Dependency manifest uses unpinned versions

Compound V3 (Comet)'s assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

package.json pins @openzeppelin/contracts at exact version '4.8.3' (no caret or tilde). Security-critical library is exact-pinned. Dev tooling (hardhat ^2.22.17, ethers ^5.7.2) uses ^ ranges which is standard practice for non-deployed build tooling.

Sources #

GitHub
https://github.com/compound-finance/comet/blob/main/package.jsonretrieved 2026-04-28

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-133 score green collected_at 2026-04-28 00:20:50