Shared-library version with known-vuln status
Falcon Finance's assessment for RD-F-135 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
OpenZeppelin (OZ) version unknown (no package.json). Solidity 0.8.28 is used for core contracts. SOL-2026-1 exists (affects 0.8.28-0.8.33) but requires viaIR + tstore delete patterns, which are not confirmed present. Cannot fully assess.
Detail
The OZ upgradeable version cannot be determined without a public package.json. Etherscan shows that core contracts use Solidity v0.8.28 (USDf impl, sUSDf impl, FF token) and newer contracts use v0.8.30 (sFF, FF Staking Vault). SOL-2026-1 (TransientStorageClearingHelperCollision, high severity) affects 0.8.28-0.8.33 when the viaIR pipeline is used together with transient storage delete patterns. viaIR is not confirmed enabled on the USDf impl (Etherscan shows the standard optimizer). Newer contracts on the Prague EVM target (0.8.30) have a higher likelihood of tstore usage, but this is not confirmed. Gray because the OZ version is unconfirmable and the viaIR/tstore pattern is unverifiable for the full contract suite.
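The triage reasoning above, written out as an added example (not the curator's tooling or Falcon Finance code). It assumes the verified compiler version string and the solc standard-JSON `settings` object are available per contract; the function names, the regex heuristic for "delete on a transient variable", and the sample inputs are constructed for illustration.

```python
import re

# Affected range and preconditions (viaIR + delete on transient storage) are
# taken from the assessment text; the source regexes are a coarse heuristic.
AFFECTED = ((0, 8, 28), (0, 8, 33))
TRANSIENT_DECL = re.compile(r"\btransient\b[^;=]*?\b(\w+)\s*[;=]")

def parse_version(compiler_version):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", compiler_version or "")
    return tuple(int(x) for x in m.groups()) if m else None

def deletes_transient(source):
    """True if any variable declared `transient` is later the operand of `delete`."""
    names = set(TRANSIENT_DECL.findall(source))
    return any(re.search(rf"\bdelete\s+{re.escape(n)}\b", source) for n in names)

def triage(compiler_version, settings, sources):
    """Return (status, reason) for one verified contract.

    settings: the `settings` object of the solc standard-JSON input, or None
    sources:  {path: source_text}, or None when the source is not published
    """
    version = parse_version(compiler_version)
    if version is None:
        return "unknown", "compiler version not available"
    if not AFFECTED[0] <= version <= AFFECTED[1]:
        return "out_of_range", "compiler outside 0.8.28-0.8.33"
    if settings is None or sources is None:
        return "unknown", "affected compiler, but settings or sources unverifiable"
    if not settings.get("viaIR", False):
        return "preconditions_absent", "viaIR not enabled"
    hits = sorted(p for p, s in sources.items() if deletes_transient(s))
    if hits:
        return "needs_review", "viaIR with delete on transient variable in " + ", ".join(hits)
    return "preconditions_absent", "viaIR enabled, no delete on transient variables found"

# Constructed sample inputs (not Falcon Finance code or real Etherscan output).
SAMPLE_SRC = {"Lock.sol": "contract Lock { bool transient _held; "
                          "function f() external { _held = true; delete _held; } }"}
LEGACY = {"optimizer": {"enabled": True, "runs": 200}}
VIA_IR = {"optimizer": {"enabled": True, "runs": 200}, "viaIR": True}

if __name__ == "__main__":
    for args in [("v0.8.28+commit.00000000", LEGACY, SAMPLE_SRC),
                 ("v0.8.30+commit.00000000", VIA_IR, SAMPLE_SRC),
                 ("v0.8.30+commit.00000000", None, None)]:
        print(args[0], *triage(*args))
```

A `needs_review` result only means both stated preconditions appear to be met; confirming impact still requires reading the advisory against the compiled contract.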
Sources
- Etherscan: USDf Implementation — Etherscan. USDf impl: Solidity v0.8.28, standard optimizer (viaIR not confirmed). Retrieved 2026-05-12
- Solidity Known Bugs List. SOL-2026-1 TransientStorageClearingHelperCollision affects 0.8.28-0.8.33. Retrieved 2026-05-12
Methodology
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.