★ Post-audit code changes without re-audit
BENQI's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Halborn audited the BENQI Liquidity Market in May 2021. The public repo's last commit is dated 2023-01-11, meaning commits continued for nearly 2 years after the audit with no corresponding re-audit of the core lending contracts visible in the public audit record. Isolated Markets (~2024) and Ignite (Dedaub 2023, Cyfrin Dec 2024) received separate audits that cover their own new modules but not the original Comptroller and qiToken codebase. No audit PDF with a current commit SHA matching the deployed core lending contracts is publicly documented. This represents material post-audit code changes (market listings, parameter updates, potential codebase changes) deployed without re-audit of core contracts over a 4-year period.
Sources
- GitHub — Benqi-fi/BENQI-Smart-Contracts. BENQI-Smart-Contracts repo: last commit 2023-01-11; repo covers lending/, sAVAX/, veQI/ directories. Retrieved 2026-05-16.
- Risks & Audits | BENQI. BENQI risks page: audit list shows new-module audits but no core lending market re-audit after 2021. Retrieved 2026-05-16.
- Benqi Smart Contract Security Audit — Halborn v1.1. Halborn lending market audit May 2021: original audit covering Compound V2 fork; no subsequent re-audit of core lending contracts publicly documented. Retrieved 2026-05-16.
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.