★ Post-audit code changes without re-audit

dYdX v4 (dYdX Chain)'s assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Informal Systems maintains a continuous quarterly audit program: Q1 2024, Q2 2024, Q2+ supplemental 2024, Q3 2025 Proposer Selection Updates, plus the Vaults audit for MegaVault. Major upgrades v4.0, v8.0, v9.0 all had governance proposals and pre-deployment audit coverage. Identified gap: (1) The October 2025 emergency chain-halt patch was deployed without pre-deployment audit coverage (emergency scenario). (2) Rapid v9.x minor versions between quarterly audits may include unaudited incremental changes. Yellow: strong continuous audit program but one confirmed instance (Oct 2025 emergency patch) of unaudited code deployed.

Sources #

URL
dYdX v9.0 Software Upgrade Approvedv9.0 upgrade governance voteretrieved 2026-05-17
URL
October 2025 dYdX Chain Incident ReviewOctober 2025 incident — emergency patch without pre-auditretrieved 2026-05-17
GitHub
Informal Systems Audits RepositoryInformal Systems audits repository — dYdX quarterly reviews and Vaults auditretrieved 2026-05-17

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol dydx-v4 factor RD-F-139 score yellow collected_at 2026-05-17 09:58:47