defirisk.co
rubric v1.7.0

Shared-library version with known-vuln status

Aerodrome Finance's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

OpenZeppelin Contracts (OZ) 4.8.0 has active GHSA advisories:

(1) CVE-2023-40014 (ERC2771Context with short calldata, GHSA-g4vp-m682-qqmp): medium severity, affects 4.0–4.9.2, fixed in 4.9.3.
(2) GHSA-93hq-5wgc-jc82 (GovernorCompatibilityBravo calldata trimming): moderate severity, affects 4.3–4.8.2, fixed in 4.8.3.
(3) CVE-2023-30541 (TransparentUpgradeableProxy selector clash): affects 3.2–4.8.2, fixed in 4.8.3.

There is no high or critical severity advisory for OZ 4.8.0. The score is yellow: medium-severity advisories exist, but none is directly exploitable in Aerodrome's specific OZ usage pattern for an AMM.

Sources

Methodology

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
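
The check this methodology describes, as an added example (not defirisk.co's or Aerodrome's own code): it reads a pinned version and evaluates it against the advisory ranges quoted in the evidence summary, then narrows the hits to components that are actually imported. The manifest, the function names and the imported-contract sets are constructed assumptions.

```python
import json

# Constructed sample manifest (not Aerodrome's real file); 4.8.0 is the version the page assesses.
SAMPLE_MANIFEST = '{"dependencies": {"@openzeppelin/contracts": "4.8.0"}}'

# Advisory ranges as listed in the evidence summary:
# (id, affected component, first affected version, fixed-in version, severity).
# Severity is None where the page does not state one.
ADVISORIES = [
    ("CVE-2023-40014 / GHSA-g4vp-m682-qqmp", "ERC2771Context", "4.0", "4.9.3", "medium"),
    ("GHSA-93hq-5wgc-jc82", "GovernorCompatibilityBravo", "4.3", "4.8.3", "moderate"),
    ("CVE-2023-30541", "TransparentUpgradeableProxy", "3.2", "4.8.3", None),
]

def parse_version(text):
    """Turn '4.8', 'v4.8.0' or '^4.8.0' into a comparable (major, minor, patch) tuple."""
    # Simplification: range operators are dropped and a pre-release tag is
    # treated as its release version.
    core = text.strip().lstrip("^~>=v ").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def pinned_version(manifest_text, package):
    """Read the pinned version of a package from a package.json-style manifest."""
    return json.loads(manifest_text)["dependencies"][package]

def matching_advisories(version, advisories=ADVISORIES):
    """Return advisories where first_affected <= version < fixed_in."""
    v = parse_version(version)
    return [a for a in advisories if parse_version(a[2]) <= v < parse_version(a[3])]

def imported_hits(hits, imported_contracts):
    """Narrow version-level hits to components the code base imports (triage aid only)."""
    return [a for a in hits if a[1] in imported_contracts]

if __name__ == "__main__":
    pin = pinned_version(SAMPLE_MANIFEST, "@openzeppelin/contracts")
    for adv_id, component, first, fixed, severity in matching_advisories(pin):
        print(f"{pin}: {adv_id} ({component}), affects >= {first}, "
              f"fixed in {fixed}, severity {severity or 'not stated'}")
```

A version-level match only says the pin is inside an affected range; whether the affected component is reachable in the deployed contracts still has to be reviewed by hand.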


rubric_version: v1.7.0
protocol: aerodrome
factor: RD-F-135
score: yellow
collected_at: 2026-05-04 19:56:03