Reentrancy guard on external-calling functions

crvUSD (Curve Stablecoin)'s assessment for RD-F-014 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

ControllerFactory.vy uses @nonreentrant('lock') decorator on admin functions (Vyper 0.3.10). Master branch controller.vy and AMM.vy use '# pragma nonreentrancy on' for automatic reentrancy protection (Vyper 0.4.3). Deployed contracts (Vyper 0.3.7/0.3.10) are OUTSIDE the July 2023 reentrancy bug range (0.2.15–0.3.0). PegKeeper.vy does not use @nonreentrant but does not have the vulnerable external-call-before-state-change pattern. Reentrancy protection is present and appropriately applied.

Sources #

GitHub
controller.vy (master) — GitHubcontroller.vy master — pragma nonreentrancy onretrieved 2026-05-16
GitHub
ControllerFactory.vy — GitHubControllerFactory.vy — @nonreentrant('lock') decorator confirmedretrieved 2026-05-16

Methodology #

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-014 score green collected_at 2026-05-16 19:09:40