Solc version used (known-bug versions flagged)
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
v2-core: Solidity 0.6.12 (Etherscan confirmed). v3-core: Solidity 0.7.6+commit.7338295f (Etherscan confirmed, 800 optimizer runs). SushiXSwap v2: pragma 0.8.10. Sushi-peripherals: 0.8.15. Both 0.6.12 and 0.7.6 are EOL (unsupported) Solidity versions below the 0.8.x series. 0.8.x introduced built-in overflow/underflow protection as a breaking change. No high/critical solc bugs specifically applicable to the factory/pair/pool patterns used in these contracts are identified in the official bug list. However, both versions are unsupported and below the 0.8.x safety baseline. Core AMM contracts are immutable (cannot be redeployed to newer compiler without full upgrade).
Sources #
- EtherscanSushiV3Factory Etherscan — compiler metadataSushiV3Factory 0xbaceb8ec — compiler v0.7.6+commit.7338295f; Etherscan 'Exact Match' verifiedretrieved 2026-05-17
- sushiswap/v3-core hardhat.config.tssushiswap/v3-core hardhat.config.ts — solidity version 0.7.6, optimizer 800 runsretrieved 2026-05-17
- SushiV2Factory Etherscan — compiler metadataSushiV2Factory 0xc0aEe478 — compiler v0.6.12+commit.27d51765; Etherscan verifiedretrieved 2026-05-17
Methodology #
Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).
See the full factor methodology and distribution across all protocols →