Dependency manifest uses unpinned versions

BlackRock USD Institutional Digital Liquidity Fund (BUIDL)'s assessment for RD-F-133 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No public repository or manifest (package.json / foundry.toml) found for BUIDL contracts. Securitize GitHub shows dstoken and bc-dstoken-class-swap-sc using Hardhat/TypeScript, but the BUIDL deployment manifest is not publicly accessible. Cannot determine version pinning.

Sources #

GitHub
https://github.com/securitize-ioretrieved 2026-04-26

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol blackrock-buidl factor RD-F-133 score gray collected_at 2026-05-12 09:40:42