defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

crvUSD (Curve Stablecoin)'s assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Factor: GitHub-flagged malicious-dependency incident touching protocol deps. Applicable: curvefi/curve-stablecoin uses Vyper 0.3.7/0.3.10 and a Python toolchain. OSINT found no GitHub security advisory for a malicious release affecting Vyper 0.3.7/0.3.10 or the protocol's Python dependencies in the trailing 90 days. The GitHub repo shows active maintenance (last commit 2026-05-15). Public security advisory feeds show no malicious npm/PyPI releases flagged against Vyper or Curve's toolchain. The signal would NOT fire today.

Sources

  • GitHub
    curvefi/curve-stablecoin GitHub repo: curvefi/curve-stablecoin — no security advisories flagged on repo; last commit 2026-05-15 (retrieved 2026-05-16)
  • GitHub
    Vyper compiler GitHub releases: vyperlang/vyper releases page — no malicious release advisory in trailing 90 days; latest stable release follows normal cadence (retrieved 2026-05-16)

Methodology

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.


rubric_version: v1.7.0
protocol: crvusd
factor: RD-F-160
score: green
collected_at: 2026-05-16 19:09:40