Deployed bytecode matches signed release tag
Jupiter's assessment for RD-F-136 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Cannot verify — aggregator and perps programs are closed-source binaries. jup-ag/metis-binary shows binary releases but no signed git tags linking binary to source commit hash. Jupiter Lend (open-source) has a Code4rena competition snapshot at a fixed commit, which is more verifiable. Cannot confirm for the core closed-source programs that deployed bytecode matches any signed release.
Sources #
- GitHubJupiter metis-binary releases | GitHubjup-ag/metis-binary — binary releases without source code tagsretrieved 2026-04-29
Methodology #
Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol jupiter factor RD-F-136 score red collected_at 2026-04-29 11:51:25