★ Audit scope mismatch

Sanctum's assessment for RD-F-001 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

verify.osec.io confirms hash mismatch for the Infinity/S Controller program: on-chain hash 25d3ade9... does not match executable hash 9bbcaada... at audited commit 4e35462. The program was upgraded to V2 (inf-1.5, commit c695912, March 2026) with no identified audit covering V2. Router program (stkitrT1...) has no verified build and no identified audit. Unstake program (unpXTU2...) is unlinked on verify.osec.io.

Sources #

URL
OtterSec Verified Builds — Sanctum Unstake Programverify.osec.io Unstake program not verifiedretrieved 2026-05-04
GitHub
igneous-labs/inf-1.5 Releasesinf-1.5 Controller Program V2 release tag ctl-v2.0.0 commit c695912retrieved 2026-05-04
GitHub
igneous-labs/S commit historyS repo archived November 2025; commits post-dating Feb 2024 auditsretrieved 2026-05-04
URL
OtterSec Verified Builds — Sanctum Infinity Programverify.osec.io Infinity program hash mismatchretrieved 2026-05-04
URL
OtterSec Verified Builds — Sanctum Router Programverify.osec.io Router program not verifiedretrieved 2026-05-04

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sanctum factor RD-F-001 score red collected_at 2026-05-04 18:49:23