GitHub malicious-dependency incident touching protocol deps
Liquid Collective (LsETH) assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No GitHub advisory flagging a malicious release in any dependency consumed by Liquid Collective was found in public sources or in the data cache (data cache static_analysis = []). The protocol uses Solidity 0.8.34 (foundry.toml per data cache), a recent stable version that is not on the known-bug list. OpenZeppelin libraries are in use; oz_contracts_version was not captured in the data cache, but the protocol's active audit program (9 audits, including Certora formal verification in Nov 2024 and a Quantstamp offchain review in May 2024) substantially reduces the risk of an undetected malicious dependency. No CVE/GHSA advisory was found for this protocol's dependency tree.
Sources
- Security Audits - Liquid Collective (URL): Certora formal verification Nov 2024 and Quantstamp offchain audit May 2024 confirm active dependency review; no malicious dependency found. Retrieved 2026-05-17.
- Liquid Collective data cache - github fields (00-data-cache.json): github.solidity_version = '0.8.34'; github.foundry_toml_present = true; static_analysis = []. Retrieved 2026-05-17.
Methodology
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.