defirisk.co
rubric v1.7.0

Solc version used (known-bug versions flagged)

Uniswap (v2 + v3)'s assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

V2-core: Solidity 0.5.16 (EOL). V3-core: Solidity 0.7.6 confirmed (Etherscan: v0.7.6+commit.7338295f, 800 runs). 0.7.6 known bugs: DynamicArrayCleanup (medium), EmptyByteArrayCopy (medium) — neither applies to pool pattern (fixed-layout structs). UniversalRouter: 0.8.26 (no known high/critical bugs). Both V2 and V3 deployed immutably — no recompilation possible. Scored yellow for older compiler versions on known-bug lists. V2 (0.5.16): yellow; V3 (0.7.6): yellow. Combined: yellow.

Detail #

Etherscan source verification for the V3 Factory (0x1F98431c8aD98523631AE4a59f267346ea31F984) confirms compilation with v0.7.6+commit.7338295f using 800 optimizer runs. The hardhat.config.ts in the v3-core repo confirms `solidity: '0.7.6'`. Known bugs for Solidity 0.7.6 per Etherscan solcbuginfo include DynamicArrayCleanup (medium severity: incorrect clearing of storage arrays when a dynamic array is shortened) and EmptyByteArrayCopy (medium severity: copying empty byte arrays to storage). Neither pattern appears in the V3 Pool contract, which uses fixed-size struct slots (Slot0, Position, etc.). V2 uses Solidity 0.5.16 which also has known bugs from that era; the constant-product AMM pattern is similarly unlikely to trigger them. Both codebases are immutably deployed — the compiler version risk is historical and fixed, not ongoing.

Sources #

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol uniswap factor RD-F-170 score yellow collected_at 2026-05-12 10:36:11