★ Post-audit code changes without re-audit
Frax Finance's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
CRITICAL: Two confirmed post-audit changes without documented re-audit. (1) FraxEtherRedemptionQueueV2 (0xfDC69e6BE): Dec 5, 2025 researcher reported CannotRedeemZero DoS vulnerability; Frax team denied bug; deployed bytecode subsequently exhibited the proposed fix (zero-amount rejection) while Etherscan-verified source lacks this check — source/bytecode discrepancy; no governance announcement, no re-audit, no bounty paid. (2) frxUSD launched Jan 2025: no frxUSD-targeted audit in public audit list; nearest applicable audit (Trail of Bits Oct 2023) covers FXB/sFRAX/frxETH Redemption Queue V1, not frxUSD. April 2, 2026 upgrade of frxUSD also lacks confirmed re-audit.
Sources #
- GovernanceAttribution Dispute - RedemptionQueueV2 DoS Vulnerability | Frax Governancegov.frax.finance attribution dispute — FraxEtherRedemptionQueueV2 DoS vulnerability, team denied, subsequent behavioral change without announcementretrieved 2026-05-17
- FraxEtherRedemptionQueueV2 | EtherscanFraxEtherRedemptionQueueV2 0xfDC69e6BE — Etherscan shows Source Code Verified Exact Match, yet deployed behavior differs from source per researcher claimretrieved 2026-05-17
- FRAX FINANCE: The Stealth Patch & The Stolen Bounty | MediumMedium/@clarkcorrin stealth-patch allegation: Frax Finance quietly fixed vulnerability while denying it; Token Sniffer flagged bytecode anomalyretrieved 2026-05-17
- 00-profile.md §8 Audit Firms EngagedProfile §8 audit list — no frxUSD-targeted audit; Trail of Bits Oct 2023 covers FXB/sFRAX/frxETH Queue V1 scope onlyretrieved 2026-05-17
Methodology #
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.
See the full factor methodology and distribution across all protocols →