defirisk.co
rubric v1.7.0

Audit scope mismatch

Circle USYC's assessment for RD-F-001 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No named smart-contract security audit firm or public report has been located. The USYC documentation states the ERC-20 token is 'externally audited and verified on Etherscan' but provides no firm name, date, or report URL. Cohen and Company (listed as 'Auditor' in service-providers docs) is the fund's financial/accounting auditor, not a smart-contract security firm. No audit PDF, commit SHA, or report link found on Certora, Halborn, or any major audit firm index. 9 upgrades recorded on the ETH proxy; the most recent on 2025-12-09 would not be covered by any pre-2025 audit.

Sources #

  • Etherscan
    USYC ERC-20 Token Proxy - EtherscanETH proxy 0x136471a34f6ef19fE571EFFC1CA711fdb8E49f2b shows 9 upgrades most recent 2025-12-09; no audit commit SHA cross-referenceableretrieved 2026-05-16
  • Docs
    Service Providers - USYCUSYC service providers page listing Cohen and Company as Auditor with no smart-contract security firm listedretrieved 2026-05-16
  • Docs
    USYC Overview - Circle DocsCircle developer docs state token is 'audited and verified on Etherscan' but name no firmretrieved 2026-05-16

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol circle-usyc factor RD-F-001 score red collected_at 2026-05-15 21:56:43