Dependency manifest uses unpinned versions
Falcon Finance's assessment for RD-F-133 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No public GitHub repository for Falcon Finance smart contracts. Cannot inspect package.json or foundry.toml for version pinning. Data cache confirms github.repo_url: null.
Detail
The methodology calls for checking package.json / foundry.toml for pinned versus caret versions of OZ and Solady. No public GitHub repository exists for Falcon Finance smart contracts per profile §9 and the data cache (github.repo_url: null, foundry_toml_present: false). OZ upgradeable contracts are clearly used (Etherscan dependency listings), but their exact version cannot be determined, so pinning status cannot be assessed.
Sources
- Etherscan: USDf Implementation — Etherscan dependency listing. USDf impl dependencies include openzeppelin-contracts-upgradeable; version unknown. Retrieved 2026-05-12.
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
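The check this methodology describes, as an added example that is not part of the assessment or of any Falcon Finance code: it classifies each npm version spec in a package.json as exactly pinned, a range, or a non-registry source, and lists the security-critical packages that are not pinned. The prefix list and the sample manifest are constructed for illustration.

```python
"""Flag unpinned version ranges for security-critical libraries in package.json."""
import json
import re

# Package-name prefixes treated as security-critical. Assumption: the rubric
# names OpenZeppelin and Solady; solmate is added as a comparable library.
CRITICAL_PREFIXES = ("@openzeppelin/", "solady", "solmate")

# Exact semver, optional leading "=" or "v", optional prerelease/build tags.
EXACT_RE = re.compile(r"^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def classify_spec(spec: str) -> str:
    """Return 'pinned', 'range' or 'non-registry' for one npm version spec."""
    spec = spec.strip()
    if EXACT_RE.match(spec):
        return "pinned"
    # git/tarball URLs, github: shorthands, file: paths: the manifest alone
    # does not say which code is resolved, so it is not a pinned registry version.
    if ":" in spec or "/" in spec:
        return "non-registry"
    return "range"  # ^, ~, >=, *, x, "latest", "" and similar


def unpinned_critical_deps(manifest: dict) -> list:
    """Return (section, package, spec) for critical deps that are not exactly pinned."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name.startswith(CRITICAL_PREFIXES) and classify_spec(spec) != "pinned":
                findings.append((section, name, spec))
    return findings


# Constructed sample manifest (not taken from any real project).
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "@openzeppelin/contracts": "^5.0.2",
    "@openzeppelin/contracts-upgradeable": "5.0.2",
    "solady": "~0.0.200",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "hardhat": "2.22.0",
    "solmate": "github:transmissions11/solmate"
  }
}"""

if __name__ == "__main__":
    for sec, pkg, spec in unpinned_critical_deps(json.loads(SAMPLE_PACKAGE_JSON)):
        print(f"{sec}: {pkg} {spec!r} is not pinned")
```

For Cargo.toml the rule is inverted: a bare `"1.2.3"` is already a caret requirement, so only `"=1.2.3"` counts as pinned there.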