Solc version used (known-bug versions flagged)

Wormhole's assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

EVM core bridge and token bridge: compiled with Solidity v0.8.4 (confirmed via Etherscan metadata on proxy addresses 0x98f3c9e6 and 0x3ee18B22). Solidity 0.8.4 carries several known bugs per the Solidity bug list: (1) `KeccakCaching` — optimizer bug where keccak256 of same-size different-content memory treated as equal (severity: medium, fixed in 0.8.3 — so NOT present in 0.8.4); (2) `EmptyByteArrayCopy` — copying empty byte array to storage can corrupt (severity: low/medium); (3) `IncorrectB...

Sources #

Curator note
Extracted from 01-code-security.md — RD-F-170 finding; no URL cited in originalretrieved 2026-04-28

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol wormhole factor RD-F-170 score yellow collected_at 2026-04-28 01:38:43