Fix-merged-but-not-deployed gap

Yearn Finance's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

ChainSecurity audit fixes merged Oct 30, 2024 (PR #215) and deployed Nov 1, 2024 (PR #216 v3.0.4). No known merged security fixes not yet deployed in V3 core. Periphery fix tracking not exhaustively verified. Green for core vault; periphery gap is partially covered by ongoing Immunefi program.

Sources #

URL
ChainSecurity Yearn V3 AuditChainSecurity V3 audit — 'no critical or highly severe issues uncovered'; two medium findings resolvedretrieved 2026-05-16
GitHub
yearn-vaults-v3 commit historyyearn-vaults-v3 PR #215 (chainsec fixes) merged Oct 30, 2024 → PR #216 deployed Nov 1, 2024retrieved 2026-05-16

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-140 score green collected_at 2026-05-16 08:34:32