★ Post-audit code changes without re-audit

Polymarket's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★] Cantina + Quantstamp audits March 2026. Post-audit commits (pre-deploy): 'feat: pUSD (#90)' and 'chore: bump Solidity v0.8.34 (#86)' landed same week as audit PDF uploads. Residual concern: exact audit commit SHA not confirmed (binary PDFs). Post-deploy commits April 1–13 are metadata/docs only — no material source change. Cannot confirm all pre-deploy changes were inside audit scope without local git clone + commit SHA from PDFs.

Sources #

GitHub
Commit history March-April 2026 — audit PDFs added March 26 same day as pUSD feature commitPolymarket/ctf-exchange-v2/commits-march-april-2026retrieved 2026-04-29
GitHub
Audits directory — Cantina March 2026 + Quantstamp March 2026 PDFsPolymarket/ctf-exchange-v2/audits-directoryretrieved 2026-04-29

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol polymarket factor RD-F-139 score yellow collected_at 2026-04-29 16:25:39