Dependency manifest uses unpinned versions
dYdX v4 (dYdX Chain)'s assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
dYdX v4 uses Go modules (go.mod + go.sum). All dependencies are pinned to exact versions or pseudo-versions: cosmos-sdk at v0.50.6-0.20260428191449-a212821dc2c3 (dYdX fork), cometbft at v0.38.6-0.20260428184537-904204b11c9e (dYdX fork), slinky at v1.3.2, ibc-go at v8.5.1, go-ethereum at v1.14.11. go.sum provides cryptographic hash pinning for all transitive dependencies. No unpinned version ranges are possible in the Go module system.
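The check described in this evidence, written out as an added example (not the curator's tooling and not code from dydxprotocol/v4-chain): it reads the require directives of a go.mod and labels each version as an exact release tag, a pseudo-version (a pin to one commit, as used for the forks above), or invalid. The sample go.mod is constructed; its versions come from the summary above, its module paths are placeholders, and the `^1.2.0` line is a hypothetical npm-style range added to show that go.mod has no such syntax.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

var releaseRe = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+incompatible)?$`)
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-([0-9A-Za-z.]+\.)?\d{14}-[0-9a-f]{12}(\+incompatible)?$`)
// Constructed sample: versions from the evidence summary, placeholder module paths.
const sampleGoMod = `module example.com/chain
require (
	example.com/cosmos-sdk v0.50.6-0.20260428191449-a212821dc2c3
	example.com/slinky v1.3.2 // indirect
	example.com/range-style ^1.2.0
)
require example.com/ibc-go/v8 v8.5.1
`

// ClassifyRequires maps each required module to "pseudo-version" (commit pin),
// "release" (exact tag) or "invalid" (for example npm-style range syntax).
func ClassifyRequires(gomod string) map[string]string {
	kinds := map[string]string{}
	inBlock := false
	for sc := bufio.NewScanner(strings.NewReader(gomod)); sc.Scan(); {
		// Drop trailing comments such as "// indirect" before splitting fields.
		line := strings.TrimSpace(strings.SplitN(sc.Text(), "//", 2)[0])
		if line == "require (" || line == ")" {
			inBlock = line != ")"
			continue
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(f) != 2 || (!inBlock && !strings.HasPrefix(line, "require ")) {
			continue // not a require entry (module, go, replace, blank, ...)
		}
		kinds[f[0]] = "invalid"
		if pseudoRe.MatchString(f[1]) { // test first: a pseudo-version is also valid semver
			kinds[f[0]] = "pseudo-version"
		} else if releaseRe.MatchString(f[1]) {
			kinds[f[0]] = "release"
		}
	}
	return kinds
}

func main() {
	fmt.Println(ClassifyRequires(sampleGoMod))
}
```

The classifier only reports how each version is written in go.mod; whether the recorded hashes in go.sum match the downloaded modules is checked by the Go toolchain's own `go mod verify`.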
Sources
- GitHub: dYdX v4-chain go.mod — all deps pinned to exact versions. dydxprotocol/v4-chain, protocol/go.mod, main branch, retrieved 2026-05-17
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).