Shared-library version with known-vuln status

Aave v3's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No CVE or GHSA advisory affecting the pinned OZ version used by Aave v3.6.0 identified. However, a git submodule SHA ambiguity was flagged in T-10 (whether deployed bytecode exactly matches the submodule pinned SHA). Not an adverse advisory finding but an unresolved verification gap.

Sources #

Internal
T-10 Aave v3 Cat 8 F135T-10 §2.3.2 Cat 8 — F135 yellow (git submodule SHA ambiguity)retrieved 2026-04-27
GitHub
aave-v3-origin Git Submodulesaave-v3-origin git submodulesretrieved 2026-04-27

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-135 score yellow collected_at 2026-04-27 23:28:46