★ Audit scope mismatch
Frax Finance's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Dec-2025 stealth-patch allegation: researcher 'clarkcorrin' claims that FraxEtherRedemptionQueueV2 (0xfDC69e6BE352BD5644C438302DE4E311AAD5565b) was silently patched to add a CannotRedeemZero check after Frax denied the reported DoS. Etherscan currently shows 'Exact Match' (solc 0.8.28, Cancun), and CannotRedeemZero is present in the ABI. Neither party has produced a re-verification tx hash. Two sources corroborate the allegation timeline (Medium + Frax gov post).

Additionally, frxUSD/sfrxUSD launched in Jan 2025 with first audit coverage (Zellic) only in Jul 2025, a 6-month audit gap on live funds. BAMM similarly pre-audited.

Combined: yellow (not green because of the process-failure evidence; not red without a confirmed bytecode-hash diff).
Sources
- Etherscan FraxEtherRedemptionQueueV2: contract verification (Exact Match, solc 0.8.28). Retrieved 2026-05-17.
- Frax Protocol Security Audits: Frax official audits list (frxUSD first Zellic audit Jul 2025 vs Jan 2025 launch). Retrieved 2026-05-17.
- Attribution Dispute - RedemptionQueueV2 DoS Vulnerability: Frax gov attribution dispute post. Retrieved 2026-05-17.
- FRAX FINANCE: The Stealth Patch & The Stolen Bounty: researcher stealth-patch allegation (Medium/coinsbench). Retrieved 2026-05-17.
Methodology
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
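One way to carry out this check offline, as an added example (not the curator's or Frax's own tooling): it compares runtime bytecode built from the audited commit with the deployed runtime bytecode, splitting off solc's CBOR metadata trailer so that a metadata-only difference is not mistaken for a code change. The byte strings are constructed samples, the function names are hypothetical, and it assumes a contract without immutables or linked libraries, whose bytes would need masking first.

```python
import hashlib

def split_metadata(runtime: bytes) -> tuple[bytes, bytes]:
    """Split solc runtime bytecode into (executable code, CBOR metadata trailer).

    solc appends a CBOR map followed by its length as 2 big-endian bytes.
    Input without a plausible trailer is returned as all code.
    """
    if len(runtime) < 3:
        return runtime, b""
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return runtime, b""
    trailer = runtime[-(n + 2):]
    if trailer[0] >> 5 != 5:  # CBOR major type 5 = map
        return runtime, b""
    return runtime[:-(n + 2)], trailer

def compare(audited: bytes, deployed: bytes) -> str:
    """Classify deployed bytecode against the build of the audited commit."""
    if audited == deployed:
        return "exact"
    if split_metadata(audited)[0] == split_metadata(deployed)[0]:
        return "metadata-only-diff"  # same code; source text or settings differ
    return "code-diff"  # executable code differs from what was audited

def fingerprint(runtime: bytes) -> str:
    """SHA-256 of the code without its trailer, for recording as evidence.
    (Not the EVM codehash, which is Keccak-256 over the full bytecode.)"""
    return hashlib.sha256(split_metadata(runtime)[0]).hexdigest()

# --- constructed sample data, not real contract bytecode ---
def sample_trailer(tag: bytes) -> bytes:
    digest = b"\x12\x20" + hashlib.sha256(tag).digest()  # fake IPFS multihash
    body = b"\xa2\x64ipfs\x58\x22" + digest + b"\x64solc\x43\x00\x08\x1c"
    return body + len(body).to_bytes(2, "big")

CODE_AUDITED = bytes.fromhex("6080604052348015600e575f5ffd5b00")
CODE_PATCHED = bytes.fromhex("6080604052348015600e575f5ffd5b3415601857005b5f5ffd")
AUDITED = CODE_AUDITED + sample_trailer(b"audited-sources")
REBUILT = CODE_AUDITED + sample_trailer(b"audited-sources-with-edited-comment")
DEPLOYED = CODE_PATCHED + sample_trailer(b"patched-sources")

if __name__ == "__main__":
    for name, blob in [("rebuilt", REBUILT), ("deployed", DEPLOYED)]:
        print(name, compare(AUDITED, blob), fingerprint(blob)[:16])
```

A "code-diff" result is the bytecode-hash difference the rubric treats as confirmation; "metadata-only-diff" means the executable code matches even though the source hash does not.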