Code complexity vs audit coverage
The assessment of Sushi (SushiSwap), covering v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap, for RD-F-024 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
v3-core is highly complex (concentrated liquidity, Q64.96 tick math, multiple fee tiers). The Uniswap v3 ToB audit was a 10 person-week engagement. SushiSwap's v3 fork has no fresh Sushi-specific audit. RouteProcessor2: 4-day-old contract at time of exploit — extreme LOC-to-audit-day ratio (effectively infinite, audit not completed). BentoBox/Kashi: covered by PeckShield + Certora FV, reasonable ratio. Overall: v3-core and RP2 clearly exceeded credible audit coverage thresholds.
Sources
- Uniswap v3 Security Documentation. Uniswap v3 security docs — ToB audit '10 person-weeks'; SushiSwap fork has no equivalent Sushi-specific engagement. Retrieved 2026-05-17.
- RouteProcessor2 Post Mortem — Sushi. RP2 post-mortem — fast-tracked contract; no completed audit at time of deploy. Retrieved 2026-05-17.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.