Shared-library version with known-vuln status

Veda (BoringVault)'s assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Solmate (transmissions11/solmate) and OpenZeppelin contracts are used but version-pinned to floating branches (see F133). The exact deployed version cannot be confirmed from the manifest alone. No current high/critical CVE or GHSA advisory for solmate's core Auth/ERC20 or OZ contracts was identified. Yellow because floating-pin ambiguity prevents confirming the exact version has no advisory.

Sources #

GitHub
boring-vault .gitmodules — library version ambiguity.gitmodules — floating solmate and openzeppelin-contracts; exact version not pinnedretrieved 2026-05-17
URL
GHSA — solmate advisory searchGHSA search — no active high/critical advisory for transmissions11/solmate or openzeppelin/openzeppelin-contracts core modulesretrieved 2026-05-17

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-135 score yellow collected_at 2026-05-17 12:41:22