base. The synthesis identifies this as the second-most impactful risk factor by dollar volume: Euler Finance ($197M) shipped a donateToReserves function that was specifically reviewed by Sherlock but contained the exploited flaw; GMX V1, Hedgey Finance, PancakeBunny, Pickle Finance, and Penpie all share the same structural failure — new code shipped without holistic re-audit, and the new code is where the vulnerability lived. The core insight is that time-since-last-upgrade is a more useful risk signal than time-since-last-audit: an audit is a point-in-time certification of a specific bytecode, and its assurance expires the moment any audited contract is modified.

**Green / Yellow / Red** Green is assigned when the current deployed bytecode hash matches the audited commit, or when any post-audit changes are fully covered by a subsequent professional audit or targeted spot review by a recognized firm. Yellow covers cases where one or two minor changes (parameter-only adjustments, non-logic updates) are unaudited but their scope can be bounded by curator review. Red is assigned when any logic change to an audited contract — particularly in reward distribution, collateral accounting, liquidation, or access control — has been deployed without subsequent audit coverage.

**Common gray cases** This factor is grayed when the bytecode comparison cannot be completed due to source verification gaps, or when the protocol uses an immutable (non-upgradeable) architecture where post-audit changes are structurally impossible.

**Notable historical examples**

- **PancakeBunny** ($45M, 2021): VaultFlipToFlip upgrade was not audited by Haechi; the new vault contained the exploited flash-loan manipulation path.
- **Hedgey Finance** ($44.7M, 2024): Post-audit contract version introduced the vulnerability; Ethereum and Arbitrum drained simultaneously.
- **Penpie** ($27M, 2024): Post-audit permissionless market registration introduced the reentrancy path; three audit firms had reviewed earlier code.
- **Pickle Finance** ($19.7M, 2020): ControllerV4 strategy added after audit completed; contained the exploited cross-strategy drain.
- **Safemoon** ($8.9M, 2023): Public burn() function introduced in an upgrade six hours before exploit; no re-audit of the change.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0 — a single red assessment here overrides all other category scores. Post-audit code changes without re-audit are the structural mechanism by which protocols convert a high-assurance codebase into an unreviewed one — the Euler Finance lineage demonstrates that even well-resourced protocols with multiple auditors cannot treat audited status as permanent once code changes.

Measurement: what to look for

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

Data & output

**Data source** Audit PDF report commit SHA + deployed bytecode commits after audit + diff LOC + any post-audit audit PDF

**Output format** Green / Yellow / Red · critical gate active

**Evidence artifact** Diff between audit commit and deployed commit + LOC changed + subsequent audit PDF URLs (if any)

**Confidence signal** green = all post-audit changes covered by follow-on audit or zero material changes; yellow = minor post-audit changes (<50 LOC) not covered but documented; red = material post-audit code changes deployed without any audit coverage; gray = audit commit SHA not determinable
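The bytecode comparison, coverage cross-reference and colour thresholds described in the methodology and confidence signal above, as an added example that is not defirisk.co's own scoring code. The records, dates, commit SHAs and hashes are constructed, and the rule that a holistic audit dated on or after a deployment covers that deployment is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration of the factor's scoring logic (not defirisk.co code).
# Inputs mirror the factor's data source: audited commit + bytecode hash,
# each later deployment with its diff size and change kind, follow-on audits.

@dataclass
class Audit:
    commit: str            # commit SHA the report certifies ("" if unknown)
    bytecode_hash: str     # deployed bytecode hash at that commit
    report_date: date
    holistic: bool = True  # False for a targeted spot review of one commit

@dataclass
class Deployment:
    commit: str
    deployed: date
    loc_changed: int
    logic_change: bool     # False for parameter-only / non-logic updates

def covered(d, later):
    # Assumption: a holistic audit dated on/after the deployment reviews the
    # code as deployed; a spot review only covers the exact commit it names.
    return any(a.commit == d.commit or (a.holistic and a.report_date >= d.deployed)
               for a in later)

def uncovered_changes(audit, deployments, later):
    return [d for d in deployments
            if d.deployed > audit.report_date and not covered(d, later)]

def assess(audit, current_hash, deployments, later):
    """Return (uncovered change count, colour) per the rubric's confidence signal."""
    if audit is None or not audit.commit:
        return 0, "gray"                      # audit commit SHA not determinable
    if current_hash == audit.bytecode_hash:
        return 0, "green"                     # deployed code is exactly what was audited
    pending = uncovered_changes(audit, deployments, later)
    if not pending:
        return 0, "green"                     # every change has follow-on coverage
    minor = (len(pending) <= 2                # "one or two minor changes"
             and not any(d.logic_change for d in pending)
             and sum(d.loc_changed for d in pending) < 50)
    return len(pending), "yellow" if minor else "red"

# Constructed scenario: a spot-reviewed parameter tweak, then an unreviewed
# rewrite of reward accounting (a logic change) deployed after the audit.
AUDIT = Audit("a1b2c3", "0xaud", date(2024, 1, 10))
DEPLOYS = [Deployment("d4e5f6", date(2024, 2, 1), 12, False),
           Deployment("9a8b7c", date(2024, 3, 15), 210, True)]
SPOT = [Audit("d4e5f6", "0xdep1", date(2024, 2, 5), holistic=False)]
```

`assess(AUDIT, "0xdep2", DEPLOYS, SPOT)` returns `(1, "red")`: the logic change is the one uncovered deployment, and a single red here is enough to trip the critical gate.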

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-139 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | red |
| BENQI | avalanche | red |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | red |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | red |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | green |
| Frax Finance | ethereum | red |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | red |
| Hyperliquid | arbitrum | red |
| Jito | solana | yellow |
| Jupiter | solana | red |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | red |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | red |
| Midas | ethereum | red |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | red |
| Orca | solana | yellow |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | red |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | red |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | red |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks (9 historical incidents)

- **related** · GMX V1 — Cross-Contract Reentrancy via Order-Keeper Callback · 2025-07-09 · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Bedrock (uniBTC vault) — Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint) · 2024-09-25 · $2M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Penpie — Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · 2024-09-03 · $27M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Hedgey Finance — Unverified User Input — Flash Loan Enabled Approval Manipulation · 2024-04-19 · $45M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Platypus Finance (3rd exploit) — Flash loan + LP-AVAX pool cash/liability manipulation → slippage-inflated swap output · 2023-10-12 · $2M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Level Finance — Logic bug — referral reward claimMultiple() epoch not checked for reuse · 2023-05-01 · $1M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Safemoon — Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain · 2023-03-28 · $9M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · PancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · 2021-05-19 · $45M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- **causal** · Pickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function · 2020-11-22 · $20M · ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
rubric_version: v1.7.0 · factor: RD-F-139 · category: 9 · carried: 80 · critical: yes