Deployed bytecode matches signed release tag

crvUSD (Curve Stablecoin)'s assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No formal signed release-tag-to-deployment matching discipline found for crvUSD. GitHub repo has 3,025 commits and 1 tag. Etherscan source verification is used as the primary bytecode authenticity mechanism rather than a cryptographically-signed release tag. Marking yellow: source is public and verifiable but no formal release artifact hash discipline.

Sources #

GitHub
Curve Stablecoin GitHub repositorycurvefi/curve-stablecoin: 3025 commits, 1 tag — no structured signed release process foundretrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-136 score yellow collected_at 2026-05-16 19:09:40