★ Post-audit code changes without re-audit

Compound V3 (Comet)'s assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OpenZeppelin has active ongoing security partnership: 12 comprehensive audits in 2024; 7 governance proposal reviews in 2024; annual renewal via governance vote. New chain deployments follow structured process including OZ security review. Individual per-upgrade audit reports for April 2026 implementations not individually published/publicly accessible — per-upgrade traceability insufficient for green. Not red because OZ partnership materially mitigates risk and 2023 vulnerability was proactively patched before public disclosure.

Sources #

URL
https://www.tally.xyz/gov/compound/proposal/203retrieved 2026-04-28
URL
https://messari.io/governor/proposal/7d7613d7-3834-477a-99f1-75e4f3769883retrieved 2026-04-28
URL
https://www.openzeppelin.com/news/strengthening-defi-openzeppelin-and-compounds-security-partnership-in-2024retrieved 2026-04-28

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-139 score yellow collected_at 2026-04-28 00:20:50