Shared-library version with known-vuln status
Rocket Pool's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
OZ 3.4.0: GHSA-5vp3-v4hc-gx76 (UUPSUpgradeable, critical) affects 4.1.0–4.3.2 only, so 3.4.0 is NOT affected. The TimelockController vulnerabilities affect 3.x, but RP does not use OZ TimelockController. OZ 4.9.2: CVE-2023-40014 (ERC2771Context) affects 4.0.0–4.9.2, but RP does NOT use ERC2771Context (confirmed by source inspection). Net: no known active critical CVE applies to RP's specific usage patterns. The score is yellow (not green) because OZ 4.9.2 is a version with a known GHSA, even though the specific vulnerability does not apply to RP's usage.
Sources
- GHSA-g4vp-m682-qqmp: CVE-2023-40014 ERC2771Context affects 4.0.0–4.9.2; RP does not use ERC2771 (retrieved 2026-05-04)
- OpenZeppelin UUPS Advisory GHSA-5vp3-v4hc-gx76: affects OZ 4.1.0–4.3.2, not 3.4.0 (retrieved 2026-05-04)
Methodology
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
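The check described above, sketched as an added example (not the curator's or Rocket Pool's own tooling): each pinned library version is matched against the advisory ranges quoted in the evidence summary, then filtered by whether the affected contract is actually imported. The names `Advisory` and `assess`, the red tier, and the sample import set are assumptions made for illustration.

```python
from dataclasses import dataclass


def parse(version):
    # Assumes plain MAJOR.MINOR.PATCH; pre-release tags are not handled.
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str
    component: str   # contract the advisory concerns
    first: str       # first affected version (inclusive)
    last: str        # last affected version (inclusive)

    def covers(self, version):
        return parse(self.first) <= parse(version) <= parse(self.last)


# Ranges and components exactly as quoted in the evidence summary.
ADVISORIES = [
    Advisory("GHSA-5vp3-v4hc-gx76", "UUPSUpgradeable", "4.1.0", "4.3.2"),
    Advisory("CVE-2023-40014", "ERC2771Context", "4.0.0", "4.9.2"),
]


def assess(pinned_versions, used_components, advisories=ADVISORIES):
    """Return (score, findings); a finding is (version, advisory, reachable)."""
    findings = []
    for version in pinned_versions:
        for adv in advisories:
            if adv.covers(version):
                reachable = adv.component in used_components
                findings.append((version, adv.ident, reachable))
    if any(reachable for _, _, reachable in findings):
        score = "red"      # assumed tier: advisory applies to a used contract
    elif findings:
        score = "yellow"   # version carries an advisory, contract not used
    else:
        score = "green"    # no pinned version falls in any advisory range
    return score, findings


if __name__ == "__main__":
    # Constructed placeholder import set, not Rocket Pool's real import list.
    sample_imports = {"SomeUsedContract"}
    print(assess(["3.4.0", "4.9.2"], sample_imports))
```
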