Fix-merged-but-not-deployed gap

Curve Finance's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No documented case of a fix merged to GitHub but not deployed for active contracts. The July 2023 exploit affected immutable Vyper pools that could not be patched in-place; they were killed/emptied by eDAO. No known Mirror-class fix-not-deployed gap in Curve's history.

Sources #

URL
Curve Pool Reentrancy Exploit Postmortem — LlamaRiskhackmd.io/@LlamaRisk/BJzSKHNjn — 2023 exploit post-mortem, no fix-not-deployed patternretrieved 2026-04-28

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-140 score green collected_at 2026-04-28 19:48:40