Deployed bytecode matches signed release tag

Curve Finance's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Curve does not publish universally-signed release-tag commit hashes for all deployed bytecode. Core DAO contracts (VotingEscrow, GaugeController) are original 2020-2021 deploys with no subsequent bytecode change. GitHub v1.3.0 release tag (June 2021) exists for curve-dao-contracts. NG factory blueprint implementations are tracked via DAO votes but no universal signed-tag verification process is documented.

Sources #

GitHub
curve-dao-contracts GitHub repositorygithub.com/curvefi/curve-dao-contracts — v1.3.0 release June 2021; latest commit 2026-03-20 on tricrypto-ngretrieved 2026-04-28

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-136 score yellow collected_at 2026-04-28 19:48:40