Shared-library version with known-vuln status

Venus Protocol's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OpenZeppelin 4.9.3 (main repo, pinned) and ^4.8.3 (isolated-pools) are current stable releases in the 4.x series. No CVE or GHSA affecting these versions identified. Protocol does not use Solady (which had a recent advisory).

Sources #

GitHub
OpenZeppelin 4.9.3 release — no outstanding critical CVEsOZ 4.9.3 — no current critical advisoriesretrieved 2026-04-28
GitHub
Data cache: oz_contracts_version = 4.9.3Data cache OZ versionretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol venus factor RD-F-135 score green collected_at 2026-04-28 18:30:49