defirisk.co
rubric v1.7.0

Dependency had malicious-release incident (last 90d)

A fork / dependency lineage factor in the v1.7.0 rubric. Measured per protocol on an episodic, event-driven cadence.

Methodology: how we score

**What this measures** This factor monitors whether any npm, PyPI, or crates.io dependency used by the protocol has had a flagged malicious release incident in the trailing 90 days. The assessment runs on an episodic, event-driven cadence by cross-referencing the protocol's public dependency list against security advisory feeds (npm advisories, OSV database, GitHub Security Advisories). A flag is recorded if any protocol dependency appears in a confirmed supply-chain compromise report within the 90-day window.

**Why it matters** Supply-chain attacks on DeFi tooling dependencies are an emerging and undermonitored risk vector. If a protocol's deployment scripts, testing infrastructure, or build tools depend on a compromised package, a malicious actor could inject code that modifies the deployment artifact, exfiltrates private keys used in the deployment process, or corrupts test results to hide a vulnerability. While approximately two directly linked instances exist in the T-01 inventory, the supply-chain attack surface is growing as DeFi protocols use increasingly complex build pipelines with many transitive dependencies.

**Green / Yellow / Red** Green: no dependencies in the protocol's public dependency list have appeared in any supply-chain compromise advisory in the trailing 90 days. Yellow: a dependency had a flagged advisory but only for versions the protocol does not use, confirmed by the pinned version check. Red: a dependency used by the protocol at its currently pinned version is under an active supply-chain compromise advisory.

**Common gray cases** This factor is gray when the protocol does not maintain a public repository and the dependency list cannot be assessed, or when the protocol uses proprietary tooling with no public advisory channel.
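The pinned-version check behind the Green / Yellow / Red / gray split above, as an added example that is not defirisk.co's scoring code: it reads the pinned versions out of an npm lockfile, walks a set of OSV-shaped advisory records with the trailing 90-day window applied, and classifies the protocol, emitting the evidence artifact (advisory URL, dependency, affected range, installed version) for every advisory that touches a used dependency. The lockfile contents, advisory records, IDs and URLs are constructed placeholders, and the OSV SEMVER range semantics (affected when introduced <= version < fixed) are an assumption about what the feed delivers.

```python
"""Scoring RD-F-134 from a lockfile and an advisory feed (added example).

Illustrative code written for this page, not defirisk.co's scoring code.
Lockfile contents, advisory records, IDs and URLs are constructed.
"""
import json
from datetime import date, timedelta

WINDOW_DAYS = 90  # trailing window named by the factor


def make_lockfile(pins):
    """Build a minimal npm lockfileVersion-3 document (constructed sample)."""
    packages = {"": {"name": "example-protocol-deploy", "version": "1.0.0"}}
    packages.update({f"node_modules/{n}": {"version": v} for n, v in pins.items()})
    return json.dumps({"lockfileVersion": 3, "packages": packages})


SAMPLE_LOCKFILE = make_lockfile(
    {"build-helper": "2.3.1", "deploy-tool": "4.0.2", "left-padding-lib": "1.1.0"})

# Constructed OSV-shaped advisories; IDs and URLs are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "MAL-0000-EXAMPLE-1", "url": "https://example.invalid/MAL-0000-EXAMPLE-1",
     "published": "2024-06-01",
     "affected": [{"package": {"ecosystem": "npm", "name": "build-helper"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "2.3.0"}, {"fixed": "2.3.2"}]}]}]},
    {"id": "MAL-0000-EXAMPLE-2", "url": "https://example.invalid/MAL-0000-EXAMPLE-2",
     "published": "2024-05-20",
     "affected": [{"package": {"ecosystem": "npm", "name": "deploy-tool"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "5.0.0"}]}]}]},  # no fixed version yet
    {"id": "MAL-0000-EXAMPLE-3", "url": "https://example.invalid/MAL-0000-EXAMPLE-3",
     "published": "2023-01-15",  # older than 90 days, dropped by the window
     "affected": [{"package": {"ecosystem": "npm", "name": "left-padding-lib"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "1.2.0"}]}]}]},
]


def parse_version(text):
    """'1.2.3-beta+build' -> (1, 2, 3); pre-release/build tags are dropped."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def pinned_versions(lockfile_text):
    """Map dependency name -> pinned version from the lockfile's 'packages' table."""
    pins = {}
    for path, meta in json.loads(lockfile_text).get("packages", {}).items():
        if path:  # "" is the root project, not a dependency
            pins[path.rsplit("node_modules/", 1)[-1]] = meta["version"]
    return pins


def version_in_range(version, events):
    """OSV SEMVER semantics (assumed): affected when introduced <= v < fixed."""
    v, affected = parse_version(version), False
    for event in events:  # events are in ascending version order
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        if "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected


def describe_range(events):
    """Render OSV events as the human-readable range the evidence artifact needs."""
    return ", ".join(f"{key} {val}" for event in events for key, val in event.items())


def score_factor(lockfile_text, advisories, today_iso, ecosystem="npm"):
    """Return (colour, evidence). gray: no lockfile; red: pinned version affected;
    yellow: advisory on a used dependency but not on the pinned version."""
    if not lockfile_text:
        return "gray", []
    pins = pinned_versions(lockfile_text)
    cutoff = date.fromisoformat(today_iso) - timedelta(days=WINDOW_DAYS)
    colour, evidence = "green", []
    for adv in advisories:
        if date.fromisoformat(adv["published"]) < cutoff:
            continue  # outside the trailing 90 days
        for aff in adv["affected"]:
            name = aff["package"]["name"]
            if aff["package"]["ecosystem"] != ecosystem or name not in pins:
                continue
            hit = any(version_in_range(pins[name], r["events"]) for r in aff["ranges"])
            # Evidence artifact: advisory URL, dependency, range, installed version.
            evidence.append({"advisory": adv["url"], "dependency": name,
                             "affected_range": "; ".join(describe_range(r["events"])
                                                         for r in aff["ranges"]),
                             "installed": pins[name], "installed_affected": hit})
            if hit:
                colour = "red"
            elif colour == "green":
                colour = "yellow"
    return colour, evidence


if __name__ == "__main__":
    colour, evidence = score_factor(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, "2024-06-15")
    print(colour)
    for item in evidence:
        print(json.dumps(item))
```

Run as written, the sample scores red because build-helper 2.3.1 sits inside the advisory's affected range; moving build-helper to 2.3.2 in the lockfile drops the score to yellow (advisories exist for used dependencies, but not for the pinned versions), and a protocol with no lockfile at all is gray rather than green, matching the confidence signal in the data section below.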

**Notable historical examples** The SolarWinds-style supply-chain attack pattern motivates this factor; no direct DeFi protocol exploit is yet in the dataset.

Measurement: what to look for

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

Data & output

Data source: GitHub Security Advisories feed + npm audit + Socket.dev dependency scanner
Output format: Green / Yellow / Red
Evidence artifact: Advisory URL + affected dependency name + version range + this protocol's installed version
Confidence signal: green = no malicious-release advisories affecting this protocol's deps in 90 days; red = malicious-release advisory confirmed for a used dependency; gray = dependency list not accessible (private repo or no lockfile)

Scored protocols: 80 carry this factor

Protocol | Chain | RD-F-134
Aave v3 | ethereum | green
Across Protocol | ethereum | green
Aerodrome Finance | base | green
Axelar Network | ethereum | green
Babylon Protocol | bitcoin | green
Balancer (v2 + v3) | ethereum | not_assessed
Beefy Finance | ethereum | not_applicable
BENQI | avalanche | green
BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray
Cap (cUSD / stcUSD) | ethereum | green
Centrifuge | ethereum | green
Chainlink CCIP | ethereum | green
Circle USYC | binance | not_applicable
Compound V3 (Comet) | ethereum | green
Concrete | ethereum | green
Convex Finance | ethereum | green
crvUSD (Curve Stablecoin) | ethereum | green
Curve Finance | ethereum | green
deBridge | ethereum | green
Dolomite | ethereum | green
dYdX v4 (dYdX Chain) | dydx | green
EigenLayer | ethereum | green
Ethena | ethereum | green
ether.fi | ethereum | green
Euler V2 | ethereum | green
Falcon Finance | ethereum | gray
Fluid | ethereum | green
Frax Finance | ethereum | green
GMX v2 (GMX Synthetics) | arbitrum | green
Hyperlane | ethereum | green
Hyperliquid | arbitrum | green
Jito | solana | green
Jupiter | solana | gray
Jupiter Perpetual Exchange | solana | green
JustLend DAO | tron | green
Kamino Lend | solana | green
Kinetiq | hyperliquid | green
Lido | ethereum | green
Liquid Collective (LsETH) | ethereum | green
Liquity V1 + V2 (LUSD / BOLD) | ethereum | green
Lista DAO | bsc | green
Lombard Finance | ethereum | green
M^0 | ethereum | green
Maple Finance | ethereum | green
Marinade Finance | solana | green
Meteora | solana | green
mETH Protocol | ethereum | green
Midas | ethereum | not_applicable
Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green
Multipli | ethereum | green
Ondo Finance | ethereum | green
OpenEden | ethereum | green
Orca | solana | green
PancakeSwap | bsc | green
Pendle Finance | ethereum | green
Polymarket | polygon | green
QuickSwap | polygon | green
Raydium | solana | green
Rocket Pool | ethereum | green
Sanctum | solana | green
Save (formerly Solend) | solana | green
Sky Lending (formerly MakerDAO) | ethereum | green
Spark Protocol | ethereum | green
Spiko | stellar | green
Stake DAO | ethereum | green
StakeWise v3 | ethereum | green
Stargate Finance | ethereum | green
stHYPE (Valantis Labs) | hyperliquid | gray
SUNSwap (sun.io) | tron | green
Superstate | ethereum | not_applicable
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green
Symbiotic | ethereum | green
Synapse Protocol | ethereum | green
Uniswap (v2 + v3) | ethereum | not_applicable
USDD (Decentralized USD) | tron | not_applicable
Usual (USD0 / bUSD0 / USUAL) | ethereum | green
Veda (BoringVault) | ethereum | green
Venus Protocol | bsc | green
Wormhole | ethereum | green
Yearn Finance | ethereum | green

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-134 | category: 8 | carried: 80 | critical: no