defirisk.co
rubric v1.7.0

Shared-library version with known-vuln status

Wormhole's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 4.3.1+ (the floor of the `^4.3.1` range). OpenZeppelin 4.x has had various CVEs and advisories (e.g., GovernorCompatibilityBravo re-entrancy in 4.3.0 — below the floor; ERC777 cross-function re-entrancy in 4.3.x). The `^4.3.1` range potentially includes affected sub-versions depending on lock file. The Wormhole EVM contracts primarily use ERC1967Upgrade, ReentrancyGuard, SafeERC20, and IERC20 from OZ — components that have historically been stable. No current critical CVE affecting these s...

Sources #

  • Curator note
    Extracted from 01-code-security.md — RD-F-135 finding; no URL cited in originalretrieved 2026-04-28

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol wormhole factor RD-F-135 score yellow collected_at 2026-04-28 01:38:43