Prior known-ignored disclosure

Curve Finance's assessment for RD-F-177 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence of a prior known-and-ignored disclosure. The 2023 Vyper compiler bug (CVE-2023-39363) was unknown until the day of exploit per LlamaRisk post-mortem ('remained unknown until July 30th'). The 2022 DNS hijack was an infrastructure failure, not a disclosed vulnerability. The May 2024 Marco Croc disclosure was promptly rewarded ($250K) with no subsequent exploit. Green: no ignored disclosure pattern found.

Sources #

URL
Curve Finance rewards dev $250K for vulnerability discoveryCryptoTimes — May 2024 disclosure promptly rewardedretrieved 2026-04-28
URL
Curve Pool Reentrancy Exploit Postmortem July 30th, 2023LlamaRisk post-mortem — 'bug remained unknown until July 30th' — no prior disclosureretrieved 2026-04-28

Methodology #

Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-177 score green collected_at 2026-04-28 19:48:40