defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor detects whether the protocol's package manifest files -- package.json, Cargo.toml, or equivalent -- declare security-critical library dependencies such as OpenZeppelin Contracts, Solady, or Solmate with range specifiers rather than exact pinned version strings. In npm manifests that means a ^ or ~ prefix; in Cargo.toml it means any version string without the = operator, since Cargo treats a bare "4.9.3" as ^4.9.3. Foundry projects pull these libraries as git submodules under lib/, which the parent repository pins to a commit, so for them the check is whether that commit is a tagged release (for example, installed with `forge install OpenZeppelin/openzeppelin-contracts@v4.9.3`) rather than whatever the default branch pointed at on install day; foundry.toml itself carries remappings, not version specifiers. An unpinned dependency lets the package manager silently resolve a newer library release on the next install that is not constrained by a lock file, potentially introducing a newly published vulnerability or a supply-chain-compromised release. The data source is the protocol's public repository.

**Why it matters** Unpinned critical library dependencies are a supply-chain attack surface. If an attacker publishes a malicious OpenZeppelin release to npm at version 4.9.4 (hypothetically), every protocol that declares ^4.9.0 or ~4.9.0 in its package.json and installs without a committed lock file (or refreshes that lock file) pulls the malicious version on its next npm install -- including CI/CD pipelines building the deployment artifact. A committed lock file installed with npm ci narrows the window, because the resolved version stays fixed until someone deliberately updates it, which is why the Green band requires one. Even without a malicious release, auto-updating to a library version with a newly discovered bug can introduce a vulnerability that was not present in the previously pinned version. Approximately two documented instances in the T-01 inventory involve library dependency incidents.

**Green / Yellow / Red** Green: all security-critical library dependencies (OpenZeppelin, Solady, Solmate, or equivalents) are pinned to exact version strings (no ^ or ~ prefix in npm manifests; the = operator in Cargo.toml) in all package manifest files, and lock files are committed. Yellow: non-security-critical development dependencies use range specifiers, but all deployed contract libraries are pinned. Red: any range specifier is used for OpenZeppelin, Solady, or equivalent libraries that are compiled into the deployed bytecode.

**Common gray cases** This factor is gray when the protocol does not use a package manager (e.g., vendored or inline library copies) or when the repository is private and the manifest cannot be inspected.

Measurement: what to look for

Determine whether `package.json` or `Cargo.toml` uses `^` or `~` version ranges (or, in Cargo, a bare version string, which Cargo reads as a caret range) for security-critical libraries (OpenZeppelin, Solady, etc.). For Foundry projects, inspect the commit each `lib/` submodule is pinned to, since `foundry.toml` declares remappings rather than versions.
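The check above, as an added example that is not defirisk.co's own scoring code: it scans a `package.json` and a `Cargo.toml` for the libraries the factor calls security-critical, applies each ecosystem's definition of "exact" (npm: a full x.y.z, optionally with `=` or `v`; Cargo: only the `=` operator, or a git dependency with an explicit `rev`), and maps the findings onto the Green / Yellow / Red bands. The `CRITICAL_PREFIXES` list, the sample manifests (constructed, not taken from any real protocol), and the choice to score "everything pinned but no committed lock file" as yellow are assumptions.

```python
"""Added example, not defirisk.co's own scoring code: scan package.json and
Cargo.toml for security-critical libraries declared with floating versions and
map the result onto the factor's Green / Yellow / Red bands. Assumptions:
CRITICAL_PREFIXES, the constructed sample manifests, and scoring "all pinned
but no committed lock file" as yellow."""
import json
import re
from dataclasses import dataclass

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # assumption: `pip install tomli` on older Pythons
    import tomli as tomllib

# Assumption: name prefixes for the libraries the factor calls security-critical.
CRITICAL_PREFIXES = ("@openzeppelin/", "openzeppelin", "solady", "solmate")

# A full x.y.z (optionally with pre-release/build suffix). npm accepts it as
# exact, also with a leading "=" or "v"; ^, ~, >=, x, *, ranges, dist-tags and
# git/URL specs all float with the registry.
_EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


@dataclass
class Finding:
    manifest: str
    name: str
    spec: str
    critical: bool
    pinned: bool


def is_critical(name: str) -> bool:
    return name.lower().startswith(CRITICAL_PREFIXES)


def npm_is_exact(spec: str) -> bool:
    s = spec.strip()
    s = s[1:] if s[:1] in ("=", "v") else s
    return _EXACT_SEMVER.match(s) is not None


def cargo_is_exact(spec) -> bool:
    # Cargo gotcha: a bare "1.2.3" means "^1.2.3"; only "=1.2.3" pins exactly.
    # A git dependency with an explicit commit (`rev`) counts as pinned too.
    if isinstance(spec, dict):
        if "rev" in spec:
            return True
        spec = spec.get("version", "")
    s = spec.strip()
    return s.startswith("=") and _EXACT_SEMVER.match(s[1:].strip()) is not None


def scan_package_json(text: str, manifest: str = "package.json") -> list[Finding]:
    data = json.loads(text)
    return [Finding(manifest, name, spec, is_critical(name), npm_is_exact(spec))
            for section in ("dependencies", "devDependencies", "optionalDependencies")
            for name, spec in data.get(section, {}).items()]


def scan_cargo_toml(text: str, manifest: str = "Cargo.toml") -> list[Finding]:
    data = tomllib.loads(text)
    return [Finding(manifest, name, spec if isinstance(spec, str) else json.dumps(spec),
                    is_critical(name), cargo_is_exact(spec))
            for section in ("dependencies", "dev-dependencies", "build-dependencies")
            for name, spec in data.get(section, {}).items()]


def classify(findings: list[Finding], lockfile_committed: bool) -> str:
    """Map findings onto the factor's bands."""
    if any(f.critical and not f.pinned for f in findings):
        return "red"      # OpenZeppelin/Solady/etc. resolve to whatever the registry serves
    if any(not f.pinned for f in findings):
        return "yellow"   # only non-critical packages float
    # Green also requires a committed lock file (npm ci / cargo --locked reproduce
    # the tree). Assumption: all-pinned-but-no-lock-file scores yellow.
    return "green" if lockfile_committed else "yellow"


# Constructed sample manifests; names and versions are illustrative only.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-protocol",
  "dependencies": {"@openzeppelin/contracts": "^4.9.3", "solady": "0.0.235"},
  "devDependencies": {"hardhat": "~2.19.0"}
}"""
SAMPLE_CARGO_TOML = """
[dependencies]
openzeppelin-example = "0.1.0"   # bare string: Cargo reads this as ^0.1.0
solady = { git = "https://example.invalid/solady", rev = "0123abcd" }
[dev-dependencies]
serde = "=1.0.197"
"""


def score_example() -> dict:
    npm, cargo = scan_package_json(SAMPLE_PACKAGE_JSON), scan_cargo_toml(SAMPLE_CARGO_TOML)
    return {
        "npm": classify(npm, lockfile_committed=True),
        "cargo": classify(cargo, lockfile_committed=True),
        "npm_unpinned_critical": [f.name for f in npm if f.critical and not f.pinned],
        "cargo_unpinned_critical": [f.name for f in cargo if f.critical and not f.pinned],
    }


if __name__ == "__main__":
    for key, value in score_example().items():
        print(f"{key}: {value}")
```

Both constructed manifests score red for different reasons: the npm one because `@openzeppelin/contracts` carries a caret, the Cargo one because `openzeppelin-example = "0.1.0"` looks pinned but is a caret range under Cargo's rules. Run the scan against the manifest at the commit SHA you cite as the evidence artifact, not against a working tree, so the result matches what CI actually resolved.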

Data & output

**Data source** Protocol GitHub repo manifest files (`package.json`, `foundry.toml`) + library version pinning check

**Output format** Green / Yellow / Red

**Evidence artifact** Manifest file URL + commit SHA + dependency version strings

**Confidence signal** green = all critical libraries pinned to exact version; yellow = minor libs unpinned but OZ and Solady pinned; red = OpenZeppelin or Solady unpinned; gray = repo not publicly accessible

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-133 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | gray |
| Jito | solana | yellow |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | yellow |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | red |
| OpenEden | ethereum | gray |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 | factor RD-F-133 | category 8 | carried 80 | critical no