Code complexity vs audit coverage
Uniswap (v2 + v3)'s assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
V3: ToB 3 engineers 10 person-weeks; ABDK comprehensive (159 issues). Manticore + Echidna + manual review provides multi-method tick-math coverage. V2: dapp.org.uk review + formal verification. AMM code well-covered. Governance contracts (GovernorBravoDelegator, Timelock) outside audit scope — main complexity-coverage gap. Scored yellow for governance audit gap.
Detail
Trail of Bits used 3 engineers over 10 person-weeks (mid-January through March 12, 2021), combining manual review, Echidna property-based testing, and Manticore symbolic execution. ABDK's 159-issue review demonstrates thorough coverage. DeFiSafety gives high marks for test coverage and documentation. For V2, dapp.org.uk performed both formal verification and security review of v2-core and v2-periphery. The main complexity-coverage gap is the governance contracts (GovernorBravoDelegator and Timelock), which have no identified dedicated audit covering their interaction in the Uniswap governance context.
Sources
- DeFiSafety — test coverage and documentation assessment. DeFiSafety detailed report. Retrieved 2026-04-29.
- Trail of Bits audit — 3 engineers 10 person-weeks. Trail of Bits audit — scope and engagement duration. Retrieved 2026-05-12.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.