Shared-library version with known-vuln status

Ondo Finance's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 4.8.x has no current critical or high GHSA advisories as of April 2026. Flux Finance cToken contracts use Solidity 0.5.17 with Compound v2 vendored dependencies; no active GHSA for Compound v2 core contracts.

Sources #

URL
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisoriesretrieved 2026-04-28
GitHub
https://github.com/ondoprotocol/usdy/blob/main/package.jsonretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ondo-finance factor RD-F-135 score green collected_at 2026-05-14 12:01:55