defirisk.co
rubric v1.7.0

Deployed bytecode matches signed release tag

Across Protocol's assessment for RD-F-136 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Deployed bytecode matches signed release-tag commit | Not directly confirmed — no public release-tag-to-bytecode mapping document located for the Feb 2026 SpokePool upgrade (impl 0x5E5B726C…). OZ audited the changes, but the exact commit-to-deployed-bytecode chain is not publicly documented in the GitHub release pipeline. Confidence gap — no evidence of mismatch, but also no positive attestation. | OZ audit ERC-3009/DepositIds (2026-02-02): audited commits; Etherscan upgrade event Feb 2, 2026...

Sources #

  • Curator note
    Extracted from 02-governance-admin.md — RD-F-136; no URL citedretrieved 2026-04-28

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol across-protocol factor RD-F-136 score gray collected_at 2026-04-30 21:19:18