defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Midas's assessment for RD-F-160 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

GitHub malicious-dependency incident. The protocol uses OpenZeppelin contracts and foundry/npm dependencies. The main repo, RedDuck-Software/midas-contracts, is private (github_private: true), so its dependency manifest is not accessible via the public API, and no GitHub Security Advisory (GHSA) feed is configured against Midas dependencies. The Sherlock audit repos (2024-05, 2024-08) reference OpenZeppelin upgradeable contracts (Solidity v0.8.x); no known active GHSA advisory targets these versions as of 2026-05-16. Because the production pipeline is not implemented and the manifest cannot be read from the private repo, the GHSA feed cannot be mapped to this protocol's actual dependency tree, hence the gray score.

Sources

  • Internal
    Data cache: private repo prevents dependency manifest access
    File: 00-data-cache.json (github_private=true; dependency manifest not accessible via public API, so the GHSA feed cannot be mapped to this protocol's specific dependency tree)
    Retrieved: 2026-05-16

Methodology

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.


rubric_version: v1.7.0
protocol: midas
factor: RD-F-160
score: gray
collected_at: 2026-05-16 09:34:55