Shared-library version with known-vuln status

Pendle Finance's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 4.9.3: GHSA-g4vp-m682-qqmp (ERC2771Context) was PATCHED IN 4.9.3 — this version is the fix. OZ 4.9.4 introduced GHSA-699g-q6qh-q4v8 (Multicall double-execute) but Pendle is on 4.9.3 (unaffected). No high/critical active GHSA advisory for OZ 4.9.3 as used by Pendle.

Sources #

URL
OZ Multicall double-execute (affects 4.9.4, Pendle on 4.9.3)GHSA-699g-q6qh-q4v8 — affects 4.9.4, not 4.9.3retrieved 2026-04-29
URL
OZ ERC2771Context vulnerability (fixed in 4.9.3)GHSA-g4vp-m682-qqmp — fixed in 4.9.3retrieved 2026-04-29

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pendle factor RD-F-135 score green collected_at 2026-04-28 21:09:40