Audits are point-in-time. Upgradeable contracts routinely ship changes that reopen audited surfaces — with no re-audit required.
Pillar: Safety
The problem
An audit performed on a version-1 contract gives no assurance about a version-2 contract that ships six months later. There is no on-chain standard that ties an audit’s validity to the specific contract version it covers, or that requires re-auditing after material upgrades.
Protocol UIs regularly display audit badges without noting which version was audited or when.
Why it matters
- Safety: The audit badge I see may refer to code that no longer exists.
- Agency: I am making risk decisions based on stale assurances.
What exists today
Audit firms publish reports that record the version hash they reviewed, but there is no standard for exposing audit status in a machine-readable, version-linked form.
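One concrete form a version-linked check could take, as an added example that is not drawn from this page or from any existing standard: given an attestation that records the hash of the runtime bytecode a report covered, resolve the proxy's current EIP-1967 implementation and compare. The RPC stand-in, the addresses and bytecode, and the use of SHA3-256 in place of Keccak-256 are assumptions so that it runs offline.

```python
import hashlib
from dataclasses import dataclass

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc

def code_hash(runtime_code: bytes) -> str:
    # Assumption: SHA3-256 stands in for Keccak-256 so this runs on the standard
    # library alone; real EXTCODEHASH values and audit reports use Keccak-256.
    return "0x" + hashlib.sha3_256(runtime_code).hexdigest()

@dataclass
class AuditAttestation:
    proxy: str              # address the UI attaches the badge to
    audited_code_hash: str  # hash of the runtime bytecode the report covered

class ChainSnapshot:
    """Constructed stand-in for an RPC client (eth_getCode / eth_getStorageAt)."""
    def __init__(self, code: dict, storage: dict):
        self.code, self.storage = code, storage
    def get_code(self, addr: str) -> bytes:
        return self.code.get(addr.lower(), b"")
    def get_storage_at(self, addr: str, slot: int) -> int:
        return self.storage.get((addr.lower(), slot), 0)

def current_implementation(chain: ChainSnapshot, proxy: str) -> str:
    """Resolve the address whose code actually executes behind an EIP-1967 proxy."""
    word = chain.get_storage_at(proxy, EIP1967_IMPL_SLOT)
    if word == 0:  # slot unset: not an EIP-1967 proxy, the code lives at the address itself
        return proxy.lower()
    return "0x" + format(word, "064x")[-40:]  # low 20 bytes of the slot hold the address

def check_audit(chain: ChainSnapshot, att: AuditAttestation) -> dict:
    impl = current_implementation(chain, att.proxy)
    code = chain.get_code(impl)
    if not code:
        status = "no-code"  # implementation slot points at an empty account
    elif code_hash(code) == att.audited_code_hash.lower():
        status = "current"  # running exactly the bytecode the report covered
    else:
        status = "stale"    # upgraded since the audit; the badge no longer applies
    return {"implementation": impl, "status": status}
# Constructed sample: one proxy, v1 implementation audited, v2 shipped later.
V1_CODE, V2_CODE = b"\x60\x80\x60\x40\x52v1", b"\x60\x80\x60\x40\x52v2"
PROXY, IMPL_V1, IMPL_V2 = "0x" + "aa" * 20, "0x" + "01" * 20, "0x" + "02" * 20
ATTESTATION = AuditAttestation(proxy=PROXY, audited_code_hash=code_hash(V1_CODE))

def snapshot(live_impl: str) -> ChainSnapshot:
    return ChainSnapshot(code={IMPL_V1: V1_CODE, IMPL_V2: V2_CODE},
                         storage={(PROXY, EIP1967_IMPL_SLOT): int(live_impl, 16)})
```

Calling `check_audit(snapshot(IMPL_V2), ATTESTATION)` reports the badge as stale because the proxy now delegates to v2, while `snapshot(IMPL_V1)` reports it as current.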
The gap
There is no standard for version-linked audit status, and nothing requires protocols to surface such status to users.
Open questions
- What would a versioned audit attestation standard look like?
- Should continuous auditing services (code4rena, Sherlock) be treated differently than point-in-time audits?