Deployed bytecode matches signed release tag
dYdX v4 (dYdX Chain)'s assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Go binary releases on GitHub use GPG-signed tags: release protocol/v9.4.0 was signed by committer jusbar23 (GPG key 8BD52CBD93180098) and GitHub (GPG key B5690EEEBB952194). However, binary checksums for the compiled Go artifacts were not confirmed on the release page. The February 2026 npm/PyPI compromise showed developer credential risk for the client libraries (not the chain binary), but it demonstrates underlying developer account exposure. Yellow: signed tags exist; binary checksum confirmation is absent.
Sources
- GitHub, dYdX v4-chain release protocol/v9.4.0. Release protocol/v9.4.0: GPG-signed tag by jusbar23 and GitHub (retrieved 2026-05-17)
- Compromised dYdX npm and PyPI Packages. Feb 2026 npm/PyPI compromise: developer credential compromise (retrieved 2026-05-17)
Methodology
Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.