★ Post-audit code changes without re-audit
Raydium's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Raydium has an active re-audit cadence (8 engagements, 5 firms, 2021 through Q2 2026). However: (1) the Jan 2024 tick manipulation bug patch was deployed without a confirmed re-audit of the specific fix; the Sec3 Q2 2026 CLMM audit post-dates it. (2) The CLMM Anchor upgrades (0.31 in May 2025, 0.32.1 in Dec 2025) landed between audit cycles. (3) The allowlist feature (Jul 2025) and the reward authority update (Jul 2025) shipped before the Sec3 Q2 2026 audit. No commit-SHA-to-audit-coverage mapping is published. The score is yellow rather than red because the re-audit cadence is active and the most recent audits post-date material changes.
Sources
- Immunefi Raydium Liquidity Drain Bugfix Review, Mar 2025: immunefi.com/blog/all/raydium-liquidity-drain-bug-fix-review (retrieved 2026-04-29)
- Raydium Audit Directory, 8 engagements through Q2 2026: github.com/raydium-io/raydium-docs/tree/master/audit (retrieved 2026-04-29)
- Immunefi Raydium Tick Manipulation Bugfix Review, Jan 2024: medium.com/immunefi/raydium-tick-manipulation-bugfix-review-c6aae4527ed6 (retrieved 2026-04-29)
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.