★ Post-audit code changes without re-audit

Babylon Protocol's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Multiple audit engagements covered different versions. KEY: OpenZeppelin 2026-04-01 research found 4 active vulnerabilities (delegation status flaw, FP jailing bypass, co-staking accounting error, type assertion panic) in deployed code. OZ states 'fixes shipped promptly' with PR #1911 and #390 referenced. However: (1) V4 upgrade (v4.0.0, Nov 2025) has Halborn and Coinspect audits listed but reports NOT publicly available at assessment date — cannot verify audit coverage; (2) whether OZ-identified fixes were independently re-audited post-deployment is not confirmed. Graded yellow (not red) because OZ stated fixes were shipped, and a formal audit culture exists (9+ engagements total). Missing public V4 audit reports reduce confidence.

Sources #

Docs
Babylon Security Audit ReportsAudit reports page — V4 audits by Halborn and Coinspect listed but reports not publicly accessibleretrieved 2026-05-04
URL
State Changes at the Boundary — OpenZeppelin Babylon ResearchOpenZeppelin 2026-04-01 research — 4 vulnerabilities found in active code, fixes shipped promptlyretrieved 2026-05-04

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol babylon-protocol factor RD-F-139 score yellow collected_at 2026-05-04 19:43:27