Shared-library version with known-vuln status
Babylon Protocol's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
CometBFT GHSA-h598-3g3g-c67c: patched in v4.2.5 (the current v4.2.7 is patched). Babylon also issued four GHSAs of its own in 2025-2026 (vote extension, BIP-322 signature, nil pointer, AfterBtcDelegationUnbonded hook), all patched in v4.1.0–v4.2.0. cosmwasm-std RUSTSEC-2024-0338 (arithmetic overflow in pow/neg) affects <2.0.2; Cargo.lock pins 2.2.2 (patched). RUSTSEC-2024-0361 (gas mispricing) affects <2.1.3; 2.2.2 is patched. There are no open critical library vulnerabilities in the currently deployed versions, but the volume of self-issued GHSAs in 2025-2026 indicates an active vulnerability surface in the chain modules.
Sources
- RUSTSEC-2024-0361: CWA-2024-004 Gas mispricing (cosmwasm-vm gas mispricing), retrieved 2026-05-04
- Babylon CHANGELOG.md: security patches (GHSAs m6wq, 4rmq, 2fcv, xq4h, h598 all patched), retrieved 2026-05-04
- RUSTSEC-2024-0338: Arithmetic overflows in cosmwasm-std, retrieved 2026-05-04
Methodology
Identify the versions of the key shared libraries in use (e.g. OZ, Solady, Solmate) and check them against the CVE/GHSA databases for any active advisory.
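The check described above, applied to the Rust side of this assessment, as an added example that is not part of the original page or of Babylon's own tooling: it reads the pinned crate versions out of a Cargo.lock and compares them with the affected ranges quoted on this page (RUSTSEC-2024-0338 affects cosmwasm-std <2.0.2; RUSTSEC-2024-0361 is listed against cosmwasm-vm, <2.1.3). The lockfile excerpt is constructed for the example, and the range syntax it accepts (a comma-separated list of `<`, `<=`, `>`, `>=`, `=` bounds) is an assumption of this example, not the RUSTSEC database format.

```python
import re

# Constructed Cargo.lock excerpt for the example, not the project's real lockfile.
CARGO_LOCK = """
[[package]]
name = "cosmwasm-std"
version = "2.2.2"

[[package]]
name = "cosmwasm-vm"
version = "2.2.2"
"""

# Advisory ranges as quoted on the page (crate attribution per the sources list).
ADVISORIES = [
    ("RUSTSEC-2024-0338", "cosmwasm-std", "<2.0.2"),
    ("RUSTSEC-2024-0361", "cosmwasm-vm", "<2.1.3"),
]

def parse_version(s):
    # Compare numeric components only; pre-release/build metadata is dropped.
    return tuple(int(x) for x in re.split(r"[-+]", s, 1)[0].split("."))

def parse_lock(text):
    # Each [[package]] stanza carries a name and a version line.
    pins = {}
    for stanza in text.split("[[package]]"):
        name = re.search(r'^name = "([^"]+)"', stanza, re.M)
        ver = re.search(r'^version = "([^"]+)"', stanza, re.M)
        if name and ver:
            pins[name.group(1)] = ver.group(1)
    return pins

def in_range(version, spec):
    # All comma-separated bounds must hold for the version to be affected.
    v = parse_version(version)
    for bound in spec.split(","):
        op, target = re.match(r"\s*(<=|>=|<|>|=)\s*(.+?)\s*$", bound).groups()
        b = parse_version(target)
        if not {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b, "=": v == b}[op]:
            return False
    return True

def check(lock_text, advisories):
    # Returns (advisory, crate, pinned version, status) for every advisory.
    pins = parse_lock(lock_text)
    out = []
    for adv, crate, spec in advisories:
        pinned = pins.get(crate)
        status = "not pinned" if pinned is None else ("AFFECTED" if in_range(pinned, spec) else "patched")
        out.append((adv, crate, pinned, status))
    return out
```

Run `check(CARGO_LOCK, ADVISORIES)` to reproduce the page's conclusion that 2.2.2 is outside both affected ranges; pinning 1.5.0 instead flips the first entry to AFFECTED.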