Code complexity vs audit coverage
Yearn Finance's assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
V3 core: a single ~1600 LOC Vyper contract reviewed by 3 firms (ChainSecurity, Statemind, yAcademy). yAudit V3 report: 25-day review, 2 auditors (June 3–28, 2023 per report). Audit coverage relative to code size appears adequate for the core vault. However, dozens of strategy contracts have individual audits by various firms, and not all strategy combinations have been co-audited together. Complexity across the strategy ecosystem leaves a residual gap.
Sources
- GitHub: Yearn security audits — strategy-level audits (MixBytes, Optimum, Dedaub). yearn-security/audits — strategy-level individual audits. Retrieved 2026-05-16.
- yAudit 06-2023-Yearn-v3 — 25-day audit, 2 auditors. yAudit V3 report — 25 days, 2 auditors. Retrieved 2026-05-16.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.