defirisk.co
rubric v1.7.0

Audit scope mismatch

Uniswap (v2 + v3)'s assessment for RD-F-001 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

V2: dapp.org.uk (2020) report commit consistent with deployed immutable V2 bytecode; Etherscan source verified. V3: Etherscan Exact Match on Factory (0x1F98431c8aD98523631AE4a59f267346ea31F984) with v1.0.0 tag commit e3589b1 (May 4 2021). ToB high-severity findings (TOB-UNI-005, TOB-UNI-009) confirmed resolved before v1.0.0 tag. Post-v1.0.0 commits are network config only. Governance contracts not in ToB/ABDK scope — gap, not mismatch. Combined: green.

Detail

V2 Factory (0x5C69bEe701ef814a2B6a3EDD4B1652CB9cc5aA6f) is immutable — deployed bytecode cannot change post-deploy. V3 Factory Etherscan shows Exact Match with source submitted at v1.0.0 tag (commit e3589b1, May 4 2021). Trail of Bits signed off March 12 2021 and ABDK signed off approximately March 23 2021, both pre-launch. The RC cycle (rc.0 March 22 -> rc.2 April 20 -> v1.0.0 May 4) shows controlled post-audit stabilization with only configuration-level changes. GovernorBravoDelegator and Timelock were not in ToB/ABDK v3-core scope — this is a governance audit gap flagged separately; it does not constitute a scope mismatch for the AMM contracts that were audited.

Methodology

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
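
One way to run the bytecode half of this check, as an added example that is not the curator's or the protocol's own tooling. It assumes the runtime bytecode has already been built from the audited commit with the deployed compiler settings and that the on-chain code was fetched separately (for example with eth_getCode); the function names, verdict labels and sample bytes are constructed for illustration, and immutable values are not masked.

```python
# Compare runtime bytecode built from the audited commit with deployed code.
# solc appends a CBOR metadata blob plus a 2-byte big-endian length to runtime
# bytecode, so two builds of identical logic can differ only in that trailer.

def _unhex(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)

def split_metadata(runtime: bytes):
    """Return (code, cbor_metadata); metadata is b'' if no trailer is found."""
    if len(runtime) < 2:
        return runtime, b""
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return runtime, b""
    meta = runtime[-(n + 2):-2]
    # The trailer is a CBOR map (major type 5); anything else is treated as
    # ordinary code whose last two bytes happened to look like a length.
    if meta[0] >> 5 != 5:
        return runtime, b""
    return runtime[:-(n + 2)], meta

def compare(compiled_hex: str, deployed_hex: str) -> str:
    """Hypothetical verdicts: exact, match_except_metadata, mismatch."""
    compiled, deployed = _unhex(compiled_hex), _unhex(deployed_hex)
    if compiled == deployed:
        return "exact"
    if split_metadata(compiled)[0] == split_metadata(deployed)[0]:
        return "match_except_metadata"  # same logic, different source hash
    return "mismatch"                   # executable code differs from audit

def _with_meta(code: bytes, digest_byte: bytes) -> str:
    # Constructed CBOR map: {"ipfs": <34-byte multihash>, "solc": 0.7.6}
    meta = (b"\xa2\x64ipfs\x58\x22\x12\x20" + digest_byte * 32
            + b"\x64solc\x43\x00\x07\x06")
    return "0x" + (code + meta + len(meta).to_bytes(2, "big")).hex()

# Constructed sample inputs, not real contract bytecode.
CODE = bytes.fromhex("6080604052600080fd")
AUDITED = _with_meta(CODE, b"\x11")
DEPLOYED_SAME = _with_meta(CODE, b"\x11")
DEPLOYED_OTHER_META = _with_meta(CODE, b"\x22")
DEPLOYED_CHANGED = _with_meta(bytes.fromhex("6080604052600160fd"), b"\x11")

if __name__ == "__main__":
    for name in ("DEPLOYED_SAME", "DEPLOYED_OTHER_META", "DEPLOYED_CHANGED"):
        print(name, compare(AUDITED, globals()[name]))
```

A match_except_metadata verdict still needs the source diff between the audited commit and the verified source reviewed, since the metadata hash changes whenever any compiled source file or setting changes.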

rubric_version: v1.7.0; protocol: uniswap; factor: RD-F-001; score: green; collected_at: 2026-05-12 10:36:11