Shared-library version with known-vuln status

ether.fi's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ v4.8.0 (contracts) and v4.8.2 (upgradeable): no critical CVEs in these versions; v4.8.2 is above the v4.8.1 security patch threshold. Solady commit 8583a6e: no specific CVE found. EigenLayer-contracts dependency: EigenLayer underwent significant slashing upgrade in 2025; the pinned SHA's compatibility with the deployed EigenLayer system is covered by the Certora 2025-04-12 EigenLayer Slashing FV report. The OZ v4.8.x versions do not include v5.x virtual share inflation protection (irrelevant as eETH/weETH are not ERC-4626). The residual risk is the EigenLayer dependency — any critical vulnerability in EigenLayer's deployed contracts (which ether.fi calls via EigenPod interfaces) would directly affect ether.fi.

Sources #

GitHub
OZ v4.8.0/v4.8.2 pinned — no known critical CVEs.gitmodules OZ version pinsretrieved 2026-04-28
Audit
Certora FV — EigenLayer slashing integration boundary coveredCertora EigenLayer Slashing 2025-04-12retrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ether-fi factor RD-F-135 score yellow collected_at 2026-04-28 13:58:46