Audit Decay

The gradual divergence between a point-in-time audit report and the live protocol, caused by code changes, dependency upgrades, governance actions, and EVM-level shifts after the audit closes.


Why audit decay happens

An audit attests to a specific commit hash under specific assumptions: the compiler version, the EVM version, the set of dependencies and oracle feeds in use, the configured governance parameters, and the trust model the protocol documents. The moment any of those assumptions shifts, the audit's coverage narrows. Zellic's "audit drift" research analysed the top 20 Rekt Leaderboard incidents and found 15 occurred in code paths that were either never audited or had been modified after the audit closed — decay, not novel exploitation, was the dominant failure mode.

The five decay vectors

Code changes. Hotfixes, feature additions, and remediations applied after the audit window. Nomad's confirmAt[0x00] = 1 change was shipped mid-audit and slipped through remediation review in May 2022, enabling a $190M free-for-all drain in August 2022. Ronin's November 2021 gas-sponsorship allowlist was never revoked once the promotion ended.

Dependency shifts. The Vyper 0.2.15 / 0.2.16 / 0.3.0 compiler bug cost $73M across Curve pools in July 2023 despite every affected pool being individually audited — the bug lived in the toolchain, not the source. Chainlink feed deprecations, Aave API migrations, and LST exchange-rate assumption drift all follow the same pattern.

Composability changes. Penpie lost $27M in September 2024 to a permissionless Pendle market registration feature added months after the last audit; anyone could register a market with a malicious SY token and trigger reentrancy through _harvestBatchMarketRewards.

Governance actions. Timelock parameter adjustments, new role grants, oracle registry swaps, and collateral onboarding each alter the threat model the auditors reviewed.

EVM and compiler upgrades. The EEA EthTrust standard explicitly invalidates certification when the target EVM version changes. Every hard fork is an audit-decay event for protocols relying on fork-sensitive opcodes.

Controls that offset audit decay

Because decay is the default state, maintaining security between audits requires a layered post-audit stack: continuous on-chain monitoring with automated response, runtime invariant enforcement (EIP-7265 circuit breakers or view-function polling with auto-pause), signer-level controls against blind signing, timelock delays on privileged operations, and a rehearsed incident-response runbook with SEAL 911 contact on file. Protocols that pre-wire these controls recover 80–100% of funds from exploits; protocols that rely only on the audit rarely recover any.
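The "view-function polling with auto-pause" control described above, as an added example that is not Zealynx's code and not an implementation of any specific EIP-7265 contract. It polls a handful of invariants against each sampled block (share conservation, solvency, oracle freshness, and a circuit-breaker style per-block outflow limit) and invokes the protocol's pause path on the first violation. The chain reader, the invariant thresholds and the snapshot values are all constructed so the script runs offline; in production the pause callback would submit the pause transaction through a pre-authorised key or Safe module.

```python
"""Runtime invariant monitor with auto-pause (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    """Values a monitor would read from view functions (or an indexer) at one block."""
    block: int
    timestamp: int
    total_supply: int        # share token supply
    sum_of_balances: int     # sum over all holders, from an indexer
    total_assets: int        # underlying actually held by the vault
    total_liabilities: int   # what depositors are entitled to redeem
    oracle_updated_at: int   # price feed's last update timestamp


# An invariant gets the previous and current snapshot and returns None when it
# holds, otherwise a human-readable reason for the alert.
Invariant = Callable[[Optional[Snapshot], Snapshot], Optional[str]]

ORACLE_HEARTBEAT_S = 3600   # assumed feed heartbeat; constructed value
MAX_OUTFLOW_BPS = 1000      # assumed limit: 10% of assets may leave per block


def conservation(_prev: Optional[Snapshot], s: Snapshot) -> Optional[str]:
    if s.total_supply == s.sum_of_balances:
        return None
    return f"supply {s.total_supply} != sum of balances {s.sum_of_balances}"


def solvency(_prev: Optional[Snapshot], s: Snapshot) -> Optional[str]:
    if s.total_assets >= s.total_liabilities:
        return None
    return f"assets {s.total_assets} < liabilities {s.total_liabilities}"


def oracle_fresh(_prev: Optional[Snapshot], s: Snapshot) -> Optional[str]:
    age = s.timestamp - s.oracle_updated_at
    return None if age <= ORACLE_HEARTBEAT_S else f"oracle stale by {age}s"


def outflow_rate_limit(prev: Optional[Snapshot], s: Snapshot) -> Optional[str]:
    # Circuit-breaker style check: a large drop in assets within one block is
    # suspicious even if the vault is still technically solvent.
    if prev is None or prev.total_assets == 0:
        return None
    drop_bps = (prev.total_assets - s.total_assets) * 10_000 // prev.total_assets
    return None if drop_bps <= MAX_OUTFLOW_BPS else f"assets fell {drop_bps} bps in one block"


INVARIANTS: List[Tuple[str, Invariant]] = [
    ("conservation", conservation),
    ("solvency", solvency),
    ("oracle_fresh", oracle_fresh),
    ("outflow_rate_limit", outflow_rate_limit),
]


class InvariantMonitor:
    """Evaluates every invariant per snapshot; pauses once and then stands down."""

    def __init__(self, invariants: List[Tuple[str, Invariant]],
                 pause: Callable[[int, List[Tuple[str, str]]], None]) -> None:
        self.invariants = invariants
        self.pause = pause            # hypothetical hook that submits the pause tx
        self.prev: Optional[Snapshot] = None
        self.paused_at: Optional[int] = None

    def check(self, snap: Snapshot) -> List[Tuple[str, str]]:
        if self.paused_at is not None:
            return []                 # already paused; the IR runbook takes over
        failures = []
        for name, inv in self.invariants:
            reason = inv(self.prev, snap)
            if reason:
                failures.append((name, reason))
        if failures:
            self.paused_at = snap.block
            self.pause(snap.block, failures)
        self.prev = snap
        return failures


def run_monitor(snapshots: List[Snapshot]) -> Tuple[Optional[int], List[Tuple[str, str]]]:
    """Feed snapshots to a fresh monitor; return (block paused at, failures at that block)."""
    pause_log: List[Tuple[int, List[Tuple[str, str]]]] = []
    monitor = InvariantMonitor(INVARIANTS, lambda block, failures: pause_log.append((block, failures)))
    for snap in snapshots:
        monitor.check(snap)
    return pause_log[0] if pause_log else (None, [])


def sample_snapshots() -> List[Snapshot]:
    # Constructed: two healthy blocks, then a block in which 40% of assets leave
    # at once while the oracle has also gone stale.
    t0 = 1_700_000_000
    return [
        Snapshot(100, t0,          1_000_000, 1_000_000, 1_000_000, 1_000_000, t0 - 600),
        Snapshot(101, t0 + 12,     1_000_000, 1_000_000, 1_005_000, 1_000_000, t0 - 600),
        Snapshot(102, t0 + 4_000,  1_000_000, 1_000_000,   603_000, 1_000_000, t0 - 600),
    ]


if __name__ == "__main__":
    block, failures = run_monitor(sample_snapshots())
    print(f"paused at block {block}: {failures}")
```

The monitor pauses on the first failing block and then stops acting, because every subsequent decision (unpause, partial recovery, communications) belongs to the rehearsed incident-response runbook rather than to an automated loop.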

Practical indicators of elevated decay

  • Any commit merged after the last audit closed without a follow-up review.
  • A dependency bump (OpenZeppelin, Chainlink interface, Safe contracts, Vyper, Solc).
  • A governance vote that changed a parameter bounded by the audited invariant.
  • A new chain deployment using code previously audited only on a different chain.
  • An EVM hard fork (e.g., Cancun, Prague) that changed gas costs or opcode behaviour for any path in scope.

Treat each of these as a signal to re-run invariant suites against forked mainnet state and to schedule a spot review before the next privileged action.
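The audit-scope comparison implied by the "Why audit decay happens" section and by the indicator list above, as an added example that is not Zealynx's tooling. It records the assumptions an audit attested to (commit, compiler, EVM target, dependency versions, reviewed external integrations, the parameter bounds the audited invariants rely on, and the chains covered), compares them with the current deployment, and reports which decay vectors fire. Every commit hash, version string, integration name and parameter value below is a constructed placeholder.

```python
"""Audit-scope drift check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AuditScope:
    """What the audit report actually attested to."""
    commit: str
    compiler: str                             # toolchain the auditors built with
    evm_version: str                          # EVM target the audit assumed
    dependencies: Dict[str, str]              # package -> audited version
    integrations: FrozenSet[str]              # external protocols in the reviewed call graph
    governance: Dict[str, Tuple[int, int]]    # parameter -> (lo, hi) bounds the invariants rely on
    chain_ids: FrozenSet[int]                 # chains the deployment was reviewed on


@dataclass(frozen=True)
class LiveState:
    """What is deployed now."""
    commit: str
    compiler: str
    evm_version: str
    dependencies: Dict[str, str]
    integrations: FrozenSet[str]
    governance: Dict[str, int]                # parameter -> current value
    chain_ids: FrozenSet[int]
    reviewed_commits: FrozenSet[str] = frozenset()   # commits that got a follow-up review


def decay_findings(scope: AuditScope, live: LiveState) -> List[Tuple[str, str]]:
    """Return (vector, detail) pairs for every audited assumption that no longer holds."""
    findings: List[Tuple[str, str]] = []

    # 1. Code changes: a commit the audit did not cover and nobody re-reviewed.
    if live.commit != scope.commit and live.commit not in live.reviewed_commits:
        findings.append(("code change", f"commit {live.commit} not covered by audit or follow-up review"))

    # 2. Dependency shifts: compiler or package versions differ from the audited set.
    if live.compiler != scope.compiler:
        findings.append(("dependency shift", f"compiler {scope.compiler} -> {live.compiler}"))
    for pkg, version in sorted(live.dependencies.items()):
        audited = scope.dependencies.get(pkg)
        if audited is None:
            findings.append(("dependency shift", f"new dependency {pkg}@{version}"))
        elif audited != version:
            findings.append(("dependency shift", f"{pkg} {audited} -> {version}"))

    # 3. Composability changes: the code now reaches external contracts the auditors never saw.
    for ext in sorted(live.integrations - scope.integrations):
        findings.append(("composability change", f"unreviewed integration {ext}"))

    # 4. Governance actions: a parameter left the bounds the audited invariants assume.
    for param, value in sorted(live.governance.items()):
        bounds = scope.governance.get(param)
        if bounds is None:
            findings.append(("governance action", f"parameter {param} was not in the audited scope"))
        elif not bounds[0] <= value <= bounds[1]:
            findings.append(("governance action", f"{param}={value} outside audited bounds {bounds}"))

    # 5. EVM upgrades and new chains: the execution environment changed under the code.
    if live.evm_version != scope.evm_version:
        findings.append(("evm upgrade", f"evm target {scope.evm_version} -> {live.evm_version}"))
    for chain_id in sorted(live.chain_ids - scope.chain_ids):
        findings.append(("evm upgrade", f"deployment on chain {chain_id} was never audited"))

    return findings


def decayed_vectors(scope: AuditScope, live: LiveState) -> List[str]:
    """Distinct decay vectors that fire, sorted for stable reporting."""
    return sorted({vector for vector, _ in decay_findings(scope, live)})


def sample_scope() -> AuditScope:
    # Constructed placeholder values, not a real audit record.
    return AuditScope(
        commit="0xaudited",
        compiler="solc 0.8.20",
        evm_version="shanghai",
        dependencies={"openzeppelin-contracts": "4.9.3", "chainlink-contracts": "0.8.0"},
        integrations=frozenset({"eth-usd-price-feed"}),
        governance={"liquidation_threshold_bps": (7000, 9000), "timelock_delay_s": (86400, 604800)},
        chain_ids=frozenset({1}),
    )


def sample_live() -> LiveState:
    # Constructed: the same protocol months later, with no follow-up review.
    return LiveState(
        commit="0xhotfix",
        compiler="solc 0.8.24",
        evm_version="cancun",
        dependencies={"openzeppelin-contracts": "5.0.2", "chainlink-contracts": "0.8.0"},
        integrations=frozenset({"eth-usd-price-feed", "permissionless-market-registry"}),
        governance={"liquidation_threshold_bps": 9500, "timelock_delay_s": 172800},
        chain_ids=frozenset({1, 42161}),
    )


if __name__ == "__main__":
    for vector, detail in decay_findings(sample_scope(), sample_live()):
        print(f"[{vector}] {detail}")
```

A non-empty result is the trigger the text describes: re-run the invariant suite against forked mainnet state and schedule a spot review before the next privileged action. Keeping the audit scope as a machine-readable record rather than a PDF is what makes this comparison possible in CI.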


© 2026 Zealynx