Shared-library version with known-vuln status

Lista DAO's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

@openzeppelin/contracts 4.6.0 is affected by GHSA-4h98-2769-gh6h (ECDSA signature malleability, HIGH severity, affected >=4.1.0 <4.7.3, patched 4.7.3). Lista's package.json pins OZ exactly at 4.6.0 — squarely in the affected range. hay.sol and LisUSD.sol implement EIP-712 permit. Exploitability depends on whether signatures themselves (vs nonces) are used as replay protection. Marked yellow pending verification of permit implementation.

Sources #

GitHub
OZ ECDSA HIGH Advisory GHSA-4h98-2769-gh6hGHSA-4h98-2769-gh6h — ECDSA HIGH severity, affected >=4.1.0 <4.7.3, patched 4.7.3retrieved 2026-05-12
GitHub
Lista DAO package.json OZ 4.6.0package.json — @openzeppelin/contracts pinned at exactly 4.6.0 (in affected range >=4.1.0 <4.7.3)retrieved 2026-05-12

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lista-dao factor RD-F-135 score yellow collected_at 2026-05-12 17:54:05