★ Post-audit code changes without re-audit
OpenEden's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The Hacken V4 audit was finalized on 2024-12-10 (final commit 1299050d). Post-audit GitHub commits (6 total, Jul 11 – Sep 8, 2025) include: (1) instant redemption logic; (2) a BUIDL redemption interface; (3) removal of setTotalSupplyCap(), mintTo(), burnFrom(), and reIssue(); (4) renamed state variables; (5) the addition of checkLiquidity(); (6) a major restructure on Sep 8 (78 additions, 119 deletions). These changes were deployed to mainnet as V5 (0xc4545Bf80f, 2025-08-14). The Halborn Jul-Aug 2025 audit covered only StabilityVault.sol (USDO TGE), NOT the vault V5 upgrade. No subsequent audit of the vault V5 code was found. Material post-audit code changes were deployed without re-audit. [★ CRITICAL]
Sources
- Audit: Halborn StabilityVault audit — scope confirmation. Halborn Jul-Aug 2025: scope = StabilityVault.sol only (USDO TGE); does NOT cover vault V5 changes. Retrieved 2026-05-16.
- Post-audit vault code change (Sep 8, 2025). Commit 47a77ab (Sep 8, 2025): 78 additions / 119 deletions to OpenEdenVaultV4Impl.sol — post-audit changes deployed as V5. Retrieved 2026-05-16.
- Hacken V4 audit — final date and scope. Hacken V4 audit final: 2024-12-10, commit 1299050d; scope OpenEdenVaultV4Impl.sol — does not cover post-Jul-2025 changes. Retrieved 2026-05-16.
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.