defirisk.co
rubric v1.7.0

Deployed bytecode matches signed release tag

Meteora's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MeteoraAg GitHub has active repos with tags and releases matching version strings used in audit file naming. Audit files are keyed to version strings (e.g., damm-v2-audit-0.2.0.pdf). Exact bytecode hash match between deployed program and release-tag commit not independently verified — requires local build + RPC bytecode comparison. Policy appears followed based on audit file versioning, but cannot confirm bytecode-level match.

Sources #

  • GitHub
    DAMM v2 GitHubMeteoraAg/damm-v2 — version tags in reporetrieved 2026-05-16
  • GitHub
    MeteoraAg Audits RepositoryMeteoraAg/audits — audit files named by version string matching GitHub release tagsretrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol meteora factor RD-F-136 score yellow collected_at 2026-05-16 10:03:05