Shared-library version with known-vuln status
dYdX v4 (dYdX Chain)'s assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
dYdX maintains custom forks of cosmos-sdk and cometbft with security patches applied. ISA-2025-005 (critical, cosmos-sdk <= v0.50.13, integer overflow in x/distribution) was patched in protocol/v8.2.0 (July 2025). The v9.6.1 release notes confirm further security updates: "upgrade cometbft and cosmos-sdk for tachyon security fix". v9.6.3 (May 14, 2026; current latest) contains a height-poisoning fix delivered via a cosmos-sdk/cometbft upgrade. No active high or critical advisory was identified for the current dYdX fork versions.
Sources
- GitHub: dYdX v4-chain releases — v9.6.x security updates (dydxprotocol/v4-chain releases page), retrieved 2026-05-17
- protocol/v8.2.0 — cosmos-sdk ISA-2025-005 security patch (July 2025) (protocol/v8.2.0 release — ISA-2025-005 patch), retrieved 2026-05-17
- ISA-2025-005 — integer overflow, fixed in v0.50.14 (cosmos/cosmos-sdk ISA-2025-005 advisory), retrieved 2026-05-17
Methodology
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.