★ Post-audit code changes without re-audit

Beefy Finance's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CRITICAL: BeefyVaultV7 (released August 2022) and all modern base strategy contracts (BaseAllToNativeStrat.sol, BaseAllToNativeFactoryStrat.sol, StratFeeManagerInitializable.sol) have NO audit coverage in the beefy-audits repository (12 engagements, last core audit 2021-CertiK/DefiYield). All 2023-2025 audits cover only specific modules: ERC-4626 Wrapper, BIFI token (xERC-20), Zap contract, CLM module, beS liquid staking token. Hundreds of individual strategy variants deployed continuously without audit. This constitutes large-scale ongoing post-audit code deployment without re-audit coverage on the core vault and strategy infrastructure.

Sources #

Audit
Sherlock CLM Audit 2024-07Sherlock CLM audit 2024-07: covers CLM (Concentrated Liquidity Manager) only — not core vaultsretrieved 2026-05-16
GitHub
Beefy Audits Repository — full audit listingbeefy-audits repository — 12 audit engagements listed, none covering BeefyVaultV7 or base strategy contracts post-2021retrieved 2026-05-16
Audit
Electisec beS Audit 2025-04Electisec 2025-04: covers beS (Beefy-escrowed Sonic) only — not core vaultsretrieved 2026-05-16

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol beefy factor RD-F-139 score red collected_at 2026-05-16 13:10:30