Shared-library version with known-vuln status
Lido's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
- OZ 3.4.0: the UUPS vulnerability (GHSA-5vp3-v4hc-gx76) affects 4.1.0-4.3.2 only, not 3.4.0.
- TimelockController CVE-2021-39168 affects 3.x, but Lido does NOT use the OZ TimelockController (it uses Aragon ACL + a custom EmergencyProtectedTimelock).
- OZ 5.2.0: no current critical advisories.

Net: no currently-applicable critical CVE for Lido's actual usage pattern.
Sources
- GHSA-5vp3-v4hc-gx76: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76 (retrieved 2026-04-28)
Methodology
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
rubric_version: v1.7.0 | protocol: lido | factor: RD-F-135 | score: green | collected_at: 2026-04-28 13:58:42