Solc version used (known-bug versions flagged)

Balancer (v2 + v3)'s assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v2 (higher-risk): Solidity 0.7.1 confirmed (Etherscan v2 Vault: v0.7.1+commit.f4a555be, optimizer 1500 runs). Known bug in 0.7.x: storage byte-array copy corruption (introduced before 0.7.4, medium severity, fixed in 0.7.4). v2 is permanently on EOL 0.7.1 as contracts are immutable. v3: Solidity 0.8.26 confirmed (Etherscan v3 Vault: v0.8.26+commit.8a97fa7a, optimizer 500 runs, Cancun EVM). The transient-storage-clearing-helper-collision bug affects 0.8.28-0.8.33 (IR pipeline only) — v3 at 0.8.26 is below this range and unaffected. 0.8.26 has no known high-severity compiler bug at assessment date. Overall yellow due to v2 on EOL 0.7.1.

Sources #

Etherscan
v2 Vault Etherscan: constructor-based, no proxyhttps://etherscan.io/address/0xBA12222222228d8Ba445958a75a0704d566BF2C8#coderetrieved 2026-05-05
URL
Solidity 0.8.25-0.8.33 TransientStorageClearingHelperCollision bug (HIGH)https://www.soliditylang.org/blog/2026/02/18/transient-storage-clearing-helper-collision-bug/retrieved 2026-04-26
Etherscan
v3 Vault Etherscan: delegatecall proxy to hardcoded VaultExtension, not UUPShttps://etherscan.io/address/0xbA1333333333a1BA1108E8412f11850A5C319bA9#coderetrieved 2026-05-05

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-170 score yellow collected_at 2026-05-05 12:41:36