defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

Rocket Pool's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Two documented instances of post-audit code drift: (1) Houston hotfix (RPIP-63, Oct 2024) addressed 3 Immunefi bounties; formal re-audit of hotfix changes not confirmed. (2) Saturn One (Feb 2026): Bailsec stated before deployment they 'cannot say with high-confidence that there are no critical issues left' and recommended another full audit; two open Bailsec items remained at launch. Sigma Prime completed fix sign-offs. Not red because: 3 audit firms engaged, extensive follow-up rounds, acknowledgment was public and transparent.

Sources

  • Governance
    Verifying 1.4 contract upgrade
    Verifying 1.4 upgrade post: Bailsec noted open items at Saturn One deployment
    (retrieved 2026-05-04)
  • Governance
    RPIP-63: Houston Hotfix
    RPIP-63 Houston hotfix - 3 Immunefi bounties addressed; audit coverage of hotfix unconfirmed
    (retrieved 2026-05-04)
  • URL
    Rocket Pool Saturn I Upgrade
    Saturn One audit summary: Sigma Prime, Cantina, Bailsec with follow-up rounds
    (retrieved 2026-05-04)

Methodology

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.


rubric_version: v1.7.0
protocol: rocket-pool
factor: RD-F-139
score: yellow
collected_at: 2026-05-04 15:40:28