Dependency tree uses EOL Solidity version
Curve Finance's assessment for RD-F-174 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Vyper codebase: the factor is reframed as an EOL Vyper version in the dependency tree. Legacy governance infrastructure (VotingEscrow.vy at Vyper 0.2.4, ERC20CRV.vy at Vyper 0.2.4, GaugeController) uses EOL Vyper versions. Vyper 0.2.4 is not actively maintained; the currently supported releases are 0.3.x/0.4.x. These contracts are immutable and cannot be moved to a newer Vyper version without a full redeployment via DAO vote. The GovernanceDAO contracts at 0.2.4 have been deployed since 2020 with no known exploit arising from a compiler-level bug. EOL status without a migration plan is a persistent residual risk, so the factor is scored yellow.
Sources
- GitHub
- VotingEscrow.vy — Vyper 0.2.4 EOL compiler. VotingEscrow.vy — pragma version 0.2.4 (EOL). Retrieved 2026-04-28.
Methodology
Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.