defirisk.co
rubric v1.7.0

Resolved-without-proof findings

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-003 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CertiK 2021 audit: 2 major centralization findings marked 'acknowledged' not resolved. Code4rena MISO (Sep 2021): 3 high findings; MISO exploit occurred contemporaneously but from different root cause (supply-chain, not audited finding). PeckShield v2 audit: findings reported as fixed; commit-SHA verification not possible from available data. No confirmed 'resolved without proof' finding at high/critical severity, but verification coverage is incomplete for v3-core and BentoBox/Kashi. Yellow: partial evidence.

Sources #

  • Audit
    CertiK Skynet SushiSwap ProjectCertiK SushiSwap skynet — 2 major centralization findings marked acknowledged, not resolvedretrieved 2026-05-17
  • Audit
    Code4rena Sushi MISO Audit ReportCode4rena MISO Sep 2021 — 3 high, 1 medium, 21 low findings; resolution status uncertain given contemporaneous exploitretrieved 2026-05-17

Methodology #

Count the number of findings the audit report marks "Resolved" or "Fixed" where no matching on-chain bytecode change or verifiable commit can be found.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-003 score yellow collected_at 2026-05-16 19:50:37