Prior known-ignored disclosure
crvUSD (Curve Stablecoin)'s assessment for RD-F-177 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No evidence of any previously-disclosed vulnerability against crvUSD being reported and then ignored before exploitation. The June 2024 PegKeeper deviation-check issue was a design tradeoff discovered in production via the liquidation event — it was not a disclosed-then-ignored bug. The July 2023 Vyper reentrancy was a compiler-level zero-day unknown to all parties. The LlamaLend 2026 donation attack (not crvUSD core) was an unpatched class of vulnerability, but not a prior-disclosed crvUSD-specific report. Data cache rekt.incidents=[] and no post-mortem language indicating ignored prior disclosure found in any primary source. Green.
Sources #
- URLcrvUSD Upward Depeg (June 12, 2024) Incident Report — LlamaRiskLlamaRisk depeg incident report — confirms peg event was not a prior-disclosed vulnerabilityretrieved 2026-05-16
- Curve Finance / Vyper Hack Report — hacksdatabasehacksdatabase/hacks/curve-vyper.md — Vyper compiler zero-day; not a prior-disclosed crvUSD vulnerabilityretrieved 2026-05-16
- crvUSD data cache — Rekt incidents00-data-cache.json rekt.incidents=[] — no Rekt-listed incidents with ignored-disclosure patternretrieved 2026-05-16
Methodology #
Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.
See the full factor methodology and distribution across all protocols →