Dependency manifest uses unpinned versions
Polymarket's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
CTF Exchange V1 submodules all pinned to exact SHA commits: forge-std (1801b054...), openzeppelin-contracts (8769b198...), solady (acd959aa...), solmate (bff24e83...). CTF Exchange V2 submodules pinned: forge-std (0844d7e1...), solady (acd959aa...). All security-critical libraries pinned.
Sources #
- GitHubCTF Exchange V1 submodule SHAsapi.github.com/repos/Polymarket/ctf-exchange/git/trees/HEAD — submodule SHAs confirmedretrieved 2026-04-29
- CTF Exchange V2 submodule SHAsapi.github.com/repos/Polymarket/ctf-exchange-v2/git/trees/HEAD — forge-std 0844d7e1, solady acd959aaretrieved 2026-04-29
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol polymarket factor RD-F-133 score green collected_at 2026-04-29 16:25:39