Shared-library version with known-vuln status

Frax Finance's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ contracts 5.0.1: no active CVE or GHSA advisory found. The Bytes.lastIndexOf OOB bug (Jul 2025, OZ 5.x new utility library) and Base64 dirty-memory bug (Feb 2024, OZ 4.x) are not applicable to core Frax contract surfaces (stablecoin, lending, LST, governance do not use these specific library functions). LayerZero OApp standard: no known CVE found. Green with low confidence that no undisclosed vulnerability exists.

Sources #

URL
OpenZeppelin Contracts Security CenterOpenZeppelin security center — checking v5.0.1 advisoriesretrieved 2026-05-17

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-135 score green collected_at 2026-05-16 20:44:31