defirisk.co
rubric v1.7.0

Shared-library version with known-vuln status

BENQI's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The lending core uses Solidity 0.5.17 with a standalone SafeMath.sol (no OZ library dependency). sAVAX uses @openzeppelin/contracts-upgradeable (Solidity 0.6.12 era; OZ version ~3.x, inferred from import style). No active high/critical GHSA advisory was found for the OZ v3.x range as of 2026-05-16. However, the specific OZ version is not pinned in any visible manifest (no lockfile in the public repo), so the exact version cannot be verified. Yellow: library versions are likely safe but not precisely verifiable due to the missing lockfile.

Sources

  • URL
    OZ Security Advisories
    OZ security advisories — no high/critical advisory for relevant OZ version range
    retrieved 2026-05-16
  • GitHub
    StakedAvax.sol — OZ dependency version
    StakedAvax.sol imports @openzeppelin/contracts-upgradeable — version range not determinable (no lockfile in public repo)
    retrieved 2026-05-16

Methodology

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.


rubric_version: v1.7.0
protocol: benqi
factor: RD-F-135
score: yellow
collected_at: 2026-05-16 11:02:12