Shared-library version with known-vuln status
Orca's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Key shared library versions: anchor-lang 0.32.1, anchor-spl 0.32.1, solana-program 2.2.1. Two active GHSA advisories for anchor-lang: GHSA-429q-fhh4-r6hj (Critical — InterfaceAccount type substitution, affects 1.0.0-rc.1 only, fixed in 1.0.0-rc.2) and GHSA-c6rc-8jpp-2fgc (High — Program<System> validation, affects 1.0.0+, fixed in 1.0.2). Both explicitly affect the 1.0.x release series only. Orca uses anchor-lang 0.32.1 (the 0.x series) which is NOT in the affected version range for either advisory. No active advisories found for solana-program 2.2.1, pinocchio, borsh, or other pinned crates.
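The range check behind this reasoning, as an added example (not code from Orca or the curator): it reads exact `=` pins from a manifest and tests each against the advisory ranges using semver precedence, where a pre-release such as 1.0.0-rc.1 sorts below 1.0.0. The manifest fragment is constructed, and reading each advisory as the half-open range from first affected to first fixed version is an assumption based on the summary above.

```python
import re

# Advisory ranges as stated in the evidence summary: (id, crate, first affected, first fixed).
ADVISORIES = [
    ("GHSA-429q-fhh4-r6hj", "anchor-lang", "1.0.0-rc.1", "1.0.0-rc.2"),
    ("GHSA-c6rc-8jpp-2fgc", "anchor-lang", "1.0.0", "1.0.2"),
]

# Constructed manifest fragment (not the real programs/whirlpool/Cargo.toml).
SAMPLE_MANIFEST = '''
[dependencies]
anchor-lang = "=0.32.1"
anchor-spl = { version = "=0.32.1", features = ["metadata"] }
solana-program = "=2.2.1"
'''

# Matches both `name = "=x.y.z"` and `name = { version = "=x.y.z", ... }`.
DEP_LINE = re.compile(r'^([\w-]+)\s*=\s*(?:\{.*?\bversion\s*=\s*)?"=\s*([^"]+)"', re.M)

def exact_pins(manifest):
    """Map crate name -> version for dependencies declared with an exact '=' requirement."""
    return dict(DEP_LINE.findall(manifest))

def sort_key(version):
    """Semver precedence key: a pre-release sorts below the release with the same core."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?", version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core, (1,)
    # Numeric identifiers compare as integers and rank below alphanumeric ones.
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in m.group(4).split("."))
    return core, (0, ids)

def audit(pins, advisories=ADVISORIES):
    """Return (crate, version, advisory id) for each pin with first_affected <= pin < first_fixed."""
    return [(crate, pins[crate], ghsa) for ghsa, crate, lo, hi in advisories
            if crate in pins and sort_key(lo) <= sort_key(pins[crate]) < sort_key(hi)]

if __name__ == "__main__":
    print(audit(exact_pins(SAMPLE_MANIFEST)))
```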
Sources
- GHSA-429q-fhh4-r6hj — Anchor InterfaceAccount (affects 1.0.0-rc.1, not 0.32.1): https://github.com/coral-xyz/anchor/security/advisories/GHSA-429q-fhh4-r6hj (retrieved 2026-05-16)
- programs/whirlpool/Cargo.toml (all deps use = pinning): https://github.com/orca-so/whirlpools/blob/main/programs/whirlpool/Cargo.toml (retrieved 2026-05-16)
- GHSA-c6rc-8jpp-2fgc — Anchor Program validation (affects 1.0.0+, not 0.32.1): https://github.com/coral-xyz/anchor/security/advisories/GHSA-c6rc-8jpp-2fgc (retrieved 2026-05-16)
Methodology
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.