Dependency tree uses EOL Solidity version

Convex Finance's assessment for RD-F-174 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Mainnet contracts use Solidity 0.6.12 (last 0.6.x release, dated 2020-07-22). This is technically not EOL by a formal Solidity team declaration, but it is over 5 years old with no further security updates. No forward-compatibility patches exist. The sidechain platform uses 0.8.10, which is within the supported 0.8.x branch. OZ 3.4.0 dependency is compatible with 0.6.x. Yellow for the aging compiler with no further updates, though not formally declared EOL.

Sources #

GitHub
Solidity GitHub releases (0.6.12 is last in 0.6.x series, no further updates)Solidity releases - 0.6.12 is final 0.6.xretrieved 2026-05-16
Etherscan
Convex Booster Etherscan (Solidity 0.6.12 confirmed)Booster - v0.6.12 confirmedretrieved 2026-05-16

Methodology #

Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-174 score yellow collected_at 2026-05-16 02:41:28