Shared-library version with known-vuln status
Cap (cUSD / stcUSD)'s assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
OpenZeppelin Contracts v5.2.0 (primary security-critical library) has no active high/critical CVE or GHSA advisory as of 2026-05-17. OZ 5.2.0 was released December 2024 and has no known critical issues. LayerZero v2 library was covered by the Electisec LZ vault audit (2025-05-25). forge-std is a testing library, not a production security-critical dependency.
Sources #
- GitHubCap Contracts OZ v5.2.0 Versionpackage.json — @openzeppelin/contracts ^5.2.0; OZ v5.2.0 has no active high/critical GHSA advisoryretrieved 2026-05-17
- Electisec LZ Vault Audit2025-05-25-Electisec.pdf — LayerZero v2 OFT vault component auditedretrieved 2026-05-17
Methodology #
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol cap factor RD-F-135 score green collected_at 2026-05-17 10:56:24