Dependency tree uses EOL Solidity version

Lido's assessment for RD-F-174 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Solidity 0.4.24 is EOL. Legacy stETH core (AppProxyUpgradeable impl) uses this version by design — intentionally frozen Aragon-era contract. V2/V3 new code on 0.8.9/0.8.25 (actively supported range). openzeppelin-solidity@2.0.0 is legacy tied to Aragon era. Known technical debt, not an oversight.

Sources #

URL
package.jsonhttps://github.com/lidofinance/core/blob/master/package.jsonretrieved 2026-04-28
URL
0x6ca84080381e43938476814be61b779a8bb6a600#codehttps://etherscan.io/address/0x6ca84080381e43938476814be61b779a8bb6a600#coderetrieved 2026-04-28
URL
0xFdDf38947aFB03C621C71b06C9C70bce73f12999#codehttps://etherscan.io/address/0xFdDf38947aFB03C621C71b06C9C70bce73f12999#coderetrieved 2026-04-28

Methodology #

Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lido factor RD-F-174 score yellow collected_at 2026-04-28 13:58:42