Single-pool oracle (no medianization)

Curve Finance's assessment for RD-F-056 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

StableSwap-NG rate oracle: single source per token type (wstETH -> Lido only via one address, cbETH -> Coinbase only via one address). No medianization across multiple venues. Single point of failure: if the token's upstream rate contract is compromised or returns a wrong value, the pool uses that wrong rate. CryptoSwap v2 EMA: single pool, single EMA — no medianization. Mitigated: these are canonical protocol-level rates (not DEX spot prices), and their manipulation would require exploiting the Lido or Coinbase protocol itself.

Sources #

GitHub
Curve StableSwap-NG main contractCurveStableSwapNG.vy _stored_rates(): single raw_call per token (no median/aggregation logic)retrieved 2026-04-28

Methodology #

Determine whether the oracle reads from a single DEX venue with no medianization across multiple pools or venues.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-056 score yellow collected_at 2026-04-28 19:48:40