Dependency manifest uses unpinned versions

Euler V2's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

.gitmodules shows 4 dependencies all pinned to exact commit SHAs: openzeppelin-contracts (e682c7e5 = v5.0.2), ethereum-vault-connector (084b32284b), forge-std (b6a506db), permit2 (cc56ad0f). No ^ or ~ version ranges. All critical libraries pinned to exact version.

Sources #

GitHub
EVK .gitmodules — Pinned Dependencies.gitmodules — 4 submodules all pinned to exact commit SHAsretrieved 2026-05-04

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol euler-v2 factor RD-F-133 score green collected_at 2026-05-04 19:56:06