Deployed bytecode matches signed release tag

Liquid Collective (LsETH)'s assessment for RD-F-136 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Most recent public release tag is v1.3.0 (commit 964f0e3, Apr 10, 2024). Most recent mainnet upgrade deployed Nov 20, 2024 to implementation 0x34E46177...D58, which corresponds to Certora audit remediation. The deployed implementation appears to be a post-v1.2.1 Certora-audited version, not v1.3.0 BYOV. Exact commit SHA of deployed implementation cannot be confirmed without bytecode diff — requires curator (code-security-analyst) to diff deployed bytecode against tagged commits. Cannot confirm signed-release-tag match for current deployment.

Sources #

GitHub
GitHub release v1.3.0 — most recent tag, commit 964f0e3liquid-collective/liquid-collective-protocol/releases/tag/v1.3.0 — commit 964f0e3retrieved 2026-05-17
Etherscan
River proxy — last upgrade Nov 20, 2024 to Certora-audited impl0x8c1BEd5b — Upgraded event Nov 20, 2024 to 0x34E461...D58retrieved 2026-05-17

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquid-collective factor RD-F-136 score gray collected_at 2026-05-16 19:46:23