Dependency manifest uses unpinned versions

BENQI's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Public BENQI-Smart-Contracts repo has no package.json or foundry.toml in the lending directory (only Solidity .sol files — no manifest file found). sAVAX directory: no package.json found in public repo. Dedaub Ignite audit flagged floating pragma ('^0.8.0' or 'Solidity 0.8.0 or higher') as an advisory issue in the Ignite contracts (private repo). Without a lockfile or pinned manifest, cannot confirm OZ or other dependency versions are pinned. Yellow: floating pragma advisory identified in Ignite; no visible pinned manifests in core lending.

Sources #

GitHub
BENQI Lending — no manifest filesBENQI lending directory — no package.json or foundry.toml presentretrieved 2026-05-16
Audit
Dedaub Ignite Audit — floating pragma advisoryDedaub Ignite advisory — floating pragma ('Solidity 0.8.0 or higher') noted as advisory issueretrieved 2026-05-16

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol benqi factor RD-F-133 score yellow collected_at 2026-05-16 11:02:12