Test-mode parameters in deploy
The assessment of Sushi (SushiSwap: v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap) for RD-F-141 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
RP2 (RouteProcessor2) was deployed without input validation on its processRoute function, effectively a production-readiness failure analogous to test-mode parameters left in a deployment. The post-mortem confirmed that the vulnerability was a missing check that should have been caught pre-production. For the current live contracts (V2/V3 factories, BentoBox), no test-mode parameters were identified.
Sources
- URL: RouteProcessor2 Post Mortem — Sushi RouteProcessor2 Post Mortem — 'processRoute function does not check if the pool field is a valid pool' (retrieved 2026-05-17)
Methodology
Determine whether the deployed configuration retains test-mode parameters (test oracle address, infinite allowance, admin = deployer EOA).