defirisk.co
rubric v1.7.0

Dependency tree uses EOL Solidity version

Frax Finance's assessment for RD-F-174 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Core Solidity contracts use 0.8.16-0.8.28, which is the modern 0.8.x series and not EOL. The frax-governance repo uses Vyper 0.2.12 (per its README) for veFXS. Vyper 0.2.12 is an aged release that predates the 0.3.x series. Vyper had a known reentrancy bug in versions 0.2.15-0.3.0; 0.2.12 precedes the affected range, so it is not in the known-vulnerable window. However, 0.2.12 is significantly aged (Vyper is now at 0.4.x), and the veFXS contract is governance-critical.

Yellow: veFXS on aged Vyper 0.2.12 is not in a known-CVE version but is significantly behind current Vyper releases.

Sources

Methodology

Determine whether the deployed code or its dependencies use an EOL or unsupported Solidity version without a forward-compatibility patch.


rubric_version: v1.7.0
protocol: frax
factor: RD-F-174
score: yellow
collected_at: 2026-05-16 20:44:31