Dependency tree uses EOL Solidity version

BENQI's assessment for RD-F-174 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Core lending contracts use Solidity 0.5.17 (deployed 2021, last active patch release was 0.5.17 itself — the 0.5.x series reached its final release in mid-2020). sAVAX uses 0.6.12 (similarly in the legacy supported category; the 0.6.x series final release was 0.6.12). Both versions are no longer receiving active security patches and are in the legacy/EOL spectrum by 2026-05-16. No critical known compiler bug affects these contracts for their specific patterns (SafeMath-based 0.5.17, OZ-upgradeable 0.6.12). The contracts are non-upgradeable (lending) or proxy-upgradeable (sAVAX), so the EOL compiler risk is static. Ignite uses 0.8.x which is current. Yellow: legacy compiler versions (0.5.17, 0.6.12) in use for core contracts without forward-compatibility patch plan, though no critical bugs are known for the patterns used.

Sources #

URL
Solidity Releases — version historySolidity release history — 0.5.x and 0.6.x series both in legacy/EOL as of 2026retrieved 2026-05-16
Etherscan
Comptroller Snowtrace — 0.5.17 legacy compilerComptroller Snowtrace verified at Solidity 0.5.17 — legacy compiler seriesretrieved 2026-05-16
GitHub
StakedAvax.sol — pragma 0.6.12StakedAvax.sol pragma 0.6.12 — legacy compiler series (final release 0.6.12 mid-2020)retrieved 2026-05-16

Methodology #

Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol benqi factor RD-F-174 score yellow collected_at 2026-05-16 11:02:12