Shared-library version with known-vuln status
OpenEden's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
OZ 4.9.0 is in use (cache confirmed). GHSA-699g-q6qh-q4v8 (Dec 2023, Moderate: duplicated subcall execution) explicitly affects version 4.9.4 — not 4.9.0. GHSA-9vx6 (Feb 2024, Low: Base64 dirty memory) affects certain versions but is Low severity. OZ 5.x has been released; the 4.9.x minor track receives no new security patches. The 4.9.0 version carries no active Critical/High CVE but is on an unsupported minor track relative to current 5.x releases. Yellow for library age / inactive patch track.
Sources
- Internal: 00-data-cache.json — github.oz_contracts_version. Cache github.oz_contracts_version: 4.9.0. Retrieved 2026-05-16.
- OpenZeppelin Contracts — Security Advisories (GHSA-699g). OZ GHSA-699g-q6qh-q4v8 — affects 4.9.4 specifically, not 4.9.0. Retrieved 2026-05-16.
Methodology
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
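The check described above, as an added example that is not the curator's own tooling: it matches a pinned version against GHSA-style affected ranges and maps the result to a score. Assumptions: the function names, the `CONSTRUCTED-HIGH` entry, the red and green outcomes, treating a non-Critical/High hit as yellow, and modelling an unsupported track as a major version below `supported_major`; the page itself only states the yellow case for 4.9.0.

```python
import re

def parse(v):
    """'4.9.0' -> (4, 9, 0); ignores any pre-release suffix."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}

def in_range(version, spec):
    """spec is a GHSA-style range such as '>= 4.0.0, < 4.2.0' or '= 4.9.4'."""
    v = parse(version)
    for clause in spec.split(","):
        op, bound = re.match(r"\s*(<=|>=|=|<|>)\s*(\S+)", clause).groups()
        if not OPS[op](v, parse(bound)):
            return False  # every clause must hold for the version to be affected
    return True

def assess(version, advisories, supported_major):
    """Return (score, ids of advisories whose range contains version)."""
    hits = [a for a in advisories if in_range(version, a["affected"])]
    ids = [a["id"] for a in hits]
    if any(a["severity"] in ("critical", "high") for a in hits):
        return "red", ids      # assumption: the page does not define red
    if hits or parse(version)[0] < supported_major:
        return "yellow", ids   # page's case: no Critical/High hit, old track
    return "green", ids        # assumption: the page does not define green

# Range for GHSA-699g-q6qh-q4v8 as the page states it (4.9.4 only).
# CONSTRUCTED-HIGH is a made-up entry that exercises the red path.
ADVISORIES = [
    {"id": "GHSA-699g-q6qh-q4v8", "severity": "moderate", "affected": "= 4.9.4"},
    {"id": "CONSTRUCTED-HIGH", "severity": "high", "affected": ">= 4.0.0, < 4.2.0"},
]

if __name__ == "__main__":
    for pinned in ("4.9.0", "4.9.4", "4.1.0", "5.0.2"):
        print(pinned, assess(pinned, ADVISORIES, supported_major=5))
```

The second advisory named in the evidence summary is left out because the page gives no affected range for it.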