★ Audit scope mismatch
Raydium's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
8 audit engagements with PDFs cover all 4 core programs. Solana BPF programs lack Etherscan-equivalent CBOR bytecode metadata for commit-SHA verification. CLMM received an Anchor upgrade to 0.32.1 (SHA a5a46ff, Dec 29 2025) after the Sec3 Q3 2025 audit; Sec3 Q2 2026 covers the new CLMM features. CPMM received a fix commit (SHA ec3b20d, Nov 4 2025), partially after the Sec3 Q3 2025 audit. No mismatch is confirmed, but cryptographic bytecode-to-commit verification is infeasible on Solana via public tooling.
Sources
- GitHub: Raydium audit directory (all 8 engagements), raydium-io/raydium-docs/tree/master/audit, retrieved 2026-04-29
- CLMM latest commit (post-audit): a5a46ff (CLMM anchor 0.32.1 upgrade, Dec 29 2025), retrieved 2026-04-29
Methodology
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.