defirisk.co
rubric v1.7.0

Shared-library version with known-vuln status

Stake DAO's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

OpenZeppelin 5.2.0 is current and not on any known CVE/advisory list. Solidity 0.8.28: the TransientStorageClearingHelperCollision bug only applies when viaIR=true AND transient storage is used; foundry-base-config.toml does not enable viaIR, so this bug is not triggered. Older contracts (Solidity 0.5.17, 0.8.7) have known limitations but no active critical CVEs specific to their usage patterns in this protocol.
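
One way to re-check the two preconditions named above (viaIR enabled, transient storage in use), as an added example that is not defirisk.co's or Stake DAO's own tooling. The sample config, the contract sources and all function names are constructed for illustration; `via_ir` is the Foundry config key for solc's viaIR setting.

```python
import re
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # assumption: tomli backport on older Pythons

# Constructed sample; the page does not show foundry-base-config.toml itself.
SAMPLE_CONFIG = """
[profile.default]
solc = "0.8.28"
optimizer = true

[profile.ci]
via_ir = false
"""

# Constructed sample sources (hypothetical contracts, not Stake DAO code).
SAMPLE_SOURCES = {
    "Vault.sol": "contract Vault { uint256 total; function f() external { total = 1; } }",
    "Lock.sol": "contract Lock { function g() external { assembly { tstore(0, 1) } } }",
}

# Heuristic: transient storage appears as tstore/tload in assembly or as the
# `transient` data-location keyword on a state variable.
TRANSIENT_RE = re.compile(r"\b(tstore|tload)\s*\(|\btransient\b")

def strip_comments(src):
    """Drop // and /* */ comments so commented-out code does not match."""
    return re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)

def via_ir_profiles(config_text):
    """Names of Foundry profiles that explicitly set via_ir = true."""
    profiles = tomllib.loads(config_text).get("profile", {})
    return sorted(name for name, p in profiles.items()
                  if isinstance(p, dict) and p.get("via_ir") is True)

def transient_users(sources):
    """Source files whose code (comments excluded) uses transient storage."""
    return sorted(name for name, src in sources.items()
                  if TRANSIENT_RE.search(strip_comments(src)))

def assess(config_text, sources):
    """Both conditions must hold for the bug to be reachable."""
    ir = via_ir_profiles(config_text)
    ts = transient_users(sources)
    return {"via_ir_profiles": ir, "transient_files": ts,
            "triggered": bool(ir and ts)}
```

A config-only check does not see `--via-ir` passed to `forge build` on the command line, so the compiler settings recorded for the deployed build are the stronger evidence.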

Methodology

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

rubric_version: v1.7.0
protocol: stake-dao
factor: RD-F-135
score: green
collected_at: 2026-05-16 12:29:20