Dependency had malicious-release incident (last 90d)

Liquity V1 + V2 (LUSD / BOLD)'s assessment for RD-F-134 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2 dependencies are git submodules pinned to specific commits (Solady, OZ v4.9.5, forge-std). No GitHub Security Advisory flagging malicious releases in any of these pinned library commits. OZ v4.9.5 (Dec 2023) has no known malicious-release history. Solady and forge-std have no known malicious-release history.

Sources #

GitHub
OZ contracts commit bd325d56 version confirmationOZ submodule bd325d56 = v4.9.5 Dec 2023 — no malicious releaseretrieved 2026-05-16

Methodology #

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquity factor RD-F-134 score green collected_at 2026-05-16 10:35:50