GitHub malicious-dependency incident touching protocol deps
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No current GitHub security advisory flagging a malicious release in Sushi's npm or Hardhat dependency tree. sushi-labs/sushiswap security tab explicitly states no published security advisories. MISO 2021 supply-chain attack was a contractor code injection, not a malicious npm package release — different attack class. OZ 3.1.0 (per data-cache for v2-core) is not flagged with current CVEs relevant to Sushi's usage patterns.
Sources #
- GitHubsushi-labs/sushiswap Security — GitHubsushi-labs/sushiswap security — no published security advisoriesretrieved 2026-05-17
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
See the full factor methodology and distribution across all protocols →