defirisk.co
rubric v1.7.0

Upstream patch not merged

Lista DAO's assessment for RD-F-127 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

MakerDAO core (vat/jug) uses Solidity 0.5.x immutable contracts with no active patching cadence. No critical security patch from MakerDAO upstream identified as unmerged. However, the architectural divergence (upgradeable proxies, OZ Ownable, removed LibNote) means upstream patches may not apply cleanly and cannot be cleanly evaluated. Scored yellow due to architectural incompatibility making upstream patch applicability indeterminate.

Sources

  • GitHub
    MakerDAO DSS Upstream Repository
    MakerDAO dss repo — no recent CDP core security patches identified; Lista fork uses Solidity 0.8.x upgradeable vs MakerDAO 0.5.x immutable
    retrieved 2026-05-12

Methodology

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

rubric_version: v1.7.0
protocol: lista-dao
factor: RD-F-127
score: yellow
collected_at: 2026-05-12 17:54:05