Shared-library version with known-vuln status

Ethena's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OpenZeppelin version appears to be 4.x (compatible with Solidity 0.8.19 and draft-ERC20Permit import pattern visible in StakedUSDe). OZ 4.x is current-stable with no known CVEs affecting ERC-20/ERC-4626/Ownable2Step/AccessControl modules. Notably, Ethena's sUSDe does NOT use OZ 4.9's virtual share offset (_decimalsOffset()) — instead uses MIN_SHARES constant (1 ether) as first-depositor guard. This is a valid alternative mitigation for the ERC-4626 inflation attack, but the specific OZ submodule commit SHA is not publicly confirmed. The DoS vector via MIN_SHARES (Code4rena 2023 M-04) was Acknowledged but mitigated only by deployment practice.

Sources #

GitHub
StakedUSDe.solStakedUSDe.sol — OZ ERC4626 import, MIN_SHARES guard, no decimalsOffsetretrieved 2026-04-28
URL
Ethena C4 2023 — M-04 MinShares DoSCode4rena 2023 M-04 — DoS via MinShares acknowledgedretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ethena factor RD-F-135 score yellow collected_at 2026-04-28 13:58:51