Post-exploit response score

Curve Finance's assessment for RD-F-081 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

2023 Vyper exploit response: compensation paid (DAO voted $44M CRV, Dec 2023, vesting 1 year; 10% white-hat fee to attacker); root cause documented (LlamaRisk post-mortem); operational recovery via NG migration. Deductions: ~7-hour gap before first official Curve team status update (exploit began 13:10 UTC, Discord update ~20:30 UTC); post-mortem authored by LlamaRisk not Curve directly; no on-chain pause activated (AMM non-pausable). 2022 DNS hijack: no victim compensation; incomplete technical post-mortem. Composite: 3/5 — yellow.

Sources #

Governance
Proposal to Recompensate LPs Affected by Curve Pool ExploitCurve governance forum — reimbursement proposal 9825retrieved 2026-04-28
URL
Curve Pool Reentrancy Exploit Postmortem July 30th, 2023LlamaRisk post-mortem — root cause, recovery detailretrieved 2026-04-28
URL
August 10, 2022 — Curve frontend hackedCurve Substack — DNS hijack 2022 responseretrieved 2026-04-28
URL
Curve DAO agrees to $44m compensation for July hack victimsDL News — DAO voted $44M CRV compensation, Dec 2023retrieved 2026-04-28

Methodology #

Curator-score (1–5) the most recent incident response on: compensation completeness, transparency of disclosure, root-cause analysis depth, and operational recovery speed.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-081 score yellow collected_at 2026-04-28 19:48:40