Shared-library version with known-vuln status

deBridge's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

debridge-contracts-v1: OZ `^4.3.2` deployed as OZ 4.x. Known GHSA for OZ 4.3.2-range: GHSA-5vp3-v4hc-gx76 (UUPSUpgradeable uninitialized impl) — fixed IN 4.3.2, so pinned at ≥4.3.2 means fix is included. GHSA-4h98-2769-gh6h (ECDSA malleability) affects <4.7.3 — deBridge-contracts-v1 uses OZ 4.3.2+ range, potentially below 4.7.3. However DeBridgeGate does NOT use ECDSA library directly (uses ecrecover in SignatureVerifier without OZ ECDSA library), so this advisory may not apply. dln-contracts...

Sources #

GitHub
https://github.com/advisories/GHSA-5vp3-v4hc-gx76retrieved 2026-04-28
GitHub
https://github.com/advisories/GHSA-4h98-2769-gh6hretrieved 2026-04-28
GitHub
https://github.com/debridge-finance/debridge-contracts-v1/blob/main/package.jsonretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol debridge factor RD-F-135 score yellow collected_at 2026-04-28 01:27:58