defirisk.co
rubric v1.7.0

Static-analyzer high-severity count

crvUSD (Curve Stablecoin)'s assessment for RD-F-010 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Slither, Mythril, and Semgrep are Solidity-only tools and cannot parse Vyper source. The crvUSD production codebase is entirely Vyper (0.3.7/0.3.10). No Vyper-equivalent static analysis tool has been run against deployed contracts. Published audits did not include a programmatic static analysis artifact.

Sources #

  • Internal
    M3a Process-Learnings: Vyper/Curve-v2 templateprocess-learnings.md Vyper template — confirms Slither/Mythril do not parse Vyperretrieved 2026-05-16
  • Etherscan
    crvUSD Stablecoin Etherscan — Vyper 0.3.7Etherscan confirmed all crvUSD core contracts are Vyper (not Solidity)retrieved 2026-05-16

Methodology #

Count the number of unique high-severity detector findings from Slither + Mythril + Semgrep run against the deployed verified source (after deduplication across tools).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-010 score gray collected_at 2026-05-16 19:09:40