★ Post-audit code changes without re-audit

Concrete's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

ConcreteFactory upgraded to 0x224f3450 on March 19, 2026 (block 24692293). Most recent V2 audit: Halborn Sep 3–16, 2025 (commit b1b7cec, remediation Oct 3, 2025). No audit identified for the March 2026 factory implementation. VaultProxy (0x0e609b) upgraded March 30 and May 6, 2026 — also post any known audit scope. Zellic (May–Jun 2025) predates all 2026 upgrades. Total unaudited deployment window: ~5 months. This is a [★ CRITICAL] factor.

Sources #

Audit
Halborn Earn V2 Core Audit — Sep 2025 (pre-2026 upgrades)Halborn V2 audit: Sep 3–16, 2025; commit b1b7cec; remediation commit 4f64163 through Oct 3, 2025; scope does NOT cover 2026 deployed implementationsretrieved 2026-05-17
Tx
ConcreteFactory upgrade tx March 2026 — post-audit driftConcreteFactory Upgraded event March 19, 2026 (block 24692293, tx 0xb0fcfaf...): new impl 0x224f3450 — not covered by Halborn V2 (Oct 2025) or Zellic (Jun 2025)retrieved 2026-05-17
Internal
00-profile.md §3 — VaultProxy upgrades (both post-audit)Profile §3: VaultProxy 0x0e609b upgraded March 30, 2026 and May 6, 2026 — both post any known audit scoperetrieved 2026-05-17

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-139 score red collected_at 2026-05-17 14:36:59