★ Post-audit code changes without re-audit

Curve Finance's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Curve NG series has continuous development. ChainSecurity audited Tricrypto-NG (June 2023), FeeSplitter (September 2024), Curve Stablecoin updated contracts through Feb 2025. GitHub shows ongoing activity through March 2026. Non-trivial gap between most recent audit coverage and latest deployment activity for DEX-scope contracts. Mitigated by recurring ChainSecurity/MixBytes audit engagement; factory-blueprint model limits blast radius.

Sources #

URL
ChainSecurity — Curve Tricrypto-NG auditchainsecurity.com/security-audit/curve-tricrypto-ng — Tricrypto-NG audit June 2023retrieved 2026-04-28
Audit
ChainSecurity Curve Stablecoin Code Assessment Feb 2025ChainSecurity Curve Stablecoin Feb 2025 — covers commits Nov 2024–Feb 2025retrieved 2026-04-28
Partner feed
Data cache: GitHub activity beyond audit date00-data-cache.json github.last_commit_date: 2026-03-20 — commits beyond audit coverageretrieved 2026-04-28

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-139 score yellow collected_at 2026-04-28 19:48:40