defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Pendle Finance's assessment for RD-F-160 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

GitHub-flagged malicious-dependency (Cat 11). Threshold: a security advisory flags a malicious release in a dependency consumed by this protocol. Pendle uses OpenZeppelin (OZ) v4.9.3 per the data cache and is a Hardhat project with npm dependencies. No GHSA or CVE advisory is known for OZ v4.9.3. The full npm dependency tree was not assessed (PH-level), so a clean OZ pin says nothing about the transitive packages in the lockfile. A conclusive score requires an automated dependency-monitoring feed over that full tree.

Sources #

  • Curator note
    Source: Pendle Core V2 Public GitHub
    OZ version 4.9.3 per data cache; Hardhat project per data cache; no known GHSA for OZ v4.9.3. Full dep scan not run.
    Retrieved 2026-04-29

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.

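The check this factor describes is mechanical once the lockfile is in hand: enumerate every resolved package@version, query an advisory source, and keep only advisories that classify the release as malicious rather than merely vulnerable. The script below is an added illustration written for this page; it is not defirisk.co tooling and not Pendle's code. The package-lock.json and the advisory response are constructed sample data (the "MAL-EXAMPLE-0001" id is a placeholder, not a real advisory). It builds the request body for the OSV batch endpoint (POST https://api.osv.dev/v1/querybatch, which returns results in query order) and filters on OSV's MAL- id prefix for malicious-package advisories; the network call itself is left to the caller so the script runs offline.

```python
"""Enumerate an npm lockfile's resolved packages and flag malicious-package
advisories. Added example for RD-F-160; not defirisk.co or Pendle code."""
import json

# Constructed lockfile (npm lockfileVersion 3 layout). Not Pendle's real lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-hardhat-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-hardhat-project",
             "dependencies": {"@openzeppelin/contracts": "4.9.3"}},
        "node_modules/@openzeppelin/contracts": {"version": "4.9.3"},
        "node_modules/hardhat": {"version": "2.19.0"},
        # Constructed package name standing in for an arbitrary transitive dep.
        "node_modules/hardhat/node_modules/example-helper": {"version": "1.2.3"},
    },
})

# Constructed OSV querybatch response, aligned with the sorted package list below.
# "MAL-EXAMPLE-0001" is a placeholder id, not a real advisory.
SAMPLE_OSV_RESPONSE = {
    "results": [
        {},                                                   # @openzeppelin/contracts
        {"vulns": [{"id": "MAL-EXAMPLE-0001",
                    "summary": "constructed malicious-package advisory"}]},  # example-helper
        {},                                                   # hardhat
    ]
}


def lockfile_packages(lock_text):
    """Return sorted (name, version) pairs for every resolved package.

    Walks the "packages" map of a v2/v3 package-lock.json. Nested paths such as
    node_modules/a/node_modules/b are reduced to the innermost package name, so
    transitive dependencies are included, which is the gap the factor text
    describes (a pinned direct dep alone proves nothing about the tree).
    """
    lock = json.loads(lock_text)
    found = set()
    for path, entry in lock.get("packages", {}).items():
        if path == "" or "version" not in entry:
            continue  # root project entry or a link without a resolved version
        name = path.rsplit("node_modules/", 1)[1]
        found.add((name, entry["version"]))
    return sorted(found)


def osv_batch_request(packages):
    """Build the JSON body for POST https://api.osv.dev/v1/querybatch."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": "npm"}, "version": version}
        for name, version in packages
    ]}


def malicious_findings(packages, osv_response):
    """Pair each result with its query (same order) and keep MAL- advisories only.

    Ordinary vulnerabilities (GHSA-/CVE- ids) are deliberately dropped: this
    factor asks specifically whether a release was flagged as malicious.
    """
    findings = []
    for (name, version), result in zip(packages, osv_response["results"]):
        for vuln in result.get("vulns", []):
            if vuln["id"].startswith("MAL-"):
                findings.append({"package": name, "version": version,
                                 "advisory": vuln["id"]})
    return findings


def assess(lock_text, osv_response):
    """Return the factor outcome: 'flagged' if any malicious advisory matched,
    otherwise 'clear'. A missing or partial response should stay 'gray' at the
    caller, since absence of data is not absence of advisories."""
    packages = lockfile_packages(lock_text)
    if len(osv_response.get("results", [])) != len(packages):
        return "gray"
    return "flagged" if malicious_findings(packages, osv_response) else "clear"


if __name__ == "__main__":
    pkgs = lockfile_packages(SAMPLE_LOCKFILE)
    print(json.dumps(osv_batch_request(pkgs), indent=1))
    print(malicious_findings(pkgs, SAMPLE_OSV_RESPONSE))
    print(assess(SAMPLE_LOCKFILE, SAMPLE_OSV_RESPONSE))
```

In use, the request body from `osv_batch_request` is posted to the OSV endpoint and the decoded JSON is passed to `malicious_findings`; a response whose length does not match the query list is treated as inconclusive rather than clean, which mirrors why this factor is scored gray when the full tree has not been scanned.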

rubric_version: v1.7.0
protocol: pendle
factor: RD-F-160
score: gray
collected_at: 2026-04-28 21:09:40