Dimension 8: Supply Chain
Compiler version CVEs, library dependencies, build reproducibility, and proxy pattern risk.
What We Measure
We analyze the software supply chain that produces the deployed bytecode: from source code dependencies through compilation to on-chain deployment. Supply chain attacks are rare in DeFi but potentially catastrophic when they succeed, because they deliver attacker-controlled code through a channel the protocol itself trusts. We assess compiler versions and their known CVEs, library dependencies and their maintenance status, build reproducibility (whether the deployed bytecode can be regenerated byte-for-byte from the published source and compiler settings), proxy patterns and the upgrade path they introduce, dependency freshness and update cadence, and the trust assumptions embedded in the build and deployment pipeline.
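Two of the checks above (compiler version and build reproducibility) can be made mechanical because Solidity appends a CBOR-encoded metadata map to the runtime bytecode, followed by a two-byte big-endian length of that map. The following is an added example, not tooling from the original page or from any rated protocol: it decodes that trailer to recover the solc version, and compares a deployed bytecode against a local rebuild with the metadata masked out, distinguishing a full match (byte-identical) from a partial match (same executable code, different metadata hash, which is what you get when source paths or compiler settings differ) and from a real mismatch. All bytecode below is constructed inline for the demonstration; the opcode body and IPFS digests are placeholders, not a real contract.

```python
"""Supply-chain checks on EVM bytecode: read the solc version out of the
CBOR metadata trailer and compare deployed vs. locally compiled bytecode
with the metadata masked out. Sample bytecode is constructed inline."""

# solc appends a CBOR map to the runtime bytecode, then a 2-byte big-endian
# length of that map. Keys seen in practice: "ipfs" or "bzzr1" (bytes),
# "solc" (3 bytes: major, minor, patch), "experimental" (bool).

def _decode_cbor_item(buf: bytes, pos: int):
    """Decode one CBOR item; supports only the types solc emits."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    # Argument: inline for values < 24, otherwise a 1- or 2-byte length.
    if info < 24:
        arg = info
    elif info == 24:
        arg = buf[pos]; pos += 1
    elif info == 25:
        arg = int.from_bytes(buf[pos:pos + 2], "big"); pos += 2
    else:
        raise ValueError("unsupported CBOR argument encoding")
    if major == 2:                       # byte string
        return buf[pos:pos + arg], pos + arg
    if major == 3:                       # text string
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 5:                       # map
        out = {}
        for _ in range(arg):
            key, pos = _decode_cbor_item(buf, pos)
            val, pos = _decode_cbor_item(buf, pos)
            out[key] = val
        return out, pos
    if major == 7 and arg in (20, 21):   # false / true
        return arg == 21, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def split_metadata(bytecode: bytes):
    """Return (code_without_trailer, metadata_dict); raise if no valid trailer."""
    if len(bytecode) < 2:
        raise ValueError("bytecode too short")
    length = int.from_bytes(bytecode[-2:], "big")
    if length == 0 or length + 2 > len(bytecode):
        raise ValueError("no CBOR metadata trailer")
    start = len(bytecode) - 2 - length
    meta, end = _decode_cbor_item(bytecode, start)
    if end != len(bytecode) - 2 or not isinstance(meta, dict):
        raise ValueError("malformed metadata trailer")
    return bytecode[:start], meta


def solc_version(bytecode: bytes):
    """Compiler version as (major, minor, patch) from the 'solc' field."""
    _, meta = split_metadata(bytecode)
    v = meta.get("solc")
    if not isinstance(v, bytes) or len(v) != 3:
        raise ValueError("no solc version in metadata")
    return tuple(v)


def compare_bytecode(deployed: bytes, compiled: bytes) -> str:
    """'full' = byte-identical; 'partial' = same executable code, different
    metadata (the ipfs hash changes whenever paths or settings differ);
    'none' = the executable code itself differs."""
    if deployed == compiled:
        return "full"
    d_code, _ = split_metadata(deployed)
    c_code, _ = split_metadata(compiled)
    return "partial" if d_code == c_code else "none"


# --- Constructed sample data (placeholder, not real contract bytecode) ------

def build_bytecode(body: bytes, ipfs_digest: bytes, version=(0, 8, 20)) -> bytes:
    """Assemble body + CBOR trailer in the layout solc uses, for test data."""
    cbor = (b"\xa2"                                                  # map(2)
            + b"\x64ipfs" + b"\x58" + bytes([len(ipfs_digest)]) + ipfs_digest
            + b"\x64solc" + b"\x43" + bytes(version))
    return body + cbor + len(cbor).to_bytes(2, "big")

# Multihash form of an IPFS CID: 0x12 (sha2-256), 0x20 (32 bytes), digest.
DIGEST_A = b"\x12\x20" + bytes(range(32))
DIGEST_B = b"\x12\x20" + bytes(range(32, 64))
BODY = bytes.fromhex("6080604052600080fd")  # PUSH1 80 PUSH1 40 MSTORE PUSH1 0 DUP1 REVERT

DEPLOYED = build_bytecode(BODY, DIGEST_A)
REBUILT_SAME_ENV = build_bytecode(BODY, DIGEST_A)
REBUILT_OTHER_PATHS = build_bytecode(BODY, DIGEST_B)
REBUILT_OLD_COMPILER = build_bytecode(BODY + b"\x00", DIGEST_B, version=(0, 7, 6))

if __name__ == "__main__":
    print("deployed solc", ".".join(map(str, solc_version(DEPLOYED))))
    for name, cand in [("same env", REBUILT_SAME_ENV),
                       ("other paths", REBUILT_OTHER_PATHS),
                       ("old compiler", REBUILT_OLD_COMPILER)]:
        print(f"{name:>12}: {compare_bytecode(DEPLOYED, cand)} match")
```

In a real assessment the deployed side comes from `eth_getCode` and the compiled side from a rebuild with the published compiler settings; a "partial" result means the logic matches but the metadata does not, so the verified source may have been built with different paths or settings than what was published, and the reviewer should say why before treating the build as reproducible. The version tuple feeds the compiler-CVE check directly, against whatever advisory list the reviewer maintains.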
What Raises This Score
Modern compiler versions with no known critical CVEs
Minimal external dependencies (self-contained codebases)
Fully reproducible builds with verified on-chain bytecode
Immutable deployment (no proxy, so there is no upgrade path through which new code can be delivered after launch)
Industry-standard libraries (OpenZeppelin) with active maintenance
Pinned dependency versions with explicit upgrade decisions
CI/CD pipelines with integrity verification
What Lowers This Score
Outdated compiler versions with known vulnerabilities
Exotic or unmaintained library dependencies
Non-reproducible builds (deployed bytecode cannot be verified from source)
Complex proxy patterns that add upgrade-path supply chain risk
Unpinned dependencies (floating version ranges or branch references) that can change between builds without an explicit review step
Build toolchain with unverified or unsigned components
Dependencies on deprecated or abandoned libraries
Why This Weight
At 4%, Supply Chain carries the lowest active weight because supply chain attacks on DeFi protocols are extremely rare — most exploits target logic bugs, not compromised compilers or libraries. However, when supply chain attacks do occur (as seen in broader software ecosystems), they can be devastating and difficult to detect. The low weight reflects frequency, not potential impact.