defirisk.co
rubric v1.7.0

Auditor re-engaged after last exploit

Curve Finance's assessment for RD-F-083 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The root cause of the 2023 exploit was the Vyper compiler, a third-party toolchain. Curve cannot commission an audit of the Vyper compiler. After the exploit, Curve continued its audit engagement: ChainSecurity audited FeeSplitter.vy (2024-09-25). There was no dedicated post-incident audit of the legacy pools (the pools were drained / defunct). Migration to the NG series (Vyper 0.3.10, audited by ChainSecurity Jun 2023 pre-exploit and ongoing) is the structural response. Yellow: audit engagement continued, but there was no dedicated post-incident review of the affected pools specifically.

Sources

  • Docs
    Curve Finance audit index. Profile §8 audit table — ChainSecurity FeeSplitter.vy 2024-09-25; ChainSecurity Tricrypto-NG 2023-06-23. Retrieved 2026-04-28.

Methodology

Determine whether a reputable auditor performed a re-audit or incident review after the most recent exploit.


rubric_version: v1.7.0
protocol: curve-v2
factor: RD-F-083
score: yellow
collected_at: 2026-04-28 19:48:40