Fix-merged-but-not-deployed gap

crvUSD (Curve Stablecoin)'s assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence of a known vulnerability fix merged in GitHub but not deployed to production. The non-upgradeable architecture means any undeployed fix would require a new blueprint deployment visible via governance. No post-mortem or security advisory documents an undeployed fix for crvUSD as of 2026-05-16.

Sources #

Audit
MixBytes crvUSD Audit (June 2023)MixBytes audit: all critical and high severity issues fixed pre-deploy; no pending fixes documentedretrieved 2026-05-16

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-140 score green collected_at 2026-05-16 19:09:40