Dependency manifest uses unpinned versions
Multipli's assessment for RD-F-133 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The data cache records `oz_contracts_version=null`. The `.gitmodules` file exists in the repo but returned 404 on all direct fetch attempts; `foundry.lock` also returned 404. Whether the OZ library is pinned to an exact version or uses a floating `^` range cannot be confirmed from public data. Import paths in the verified source do not include version tags.
Sources
- GitHub: Multipli repo, .gitmodules inaccessible. Barebones-MultipliVault .gitmodules: file present in repo listing but 404 on fetch. Retrieved 2026-05-17.
- 00-data-cache.json: oz_contracts_version=null. Data cache github.oz_contracts_version=null. Retrieved 2026-05-17.
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
rubric_version: v1.7.0 | protocol: multipli | factor: RD-F-133 | score: gray | collected_at: 2026-05-17 11:48:35