Code complexity vs audit coverage
Chainlink CCIP's assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Code4rena Nov-2024: 2697 nSLOC over 25 days (~108 nSLOC/day). Cyfrin Jul-2024: 2114 nSLOC over 15 days (~141 nSLOC/day). Per-audit ratios are within typical bounds. However, total CCIP complexity across 60+ chains (per-lane OnRamp/OffRamp, full OCR2 library, Go offchain) vastly exceeds what any single audit has covered. The on-chain Solidity scope in audits is a subset of total system complexity.
Sources
- Chainlink Audit | Code4rena (Nov 2024) — scope and dates. Code4rena Nov-2024 — 2697 nSLOC, Nov 1-25 2024. Retrieved 2026-05-16.
- Cyfrin CCIP v1.5 audit — scope and dates. Cyfrin Jul-2024 — 2114 nSLOC, Jul 2-17 2024. Retrieved 2026-05-16.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.