defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

Yearn Finance's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

V3 core (VaultV3.vy): the last external audits were in May-June 2024 (ChainSecurity, Statemind, yAcademy). The ChainSecurity fixes were deployed on Oct 30, 2024, and the final v3.0.4 deploy was on Nov 1, 2024; the core vault is stable post-audit with the audit-fix commit deployed.

Periphery/strategy: the ecosystem continues to evolve, per the governance forum's retroactive review proposal (2026-04). The governance forum explicitly acknowledges ongoing unaudited changes to the strategy codebase, and there has been no comprehensive re-audit of the strategy periphery since mid-2024.

Yellow: core vault unchanged post-audit; strategy/periphery drift is documented and ongoing.

Methodology

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

rubric_version: v1.7.0
protocol: yearn-finance
factor: RD-F-139
score: yellow
collected_at: 2026-05-16 08:34:32