Shared-library version with known-vuln status

EigenLayer's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OpenZeppelin v4.9.0 (the pinned version) has two known advisories: (1) GHSA-g4vp-m682-qqmp — Governor proposal frontrunning in v4.9.0 only, fixed in v4.9.1; (2) ERC2771Context _msgSender returns address(0) for calldata < 20 bytes (v4.0.0–v4.9.2), fixed in v4.9.3. Neither advisory is applicable to EigenLayer's current usage pattern (EigenLayer uses TimelockController not OZ Governor; does not use ERC2771Context). However, the pin is not patched to v4.9.1 or v4.9.3 — future code additions could inherit these patterns. Scored yellow for the unpatched library version, not red, given current inapplicability.

Sources #

URL
OpenZeppelin GHSA-g4vp-m682-qqmp Governor frontrunningGHSA-g4vp-m682-qqmp — OZ Governor frontrunning advisory v4.9.0retrieved 2026-04-28
GitHub
EigenLayer foundry.toml — OZ v4.9.0 dependencyLayr-Labs/eigenlayer-contracts foundry.toml — OZ v4.9.0 pinretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol eigenlayer factor RD-F-135 score yellow collected_at 2026-04-28 13:58:44