★ Audit scope mismatch

Usual (USD0 / bUSD0 / USUAL)'s assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Seven firms, 20+ engagements cover all major contracts across upgrade cycles. Private 'pegasus' repo blocks independent commit-SHA-to-bytecode verification. December 2024 DaoCollateral/SwapperEngine upgrade and post-May-2025 exploit remediation represent post-audit-coverage windows that cannot be independently verified. Subsequent audits (Cantina Phase 1+2 Oct 2024, Halborn Nov 2024, Spearbit Jan 2025, Sherlock #832 March 2025 $209.5K pool) were staged to cover each upgrade cycle, but private repo prevents confirming audit scope commit matches deployed bytecode.

Sources #

URL
Cantina Pegasus CompetitionCantina Pegasus competition — June 2024, $80K, 346 findingsretrieved 2026-05-17
URL
Audits | Usual Tech DocsUsual tech docs audits page — 20+ engagements listedretrieved 2026-05-17
Etherscan
DaoCollateral TransparentProxy — upgrade 2024-12-17DaoCollateral proxy readProxyContract — upgrade block 21423592 (2024-12-17)retrieved 2026-05-17
URL
Sherlock Contest #832 — Usual LabsSherlock contest #832 — Usual Labs, $209.5K poolretrieved 2026-05-17

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol usual factor RD-F-001 score yellow collected_at 2026-05-16 20:39:44