Shared-library version with known-vuln status
crvUSD (Curve Stablecoin)'s assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Production contracts are compiled with Vyper 0.3.7 (crvUSD token, ControllerFactory v1) and Vyper 0.3.10 (Controllers, AMMs). Two GHSA advisories cover these releases: GHSA-2q8v-3gqq-4f8p (concat built-in can corrupt memory, high severity, affects <=0.3.10, fixed in 0.4.0) and GHSA-vgf2-gvx8-xwc3 (success of certain precompile calls not checked, moderate severity, affects <=0.4.0, fixed in 0.4.1). Snyk lists 7+ high-severity entries for Vyper 0.3.7. The contracts are immutable non-proxy deployments, so they cannot be recompiled with a fixed compiler; the remaining question is whether any deployed contract actually exercises an affected construct. The Vyper team's September 2024 security review found no vulnerable production contracts in its scan of 30,000 contracts. Practical exploitability is therefore low, but the advisories remain open against the deployed compiler versions. Threshold applied: yellow = advisory exists but low/medium severity.
Sources #
- URL
- Success of Certain Precompile Calls not Checked — Vyper Security Advisory (GHSA-vgf2-gvx8-xwc3): precompile success not checked, Moderate severity, affects <=0.4.0. Retrieved 2026-05-16.
- concat built-in can corrupt memory — Vyper Security Advisory (GHSA-2q8v-3gqq-4f8p): concat overflow, High severity, affects <=0.3.10. Retrieved 2026-05-16.
Methodology #
Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.
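For a Vyper project the "shared library" in this factor is the compiler release itself, so the check reduces to reading each contract's version pragma and matching it against the advisories' affected ranges. The script below is an added example and is not the assessment's or the Curve/Vyper projects' code. The advisory table is built from the two GHSAs cited above (inclusive upper bounds as the page states them; no lower bound is given, so none is enforced). The contract sources are constructed stand-ins containing only a version pragma, not the deployed crvUSD sources; the contract names `HypotheticalV4` and `HypotheticalV4_1` exist only to exercise the 0.4.0 / 0.4.1 boundary.

```python
"""Match Vyper version pragmas against GHSA affected ranges (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

Version = tuple  # (major, minor, patch); tuples compare numerically, unlike "0.3.10" < "0.3.7"


def parse_version(text: str) -> Version:
    """'0.3.10' -> (0, 3, 10)."""
    major, minor, patch = (int(p) for p in text.strip().split("."))
    return (major, minor, patch)


# Vyper sources pin the compiler as "# @version 0.3.7" (older form) or
# "#pragma version 0.3.10" (0.3.10 and later). A range operator such as ^ or >=
# is tolerated; the stated version is then the lowest release that could have
# compiled the contract, which is the conservative choice for an advisory check.
PRAGMA_RE = re.compile(
    r"^\s*#\s*(?:@version|pragma\s+version)\s+[\^~>=<]*\s*(\d+\.\d+\.\d+)",
    re.MULTILINE,
)


def version_from_source(src: str) -> Version | None:
    m = PRAGMA_RE.search(src)
    return parse_version(m.group(1)) if m else None


@dataclass(frozen=True)
class Advisory:
    ghsa: str
    title: str
    severity: str          # GHSA severity label
    max_affected: Version  # inclusive; the page phrases ranges as "affects <= x.y.z"
    min_affected: Version = (0, 0, 0)  # assumption: no lower bound given on the page

    def affects(self, v: Version) -> bool:
        return self.min_affected <= v <= self.max_affected


# The two advisories cited in the evidence summary.
ADVISORIES = (
    Advisory("GHSA-2q8v-3gqq-4f8p", "concat built-in can corrupt memory", "high", (0, 3, 10)),
    Advisory("GHSA-vgf2-gvx8-xwc3", "Success of certain precompile calls not checked", "moderate", (0, 4, 0)),
)

# Constructed sample input: pragmas only, not the deployed crvUSD sources.
SAMPLE_SOURCES = {
    "Stablecoin": "# @version 0.3.7\n\n@external\ndef totalSupply() -> uint256:\n    return 0\n",
    "Controller": "#pragma version 0.3.10\n",
    "HypotheticalV4": "#pragma version 0.4.0\n",
    "HypotheticalV4_1": "#pragma version ^0.4.1\n",
}

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def affected_advisories(sources: dict, advisories=ADVISORIES) -> dict:
    """Contract name -> GHSA ids whose affected range covers its compiler version."""
    result = {}
    for name, src in sources.items():
        v = version_from_source(src)
        if v is None:
            # No pragma: the version must come from elsewhere (build metadata, verified source).
            raise ValueError(f"{name}: no version pragma found")
        result[name] = [a.ghsa for a in advisories if a.affects(v)]
    return result


def worst_severity(sources: dict, advisories=ADVISORIES) -> str | None:
    """Highest severity among advisories hit by any contract, or None if nothing is in range."""
    by_id = {a.ghsa: a for a in advisories}
    hits = [by_id[g] for ids in affected_advisories(sources, advisories).values() for g in ids]
    if not hits:
        return None
    return max(hits, key=lambda a: SEVERITY_RANK[a.severity]).severity


if __name__ == "__main__":
    for name, ids in affected_advisories(SAMPLE_SOURCES).items():
        print(f"{name}: {', '.join(ids) or 'no advisory in range'}")
    print("worst severity:", worst_severity(SAMPLE_SOURCES))
```

A hit here means only that the compiler release is inside an advisory's affected range. For immutable deployments that is the starting point, not the verdict: the next step is to confirm whether the contract actually uses the affected construct (the `concat` built-in, or the precompile calls named in the second advisory), which is the check the Vyper team's scan of production contracts performed.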
See the full factor methodology and distribution across all protocols →