Solc version used (known-bug versions flagged)

Compound V3 (Comet)'s assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Deployed on solc 0.8.15 (confirmed via foundry.toml and Etherscan). Contains CalldataTupleReencodingHeadOverflow bug (medium severity, fixed in 0.8.16) which affects BOTH via-IR and legacy pipelines. Configurator.sol passes structs as calldata (setConfiguration, addAsset) potentially satisfying trigger. Functions are governance-restricted (Timelock-only), substantially reducing exploitability.

Sources #

Etherscan
https://etherscan.io/address/0xc3d688B66703497DAA19211EEdff47f25384cdc3retrieved 2026-04-28
GitHub
https://github.com/compound-finance/comet/blob/main/foundry.tomlretrieved 2026-04-28
URL
https://www.soliditylang.org/blog/2022/08/08/calldata-tuple-reencoding-head-overflow-bug/retrieved 2026-04-28
GitHub
https://github.com/compound-finance/comet/blob/main/contracts/Configurator.solretrieved 2026-04-28

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol compound-v3 factor RD-F-170 score yellow collected_at 2026-04-28 00:20:50