★ Post-audit code changes without re-audit

Orca's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Six audit engagements: Kudelski (2022-01), Neodyme (2022-05), OtterSec (2024-08), Sec3 (2025-02, 2025-06, 2025-08). GitHub commits in Jan-Feb 2026 show post-audit code changes (adaptive fee constants, slippage precision, reposition liquidity instruction, idempotent token account creation) after the last audit (Aug 2025). Estimated <200 LOC in new instructions/changes. Yellow not red: open-source codebase, three Sec3 audits in 2025 demonstrate strong re-audit cadence, changes are functional extensions not security-core rewrites, 9-month gap is meaningful but not unusually long for an active protocol.

Sources #

Audit
Sec3 Audit Report 2025-08-22 (most recent)https://github.com/orca-so/whirlpools/blob/main/.audits/2025-08-22.pdfretrieved 2026-05-16
URL
DexRank Orca Review 2026 (secondary corroboration — zero hacks)https://dexrank.com/reviews/orcaretrieved 2026-05-16
GitHub
Whirlpool commit history — Feb 2026 changes post Aug 2025 audithttps://github.com/orca-so/whirlpools/commits/mainretrieved 2026-05-16

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol orca factor RD-F-139 score yellow collected_at 2026-05-16 02:39:16