defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Yearn Finance's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

GitHub-flagged malicious-dependency incident touching Yearn's deps. Yearn V3 dependencies: OZ 4.9.5 (Solidity periphery), foundry toolchain, package.json present (cache github.package_json_present=true). No GitHub security advisory flagging a malicious release in OZ 4.9.5 or the foundry toolchain as of 2026-05-16. OZ 4.9.5 is a stable release with no known CVEs affecting the deployed version. Vyper 0.3.7 (V3 core): outside the July-2023 reentrancy-affected range (0.2.15-0.3.0).

Sources #

  • GitHub
    GitHub — yearn-vaults-v3 dependency manifestgithub.com/yearn/yearn-vaults-v3: OZ 4.9.5 in package.json; foundry toolchain. No GitHub security advisory for OZ 4.9.5 or foundry as of 2026-05-16.retrieved 2026-05-16
  • Internal
    Yearn Finance data cache — dependency versions00-data-cache.json: sources.github.oz_contracts_version='4.9.5'; vyper_detected=true; vyper_version=null (cache gap; V3 confirmed Vyper 0.3.7 per briefing §7 — outside reentrancy-affected 0.2.15-0.3.0 range).retrieved 2026-05-16

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-160 score green collected_at 2026-05-16 08:34:32