GitHub malicious-dependency incident touching protocol deps
Superstate's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Key dependencies: OpenZeppelin upgradeable (standard Solidity library), Foundry. No active GitHub security advisory against the OZ upgradeable packages was found at the assessment date, and no malicious dependency release flagged in the trailing 90 days was identified. The dependency pinning gap (foundry.toml optimizer_runs=1 per data-cache; version not pinned) is a Cat 8 issue flagged to code-security-analyst, not a malicious-release event.
Sources
- GitHub: Superstate ustb GitHub — dependency check (superstateinc/ustb) — OpenZeppelin upgradeable library dependency; no active security advisory found. Retrieved 2026-05-16.
Methodology
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
rubric_version: v1.7.0
protocol: superstate
factor: RD-F-160
score: green
collected_at: 2026-05-16 00:06:37