Shared-library version with known-vuln status

Stargate Finance's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OpenZeppelin 4.8.1 is in the vulnerable range for CVE-2023-40014 (GHSA-g4vp-m682-qqmp) — affects ERC2771Context when used with custom trusted forwarders where `calldata < 20 bytes`. Patched in OZ 4.9.3. **Stargate v2 does not appear to use ERC2771Context or meta-transaction forwarder patterns** (no such imports found in inspected source files), which substantially reduces exploit risk from this CVE. However, the caret-pinned dependency means the exact deployed version could be anywhere in the...

Sources #

GitHub
https://github.com/advisories/GHSA-g4vp-m682-qqmpretrieved 2026-04-28
URL
https://www.chainsecurity.com/security-audit/layerzero-oft-oappretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stargate factor RD-F-135 score yellow collected_at 2026-04-28 01:38:41