Ignored bounty disclosure

crvUSD (Curve Stablecoin)'s assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No post-mortem or OSINT evidence of a vulnerability disclosed to Curve and not actioned before a crvUSD-specific exploit. The July 2023 Vyper reentrancy exploit affected other pools (NOT crvUSD — verified Vyper 0.3.7/0.3.10 are outside affected 0.2.15–0.3.0 range). The June 2024 depeg was a market/operational event with no prior undisclosed vulnerability.

Sources #

URL
crvUSD Incident Report 2024-06-12 — LlamaRiskLlamaRisk crvUSD June 2024 depeg incident report — confirms no smart contract exploitretrieved 2026-05-16
Internal
Hacksdatabase: curve-vyper incident (local)hacksdatabase/hacks/curve-vyper.md — confirms crvUSD unaffected by 2023 Vyper exploitretrieved 2026-05-16

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-008 score green collected_at 2026-05-16 19:09:40