GitHub malicious-dependency incident touching protocol deps
Beefy Finance's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
T-09 phase-2 signal. Beefy contracts use OpenZeppelin libraries (ERC20Upgradeable, OwnableUpgradeable, ClonesUpgradeable). No GitHub security advisory (GHSA) or npm security advisory for OpenZeppelin or other Beefy dependencies was filed within the last 90 days as of 2026-05-16. The beefy-contracts repo uses standard OZ dependencies. No malicious-release incident is known on Beefy's dependency chain at this date.
Sources
- GitHub: Beefy Finance beefy-contracts (beefyfinance/beefy-contracts), OZ dependency usage, retrieved 2026-05-16
Methodology
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
rubric_version: v1.7.0 | protocol: beefy | factor: RD-F-160 | score: green | collected_at: 2026-05-16 13:10:30