Fix-merged-but-not-deployed gap

Midas's assessment for RD-F-140 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Private main repo prevents verification of merged PRs vs deployed bytecode. Sherlock 2024-08 judging README confirms all 6 findings were Fixed (PRs #64–#69), but whether the Dec-2025 impl (0xC8AF8477) includes all fixes is unverifiable without repo access. Cannot determine fix-merged-but-not-deployed status.

Sources #

GitHub
Sherlock 2024-08 judging — fix statusSherlock 2024-08 judging: all 6 findings (M-1 through M-6) marked Fixed with specific PR numbersretrieved 2026-05-16
Curator note
Private repo limitationPrivate repo: RedDuck-Software/midas-contracts — cannot verify PR merge vs deployed bytecoderetrieved 2026-05-16

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol midas factor RD-F-140 score gray collected_at 2026-05-16 09:34:55