Oracle staleness check present
Curve Finance's assessment for RD-F-059 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The StableSwap-NG rate oracle has no staleness check. `_stored_rates()` performs `raw_call(..., is_static_call=True)` and asserts that the response length is 32, but it does NOT check an `updatedAt` timestamp or any maximum age. CryptoSwap v2 internal EMA: staleness is self-managed by EMA decay (`tweak_price()` uses the `block.timestamp` delta); the staleness concern applies to EXTERNAL users of the `price_oracle()` output, not to Curve's own swap logic, which only uses internal pool balances.
Sources
- URL: MixBytes StableSwap-NG Security Audit. MixBytes StableSwap-NG audit README — confirms oracle implementation details. Retrieved 2026-04-28.
- Curve StableSwap-NG main contract. `CurveStableSwapNG.vy` `_stored_rates()`: `raw_call` with `assert len(oracle_response) == 32` only — no timestamp validation. Retrieved 2026-04-28.
Methodology
Determine whether the protocol rejects oracle reads older than a declared maximum age (i.e., checks `updatedAt > block.timestamp - maxStaleness`).
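The check described in the methodology, as an added example (not Curve's code or the curator's): a Python model that contrasts a length-only read of a 32-byte oracle response with a read that enforces a maximum age. The two-word `(rate, updatedAt)` response layout, the function names, the future-timestamp rejection and the sample values are assumptions made for illustration.

```python
"""Added illustration: length-only vs. max-age validation of an oracle read."""

class StaleOracle(Exception):
    """Raised when an oracle read fails the freshness check."""

def encode_words(*words: int) -> bytes:
    """ABI-style encoding: each uint256 as one 32-byte big-endian word."""
    return b"".join(w.to_bytes(32, "big") for w in words)

def decode_words(response: bytes, count: int) -> list:
    """Decode exactly `count` uint256 words; reject any other length."""
    if len(response) != 32 * count:
        raise ValueError(f"expected {32 * count} bytes, got {len(response)}")
    return [int.from_bytes(response[i:i + 32], "big")
            for i in range(0, len(response), 32)]

def read_rate_length_only(response: bytes) -> int:
    """Models the check the page describes: length == 32 and nothing else.
    A single word carries no timestamp, so the age of the rate is unknown."""
    return decode_words(response, 1)[0]

def read_rate_with_max_age(response: bytes, block_timestamp: int,
                           max_staleness: int) -> int:
    """Hypothetical oracle returning (rate, updatedAt). Accepts the read only
    if updatedAt > block_timestamp - max_staleness."""
    rate, updated_at = decode_words(response, 2)
    # Assumption added here: a timestamp ahead of the block is also rejected.
    if updated_at > block_timestamp:
        raise StaleOracle("updatedAt is in the future")
    # Compare ages rather than computing block_timestamp - max_staleness,
    # which would underflow in unsigned on-chain arithmetic for a large max.
    if block_timestamp - updated_at >= max_staleness:
        raise StaleOracle(f"rate is {block_timestamp - updated_at}s old")
    return rate

if __name__ == "__main__":
    NOW, MAX_AGE, RATE = 1_800_000_000, 3600, 105 * 10**16  # constructed values
    print(read_rate_length_only(encode_words(RATE)))  # accepted, age unknown
    for age in (60, 86_400):
        try:
            print(age, read_rate_with_max_age(encode_words(RATE, NOW - age), NOW, MAX_AGE))
        except StaleOracle as exc:
            print(age, "rejected:", exc)
```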