★ Audit scope mismatch

crvUSD (Curve Stablecoin)'s assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MixBytes audit (Apr–Jun 2023) cited commit 0d9265cc2dbd221b0f27f880fac1c590e1f12d28. ChainSecurity audited Jan 2024 and Feb 2025 covering updated Controller/AMM implementations. Etherscan confirms deployed contracts source-verified (Exact Match) in Vyper 0.3.7 and 0.3.10. Current repo master uses Vyper 0.4.3 (test/dev only). Nov 2024 governance proposal for new blueprint implementations was also audited by ChainSecurity. No confirmed bytecode-vs-commit mismatch found, but full commit-SHA traceability across all deployed markets is incomplete — Etherscan Vyper verification does not expose the source commit SHA. Partial traceability warrants yellow rather than green.

Sources #

GitHub
Curve Stablecoin (crvUSD) Security Audit README — MixBytesMixBytes audit README — commit 0d9265cc2dbd221b0f27f880fac1c590e1f12d28 auditedretrieved 2026-05-16
Etherscan
crvUSD Controller (wstETH) — Etherscan verified sourceController wstETH 0x584B0Fd8F038fe8AEDf4057Ca3cB3D840446fBbf — Vyper 0.3.10 Exact Matchretrieved 2026-05-16
URL
Curve Stablecoin Smart Contract Audit — ChainSecurityChainSecurity crvUSD audit page — all high-severity resolved, some medium/low openretrieved 2026-05-16
Etherscan
crvUSD Stablecoin — Etherscan verified sourcecrvUSD token 0xf939e0a03fb07f59a73314e73794be0e57ac1b4e — Vyper 0.3.7 Exact Match source verificationretrieved 2026-05-16

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-001 score yellow collected_at 2026-05-16 19:09:40