defirisk.co
rubric v1.7.0

Deployed bytecode reproducibility

A post-deploy hygiene & change mgmt factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the protocol's deployed bytecode is independently reproducible from the public repository and the protocol's declared build toolchain — meaning a third party can clone the repo, install the declared compiler version and dependencies, run the declared build command, and produce bytecode that matches the deployed runtime bytecode byte-for-byte. Reproducible builds are a necessary condition for independent verification of any deployment claim.

**Why it matters** Build reproducibility is the technical foundation for auditability. Without it, even a fully audited and source-verified protocol cannot be confirmed to deploy what it published: compiler version drift, dependency version differences, and build-environment assumptions can all produce materially different bytecode from identical source. The StableMagnet exploit ($27M) demonstrated this attack class: Techrate audited code from the GitHub repository while the deployed BSC library was a completely different binary — users had no way to detect the discrepancy because build reproducibility was not established. Reproducible builds create a deterministic verification path from source to deployment that any party can independently audit.

**Green / Yellow / Red** Green is assigned when the protocol provides a documented build configuration (Dockerfile, pinned foundry.toml, or equivalent) and independent reproduction of the deployed bytecode is confirmed for at least the most recent deployment. Yellow covers cases where build instructions are published but contain environment-specific assumptions, or where reproducibility has been verified for earlier versions but not the current deployment. Red is assigned when no build reproducibility documentation exists and independent bytecode reproduction cannot be performed.

**Common gray cases** This factor is grayed when the protocol operates on a non-EVM chain where deterministic compilation tooling is not yet standardized, or when the deployment predates the availability of reproducible build tooling for the relevant compiler.

**Notable historical examples** No hack incidents from the database are currently cross-linked to this factor.

Measurement: what to look for

Determine whether anyone can independently reproduce the deployed bytecode from the repo and declared build toolchain.

Data & output

Data source: protocol docs build instructions + curator attempt to reproduce bytecode from the declared toolchain (solc version, optimizer settings)
Output format: Green / Yellow / Red
Evidence artifact: reproduction attempt result (match/mismatch) + build command used + source commit SHA
Confidence signal: green = bytecode reproducible with declared toolchain; yellow = minor metadata hash difference only (non-logic); red = bytecode not reproducible; gray = build instructions not published
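As an added example that is not part of the rubric page, this Python script shows the comparison step the methodology and the confidence-signal row describe: rebuilt runtime bytecode against deployed runtime bytecode, with solc's CBOR metadata trailer split off so that a metadata-only difference is reported as yellow rather than red. All sample bytecode here is constructed; the script does not model immutables or constructor arguments, which a full reproduction check would also have to account for.

```python
"""Compare locally rebuilt runtime bytecode with deployed runtime bytecode and map
the result onto the rubric's green / yellow / red confidence signal."""


def cbor_metadata(ipfs_digest: bytes, solc_version: bytes) -> bytes:
    """Constructed sample of the trailer solc appends: a CBOR map {"ipfs": multihash,
    "solc": 3-byte version} followed by a 2-byte big-endian length of that map."""
    assert len(ipfs_digest) == 32 and len(solc_version) == 3
    meta = (b"\xa2" + b"\x64ipfs" + b"\x58\x22\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43" + solc_version)
    return meta + len(meta).to_bytes(2, "big")


def split_metadata(runtime: bytes) -> tuple[bytes, bytes]:
    """Split runtime bytecode into (logic, metadata). The last two bytes give the
    metadata length; if that length is implausible or the blob does not start
    with a CBOR map byte (0xa0-0xbf), assume no metadata was appended."""
    if len(runtime) < 2:
        return runtime, b""
    meta_len = int.from_bytes(runtime[-2:], "big")
    cut = len(runtime) - 2 - meta_len
    if meta_len == 0 or cut < 0 or not 0xA0 <= runtime[cut] <= 0xBF:
        return runtime, b""
    return runtime[:cut], runtime[cut:-2]


def classify(built_hex: str, deployed_hex: str) -> str:
    """green: byte-for-byte match; yellow: only the metadata trailer differs
    (e.g. the source hash moved because of a path or comment change); red: logic differs."""
    built = bytes.fromhex(built_hex.removeprefix("0x"))
    deployed = bytes.fromhex(deployed_hex.removeprefix("0x"))
    if built == deployed:
        return "green"
    built_logic, built_meta = split_metadata(built)
    deployed_logic, deployed_meta = split_metadata(deployed)
    if built_logic == deployed_logic and built_meta != deployed_meta:
        return "yellow"
    return "red"


# Constructed sample bytecode (not from any real deployment): a short opcode
# prefix plus a solc-style metadata trailer claiming compiler version 0.8.19.
LOGIC = bytes.fromhex("6080604052348015600e575f80fd5b50")
META_V0819 = b"\x00\x08\x13"
BUILT = "0x" + (LOGIC + cbor_metadata(b"\x11" * 32, META_V0819)).hex()
DEPLOYED_META_DIFF = "0x" + (LOGIC + cbor_metadata(b"\x22" * 32, META_V0819)).hex()
DEPLOYED_NO_META = "0x" + LOGIC.hex()  # same logic, built with bytecodeHash = none
DEPLOYED_LOGIC_DIFF = "0x" + (LOGIC[:-1] + b"\x00" + cbor_metadata(b"\x11" * 32, META_V0819)).hex()
```

In a real reproduction attempt the `built_hex` value comes from the local build output and `deployed_hex` from the chain's runtime code for the address; the source commit SHA and build command should be recorded alongside the verdict as the evidence artifact.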

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-145 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | not_assessed |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | red |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | gray |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | red |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | yellow |
| Orca | solana | gray |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | gray |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-145 | category: 9 | carried: 80 | critical: no