Dependency had malicious-release incident (last 90d)

ether.fi's assessment for RD-F-134 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No malicious-release incident found for any of the 6 GitHub-hosted git submodule dependencies (forge-std, OZ contracts, OZ upgradeable, solady, v3-core, v3-periphery, eigenlayer-contracts) in trailing 90 days as of 2026-04-28. These are GitHub-hosted git submodules (not npm registry packages), which significantly reduces supply-chain attack surface.

Sources #

GitHub
All dependencies are GitHub git submodules (not npm packages)api.github.com/repos/etherfi-protocol/smart-contracts/git/trees/HEADretrieved 2026-04-28

Methodology #

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ether-fi factor RD-F-134 score green collected_at 2026-04-28 13:58:46