defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

Liquid Collective (LsETH)'s assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

foundry.toml pins solc = '0.8.34' (version pinned). TLC.1.sol and WLSETH.1.sol import OpenZeppelin upgradeable contracts. NPM package.json not accessible via raw GitHub (404 returned). Exact OZ version not precisely determinable. Foundry typically manages deps via git submodules with commit-SHA pins, but submodule file also returned 404. Cannot confirm OZ pin vs floating version — yellow assigned conservatively.

Sources

Methodology

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
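The check described above can be automated. The following script is an added example, not defirisk.co's tooling: it reads `package.json`, `Cargo.toml` and `foundry.toml` text, classifies each security-critical dependency's version specifier as pinned, floating or unknown, and maps the findings to a green/yellow/red verdict. The watchlist of library names, the verdict mapping, and the line-based TOML parsing (rather than a full TOML parser) are assumptions; the manifests embedded at the bottom are constructed samples. Note the Cargo caveat it encodes: a bare `"1.2.3"` in `Cargo.toml` is a caret range, so only `"=1.2.3"` counts as pinned there, whereas npm treats a bare `x.y.z` as exact.

```python
"""Flag floating version ranges for security-critical libraries in dependency manifests.

Hypothetical audit helper (added example, not defirisk.co code). Sample manifests are constructed.
"""
import json
import re

# Assumed watchlist: a dependency counts as security-critical if its name starts with one of these.
SECURITY_CRITICAL = ("@openzeppelin/", "solady", "openzeppelin-solidity")

EXACT_SEMVER = re.compile(r"^v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
GIT_COMMIT = re.compile(r"#([0-9a-f]{40})$")  # git URL locked to a full commit SHA
CARGO_DEP_LINE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|\{[^}]*\bversion\s*=\s*"([^"]*)")')
FOUNDRY_SOLC = re.compile(r"^\s*solc(?:_version)?\s*=\s*['\"]([^'\"]+)['\"]", re.M)


def is_security_critical(name, watchlist=SECURITY_CRITICAL):
    name = name.lower()
    return any(name.startswith(prefix) for prefix in watchlist)


def classify_npm_spec(spec):
    """npm semantics: a bare 'x.y.z' is exact; ^ ~ < > * x ranges, '1.2' and tags float."""
    spec = spec.strip()
    if EXACT_SEMVER.match(spec) or GIT_COMMIT.search(spec):
        return "pinned"
    if spec in ("", "*", "latest") or re.fullmatch(r"\d+(\.\d+)?", spec):
        return "floating"
    if re.search(r"[\^~<>*]|\|\||\s-\s|\.x\b", spec):
        return "floating"
    return "unknown"  # file:, workspace:, branch refs, dist-tags we cannot resolve offline


def classify_cargo_spec(spec):
    """Cargo semantics differ: a bare '1.2.3' means '^1.2.3'; only '=1.2.3' is an exact pin."""
    spec = spec.strip()
    if spec.startswith("="):
        return "pinned" if EXACT_SEMVER.match(spec[1:].strip()) else "floating"
    return "floating"


def audit_package_json(text, watchlist=SECURITY_CRITICAL):
    """Return (name, spec, verdict) for every watchlisted dependency in a package.json."""
    manifest = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "peerDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if is_security_critical(name, watchlist):
                findings.append((name, spec, classify_npm_spec(spec)))
    return findings


def audit_cargo_toml(text, watchlist=SECURITY_CRITICAL):
    """Line-based scan of [dependencies]-style tables; dotted [dependencies.x] tables are not handled."""
    findings, in_deps = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            table = stripped.strip("[]").split(".")[-1]
            in_deps = table in ("dependencies", "dev-dependencies", "build-dependencies")
            continue
        m = CARGO_DEP_LINE.match(line) if in_deps else None
        if m and is_security_critical(m.group(1), watchlist):
            spec = m.group(2) if m.group(2) is not None else m.group(3)
            findings.append((m.group(1), spec, classify_cargo_spec(spec)))
    return findings


def audit_foundry_toml(text):
    """Return (solc_spec, verdict); with no solc key Foundry auto-selects a compiler, i.e. unpinned."""
    m = FOUNDRY_SOLC.search(text)
    if not m:
        return (None, "unpinned")
    spec = m.group(1)
    return (spec, "pinned" if EXACT_SEMVER.match(spec) else "floating")


def overall_verdict(findings):
    """Assumed mapping: any floating range -> red; undeterminable -> yellow; all pinned -> green."""
    verdicts = {v for _, _, v in findings}
    if "floating" in verdicts:
        return "red"
    if "unknown" in verdicts or "unpinned" in verdicts:
        return "yellow"
    return "green"


# Constructed sample manifests (names, versions and the commit SHA are placeholders).
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "@openzeppelin/contracts-upgradeable": "^4.9.3",
    "solady": "0.0.180",
    "ethers": "~6.7.0"
  },
  "devDependencies": {
    "@openzeppelin/upgrades-core": "github:example-org/example-repo#0123456789abcdef0123456789abcdef01234567"
  }
}"""

SAMPLE_CARGO_TOML = """[package]
name = "demo"

[dependencies]
ring = "0.17.8"
ed25519-dalek = { version = "=2.1.1", features = ["rand_core"] }
serde = "1"
"""

SAMPLE_FOUNDRY_TOML = """[profile.default]
solc = '0.8.34'
optimizer = true
"""

if __name__ == "__main__":
    npm_findings = audit_package_json(SAMPLE_PACKAGE_JSON)
    cargo_findings = audit_cargo_toml(SAMPLE_CARGO_TOML, watchlist=("ring", "ed25519-dalek"))
    for finding in npm_findings + cargo_findings:
        print(*finding)
    print("foundry solc:", audit_foundry_toml(SAMPLE_FOUNDRY_TOML))
    print("verdict:", overall_verdict(npm_findings + cargo_findings))
```

Run it against a checkout's manifests by reading each file into the corresponding function; a lockfile (`package-lock.json`, `Cargo.lock`) or a Foundry `lib/` submodule resolved to a commit SHA is what turns an "unknown" into a pin, which is exactly the evidence the assessment above could not retrieve.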


rubric_version: v1.7.0
protocol: liquid-collective
factor: RD-F-133
score: yellow
collected_at: 2026-05-16 19:46:23