Solc version used (known-bug versions flagged)
stHYPE (Valantis Labs)'s assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
All three core contracts compiled with v0.8.28+commit.7893614a (EVM version: prague). Solidity 0.8.28 is affected by the TransientStorageClearingHelperCollision bug (HIGH severity, affects 0.8.28–0.8.33, fixed in 0.8.34). Exploitation requires ALL THREE: viaIR enabled + delete on transient storage variable + matching persistent storage clear in same unit. hyperevmscan.io compiler settings do not show viaIR enabled; no evidence of transient storage usage found. Bug is also flagged by second known issue LostStorageArrayWriteOnSlotOverflow (LOW). Effective risk likely low given missing prerequisites, but compiler version IS on the known-bug list for a high-severity vulnerability.
Sources #
- URLSolidity TransientStorageClearingHelperCollision bug announcementsoliditylang.org/blog/2026/02/18/transient-storage-clearing-helper-collision-bug/retrieved 2026-05-17
- OverseerV1 proxy — compiler version v0.8.28hyperevmscan.io/address/0xB96f07367e69e86d6e9C3F29215885104813eeAE#code — v0.8.28+commit.7893614aretrieved 2026-05-17
- stHYPE token proxy — compiler version v0.8.28hyperevmscan.io/address/0xfFaa4a3D97fE9107Cef8a3F48c069F577Ff76cC1#code — v0.8.28+commit.7893614aretrieved 2026-05-17
- wstHYPE proxy — compiler version v0.8.28hyperevmscan.io/address/0x94e8396e0869c9F2200760aF0621aFd240E1CF38#code — v0.8.28+commit.7893614aretrieved 2026-05-17
Methodology #
Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).
See the full factor methodology and distribution across all protocols →