GitHub malicious-dependency incident touching protocol deps
Multipli's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Applicable: OpenZeppelin ERC-4626Upgradeable, AuthUpgradeable, PausableUpgradeable are confirmed dependencies (from GitHub repo). Solidity 0.8.30. Foundry toolchain. No GitHub Security Advisory (GHSA) filed against OpenZeppelin ERC-4626Upgradeable or Foundry in trailing 90 days (February – May 2026) as of assessment date. OZ contracts actively maintained. No CVE against Solidity 0.8.30. Optimizer runs=8 (low) — unusual but not a malicious-dependency signal.
Sources #
- InternalMultipli data cache — Solidity version.research/protocols/multipli/00-data-cache.json §sources.github.solidity_version=0.8.30retrieved 2026-05-17
- Multipli GitHub repo — dependency confirmationmultipli-libs/Barebones-MultipliVault — OZ ERC-4626Upgradeable dependency confirmed; Solidity 0.8.30; last commit 2026-01-16retrieved 2026-05-17
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
See the full factor methodology and distribution across all protocols →