★ Post-audit code changes without re-audit
JustLend DAO's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Post-audit changes were deployed without an identified re-audit of the changed components. The 2022 CertiK audit covers the pre-GovernorBravo architecture. Significant post-audit changes: (1) GovernorBravo contracts added November 2022, not covered by the CertiK audit; (2) BUSD market addition February 2023; (3) March 2026 security config changes. SlowMist covers sTRX only; ChainSecurity 2024 covers stUSDT only. No audit was identified covering the GovernorBravo governance infrastructure. Yellow rather than red: GovernorBravo follows the standard Compound-Bravo design (a well-understood pattern); the Timelock is a minimal contract; no novel high-risk code was detected in the post-audit additions.
Sources
- Audit: JustLend CertiK Skynet — audit coverage. CertiK audit date: April 8 2022 (pre-GovernorBravo migration). SlowMist: sTRX scope only. ChainSecurity July 2024: stUSDT scope only. No audit found covering GovernorBravo governance architecture. Retrieved 2026-05-17.
- JustLend Protocol GitHub — post-audit commit history. GitHub commit history: November 2022 — GovernorBravo feature merge; February 2023 — BUSD feature merge; March 2026 — security config. All postdate the April 2022 CertiK audit. Retrieved 2026-05-17.
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.