defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Save (formerly Solend)'s assessment for RD-F-160 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

GitHub-flagged malicious-dependency incident touching protocol deps. The December 2024 @solana/web3.js library backdoor (versions 1.95.6 and 1.95.7 contained a hidden private-key-stealing backdoor) is a confirmed supply-chain event directly affecting the Solana ecosystem. Solend/Save's frontend and off-chain tooling (liquidation bots, governance tooling) depend on @solana/web3.js. Whether Save's production systems pinned affected versions 1.95.6 or 1.95.7 is NOT confirmed in public sources. The on-chain lending program itself (Rust/BPF) does not depend on the JS SDK, but frontends do. No GitHub security advisory has been issued against solendprotocol/solana-program-library specifically as of 2026-05-17. Score: yellow (ecosystem-level supply-chain event with unconfirmed but plausible exposure to Save's off-chain components; requires code-security-analyst to check frontend package.json).
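As an added example of the package.json / lockfile check called for above (not code from defirisk.co or from Save's own tooling), the script below walks a package-lock.json and reports every resolved copy of @solana/web3.js pinned to 1.95.6 or 1.95.7, including transitive copies nested under other packages, which a glance at the top-level dependency would miss. The sample lockfile and the package names in it are constructed.

```javascript
// Added example: scan a package-lock.json for resolved copies of @solana/web3.js
// at the backdoored versions. Not code from defirisk.co or Save; sample lockfile is constructed.
const AFFECTED = { "@solana/web3.js": new Set(["1.95.6", "1.95.7"]) };

// Collect every resolved package from a lockfile: v2/v3 list them flat under
// "packages" with keys like "node_modules/a/node_modules/b"; v1 nests them
// under "dependencies" to arbitrary depth. Nested copies matter: a clean
// top-level pin does not rule out an affected transitive copy.
function collectResolved(lock) {
  const found = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const i = p.lastIndexOf("node_modules/");
    if (i === -1) continue; // key "" is the root project itself
    found.push({ name: p.slice(i + "node_modules/".length), version: meta.version, path: p });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return the resolved copies whose (name, version) is in the affected set.
function findAffected(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  return collectResolved(lock).filter((d) => AFFECTED[d.name]?.has(d.version));
}

// Constructed v3 lockfile: the direct dependency resolves outside the affected
// set, but a transitive copy pinned by a (made-up) wallet-adapter package is 1.95.6.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend", version: "0.1.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-wallet-adapter": { version: "2.0.0" },
    "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": { version: "1.95.6" },
  },
});

const hits = findAffected(SAMPLE_LOCK);
console.log(hits.length ? hits : "no affected versions resolved");
```

Run it against the frontend's real package-lock.json (pass the file contents to findAffected) to turn the "unconfirmed" exposure in the evidence above into a yes/no answer; other lockfile formats (yarn, pnpm) need their own parser.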

Sources

  • Solend GitHub organization — solendprotocol/solana-program-library; no specific security advisory on package deps as of 2026-05-17 (retrieved 2026-05-17)
  • Bitdefender — Dec 2024 @solana/web3.js backdoor; versions 1.95.6 and 1.95.7 contained key-stealing code and affected DeFi frontends across the Solana ecosystem (retrieved 2026-05-17)

Methodology

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.


rubric_version: v1.7.0; protocol: save; factor: RD-F-160; score: yellow; collected_at: 2026-05-17 15:20:15