defirisk.co
rubric v1.7.0

Solc version used (known-bug versions flagged)

A tooling / compiler / AI factor in the v1.7.0 rubric. Measured per protocol on a slow cadence.

Methodology: how we score

**What this measures** This factor records the Solidity compiler version used for the deployed bytecode of the protocol's primary contracts and flags any versions on the known-bug list. The known-bug list covers compiler versions with documented compiler-level vulnerabilities (e.g., Vyper 0.2.15 through 0.3.0, which had reentrancy guard failures) and end-of-life versions no longer receiving security patches. The version is extracted from bytecode metadata and updated on a slow cadence (semi-annual or on code change).

**Why it matters** Compiler bugs are among the hardest vulnerability classes to detect through standard auditing because auditors review source code while the compiler translates that code into bytecode. A compiler with a known bug can produce incorrect bytecode even from correct source code, creating a gap between the audited behavior and the deployed behavior. The Vyper reentrancy bug (affecting versions 0.2.15 through 0.3.0) is the most documented example in the DeFi ecosystem: it disabled the reentrancy guard macro in those versions, making protocols that relied on the compiler-level guard vulnerable even when their source code appeared correct. Several protocols using these Vyper versions lost funds through reentrancy attacks that should have been prevented by their code.

**Green / Yellow / Red** Green: all deployed contracts use a current, supported Solidity or Vyper version with no known bugs, and the version is consistent across all deployments. Yellow: deployed contracts use a Solidity version that is no longer receiving active patches but has no documented critical bugs; or versions are inconsistent across deployments without a documented reason. Red: any deployed contract uses a Solidity or Vyper version on the known-bug list, particularly any version with a documented reentrancy or arithmetic vulnerability.

**Common gray cases** Protocols with contracts deployed across multiple versions (e.g., older V1 contracts still live alongside newer V2) must be assessed at the version of the contracts currently holding user funds, not the newest version used.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

Data & output

- **Data source:** Etherscan bytecode metadata (`0x6080...` CBOR suffix parsing for solc version) + `solc --list-bugs` or official solc bugs.json
- **Output format:** Green / Yellow / Red
- **Evidence artifact:** Deployed solc version string + known-bug list check result
- **Confidence signal:** green = solc version not on known-bug list; yellow = on known-bug list with low/medium severity bugs only; red = on known-bug list with high/critical bug relevant to this contract type; gray = bytecode metadata not parseable
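The measurement described above, as an added example that is not defirisk.co's own code: it reads the CBOR metadata trailer from runtime bytecode, extracts the `solc` entry, and applies the confidence-signal rules. It assumes the standard solc layout (the final two bytes give the trailer length), and the `KNOWN_BUGS` table and `SAMPLE` bytecode are constructed; the "relevant to this contract type" judgement is not automated, so any high/critical entry rates red.

```python
# Added example (not defirisk.co code): solc version from the CBOR metadata trailer.
def _read_item(buf, i):
    """Decode one CBOR item of the kinds solc emits; return (value, next_index)."""
    major, n, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if major == 7 and n in (20, 21):              # false / true
        return n == 21, i
    if n in (24, 25):                             # length is in the next 1 or 2 bytes
        n, i = int.from_bytes(buf[i:i + n - 23], "big"), i + n - 23
    elif n > 25:
        raise ValueError("unsupported CBOR length encoding")
    if major in (2, 3) and i + n <= len(buf):     # byte string / text string
        raw = bytes(buf[i:i + n])
        return (raw if major == 2 else raw.decode("utf-8")), i + n
    if major == 5:                                # map with n key/value pairs
        out = {}
        for _ in range(n):
            key, i = _read_item(buf, i)
            out[key], i = _read_item(buf, i)
        return out, i
    raise ValueError("unsupported or truncated CBOR item")

def solc_version(runtime_hex):
    """Return the embedded compiler version, or None if metadata is not parseable."""
    try:
        code = bytes.fromhex(runtime_hex[2:] if runtime_hex.startswith("0x") else runtime_hex)
        n = int.from_bytes(code[-2:], "big")      # trailer ends with a 2-byte length
        if not 0 < n <= len(code) - 2:
            return None
        meta, end = _read_item(code[-2 - n:-2], 0)
    except (ValueError, IndexError, TypeError):
        return None
    v = meta.get("solc") if isinstance(meta, dict) and end == n else None
    if isinstance(v, bytes) and len(v) == 3:      # release build: major, minor, patch
        return ".".join(map(str, v))
    return v if isinstance(v, str) else None      # prerelease builds store a string

# Constructed demo table, not real bug data; real severities come from solc bugs.json.
KNOWN_BUGS = {"0.8.13": ["low", "medium"], "0.6.1": ["low", "high"]}

def rate(runtime_hex, known_bugs=KNOWN_BUGS):
    version = solc_version(runtime_hex)
    if version is None:
        return "gray", None                       # metadata not parseable
    sev = known_bugs.get(version, [])
    worst = "red" if {"high", "critical"} & set(sev) else "yellow"
    return (worst if sev else "green"), version

# Constructed bytecode: stub code + CBOR {ipfs: 34 zero bytes, solc: 0.8.19} + length.
SAMPLE = "0x6080604052a264697066735822" + "00" * 34 + "64736f6c6343000813" + "0033"
```

Bytecode compiled without a `solc` entry in its metadata, or with the metadata stripped, comes back as gray rather than green, which keeps an unreadable trailer from being scored as a clean version.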

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-170 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | green |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | yellow |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | green |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | green |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0 | factor: RD-F-170 | category: 12 | carried: 80 | critical: no