Ignored bounty disclosure

Curve Finance's assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence of Curve ignoring a disclosed vulnerability before exploit. July 2023 was a Vyper compiler-level bug undiscoverable by application-level audit. May 2024 Marco Croc finding paid at maximum bounty ($250K) and remediated. No pattern of ignored disclosures in post-mortems.

Sources #

URL
Vyper Nonreentrancy Lock Vulnerability Post-MortemVyper official post-mortem — compiler bug not a bounty-disclosable application findingretrieved 2026-04-28
URL
Curve Finance Rewards Dev $250K — CryptoTimesMarco Croc payout — evidence of bounty program responsivenessretrieved 2026-04-28

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-008 score green collected_at 2026-04-28 19:48:40