Solc version used (known-bug versions flagged)

Cap (cUSD / stcUSD)'s assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

All Cap contracts use Solidity v0.8.28 (foundry.toml: solc='0.8.28'; Etherscan verified source: v0.8.28+commit.7893614a). Per Etherscan solcbuginfo: v0.8.28 is affected by 'TransientStorageClearingHelperCollision' (HIGH severity, introduced 0.8.28, fixed 0.8.34). Bug affects clearing both persistent and transient storage variables in the same contract. Inspected Cap contracts do not appear to use transient storage (EIP-1153 TSTORE/TLOAD), and viaIR is only in the release profile. Effective exploitability is low given no transient storage usage, but the compiler version remains on the known-bug list for a high-severity issue. Upgrade to solc 0.8.34+ would remediate.

Sources #

URL
Solidity Compiler Bug Information — 0.8.28etherscan.io/solcbuginfo — TransientStorageClearingHelperCollision: HIGH, affects 0.8.28, fixed 0.8.34retrieved 2026-05-17
GitHub
foundry.toml — Solc Versionfoundry.toml — solc = '0.8.28'retrieved 2026-05-17
Etherscan
cUSD Contract — Compiler Version Verifiedetherscan.io/address/0xcCcc62962d17b8914c62D74FfB843d73B2a3cccC#code — Compiler: v0.8.28+commit.7893614aretrieved 2026-05-17

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-170 score yellow collected_at 2026-05-17 10:56:24