Solc version used (known-bug versions flagged)

Curve Finance's assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

VYPER CODEBASE — factor reframed for Vyper. Current NG contracts use Vyper 0.3.10 (confirmed: CurveTricryptoOptimizedWETH.vy, CurveStableSwapNG.vy pragma; Etherscan verification of CurveStableSwapNGViews 0xFF530... shows Vyper 0.3.10 exact match). Legacy governance/DAO contracts (VotingEscrow.vy, ERC20CRV.vy, GaugeController) use Vyper 0.2.4 — EOL but not affected by the 0.2.15-0.3.0 reentrancy guard bug (bug introduced in 0.2.15). The 0.2.4 contracts are immutable governance infrastructure live since 2020. Vyper 0.2.4 has no known critical vulnerability in its implemented features but is an unsupported EOL version. Yellow (not red) because: (a) 0.2.4 is not in the known-bug class; (b) contracts have operated safely for 6 years; but the EOL status without migration plan is a residual risk.

Sources #

GitHub
CurveTricryptoOptimizedWETH.vy — Vyper 0.3.10 pragma confirmedCurveTricryptoOptimizedWETH.vy — pragma version 0.3.10retrieved 2026-04-28
Etherscan
CurveStableSwapNGViews Etherscan verificationCurveStableSwapNGViews at 0xFF53042865dF617de4bB871bD0988E7B93439cCF — Vyper 0.3.10 verified exact matchretrieved 2026-04-28
GitHub
VotingEscrow.vy source — Vyper 0.2.4 pragmaVotingEscrow.vy — pragma version 0.2.4retrieved 2026-04-28

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-170 score yellow collected_at 2026-04-28 19:48:40