★ Post-audit code changes without re-audit
Chainlink CCIP's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Public audit coverage is substantial: Code4rena May 2023 (v1.0 core+ARM), Code4rena July 2023 (ccip-owner-contracts), Cyfrin July 2024 (v1.5 CCT/TokenPool), and Code4rena November 2024 (16 contracts, 2,697 SLOC, v1.5/v1.6 prep). Gap: token pools were explicitly out of scope in the Nov 2024 audit, and v1.6 launched in May 2025 adding Solana/non-EVM support, with no identified public audit for the v1.6 Solana components. The gap is ~6-12 months on new surfaces. Yellow rather than red: the core EVM contracts are well audited, and private or internal review is likely not captured in the public list.
Sources
- Audit: Code4rena Chainlink Nov 2024 Audit. Code4rena Nov 2024 audit scope: 16 contracts, 2,697 SLOC; token pools explicitly out of scope. Retrieved 2026-05-16.
- CCIP v1.6 Launch | Chainlink Blog. CCIP v1.6 launched May 2025 adding Solana/non-EVM support; no identified public audit for v1.6 non-EVM components as of May 2026. Retrieved 2026-05-16.
- Cyfrin CCIP v1.5 Audit — GitHub. Cyfrin July 2024: CCIP v1.5 TokenPool/CCT standard (2,114 nSLOC). Retrieved 2026-05-16.
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.