defirisk.co
rubric v1.7.0

Incident response time (minutes)

Curve Finance's assessment for RD-F-085 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

2023 Vyper exploit: first exploit transaction at 13:10 UTC; first official Curve team Discord update (acknowledging pools drained/white hacked) at approximately 20:30 UTC (~420 minutes / ~7 hours). Vyper team public acknowledgment at 16:44 UTC (third-party toolchain). Protocol non-pausable, so no faster on-chain protective action was structurally possible, but 7 hours for a $73M live exploit communication gap is slow. 2022 DNS hijack: ~62-minute response (acceptable). Most recent incident drives the score.

Sources #

  • GitHub
    Curve Vyper exploit timelinehacksdatabase/hacks/curve-vyper.md — timeline: 13:10 UTC first exploit; 16:44 UTC Vyper ack; 22:00 UTC whitehat recoveryretrieved 2026-04-28
  • URL
    Curve suffers $70M exploit, but damage contained — BlockworksBlockworks — 'Curve team wrote in Discord at roughly 4:30pm ET that all affected pools have been drained or white hacked'retrieved 2026-04-28

Methodology #

Measure the time in minutes from the first exploit transaction to the first official team statement for the most recent incident.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-085 score yellow collected_at 2026-04-28 19:48:40