Dependency had malicious-release incident (last 90d)
Sushi (SushiSwap: v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap) was scored green for factor RD-F-134 on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No malicious-release advisory found for @uniswap/lib, @openzeppelin/contracts 3.x, or other primary SushiSwap dependencies in the trailing 90 days. OSINT search and GitHub security advisory review did not surface any malicious-release incident for packages used by SushiSwap v2-core, v3-core, or v3-periphery in this window.
Sources
- GitHub: OpenZeppelin contracts security advisories. No malicious-release advisory for OZ 3.x or @uniswap/lib in last 90d. Retrieved 2026-05-17.
Methodology
Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.
- rubric_version: v1.7.0
- protocol: sushi
- factor: RD-F-134
- score: green
- collected_at: 2026-05-16 19:50:37