defirisk.co
rubric v1.7.0

Dependency tree uses EOL Solidity version

crvUSD (Curve Stablecoin)'s assessment for RD-F-174 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Deployed production contracts use Vyper 0.3.7 (token, ControllerFactory v1) and Vyper 0.3.10 (Controllers, AMMs). The current latest stable Vyper release is 0.4.3 (pinned in pyproject.toml for testing). Vyper does not formally declare versions 'EOL' in the same manner as Solidity, but 0.3.7 and 0.3.10 are two major sub-versions behind current and carry unpatched known advisories. The contracts are immutable: they cannot be recompiled without a protocol upgrade or redeploy. Yellow: not formally EOL, but version-lagged with known unpatched compiler bugs.

Sources

Methodology

Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.

rubric_version: v1.7.0
protocol: crvusd
factor: RD-F-174
score: yellow
collected_at: 2026-05-16 19:09:40