Shared-library version with known-vuln status

Across Protocol's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 5.5.0: latest stable as of assessment date; no active high/critical advisory. OZ 4.9.6 (aliased legacy): latest 4.x patch; the GHSA-699g-q6qh-q4v8 (Duplicated execution of subcalls) affected 4.9.4 — 4.9.6 is the patched version. No active high/critical GHSA against 5.5.0 or 4.9.6. ethers.js 5.7.2: not a Solidity library. OZ Foundry upgrades 0.4.0: no known critical advisory.

Sources #

GitHub
https://github.com/OpenZeppelin/openzeppelin-contracts/securityretrieved 2026-04-28
GitHub
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-699g-q6qh-q4v8retrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol across-protocol factor RD-F-135 score green collected_at 2026-04-30 21:19:18