defirisk.co
rubric v1.7.0

TWAP window duration

Curve Finance's assessment for RD-F-054 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CryptoSwap v2 (Tricrypto-NG) uses an internal EMA whose ma_time parameter is configurable from 60s to 7d (values 87–872541 in Vyper units, where value = window / ln(2)). The default is deployment-specific. The admin can change it via commit_new_parameters() (requires factory admin) followed by apply_new_parameters() (3-day delay). A very short ma_time (near the 60s minimum) in a low-liquidity pool would be vulnerable to manipulation. StableSwap-NG has no TWAP window; it uses the token exchange rate directly. Scored yellow because the minimum allowed window (60s) is below the 30-minute threshold in the taxonomy, even if current deployment values are likely longer.

Sources

  • GitHub
    Curve Tricrypto-NG main contract: CurveTricryptoOptimizedWETH.vy, commit_new_parameters(): assert new_ma_time >= 87 and new_ma_time <= 872541 (retrieved 2026-04-28)

Methodology

For each DEX-TWAP oracle, measure the TWAP window duration in minutes; flag any window < 30 minutes as high risk.
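
The 30-minute check applied to ma_time values, as an added example that is not Curve's or defirisk.co's code. It assumes the EMA weight on the old value is exp(-dt / ma_time), which is what the page's value = window / ln(2) implies (the window is the EMA half-life); the function names and the 12-second sample interval are constructed for illustration.

```python
import math

LN2 = math.log(2)
THRESHOLD_MIN = 30                       # rubric: windows under 30 minutes are high risk
MA_TIME_MIN, MA_TIME_MAX = 87, 872541    # bounds asserted in commit_new_parameters()


def window_seconds(ma_time: int) -> float:
    """Convert ma_time (Vyper units) to a window, per value = window / ln(2)."""
    if not MA_TIME_MIN <= ma_time <= MA_TIME_MAX:
        raise ValueError(f"ma_time {ma_time} is outside the range the contract accepts")
    return ma_time * LN2


def min_ma_time_for(window_minutes: float) -> int:
    """Smallest ma_time whose window is at least window_minutes."""
    return math.ceil(window_minutes * 60 / LN2)


def ema_shift(ma_time: int, held_seconds: float) -> float:
    """Fraction of a price deviation the EMA absorbs if the deviation
    persists for held_seconds. Assumption: alpha = exp(-dt / ma_time)."""
    return 1.0 - math.exp(-held_seconds / ma_time)


def assess(ma_time: int, sample_interval: float = 12.0) -> dict:
    """Apply the rubric threshold and report sensitivity over one sample
    interval (12 s is a constructed sample value, not from the page)."""
    minutes = window_seconds(ma_time) / 60
    return {
        "ma_time": ma_time,
        "window_min": round(minutes, 2),
        "high_risk": minutes < THRESHOLD_MIN,
        "shift_per_interval": round(ema_shift(ma_time, sample_interval), 4),
    }


if __name__ == "__main__":
    # Contract minimum, the smallest value that clears the rubric, contract maximum
    for value in (MA_TIME_MIN, min_ma_time_for(THRESHOLD_MIN), MA_TIME_MAX):
        print(assess(value))
```

At the contract minimum the EMA moves roughly 13% of the way toward a deviating price within one 12-second interval; at the smallest ma_time that clears the 30-minute threshold it moves under 0.5%.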


rubric_version v1.7.0 protocol curve-v2 factor RD-F-054 score yellow collected_at 2026-04-28 19:48:40