defirisk.co
rubric v1.7.0

Dependency tree uses EOL Solidity version

A tooling / compiler / ai factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor flags whether the protocol's deployed code or its key dependencies use an end-of-life (EOL) Solidity version -- defined as a version no longer receiving any security patches from the Solidity team. EOL status is determined by the official Solidity changelog and is updated on a semi-annual cadence. The factor covers both the protocol's own contracts and the shared library versions (OpenZeppelin, Solady) where the library was compiled with an EOL version.

**Why it matters** End-of-life compiler versions accumulate known vulnerabilities without patches, so the gap between the deployed code's security properties and current compiler knowledge keeps growing. Active versions have bugs reported and patched; EOL versions have no patch pathway: a vulnerability discovered in an EOL version will never be fixed there, and protocols using that version must migrate their entire codebase to receive the fix. That migration cost is exactly what keeps protocols on EOL versions, and the risk compounds: the longer the protocol stays on EOL, the more known-but-unpatched compiler bugs accumulate. This factor is forward-looking -- it flags exposure before a specific compiler bug is exploited rather than after.

**Green / Yellow / Red** Green: all deployed contracts use a Solidity version that is currently supported and receiving security patches, with no EOL versions in the dependency tree. Yellow: deployed contracts use a Solidity version that is in the final six months of active support (approaching EOL) but has no currently-known critical bugs. Red: any deployed contract uses an EOL Solidity version with no active patching, or any shared library dependency was compiled with an EOL version that affects the protocol's deployed bytecode.

**Common gray cases** Protocols that pin an older version for reproducibility but have documented, audited evidence of compatibility with a patched newer version may be treated as yellow rather than red; the curator must verify that the documented upgrade path has been implemented or has a firm timeline.

**Notable historical examples** No hack incidents are currently cross-linked to this factor in the database.

Measurement: what to look for

Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.

Data & output

**Data source** Etherscan bytecode metadata for deployed contracts + `package.json` / `foundry.toml` dep versions

**Output format** Green / Yellow / Red

**Evidence artifact** Solidity version per contract + EOL status per the solc versioning schedule

**Confidence signal** green = all contracts on supported (non-EOL) Solidity version; yellow = minor deps on EOL version but core contracts supported; red = core contracts on EOL Solidity version; gray = version not determinable from bytecode metadata
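
The bytecode-metadata check above can be reproduced offline: solc appends a CBOR map to runtime bytecode, the last two bytes give its length, and on release builds the `solc` key holds the version as three raw bytes. The sketch below is an added example, not defirisk.co's scoring code; the cut-off versions, the red-before-gray rollup order and the sample bytecode are assumptions constructed for illustration.

```python
def _head(buf, i):
    """Decode one CBOR head -> (major type, argument, next index)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    if info < 24:
        return major, info, i + 1
    if info in (24, 25):                      # 1- or 2-byte argument follows
        n = info - 23
        return major, int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
    raise ValueError("unsupported CBOR head")

def solc_version(runtime):
    """(major, minor, patch) from the metadata trailer, or None if not determinable."""
    size = int.from_bytes(runtime[-2:], "big")  # last two bytes: CBOR length
    if size == 0 or size + 2 > len(runtime):
        return None
    cbor = runtime[-2 - size:-2]
    try:
        major, pairs, i = _head(cbor, 0)
        if major != 5:                          # trailer must be a CBOR map
            return None
        for _ in range(pairs):
            kmaj, klen, i = _head(cbor, i)
            key, i = cbor[i:i + klen], i + klen
            vmaj, varg, i = _head(cbor, i)
            if kmaj != 3 or vmaj not in (2, 3, 7):
                return None
            if vmaj != 7:                       # strings carry varg payload bytes
                val, i = cbor[i:i + varg], i + varg
                if key == b"solc":              # 3 raw bytes on release builds only
                    return tuple(val) if vmaj == 2 and len(val) == 3 else None
    except (ValueError, IndexError):            # truncated or malformed trailer
        pass
    return None

def score(versions, min_supported, sunset=frozenset()):
    """Roll per-contract versions up to one colour (policy inputs are assumptions)."""
    if any(v is not None and v < min_supported for v in versions):
        return "red"
    if any(v is None for v in versions):
        return "gray"
    return "yellow" if any(v in sunset for v in versions) else "green"

def sample_runtime(ver):
    """Constructed bytecode: 5 opcode bytes + {"ipfs": 34 zero bytes, "solc": ver}."""
    cbor = b"\xa2\x64ipfs\x58\x22" + bytes(34) + b"\x64solc\x43" + bytes(ver)
    return bytes.fromhex("6080604052") + cbor + len(cbor).to_bytes(2, "big")

# Hypothetical cut-offs for illustration; take real ones from the Solidity changelog.
MIN_SUPPORTED, SUNSET = (0, 8, 0), {(0, 8, 0)}
```

Bytecode with no `solc` key, a non-release version string, or a stripped trailer returns `None`, which maps to the gray outcome rather than being guessed.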

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-174 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | red |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | green |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | green |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0 | factor: RD-F-174 | category: 12 | carried: 80 | critical: no