defirisk.co
rubric v1.7.0

Shared-library version with known-vuln status

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records the specific version numbers of key shared libraries used in the protocol's deployed contracts -- primarily OpenZeppelin Contracts, Solady, and Solmate -- and checks whether those versions carry any current CVE or public security advisory. The data source is the protocol's repository (package lock or import paths) combined with the CVE database and GitHub Security Advisories for the relevant library packages.

**Why it matters** Shared libraries are a systemic risk amplifier: a bug in a widely used library version affects every protocol that has deployed that version, simultaneously. The Curve/Vyper compiler bug ($69M across four protocols simultaneously, July 2023) is the most dramatic example in the dataset -- all four affected protocols used the same Vyper compiler version (0.2.15-0.3.0) with the reentrancy guard bug. A depositor-facing dashboard that can identify 'this protocol uses library version X, and a CVE was published for version X last week' provides actionable advance warning before an exploit occurs. The 90-day gap between the publication of a library CVE and the first documented exploit in that class is a common pattern.

**Green / Yellow / Red** Green: all shared libraries are at versions with no current CVE or public advisory, or the protocol has deployed a patch addressing any known advisory. Yellow: a library advisory exists but the advisory severity is medium or low, and the specific vulnerable code path is not exercised by the protocol's usage pattern (confirmed by curator review). Red: a library used in deployed contracts has an active high or critical CVE with no patch deployed.

**Common gray cases** This factor is gray when the library version cannot be determined from the repository (vendored inline copies without version metadata) or when the library is proprietary with no public advisory channel.

**Notable historical examples** The Curve/Vyper compiler incident ($69M, 2023) is the closest motivating case, though it involves RD-F-170 (compiler version) rather than shared library version specifically.

Measurement: what to look for

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
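The methodology and measurement steps above, as an added example in Python (not part of the defirisk.co rubric or its tooling): read the resolved versions of the key shared libraries from a repository's `package-lock.json`, match them against advisory version ranges, and map the result to the rubric's green/yellow/red/gray. The advisory records with their `GHSA-PLACEHOLDER` ids and the sample lockfile are constructed for illustration; a real run would take the ranges from the GHSA/NVD sources the rubric names.

```python
import re
from typing import Optional

# CONSTRUCTED advisory records for this example (placeholder ids, not real GHSA entries);
# "introduced" is the first vulnerable version, "fixed" the first patched one (half-open range).
ADVISORIES = [
    {"package": "@openzeppelin/contracts", "introduced": "4.0.0", "fixed": "4.7.3",
     "severity": "high", "url": "https://github.com/advisories/GHSA-PLACEHOLDER-1"},
    {"package": "solady", "introduced": "0.0.100", "fixed": "0.0.180",
     "severity": "medium", "url": "https://github.com/advisories/GHSA-PLACEHOLDER-2"},
]
SEVERE = {"high", "critical"}
RANK = {"green": 0, "yellow": 1, "red": 2}

# Constructed package-lock.json fragment standing in for a protocol repository.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "node_modules/@openzeppelin/contracts": {"version": "4.9.3"},
    "node_modules/solady": {"version": "0.0.160"},
}}

def parse_version(text: Optional[str]) -> Optional[tuple]:
    """Extract MAJOR.MINOR.PATCH from strings such as '4.9.3', 'v5.0.2' or '^4.8.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def pinned_version(lock: dict, package: str) -> Optional[str]:
    """Resolved version from a package-lock.json (lockfileVersion 2/3 'packages' map)."""
    return lock.get("packages", {}).get("node_modules/" + package, {}).get("version")

def rate_library(package: str, version: str, advisories=ADVISORIES) -> dict:
    """Rubric colour for one library: gray if unparsable, red for an active high/critical
    advisory, yellow for low/medium (still subject to curator review), else green."""
    ev = {"library": package, "version": version, "colour": "green", "advisory": None, "severity": None}
    parsed = parse_version(version)
    if parsed is None:  # version present but not determinable -> gray
        return {**ev, "colour": "gray"}
    for adv in advisories:
        if adv["package"] != package:
            continue
        if parse_version(adv["introduced"]) <= parsed < parse_version(adv["fixed"]):
            colour = "red" if adv["severity"] in SEVERE else "yellow"
            if RANK[colour] > RANK[ev["colour"]]:  # keep the worst matching advisory as evidence
                ev.update(colour=colour, advisory=adv["url"], severity=adv["severity"])
    return ev

def score_protocol(lock: dict, packages=("@openzeppelin/contracts", "solady", "solmate")) -> tuple:
    """Protocol colour = worst rated library; gray when no key library version is determinable
    (e.g. vendored inline copies). A library absent from the lockfile counts as not used."""
    evidence = [rate_library(p, v) for p in packages if (v := pinned_version(lock, p)) is not None]
    rated = [e["colour"] for e in evidence if e["colour"] != "gray"]
    return (max(rated, key=RANK.get) if rated else "gray"), evidence
```

`score_protocol(SAMPLE_LOCK)` returns the protocol colour plus one evidence record per library (name, version, advisory URL, severity), matching the evidence artifact the rubric asks for.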

Data & output

**Data source** GitHub repo `package.json` / `foundry.toml` + GHSA API + NVD CVE query for OZ/Solady version

**Output format** Green / Yellow / Red

**Evidence artifact** Library name + version + GHSA advisory URL (if any) + severity

**Confidence signal** green = all shared libraries on versions with no active high/critical advisories; yellow = advisory exists but severity is low/medium; red = high/critical advisory for a used library version; gray = library versions not determinable

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-135 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | not_applicable |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | gray |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | yellow |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | green |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-135 | category: 8 | carried: 80 | critical: no