GitHub malicious-dependency incident touching protocol deps
M^0's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No active GitHub security advisory identified against m0-foundation dependencies. Solidity v0.8.23 (confirmed on all core Etherscan-verified contracts) has no known critical vulnerability in the solc bug list. OpenZeppelin library patterns are expected (standard ERC-20); no recent malicious OZ release incidents. M0 GitHub repos use Foundry toolchain; no malicious Foundry dependency advisory identified.
Sources
- GitHub: M0 Foundation Protocol GitHub — Solidity v0.8.23, no malicious dependency advisory. m0-foundation/protocol GitHub; Solidity v0.8.23 used across all core contracts (confirmed via Etherscan); no malicious dependency advisory in GitHub security advisory database for this ecosystem. Retrieved 2026-05-16.
Methodology
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
- rubric_version: v1.7.0
- protocol: m0
- factor: RD-F-160
- score: green
- collected_at: 2026-05-16 09:46:19