defirisk.co
rubric v1.7.0

Fix-merged-but-not-deployed gap

Across Protocol's assessment for RD-F-140 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Fix-merged-but-not-deployed gap | EIP-712 replay vulnerability in `CounterfactualDepositSpokePool` is known but explicitly "Acknowledged, not resolved" by team as an accepted design limitation. This is a different risk class from a merged fix not yet deployed — the fix was not merged. However, the team stated they "would never deploy clones with multiple implementation-type leaves" — a behavioral constraint, not a code fix. Not a classic fix-merged-but-not-deployed situation. | OZ Deposit Flo...

Sources #

  • Curator note
    Extracted from 02-governance-admin.md — RD-F-140; no URL citedretrieved 2026-04-28

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol across-protocol factor RD-F-140 score gray collected_at 2026-04-30 21:19:18