GitHub malicious-dependency incident touching protocol deps
Circle USYC's assessment for factor RD-F-160, scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
The USYC contract source repository has not been publicly identified: the circlefin GitHub organization holds 87 repositories, but none is verified as the USYC production source. The dependency tree therefore cannot be enumerated or checked for malicious releases. The only dependencies identified from the profile are standard EVM primitives (OpenZeppelin (OZ) proxy contracts), and the public GitHub Advisory Database lists no current malicious-release advisory for them. The absence of an advisory against the few identified dependencies does not establish that the full tree is clean.
Sources #
- Internal: circle-usyc profile (closed-source contracts), 00-profile.md section 8. No public audit report URL; no public USYC contract GitHub repo found. Retrieved 2026-05-16.
- Circle Financial GitHub Organization (circlefin GitHub org): 87 repos; no USYC-specific contract repo identified. Retrieved 2026-05-16.
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
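As an added worked example (not part of this assessment or of Circle's tooling), the following Python implements the check described above for whatever dependencies can be enumerated: it cross-references each locked dependency against GitHub global security advisories restricted to type `malware` and reports any whose version falls inside an advisory's `vulnerable_version_range`. The advisory records and the dependency list are constructed sample data; the package `example-evm-helpers` and the `GHSA-EXAMPLE-*` identifiers are placeholders, not real advisories. The URL built by `advisories_url` targets the real GitHub REST endpoint `GET /advisories` with its `type`, `ecosystem` and `affects` parameters, but the block itself runs offline against the embedded sample.

```python
"""Check locked dependencies against GitHub advisories of type "malware".

Added example for the RD-F-160 methodology; not code from the assessment or
from Circle. SAMPLE_ADVISORIES is constructed data shaped like the response
of GET https://api.github.com/advisories?type=malware&ecosystem=npm (each
advisory carries "type", "ghsa_id" and a "vulnerabilities" list whose entries
hold "package": {"ecosystem", "name"} and "vulnerable_version_range").
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class Dependency:
    ecosystem: str  # GitHub ecosystem name, e.g. "npm", "pip", "go"
    name: str       # package name as published, e.g. "@openzeppelin/contracts"
    version: str    # the resolved (locked) version actually built against


def advisories_url(deps, advisory_type="malware"):
    """Build the live query for one ecosystem's locked dependencies using the
    real GitHub REST parameters type, ecosystem and affects ("name@version")."""
    ecosystems = {d.ecosystem for d in deps}
    if len(ecosystems) != 1:
        raise ValueError("query one ecosystem at a time")
    params = {
        "type": advisory_type,
        "ecosystem": ecosystems.pop(),
        "affects": ",".join(f"{d.name}@{d.version}" for d in deps),
        "per_page": 100,
    }
    return "https://api.github.com/advisories?" + urlencode(params)


def parse_version(text):
    """Dotted numeric version -> tuple; pre-release/build suffixes are dropped."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


_CLAUSE = re.compile(r"^(>=|<=|=|<|>)\s*(\S+)$")
_OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def in_range(version, range_expr):
    """True if version satisfies every clause of a GitHub range string such as
    ">= 4.0.0, < 4.9.3" or "= 2.1.0"."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def malicious_release_hits(deps, advisories):
    """Return (Dependency, ghsa_id) pairs where a malware-type advisory covers
    the locked version. Reviewed CVE-style advisories are skipped: an ordinary
    vulnerability is a different factor from a malicious release."""
    by_key = {(d.ecosystem, d.name): d for d in deps}
    hits = []
    for adv in advisories:
        if adv.get("type") != "malware":
            continue
        for vuln in adv.get("vulnerabilities", []):
            pkg = vuln["package"]
            dep = by_key.get((pkg["ecosystem"], pkg["name"]))
            if dep and in_range(dep.version, vuln["vulnerable_version_range"]):
                hits.append((dep, adv["ghsa_id"]))
    return hits


# Constructed sample data: not a real lockfile and not real advisories.
SAMPLE_DEPS = [
    Dependency("npm", "@openzeppelin/contracts", "4.9.3"),
    Dependency("npm", "example-evm-helpers", "2.1.0"),  # placeholder package
]
SAMPLE_ADVISORIES = json.loads("""[
  {"ghsa_id": "GHSA-EXAMPLE-0001", "type": "malware",
   "summary": "Malicious code in example-evm-helpers (npm)",
   "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "example-evm-helpers"},
                        "vulnerable_version_range": "= 2.1.0"}]},
  {"ghsa_id": "GHSA-EXAMPLE-0002", "type": "reviewed",
   "summary": "Denial of service in example-evm-helpers",
   "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "example-evm-helpers"},
                        "vulnerable_version_range": "< 2.0.0"}]}
]""")
```

With no dependency list to feed in, as is the case for USYC here, `malicious_release_hits` returns nothing, and that is evidence of nothing; the check only carries weight once the dependency tree has actually been enumerated from the production source.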
- rubric_version: v1.7.0
- protocol: circle-usyc
- factor: RD-F-160
- score: gray
- collected_at: 2026-05-15 21:56:43