Code complexity vs audit coverage

Curve Finance's assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

NG contracts are complex multi-thousand-line Vyper AMM math implementations. MixBytes stableswap-ng audit engaged 3 auditors over approximately 7 weeks (Sept-Oct 2023). ChainSecurity tricrypto-ng audit was June 2023. Zealynx notes 'complex financial mathematics' as a persistent risk. No audit firm has declined coverage or flagged complexity as blocking, but the mathematical complexity of the StableSwap and CryptoSwap invariants means audit coverage is necessarily bounded.

Sources #

URL
Curve Finance Security Architecture — Zealynx SecurityZealynx — complex financial mathematics noted as riskretrieved 2026-04-28
GitHub
MixBytes StableSwapNG Audit READMEMixBytes StableSwapNG README — 3 auditors over Sept-Oct 2023retrieved 2026-04-28

Methodology #

Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-024 score yellow collected_at 2026-04-28 19:48:40