What, like, read the source code [1] or reverse engineered a binary? Would be easy(ish) to tell if the code in the binary was different from the source, probably.
Being a large open source project is an even lower standard of transparency than a formal NIST review of a very small codebase, from which the NSA was able to hide at least one backdoor. It wasn't until use in the wild for decades revealed the ECC magic number that this vulnerability was uncovered [0].
Similarly, RE has a way of investigating the actual functioning of code in a way more thorough than a human tasked with hunting for an intentionally obfuscated defect (if any human has even undergone that process).