Code complexity vs audit coverage
EigenLayer's assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
EigenLayer's beacon chain proof verification (EigenPod) is exceptionally complex. Hexens found a critical Merkle bit-length validation gap (EIG-10) in the nested Merkle tree system. Certora found a critical validator hazard in the checkpoint/Electra interaction. Both were pre-exploitation findings — demonstrating that the complexity has strained audit coverage at least twice. AllocationManager was split into two contracts for size (v1.9.0). However, 22 audit engagements across 4 firms over 3 years provide an adequate coverage-per-complexity ratio overall.
Sources
- One Tiny Error, Massive Impact: Inside EigenPods Critical Merkle Bug. Hexens blog — critical EigenPods Merkle bug (EIG-10) finding. Retrieved 2026-04-28.
- How EigenLayer Prevented a Critical Validator Hazard in Ethereum's Electra Upgrade. Certora blog — critical validator hazard in EigenLayer Electra interaction. Retrieved 2026-04-28.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.