★ Empty cToken-style market (zero supply/borrow)

crvUSD (Curve Stablecoin)'s assessment for RD-F-070 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL — N/A] crvUSD is NOT a Compound V2 fork and does not use cToken-style share markets. Controllers track per-borrower positions via user-address-indexed state (loan_exists(user: address) pattern); no pooled share token is issued. The donation-inflation attack vector requires a totalSupply=0 share-token market — this architecture is absent. The 2026-03-02 LlamaLend empty-market attack ($240K) is attributed to LlamaLend factory (curve-v2 slug), not the crvUSD CDP system assessed here. F070 is not applicable to crvUSD CDP/LLAMMA.

Sources #

Etherscan
crvUSD Controller WETH — EtherscancrvUSD Controller WETH — 0xa920de414ea4ab66b97da1bfe9e6eca7d4219635 — ABI shows per-user position functions (loan_exists, debt, health), no ERC-20 share token interfaceretrieved 2026-05-16
Internal
crvUSD profile §10 incidents and §11 flagsrisk-dashboard/.research/protocols/crvusd/00-profile.md §10 — LlamaLend 2026 exploit attributed to curve-v2 slug; §11 — economic-market-analyst F070 N/A instructionretrieved 2026-05-16

Methodology #

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation-exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-070 score not_applicable collected_at 2026-05-16 19:09:40