★ Post-audit code changes without re-audit

SUNSwap (sun.io)'s assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Multiple deployed versions with no public audit evidence: V2 router/factory (Dec 2021) — no public audit found; V3 suite (Jun 2023) — no public audit found (V3 launch announcement makes no audit mention); Smart Router Sep 2024 upgrade to TJ4NNy8xZEqsowCBhLvZ45LCqPdGjkET5j — no audit mention; V4 launch Mar 2026 — no public audit found (sunswap-v4-core repo has no audits/ directory). Only publicly accessible audit: SlowMist 2020 for V1/JustSwap. Sunswap.com claims 'multiple security audits by SlowMist, CertiK, and Hacken' but no V2/V3/V4 reports publicly accessible at any firm URL, GitHub, or protocol docs directory. Data cache confirms single unspecified audit entry.

Sources #

GitHub
sun-protocol GitHub org — no audit directories in V3/V4 repossunswap-v3-contracts: no audits/ directory; sunswap-v4-core: no audits/ directoryretrieved 2026-05-17
URL
SUN Support: V3 launch — no audit referencedsunio.zendesk.com V3 launch: no audit mentionretrieved 2026-05-17
URL
SUN Support: Smart Router upgrade — no audit referencedsunio.zendesk.com Sep 2024 Smart Router upgrade: no audit mentionretrieved 2026-05-17
URL
SlowMist 2020 — V1 JustSwap audit (only confirmed public audit)sunswap.com/docs/audit-report_en.pdf — SlowMist 2020 V1/JustSwap onlyretrieved 2026-05-17

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sunswap factor RD-F-139 score red collected_at 2026-05-17 14:37:31