Upstream vulnerability disclosure (last 90d)

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-128 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Uniswap v3-core: no published security advisories as of assessment date (GitHub security page explicitly states 'There aren't any published security advisories'). Uniswap v2 is a mature well-understood minimal AMM; no active public vulnerability disclosures found for the upstream codebase in the trailing 90 days. No upstream disclosure affecting either SushiSwap fork in the assessment window.

Sources #

GitHub
sushiswap/v2-core GitHubsushiswap/v2-core — Uniswap v2 upstream has no known outstanding vulnerabilities (6-year mature codebase)retrieved 2026-05-17
GitHub
Uniswap v3-core GitHub Security AdvisoriesUniswap/v3-core security page — no active advisories in last 90 daysretrieved 2026-05-17

Methodology #

Determine whether the upstream has a public vulnerability disclosure in the last 90 days that affects this fork's deployed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-128 score green collected_at 2026-05-16 19:50:37