defirisk.co
rubric v1.7.0

Static-analyzer high-severity count

Uniswap (v2 + v3)'s assessment for RD-F-010 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No published Slither, Mythril, or Semgrep high-severity report on the deployed V2 or V3 core bytecode was found. Trail of Bits (ToB) used Manticore; ABDK used mathematical review. The V3-core CI mentions MythX. The 5-6 year exploit-free record provides corroborating evidence. Marked [?]: a tool run is needed for strict compliance.

Detail

No public static analysis output from Slither, Mythril, or Semgrep on the deployed V2 or V3 bytecode was found in any publicly accessible source. Trail of Bits used Manticore (symbolic execution) and Echidna (property-based testing) for V3, which are stronger than Slither but are different tools. The V3-core GitHub repository mentions a MythX CI workflow, which would provide some static analysis coverage, but no public output of MythX findings was located. Given the 5-year (V3) and 6-year (V2) exploit-free records and two thorough audit engagements each, the practical probability of exploitable static-analysis findings is low. Scored yellow rather than gray because the evidence supports low risk but cannot confirm zero findings without a tool run.

Methodology

Count the number of unique high-severity detector findings from Slither + Mythril + Semgrep run against the deployed verified source (after deduplication across tools).
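
The counting step above, sketched as an added example (not defirisk.co's own tooling). It reads the JSON report shapes of the three tools and deduplicates high-severity findings. The dedup key (file, line, weakness class), the class mapping table, the Semgrep rule ids, and treating Semgrep `ERROR` as high are assumptions, and every sample finding is constructed for a placeholder `Sample.sol`.

```python
# Added example; all sample findings are constructed for a placeholder contract.
# Assumed dedup rule: same file + same line + same weakness class counts once.
# Hypothetical mapping from tool-specific ids to a shared class label.
CLASS_MAP = {
    "reentrancy-eth": "reentrancy",               # Slither detector
    "SWC-107": "reentrancy",                      # Mythril SWC id
    "example.sol.reentrancy": "reentrancy",       # constructed Semgrep rule id
    "suicidal": "unprotected-selfdestruct",       # Slither detector
}

def from_slither(report):
    # slither --json: results.detectors[] with check, impact, elements[]
    for d in report.get("results", {}).get("detectors", []):
        if d.get("impact") == "High" and d.get("elements"):
            sm = d["elements"][0]["source_mapping"]
            yield sm["filename_relative"], sm["lines"][0], d["check"]

def from_mythril(report):
    # myth analyze -o json: issues[] with severity, swc-id, filename, lineno
    for i in report.get("issues", []):
        if i.get("severity") == "High":
            yield i["filename"], i["lineno"], "SWC-" + i["swc-id"]

def from_semgrep(report):
    # semgrep --json: results[] with check_id, path, start.line, extra.severity
    # Assumption: Semgrep's ERROR level is what counts as "high" here.
    for r in report.get("results", []):
        if r["extra"]["severity"] == "ERROR":
            yield r["path"], r["start"]["line"], r["check_id"]

def unique_high(slither, mythril, semgrep):
    raw = [*from_slither(slither), *from_mythril(mythril), *from_semgrep(semgrep)]
    # Unmapped detector ids keep their own name, so they are never merged away.
    return {(f, line, CLASS_MAP.get(det, det)) for f, line, det in raw}

def _s(check, impact, line):  # builds one constructed Slither detector entry
    return {"check": check, "impact": impact, "elements": [
        {"source_mapping": {"filename_relative": "Sample.sol", "lines": [line]}}]}

SLITHER = {"results": {"detectors": [_s("reentrancy-eth", "High", 42),
           _s("suicidal", "High", 88), _s("unused-return", "Medium", 17)]}}
MYTHRIL = {"issues": [
    {"severity": "High", "swc-id": "107", "filename": "Sample.sol", "lineno": 42},
    {"severity": "High", "swc-id": "101", "filename": "Sample.sol", "lineno": 60}]}
SEMGREP = {"results": [
    {"check_id": "example.sol.reentrancy", "path": "Sample.sol",
     "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.sol.style", "path": "Sample.sol",
     "start": {"line": 5}, "extra": {"severity": "WARNING"}}]}
```

On the constructed input, five raw high-severity hits collapse to three unique findings. In a real run the tools may report different path forms for the same file, so paths need normalizing before they are compared.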


rubric_version: v1.7.0
protocol: uniswap
factor: RD-F-010
score: yellow
collected_at: 2026-05-12 10:36:11