Fix-merged-but-not-deployed gap

Babylon Protocol's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ-identified vulnerabilities (2026-04-01) were fixed and deployed per OZ blog ('fixes shipped promptly'). GitHub PR #1911 (type assertion fix) referenced in OZ blog. Fixes appear in v4.2.x releases after OZ discovery (v4.2.5 Feb 2026, v4.2.7 Apr 2026 both post-date the vulnerabilities' probable discovery). No evidence of an undeployed security fix currently pending in the repository.

Sources #

GitHub
Babylon Genesis Chain Releasesv4.2.x patch releases post-date OZ findingsretrieved 2026-05-04
URL
State Changes at the Boundary — OpenZeppelin Babylon ResearchOZ: 'Babylon Labs triaged reports quickly... shipped fixes promptly'; PR #1911 referencedretrieved 2026-05-04

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol babylon-protocol factor RD-F-140 score green collected_at 2026-05-04 19:43:27