defirisk.co
rubric v1.7.0

CVE/GHSA advisory issued against protocol

Curve Finance's assessment for RD-F-178 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CVE-2023-39363 was filed against the Vyper compiler project and covers the reentrancy guard storage slot misalignment bug in Vyper 0.2.15, 0.2.16, and 0.3.0. This CVE directly describes the root cause of the July 2023 Curve exploit. However, the advisory is against Vyper (the compiler), not Curve Finance (the protocol). No Curve-issued GHSA or Curve-specific CVE was found. Yellow: a relevant CVE exists, but it was not issued by or against Curve as the protocol itself.

Sources

Methodology

Determine whether a CVE, GHSA, or equivalent public advisory has been issued against this protocol or its code.


rubric_version: v1.7.0
protocol: curve-v2
factor: RD-F-178
score: yellow
collected_at: 2026-04-28 19:48:40