defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Falcon Finance's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Factor: GitHub-flagged malicious-dependency incident
Applicable: Limited (no public GitHub)
Finding: No GHSA confirmed for any Falcon Finance dependency. OpenZeppelin upgradeable contracts (inferred from the proxy architecture) carry no current critical advisory. The signal is structurally limited by the closed-source posture.

Detail

Falcon Finance has no public GitHub repository (data cache: github.repo_url: null), so no npm or PyPI dependency tree is publicly visible. The protocol's proxy contracts are verified on Etherscan as OpenZeppelin TransparentUpgradeableProxy, which follows the EIP-1967 proxy pattern; from that, a dependency on OpenZeppelin's upgradeable contract libraries is inferred, but the exact library versions compiled into the implementation contracts cannot be pinned without source. No GitHub Security Advisory (GHSA) flagging a malicious release of OpenZeppelin's upgradeable contracts has been identified, and no current critical vulnerability advisory is known for the versions plausibly in use. No malicious-release incident affecting the dependencies Falcon is likely to consume has been identified either. The signal is structurally limited: with no published manifest or lockfile, a comprehensive dependency scan is not possible, and the absence of a matching advisory is weak evidence rather than a clean result.

Sources

Methodology

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
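The check described in the Methodology above, and the inference chain used in the Detail section (proxy pattern to implementation contract to library dependency to advisory lookup), as an added worked example. This is illustrative code written for this page, not defirisk.co's collection tooling. It resolves the implementation address behind an EIP-1967 proxy with a live JSON-RPC call (not run offline), and it matches an OSV-format advisory feed (the format served by osv.dev and exported by the GitHub Advisory Database) against a dependency list, keeping malicious-release advisories (what RD-F-160 asks about) apart from ordinary vulnerability advisories. Every package name other than @openzeppelin/contracts-upgradeable, every advisory id and every version in the sample data is constructed; Falcon Finance's real dependency set is not public.

```python
"""Added example for factor RD-F-160 (illustrative; not the site's own code).

1. read_eip1967_address: live JSON-RPC read of a proxy's implementation or
   admin slot, so the implementation contract can be inspected.
2. assess: match an OSV-format advisory feed against {package: version},
   separating malicious-release advisories from vulnerability advisories.

SAMPLE_DEPENDENCIES and SAMPLE_ADVISORIES are CONSTRUCTED sample data.
"""
import json
import urllib.request

# EIP-1967 slots: keccak256("eip1967.proxy.implementation") - 1 and
# keccak256("eip1967.proxy.admin") - 1.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"


def read_eip1967_address(rpc_url, proxy, slot=IMPL_SLOT):
    """Return the address stored in an EIP-1967 slot of `proxy` (needs an RPC)."""
    payload = {"jsonrpc": "2.0", "id": 1, "method": "eth_getStorageAt",
               "params": [proxy, slot, "latest"]}
    req = urllib.request.Request(rpc_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        word = json.load(resp)["result"]       # 32-byte storage word, 0x-hex
    return "0x" + word[-40:]                   # the address is right-aligned


def query_osv(ecosystem, name, version):
    """Live osv.dev lookup for one package@version; returns its advisory list."""
    payload = {"package": {"ecosystem": ecosystem, "name": name}, "version": version}
    req = urllib.request.Request("https://api.osv.dev/v1/query",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("vulns", [])


def _ver(v):
    # Numeric-only comparison: enough for x.y.z tags, not full semver.
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def version_affected(version, entry):
    """OSV semantics: hit if `version` is listed explicitly or falls inside an
    [introduced, fixed) range; a range with no `fixed` runs to the end."""
    if version in entry.get("versions", []):
        return True
    v = _ver(version)
    for rng in entry.get("ranges", []):
        lo = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                lo = ev["introduced"]
            elif "fixed" in ev and lo is not None:
                if _ver(lo) <= v < _ver(ev["fixed"]):
                    return True
                lo = None
        if lo is not None and _ver(lo) <= v:
            return True
    return False


def is_malicious_release(adv):
    """Records from the OSV malicious-packages database carry MAL- ids, either
    as the primary id or as an alias of a GHSA id; treat those as malware."""
    ids = [adv.get("id", "")] + adv.get("aliases", [])
    return any(i.startswith("MAL-") for i in ids)


def assess(dependencies, advisories):
    """dependencies: {(ecosystem, name): version}. Returns advisory ids that
    touch a consumed version, split into malicious-release vs vulnerability."""
    result = {"malicious": [], "vulnerable": []}
    for adv in advisories:
        for aff in adv.get("affected", []):
            key = (aff["package"]["ecosystem"], aff["package"]["name"])
            if key in dependencies and version_affected(dependencies[key], aff):
                bucket = "malicious" if is_malicious_release(adv) else "vulnerable"
                if adv["id"] not in result[bucket]:
                    result[bucket].append(adv["id"])
    return result


# Constructed sample input: hypothetical packages, ids and versions.
SAMPLE_DEPENDENCIES = {
    ("npm", "@openzeppelin/contracts-upgradeable"): "4.9.3",
    ("npm", "example-proxy-helper"): "2.1.0",
    ("npm", "example-build-plugin"): "1.4.2",
}
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-VULN-1",                    # hits: 2.0.0 <= 2.1.0 < 2.2.0
     "affected": [{"package": {"ecosystem": "npm", "name": "example-proxy-helper"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "2.0.0"}, {"fixed": "2.2.0"}]}]}]},
    {"id": "EXAMPLE-VULN-2",                    # misses: fixed before 2.1.0
     "affected": [{"package": {"ecosystem": "npm", "name": "example-proxy-helper"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}]}]},
    {"id": "MAL-0000-0001",                     # malicious release, exact version
     "affected": [{"package": {"ecosystem": "npm", "name": "example-build-plugin"},
                   "versions": ["1.4.2"]}]},
]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_DEPENDENCIES, SAMPLE_ADVISORIES), indent=2))
```

On the constructed feed the OpenZeppelin dependency produces no hit at all, which is the situation this factor records for Falcon Finance; the hypothetical build plugin lands in the malicious bucket, and the helper library lands in the vulnerability bucket only for the advisory whose range still covers the consumed version. For a closed-source protocol the dependency map has to be guessed from verified implementation bytecode or source, so an empty malicious bucket means only that nothing matched the guessed set.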


rubric_version: v1.7.0
protocol: falcon-finance
factor: RD-F-160
score: green
collected_at: 2026-05-12 04:06:37