Shared-library version with known-vuln status

Compound V3 (Comet)'s assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 4.8.3 has GHSA-g4vp-m682-qqmp (CVE-2023-40014, Moderate/CVSS 5.3) affecting ERC2771Context with custom forwarder. Compound V3 does NOT use ERC2771Context — advisory is non-exploitable in Compound's usage. No high/critical CVE for OZ 4.8.3 in any Compound-relevant pattern.

Sources #

URL
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisoriesretrieved 2026-04-28
GitHub
https://github.com/compound-finance/comet/blob/main/package.jsonretrieved 2026-04-27
URL
https://github.com/advisories/GHSA-g4vp-m682-qqmpretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-135 score yellow collected_at 2026-04-28 00:20:50