Arbitrary call with user-controlled target

crvUSD (Curve Stablecoin)'s assessment for RD-F-013 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The liquidate_extended() arbitrary callback vulnerability (MixBytes Critical Finding #1) was fixed pre-deployment by prohibiting arbitrary callbacks. Post-fix, no user-controlled arbitrary call target in deployed contracts. MixBytes confirmed all critical findings fixed before mainnet deploy.

Sources #

URL
Recap of the crvUSD Audit Findings — MixBytesMixBytes blog recap — Critical #1 arbitrary callback fixed by prohibiting arbitrary callbacksretrieved 2026-05-16
GitHub
Curve Stablecoin (crvUSD) Security Audit README — MixBytesMixBytes audit README — all critical findings 'Fixed in' commitretrieved 2026-05-16

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-013 score green collected_at 2026-05-16 19:09:40