Upstream patch not merged

dYdX v4 (dYdX Chain)'s assessment for RD-F-127 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Not a fork; factor is structurally moot. As a library-dependency note: cosmos-sdk ISA-2025-005 (integer overflow in x/distribution, affects <= v0.50.13) was patched in dYdX protocol/v8.2.0 (July 2025), well ahead of the 90-day window. Current main branch uses dYdX cosmos-sdk fork at v0.50.6-0.20260428, incorporating all current upstream security patches.

Sources #

GitHub
protocol/v8.2.0 — ISA-2025-005 cosmos-sdk patchdydxprotocol/v4-chain release protocol/v8.2.0retrieved 2026-05-17
GitHub
ISA-2025-005 — integer overflow, fixed in v0.50.14cosmos/cosmos-sdk ISA-2025-005 advisoryretrieved 2026-05-17

Methodology #

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol dydx-v4 factor RD-F-127 score not_applicable collected_at 2026-05-17 09:58:47