Solc version used (known-bug versions flagged)

Frax Finance's assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Main frax-solidity repo: solc 0.8.19 (foundry.toml confirmed), viaIR=true, 100k optimizer runs. Individual deployed contracts: sfrxETH and FraxlendPair V1 use solc 0.8.16; FraxGovernorAlpha uses 0.8.19; frxUSD OFT adapter uses 0.8.22; FraxEtherRedemptionQueueV2 uses solc 0.8.28+Cancun. The TransientStorageClearingHelperCollision high-severity bug (Feb 2026 disclosure, affects solc 0.8.28-0.8.33 with viaIR=true, using delete on transient storage) potentially affects FraxEtherRedemptionQueueV2 if it: (a) was compiled with viaIR=true AND (b) uses delete on transient state variables. The Etherscan verification for this contract shows 800 optimizer runs, Cancun EVM — viaIR flag not confirmed from metadata. Condition (b) not verified without full source inspection. All other contracts (0.8.16-0.8.22) are outside the 0.8.28-0.8.33 affected range. Yellow pending viaIR+transient-storage verification for FraxEtherRedemptionQueueV2.

Sources #

Etherscan
FraxEtherRedemptionQueueV2 Etherscan VerificationFraxEtherRedemptionQueueV2 — solc 0.8.28, Cancun EVM, 800 runsretrieved 2026-05-17
GitHub
frax-solidity foundry.tomlfrax-solidity foundry.toml — solc 0.8.19, viaIR=trueretrieved 2026-05-17
URL
Transient Storage Clearing Helper Collision BugSolidity blog — TransientStorageClearingHelperCollision bug (0.8.28-0.8.33, viaIR, transient storage)retrieved 2026-05-17

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-170 score yellow collected_at 2026-05-16 20:44:31