Deployed bytecode matches signed release tag

M^0's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Core protocol contracts are immutable — bytecode fixed at deploy cannot drift. GitHub repos m0-foundation/protocol and m0-foundation/ttg are public. Release-tag-to-bytecode verification would require toolchain confirmation. Upgradeable periphery contracts were upgraded from audited baseline; specific commit SHAs vs deployed bytecode not confirmed by curator.

Sources #

GitHub
m0-foundation/protocol — GitHubm0-foundation/protocol — public repo with Foundry build, Solidity 0.8.23retrieved 2026-05-16
GitHub
m0-foundation/ttg — GitHubm0-foundation/ttg — public repo with Foundry buildretrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol m0 factor RD-F-136 score yellow collected_at 2026-05-16 09:46:19