Dependency manifest uses unpinned versions
Ethena's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
OpenZeppelin contracts are included as Foundry submodules (lib/openzeppelin-contracts and lib/openzeppelin-contracts-upgradeable confirmed in the Code4rena repo lib directory). Foundry submodules pin at a specific commit SHA when initialized via `forge install`. However, the exact OZ version or pinned SHA is not publicly disclosed (no accessible .gitmodules). Partial evidence of pinning via Foundry convention, but not independently confirmed. Unpinned version cannot be ruled out if `forge update` has been run post-initialization.
Sources
- GitHub: Code4rena 2023-10-ethena repository, `lib` directory (Ethena lib folder); OpenZeppelin submodules present; retrieved 2026-04-28
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
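The check described above, as an added example that is not part of this assessment or of Ethena's code: a small Python checker that flags npm-style range specifiers (`^`, `~`, `*`, tags) for watched libraries in a `package.json`, and reads the commit SHAs that Foundry git submodules are pinned to from `git ls-tree HEAD lib/` output, so two snapshots can be compared for drift after a `forge update`. The `package.json` content, submodule paths and SHAs below are constructed placeholders, not values from the Ethena repository.

```python
"""Unpinned-dependency factor check: npm version ranges in package.json and
commit pins of Foundry git submodules (gitlink entries in `git ls-tree`).
All sample inputs are constructed for illustration."""
import json
import re

# Exact semver (optionally "=" or "v" prefixed, with a prerelease tag) pins one version.
EXACT_SEMVER = re.compile(r"^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
# A git URL is pinned only when it ends in a full 40-hex commit SHA.
GIT_PINNED = re.compile(r"#([0-9a-f]{40})$")
# Mode 160000 in `git ls-tree` marks a submodule (gitlink) and the SHA it points to.
GITLINK = re.compile(r"^160000 commit ([0-9a-f]{40})\t(.+)$")


def is_pinned(spec: str) -> bool:
    """True only when the specifier can resolve to exactly one version."""
    spec = spec.strip()
    return bool(EXACT_SEMVER.match(spec) or GIT_PINNED.search(spec))


def unpinned_npm_deps(package_json_text: str, watch=("@openzeppelin/", "solady")):
    """Return (section, name, spec) for each watched dependency whose spec is a range.

    `watch` is a tuple of name prefixes for security-critical libraries."""
    data = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if name.startswith(watch) and not is_pinned(spec):
                findings.append((section, name, spec))
    return findings


def submodule_pins(ls_tree_output: str) -> dict:
    """Map submodule path -> pinned commit SHA from `git ls-tree HEAD lib/` output."""
    pins = {}
    for line in ls_tree_output.splitlines():
        m = GITLINK.match(line)
        if m:
            pins[m.group(2)] = m.group(1)
    return pins


def submodule_drift(before: dict, after: dict) -> dict:
    """Paths whose pinned SHA changed between two snapshots (e.g. after `forge update`)."""
    return {p: (before[p], after[p]) for p in before if p in after and before[p] != after[p]}


# Constructed package.json: two OpenZeppelin entries, one ranged and one exact.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@openzeppelin/contracts": "^4.9.0",
        "@openzeppelin/contracts-upgradeable": "4.9.3",
        "solady": "~0.0.123",
        "lodash": "^4.17.21",  # not in the watch list, so not reported
    },
    "devDependencies": {
        "forge-std": "git+https://example.invalid/forge-std.git#" + "a" * 40,
    },
})

# Constructed `git ls-tree HEAD lib/` output; SHAs are placeholders.
SAMPLE_LS_TREE_BEFORE = (
    "160000 commit " + "1" * 40 + "\tlib/openzeppelin-contracts\n"
    "160000 commit " + "2" * 40 + "\tlib/openzeppelin-contracts-upgradeable\n"
    "100644 blob " + "9" * 40 + "\tlib/README.md\n"
)
# Same tree after a hypothetical `forge update` moved one submodule.
SAMPLE_LS_TREE_AFTER = SAMPLE_LS_TREE_BEFORE.replace("1" * 40, "3" * 40)


if __name__ == "__main__":
    for section, name, spec in unpinned_npm_deps(SAMPLE_PACKAGE_JSON):
        print(f"unpinned: {section}.{name} = {spec}")
    before = submodule_pins(SAMPLE_LS_TREE_BEFORE)
    for path, sha in before.items():
        print(f"submodule {path} pinned at {sha}")
    for path, (old, new) in submodule_drift(before, submodule_pins(SAMPLE_LS_TREE_AFTER)).items():
        print(f"drift: {path} {old[:8]} -> {new[:8]}")
```

In a real repository, feed the checker `cat package.json` and `git ls-tree HEAD lib/`; a submodule entry always carries a SHA in the superproject's tree, so the useful question for this factor is whether that SHA is disclosed and whether it moves between audited commits.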