GitHub malicious-dependency incident touching protocol deps
Marinade Finance's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Marinade liquid staking program uses Anchor framework (v0.27.0 per 2023 upgrade) and Rust dependencies. No GitHub Security Advisory or public malicious-release incident flagging a malicious crate in Anchor, solana-program SDK, or core Marinade Cargo.toml dependencies as of 2026-05-16. Anchor framework maintained by Coral team; no supply-chain compromise incidents found in public sources. Green based on absence of advisory in public channels.
Sources #
- URLMarinade liquid staking program GitHub -- Rust/Anchor sourcehttps://github.com/marinade-finance/liquid-staking-programretrieved 2026-05-16
- Neodyme 2023 audit -- Anchor v0.27.0 upgrade scope, no dependency compromise flaggedhttps://marinade.finance/docs/Neodyme_2023.pdfretrieved 2026-05-16
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
See the full factor methodology and distribution across all protocols →