Public record

Audit and Release Status

A project- and version-specific record of security reviews, deployment environments, and release status.

Published: June 24, 2026
Last reviewed: June 24, 2026
Record status: Public-source audit and release inventory
Data: audit-release-status.json

Security review is not a permanent label attached to a person or even to an entire project. It applies to a specific codebase, version, commit, scope, and date.

Some public descriptions have characterized my work generally as involving the release of code without public security review. That is too broad to be a factual description of the project record.

Multiple major production systems associated with me had published third-party audits, including Yearn components and vault versions, Keep3r V1, Fixed Forex components, and the original Solidly implementation. Flying Tulip has public security materials and a live public bug bounty; report-level audit entries should be added only when final approved reports are public.

Other work had different statuses. Some systems launched as beta. Eminence was an unreleased experiment whose pre-production contracts were deployed on Ethereum mainnet and discovered before an official launch. For any project where a public report has not been located, this page says so rather than inferring either that a review occurred or that no review occurred.

How to read this page

External audit published: A public report by an identified third-party reviewer exists for a defined scope.
Limited review: The reviewer examined only a restricted component or issue.
Internal review: A project or contributor review, not an independent external audit.
No public report located: No public report was found in the reviewed repositories; this is not proof that no review occurred.
Pre-production mainnet: Contracts were deployed on a public mainnet but were not represented as a completed production release.
Scope match unknown: The public record does not yet prove that the reviewed commit exactly matches the deployed bytecode.

Summary

Project or component	Release status	Public review status	Primary audit or security record	Key limitation
Yearn / iEarn / vaults	production and historical-production	multiple external audit reports published	Yearn security and audit repositories	Coverage varies by vault, strategy, version, and date.
Keep3r V1	public-beta	PeckShield report published	Keep3r V1 audit directory	Exact deployed-bytecode relationship is not asserted here.
Keep3r V2	production	one actual PeckShield V2 report located	Keep3r V2 audit directory	Coverage is report-specific and should not be generalized.
Fixed Forex components	historical-production	multiple component reports published	Fixed Forex audit directory	Component reports do not prove complete-system coverage.
Solidly V1	historical-production	PeckShield report published	PeckShield publication index	Does not cover later forks, successors, or modified deployments.
Eminence	pre-production-mainnet	no public report located	Eminence public-record page	Do not infer either a review or no review without a primary record.
Fantom Opera / Sonic client	network-client	public source, research, testing, and fuzzing evidence	Opera and Sonic repositories; Lachesis research	Network-client assurance is not equivalent to a smart-contract audit.
Flying Tulip	production staged rollout	public bug bounty; no approved public report directory located	FT security repo, risks docs, contract registry, Sherlock bounty	Only final approved public reports should be listed when published.

Yearn Finance

Release classification: Production protocol with multiple generations, vaults, strategies, and related components.

Public review classification: Multiple published third-party reports were located in the Yearn audit archives.

iEarn (early iEarn)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: CryptoManiacs. Date: 2020. Record: source link.

Limitation: Early iEarn scope only; later Yearn contracts, strategies, governance, integrations, and deployments require separate review.
Yearn Finance (early Yearn)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: Quantstamp. Date: 2020. Record: source link.

Limitation: Report scope is the early reviewed codebase; it is not evidence for every later vault, strategy, deployment, or operational setting.
Yearn Finance protocol (V1)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: MixBytes. Date: 2020. Record: source link.

Limitation: V1 protocol report only; component coverage does not establish coverage for every strategy, vault, or later change.
iToken Finance (1.1.0)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: CertiK. Date: 2020. Record: source link.

Limitation: iToken-specific report; not a generalized statement about all Yearn code or deployments.
Timeloans Finance (historical component)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: MixBytes. Date: 2020. Record: source link.

Limitation: Component report only; does not prove full-system coverage.
Yearn Vaults (V2)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: Trail of Bits. Date: 2021-07-19. Record: source link.

Limitation: Vaults V2 review folder; deployment bytecode relationship is not independently verified on this page.
Yearn strategies (2021 strategies)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2021-01. Record: source link.

Limitation: Strategy review scope varies by listed strategy and date; not evidence for unlisted strategies or later modifications.
Yearn partner tracker (2022 component)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: ChainSecurity. Date: 2022-01-23. Record: source link.

Limitation: Partner-tracker component only; not evidence for unrelated Yearn contracts or deployments.
Yearn V3 (V3)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: Statemind. Date: 2024-05-02. Record: source link.

Limitation: V3 review folder only; later integrations, parameter choices, and deployments require separate verification.
Yearn V3 (V3)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: ChainSecurity. Date: 2024-05-04. Record: source link.

Limitation: V3 review folder only; exact deployed bytecode is not asserted here.
Yearn V3 (V3)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: yAcademy. Date: 2024-06-01. Record: source link.

Limitation: V3 review folder only; scope should be read from the report materials before making component-specific claims.

Keep3r Network

Release classification: Keep3r V1 launched as public beta; V2 was a deployed successor version.

Public review classification: The V1 and V2 audit directories each contain a PeckShield report; claims should identify version and scope.

Keep3r protocol (V1)
release: public-beta deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2020. Record: source link.

Limitation: Keep3r V1 report; exact deployed-bytecode match is not independently verified on this page.
Keep3r protocol (V2)
release: production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2021. Record: source link.

Limitation: One actual report was located in the V2 audit directory; coverage should not be generalized to every job, integration, or later change.

Fixed Forex

Release classification: Historical deployed system with component-level records.

Public review classification: The Fixed Forex audit directory contains multiple component reports; this is not a full-system statement.

Keep3r V2 PVEs (updated review)
release: historical-production deployment: mainnet review: external-limited-review-published scope: historical-report-deployment-match-unknown

Reviewer/source: PVE reviewers. Date: 2021. Record: source link.

Limitation: Limited component review; not a full-system statement for Fixed Forex or Keep3r.
ibEUR ERC-20 (1.0)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2021. Record: source link.

Limitation: ERC-20 component only; not evidence for every Fixed Forex contract or economic dependency.
OptionsLM (1.0)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2021. Record: source link.

Limitation: OptionsLM component only; interface, deployment configuration, and later changes are outside this page's scope.
StableV1Pair (1.0)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2021. Record: source link.

Limitation: StableV1Pair component only; oracle, route, and integration risks are not generalized from this report.
StakingRewardsV3 (1.0)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2021. Record: source link.

Limitation: StakingRewardsV3 component only; not a complete-system review.

Solidly

Release classification: Historical production deployment on Fantom.

Public review classification: A PeckShield report exists for the original Solidly V1 scope.

Solidly protocol (V1)
release: historical-production deployment: mainnet review: external-audit-published scope: historical-report-deployment-match-unknown

Reviewer/source: PeckShield. Date: 2022. Record: source link.

Limitation: Original Solidly V1 scope only; later forks, successor protocols, modified deployments, interfaces, and governance systems are separate.

Eminence

Release classification: Unreleased experiment with pre-production contracts deployed on Ethereum mainnet.

Public review classification: No public third-party report was located in the sources reviewed for this page; that is not proof that no review occurred.

Eminence experimental contracts (unreleased experiment)
release: pre-production-mainnet deployment: mainnet review: no-public-report-located scope: unknown

Reviewer/source: No public third-party report identified. Date: 2026-06-24. Record: source link.

Limitation: No public report located is not proof that no review occurred; the contracts were mainnet-accessible before a formal production release.

Fantom Opera and Sonic

Release classification: Production network clients and protocol research.

Public review classification: Public source, research, testing, and fuzzing are evidence but should not be reduced to a single audit label.

Fantom Opera client (network client)
release: network-client deployment: mainnet review: security-research scope: not-applicable

Reviewer/source: Public source and protocol research record. Date: 2026-06-24. Record: source link.

Limitation: Source code and research are security evidence but are not interchangeable with a component-scoped independent audit report.
Sonic client (network client)
release: network-client deployment: mainnet review: security-research scope: not-applicable

Reviewer/source: Public source and testing record. Date: 2026-06-24. Record: source link.

Limitation: This page has not mapped a component-level independent audit inventory for the client; do not reduce network assurance to a single smart-contract audit label.
Lachesis consensus research (protocol research)
release: research deployment: not-applicable review: security-research scope: not-applicable

Reviewer/source: Academic and protocol research record. Date: 2018-10-24. Record: source link.

Limitation: Academic or protocol research is not an independent deployment audit and does not establish smart-contract scope coverage.

Flying Tulip

Release classification: Staged production rollout.

Public review classification: Public security materials and a live Sherlock bug bounty are linked; private reports are withheld until approved public publication.

Security program and public bug bounty (staged rollout)
release: production deployment: multi-chain review: bug-bounty-live scope: not-applicable

Reviewer/source: Sherlock bug bounty program. Date: 2026-06-24. Record: source link.

Limitation: Bug bounty scope is not the same as a completed public audit report; component reports should be added only after final approved public publication.
Public security repository and known issues (staged rollout)
release: production deployment: multi-chain review: internal-review scope: unknown

Reviewer/source: Flying Tulip security repository. Date: 2026-06-24. Record: source link.

Limitation: The public security repository currently lists security materials and known issues; no approved public audit-report directory was located during this implementation.
Risks, security, audits, and contract registry (staged rollout)
release: production deployment: multi-chain review: internal-review scope: unknown

Reviewer/source: Flying Tulip documentation. Date: 2026-06-22. Record: source link.

Limitation: The documentation states the security process and links public registries; it is not a substitute for a report-level public audit record.

Correction to generalized descriptions

When requesting a correction, link this record and ask the publisher to identify the specific project and source underlying any audit-status assertion.

What this page does not claim

That every contract Andre wrote received external review.
That every version of a listed project had the same review status.
That reviewed code cannot fail.
That a review covered governance, keys, deployment configuration, integrations, or economic design unless expressly stated.
That no review occurred merely because no public report was located.
That pre-production mainnet deployment is equivalent to a formal production release.
That academic research and test coverage are equivalent to a third-party audit.
That a private or restricted report may be disclosed before approval.

Updates and corrections

This inventory is maintained as a factual source record. Audit coverage changes as code changes. Reports, scoped reviews, deployment-verification records, archived repositories, and corrections may be submitted to andre@flyingtulip.com. Every substantive revision will appear in the change log.

Change log

2026-06-24: Initial publication.