★ Oracle source = spot DEX pool (no TWAP)
crvUSD (Curve Stablecoin)'s assessment for RD-F-053 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL] AggregatorStablePrice uses TVL-weighted EMA over multiple Curve stableswap pools (NOT spot). MIN_LIQUIDITY floor excludes thin pools. EMA provides flash-loan resistance. Collateral oracles use Curve TriCrypto EMA (ma_exp_time ~600s) + Chainlink ±1.5% safety limit. YELLOW not red: EMA design explicitly resists DEX manipulation. Not green: oracle derived entirely from Curve-controlled pools with no independent external data; MixBytes identified EMA manipulation residual when price_w() uncalled for extended periods (Medium, Acknowledged).
Sources #
- EtherscanAggregatorStablePrice v1 — EtherscanAggregatorStablePrice v1 ABI showing add_price_pair/remove_price_pair (admin-controlled pool list) and sigma=1e15 parameter confirming EMA designretrieved 2026-05-16
- Curve Stablecoin Deep Dive — StateMindStateMind deep dive confirming TVL-weighted EMA aggregation and hybrid Chainlink safety limit design for crvUSD oraclesretrieved 2026-05-16
- ChainSecurity Curve Stablecoin AuditChainSecurity crvUSD audit — confirmed EMA as manipulation mitigant; all high-severity issues resolved; overall good level of securityretrieved 2026-05-16
- MixBytes crvUSD Audit READMEMixBytes crvUSD audit README — EMA manipulation risk finding (Medium severity, Acknowledged): alpha degrades when price_w() uncalled, increasing totalSupply() manipulation influenceretrieved 2026-05-16
Methodology #
Determine whether the primary oracle for any asset/market reads spot price from a single DEX pool without a TWAP window or secondary source.
See the full factor methodology and distribution across all protocols →