defirisk.co
rubric v1.7.0

Solc version used (known-bug versions flagged)

crvUSD (Curve Stablecoin)'s assessment for RD-F-170 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Deployed production contracts: Vyper 0.3.7 (crvUSD ERC-20 token, ControllerFactory v1) and Vyper 0.3.10 (Controllers, LLAMMA AMMs, PegKeepers, oracle contracts) — confirmed by Etherscan source verification with Exact Match.

NOT in the July 2023 reentrancy-affected range (0.2.15–0.3.0). However, known advisories for Vyper 0.3.7/0.3.10 include: concat buffer overflow (GHSA-2q8v-3gqq-4f8p, High, CVE-2024-22419, fixed in 0.4.0), _abi_decode overflow (fixed in 0.3.10rc4), out-of-bounds write in raw_call/create_from_blueprint (fixed in 0.3.10rc4), function-call argument order (fixed in 0.3.8). Several advisories in 0.3.7 are fixed in 0.3.10. For 0.3.10: precompile success check (GHSA-vgf2-gvx8-xwc3, Moderate). Concat overflow (GHSA-2q8v-3gqq-4f8p) affects both 0.3.7 and 0.3.10.

Contracts are immutable — vulnerabilities are not patchable without full redeploy. Vyper team's contract scan found no exploitable production contracts, but crvUSD was not specifically excluded from vulnerable pattern

Sources #

Methodology #

Identify the Solidity compiler version used for deployed bytecode and flag if it appears on the known-bug list (solc bugs.json or Vyper 0.2.15–0.3.0 range).
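As an added illustration of this methodology (example code written for this page, not defirisk.co's own tooling), the script below recovers the compiler version from the CBOR metadata trailer that solc appends to deployed bytecode, matches it against a bugs.json-style list, and separately checks a Vyper version string against the 0.2.15–0.3.0 reentrancy-affected range. The bytecode stub and the bug entries are constructed samples in the shape of solc's real formats; the bug names and version windows are illustrative, not real solc advisories.

```python
"""Compiler-version check for deployed EVM bytecode (added example, not defirisk.co code).
Decodes solc's trailing CBOR metadata, matches the version against a bugs.json-shaped
list, and checks Vyper versions against the 0.2.15-0.3.0 reentrancy range."""
import re
from typing import Any, List, Optional, Tuple

def _cbor_head(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode a CBOR item header: returns (major_type, argument, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    size = {24: 1, 25: 2, 26: 4}[info]  # 8-byte arguments never occur in solc metadata
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size

def _cbor_decode(buf: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Minimal CBOR decoder for the subset solc metadata uses: ints, bytes, text, arrays, maps."""
    major, arg, pos = _cbor_head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 2:
        return buf[pos:pos + arg], pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            val, pos = _cbor_decode(buf, pos)
            result[key] = val
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def solc_metadata(bytecode: bytes) -> Optional[dict]:
    """Return the CBOR map solc appends to bytecode, or None if the trailer is absent/malformed.
    Layout: ... <cbor blob> <2-byte big-endian length of blob>."""
    if len(bytecode) < 2:
        return None
    length = int.from_bytes(bytecode[-2:], "big")
    if length == 0 or length + 2 > len(bytecode):
        return None
    try:
        meta, end = _cbor_decode(bytecode[-2 - length:-2])
    except (ValueError, KeyError, IndexError, UnicodeDecodeError):
        return None
    return meta if isinstance(meta, dict) and end == length else None

def solc_version(bytecode: bytes) -> Optional[str]:
    """Extract 'major.minor.patch' from the 3-byte 'solc' metadata field."""
    meta = solc_metadata(bytecode)
    ver = meta.get("solc") if meta else None
    if not isinstance(ver, (bytes, bytearray)) or len(ver) != 3:
        return None
    return ".".join(str(b) for b in ver)

def parse_version(text: str) -> Tuple[int, int, int]:
    """'0.3.10rc4' -> (0, 3, 10); pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"bad version: {text}")
    return tuple(int(g) for g in m.groups())

def matching_bugs(version: str, bugs: List[dict]) -> List[str]:
    """Names of entries whose [introduced, fixed) window contains version.
    A version match is necessary, not sufficient: real bugs.json entries also carry
    'conditions' that must be checked against the source before calling a contract affected."""
    v = parse_version(version)
    hits = []
    for bug in bugs:
        if "introduced" in bug and v < parse_version(bug["introduced"]):
            continue
        if "fixed" in bug and v >= parse_version(bug["fixed"]):
            continue
        hits.append(bug["name"])
    return hits

def vyper_in_reentrancy_range(version: str) -> bool:
    """True for Vyper 0.2.15 through 0.3.0 inclusive (the July 2023 reentrancy-lock range)."""
    return (0, 2, 15) <= parse_version(version) <= (0, 3, 0)

# Constructed sample in the shape of solc's bugs.json; names and windows are illustrative only.
SAMPLE_BUGS = [
    {"name": "ExampleBugA", "introduced": "0.8.0", "fixed": "0.8.15", "severity": "low"},
    {"name": "ExampleBugB", "introduced": "0.8.13", "fixed": "0.8.21", "severity": "medium"},
    {"name": "ExampleBugC", "fixed": "0.7.0", "severity": "high"},
]

def sample_bytecode() -> bytes:
    """Constructed runtime-bytecode stub: a few opcodes plus a solc 0.8.20 metadata trailer."""
    cbor = (b"\xa2"                                        # map(2)
            + b"\x64ipfs" + b"\x58\x22" + b"\x12" * 34      # "ipfs": 34-byte placeholder hash
            + b"\x64solc" + b"\x43\x00\x08\x14")            # "solc": bytes 0.8.20
    return b"\x60\x80\x60\x40\x00" + cbor + len(cbor).to_bytes(2, "big")

if __name__ == "__main__":
    code = sample_bytecode()
    ver = solc_version(code)
    print("solc version:", ver, "flagged:", matching_bugs(ver, SAMPLE_BUGS))
    for vy in ("0.2.15", "0.3.0", "0.3.7", "0.3.10"):
        print("vyper", vy, "in reentrancy range:", vyper_in_reentrancy_range(vy))
```

For a real assessment, `sample_bytecode()` would be replaced by the deployed code fetched from a node, and `SAMPLE_BUGS` by solc's published bugs.json. Vyper bytecode is not covered by the solc trailer parser here; its version comes from the verified source on the block explorer, which is what the evidence above relies on.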

See the full factor methodology and distribution across all protocols →

rubric_version: v1.7.0
protocol: crvusd
factor: RD-F-170
score: yellow
collected_at: 2026-05-16 19:09:40