Code complexity vs audit coverage
crvUSD (Curve Stablecoin)'s assessment for RD-F-024 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The crvUSD codebase is algorithmically novel (LLAMMA soft-liquidation AMM, PegKeeper, MonetaryPolicy). The MixBytes 52-day audit covered 9 core contracts and produced 14 findings (2C/2H/4M/6L). ChainSecurity conducted two subsequent audits. AMM.vy is ~1,500 LOC with complex band math. No Slither cyclomatic complexity metrics are available for Vyper. Two independent audits with high finding counts suggest reasonable coverage for the complexity, but the novel algorithmic design and the absence of formal verification leave residual uncertainty. Marked yellow as borderline: audit coverage is adequate for the size, but the novel architecture warrants higher scrutiny.
Sources
- Audit: Curve Stablecoin (crvUSD) Security Audit README — MixBytes. MixBytes README — 52-day audit, 9 contracts, 14 findings. Retrieved 2026-05-16.
- curvefi/curve-stablecoin — GitHub. curve-stablecoin repo stats — 34.2% Vyper, 3,025 commits. Retrieved 2026-05-16.
Methodology
Determine whether the cyclomatic complexity or LOC-per-audit-day ratio exceeds the curator-declared credibility threshold for the audit to be meaningful.