GitHub malicious-dependency incident touching protocol deps
Assessment of Uniswap (v2 + v3) for RD-F-160, scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
V2+V3 combined: no GHSA advisory flagging a malicious release in a dependency consumed by V2 or V3 was identified in the trailing 90 days. V2 core uses Solidity 0.5.16; its deployed bytecode is immutable, so a dependency supply-chain compromise could affect only new builds, not the live contracts. V3 core: last GitHub commit 2026-04-30 (per data cache). No npm/PyPI/crates.io advisory was found for Uniswap V2 or V3 dependencies. The signal would NOT fire today.
Detail #
The signal fires when a GHSA advisory flags a malicious release in a dependency consumed by the protocol. For V2 and V3 the deployed bytecode is immutable and cannot be altered by a dependency supply-chain attack after deployment; a malicious dependency could affect only new builds or off-chain tooling, not the live on-chain contracts. V3 core: last commit 2026-04-30 per data cache, with no associated GHSA advisory found. V2 core is a stable, minimally active repository using Solidity 0.5.16 (old, but immutably deployed). No npm/PyPI/crates.io advisories were identified in public search for Uniswap V2 or V3 dependencies in the trailing 90 days. Note that the check is scoped to published advisories: a compromised dependency that has not yet received a GHSA advisory would not trigger the signal.
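The check described above, as an added example (not the rubric's tooling or Uniswap's code): resolve every package in an npm lockfile, then test each against GHSA advisories of type "malware" published in the trailing 90-day window, matching ecosystem, package name and the advisory's vulnerable version range. The advisory records follow the field shape of GitHub's REST advisory API (ghsa_id, type, published_at, vulnerabilities[].package and vulnerable_version_range); the lockfile, package names, GHSA IDs and dates are constructed sample data, not real advisories. The lockfile's dev flag is carried through so a hit can be labelled build tooling versus runtime package; per the page's immutability point, for V2/V3 neither kind would change already-deployed bytecode.

```python
"""Does the 'malicious dependency' signal fire for a given lockfile?

Added example (not the rubric's or Uniswap's code). Advisory records follow
the shape of GitHub's REST advisory API; lockfile, package names, GHSA IDs
and dates are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Assessment date for the trailing window (matches the page's retrieval date).
AS_OF = datetime(2026, 5, 12, tzinfo=timezone.utc)


def parse_version(v):
    """'2.3.1-beta+build' -> (2, 3, 1); missing components are padded with 0."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version, range_spec):
    """True when version satisfies every clause of a GHSA range such as
    '>= 2.3.0, < 2.4.0' or '= 2.3.1' (operators: =, <, <=, >, >=)."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        op, _, bound = clause.strip().partition(" ")
        b = parse_version(bound.strip())
        if not {"=": v == b, "<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b}[op]:
            return False
    return True


def lockfile_packages(lock):
    """Map name -> {resolved version: is_dev} from an npm lockfileVersion 2/3 'packages' map."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps '@scope/name' intact
        out.setdefault(name, {})[entry["version"]] = bool(entry.get("dev", False))
    return out


def malicious_dependency_hits(lock, advisories, now, window_days=90):
    """Return (ghsa_id, package, version, is_dev) for every consumed npm package whose
    resolved version falls inside a 'malware' advisory published within the window."""
    deps = lockfile_packages(lock)
    cutoff = now - timedelta(days=window_days)
    hits = []
    for adv in advisories:
        if adv.get("type") != "malware":  # 'reviewed'/'unreviewed' entries are vulns, not malware
            continue
        published = datetime.fromisoformat(adv["published_at"].replace("Z", "+00:00"))
        if published < cutoff:
            continue
        for vuln in adv.get("vulnerabilities", []):
            pkg = vuln["package"]
            if pkg["ecosystem"] != "npm":  # this lockfile resolves npm packages only
                continue
            for version, is_dev in deps.get(pkg["name"], {}).items():
                if version_in_range(version, vuln["vulnerable_version_range"]):
                    hits.append((adv["ghsa_id"], pkg["name"], version, is_dev))
    return hits


def signal_fires(lock, advisories, now, window_days=90):
    return bool(malicious_dependency_hits(lock, advisories, now, window_days))


# Constructed sample lockfile: one build-time (dev) tool and one runtime package.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-protocol", "version": "1.0.0"},
        "node_modules/acme-build-helper": {"version": "2.3.1", "dev": True},
        "node_modules/@acme/linter": {"version": "1.0.5"},
    },
}

# Constructed advisories: only the first is malware, in-window, npm and version-matching.
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "type": "malware", "published_at": "2026-04-20T00:00:00Z",
     "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "acme-build-helper"},
                          "vulnerable_version_range": "= 2.3.1"}]},
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "type": "malware", "published_at": "2025-12-01T00:00:00Z",
     "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "@acme/linter"},
                          "vulnerable_version_range": ">= 1.0.0, < 1.1.0"}]},  # older than 90 days
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx3", "type": "reviewed", "published_at": "2026-05-01T00:00:00Z",
     "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "@acme/linter"},
                          "vulnerable_version_range": "< 1.1.0"}]},  # a vulnerability, not malware
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx4", "type": "malware", "published_at": "2026-05-01T00:00:00Z",
     "vulnerabilities": [{"package": {"ecosystem": "PyPI", "name": "acme-build-helper"},
                          "vulnerable_version_range": "= 2.3.1"}]},  # same name, other ecosystem
]

if __name__ == "__main__":
    for ghsa, name, version, is_dev in malicious_dependency_hits(SAMPLE_LOCK, SAMPLE_ADVISORIES, AS_OF):
        scope = "build/tooling only" if is_dev else "runtime dependency"
        print(f"{ghsa}: {name}@{version} ({scope})")
    print("signal fires:", signal_fires(SAMPLE_LOCK, SAMPLE_ADVISORIES, AS_OF))
```

Running it against the sample data reports one hit, the dev-scoped build helper, so the signal fires; shrinking the window below the advisory's age, or removing the package from the lockfile, clears it. The window filter, the type filter and the ecosystem filter each remove one of the three decoy advisories.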
Sources #
- Uniswap v3-core GitHub (github.com/Uniswap/v3-core): last commit 2026-04-30; no active GHSA advisory on dependencies detected. Retrieved 2026-05-12.
- Uniswap v2-core GitHub (github.com/Uniswap/v2-core): stable; Solidity 0.5.16; immutable deployed bytecode. Retrieved 2026-05-12.
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.