defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

Frax Finance's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Data cache confirms OZ contracts version 5.0.1 used. The frax-solidity foundry.toml (solc 0.8.19, viaIR=true, 100k runs) does not show a version string for OZ in the foundry.toml itself. .gitmodules file returned 404. Whether OZ 5.0.1 is pinned to a commit SHA (more secure) vs. a floating version tag was not confirmed. The frax-oft-upgradeable repo uses solc 0.8.22, 200 runs — OZ dependency pinning not independently verified. Yellow: version tag is specific (5.0.1) but commit SHA pinning status unconfirmed.

Sources #

  • GitHub
    frax-solidity foundry.tomlfrax-solidity foundry.toml — solc 0.8.19, optimizer, viaIR=true; no OZ commit SHA visibleretrieved 2026-05-17
  • Internal
    frax .research 00-data-cache.json - github.oz_contracts_version = 5.0.1 (in-repo data-pipeline cache)retrieved 2026-05-17

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-133 score yellow collected_at 2026-05-16 20:44:31