★ Post-audit code changes without re-audit
mETH Protocol's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
LiquidityBuffer (Aave v3 integration) was activated October 2024 per protocol docs but was only audited in October-November 2025 (Exvul 2025-10-20, Blocksec 2025-10-21, Hexens 2025-10-22, MixBytes 2025-11-13). Additionally, GitHub commit history shows active code changes (liquidity buffer improvements, security enhancements, position manager fixes) from June-October 2025, with concurrent audits in October 2025. The gap between the feature's activation and its first audit coverage represents material post-audit code deployment without re-audit — matching the Euler lineage (F138 ~8P) definition. The 2025-06-17 mETH token upgrade also occurs between the 2024 cmETH/BoringVault audits and the 2025 LiquidityBuffer audits with no confirmed audit coverage.
Sources #
- GitHubmETH Protocol commit history showing development between auditsmantle-lsp/contracts commit history: active development Jun-Oct 2025 including liquidity buffer improvements and security enhancements; latest commit 2025-10-31retrieved 2026-05-16
- mETH Protocol security audits pagedocs.mantle.xyz/meth/security/audits: LiquidityBuffer/PositionManagerAAVE first audited Oct 2025 (Exvul 2025-10-20, Blocksec 2025-10-21, Hexens 2025-10-22, MixBytes 2025-11-13); prior mETH audits end Oct 2024retrieved 2026-05-16
- LiquidityBuffer proxy deployment dateLiquidityBuffer proxy 0x006fad... deployed ~Oct 2025 (203 days before May 2026); initial LiquidityBuffer feature activation documented as Oct 2024 in protocol docsretrieved 2026-05-16
Methodology #
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.
See the full factor methodology and distribution across all protocols →