Shared-library version with known-vuln status

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2-core: @openzeppelin/contracts 3.1.0 (data-cache confirmed). v3-periphery: @openzeppelin/contracts 3.4.2-solc-0.7. Known OZ high/critical advisories: GHSA-5vp3-v4hc-gx76 (UUPSUpgradeable) affects >=4.1.0 — not 3.x. GHSA-4h98-2769-gh6h (ECDSA malleability) affects >=4.1.0 — not 3.x. GHSA-wmpv (ERC1155Supply) affects >=4.2.0 — not 3.x. No active high/critical advisory found for OZ 3.1.0 or 3.4.2. @uniswap/lib is a utility library with no known active security advisories. Scoring green.

Sources #

GitHub
OZ UUPSUpgradeable vulnerability advisory (>=4.1.0 only)OpenZeppelin security advisories — GHSA-5vp3-v4hc-gx76 affects >=4.1.0; not applicable to 3.xretrieved 2026-05-17
Internal
00-data-cache.json — github sectiondata-cache github.oz_contracts_version: '3.1.0'retrieved 2026-05-17

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-135 score green collected_at 2026-05-16 19:50:37