Deployed bytecode reproducibility

Concrete's assessment for RD-F-145 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Source code is public in bug-bounty repo. Build toolchain is documented (foundry.toml: Solidity 0.8.27, optimizer 190 runs, viaIR false). Etherscan shows Exact Match verification for key contracts. However, no public reproducibility artifact (forge build verification script) was found. Bytecode should be reproducible via forge build but this has not been publicly demonstrated.

Sources #

Etherscan
ConcreteFactory Implementation — Exact Match Etherscan verificationConcreteFactory impl 0x224f3450: Exact Match verified on Etherscan (submitted source matches deployed bytecode)retrieved 2026-05-17
GitHub
Concrete GitHub — foundry.toml build paramsfoundry.toml: solc 0.8.27, optimizer_runs=190, viaIR=false — build params documentedretrieved 2026-05-17

Methodology #

Determine whether anyone can independently reproduce the deployed bytecode from the repo and declared build toolchain.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-145 score yellow collected_at 2026-05-17 14:36:59