Shared-library version with known-vuln status

Yearn Finance's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 4.9.5: no active high/critical CVE or GHSA advisory as of 2026-05-16. Vyper 0.3.7 (V3): outside the July 2023 reentrancy-affected range (0.2.15, 0.2.16, 0.3.0 only). V2 Vyper versions 0.2.8 and 0.2.12: all outside the three affected versions confirmed by Vyper post-mortem. No active high-severity advisories for any used library version.

Sources #

Etherscan
Etherscan yvDAI V2 — vyper:0.2.8 (outside affected range)Multiple V2 vaults: 0x5f18c75a (vyper:0.2.8), 0xdA816459 (vyper:0.2.12)retrieved 2026-05-16
URL
Vyper Nonreentrancy Lock Vulnerability Post-Mortem — affected: 0.2.15, 0.2.16, 0.3.0 onlyVyper reentrancy postmortem — exact affected versionsretrieved 2026-05-16

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-135 score green collected_at 2026-05-16 08:34:32