BlackHart

Curve Finance

MITHRIL

DEX / AMM · Multi-chain · $2B+ TVL · 30 contracts

Official site: curve.fi

875
Scale: 300 · 475 · 650 · 825 · 1000
Confidence: 78%
Z-Factor: 0.93
Updated 2026-05-27 · Public score

Security Profile

Access Control: 90
Economic: 92
Oracle: 88
Compositional: 78
Governance: 85
Maturity: 96
Resilience: 72
Supply Chain: 78
OpSec: 64
Cascade: 55
Min: 55 · Avg: 80 · Max: 96

Audit History

Trail of Bits · 2020-02
Quantstamp · 2020-01
MixBytes · 2023-06

Bug Bounty Program

$250,000
Max payout on HackerOne

Assessment

Foundational DeFi AMM, 76+ months live, zero core logic exploits. StableSwap invariant is the most battle-tested AMM formula in DeFi. Vyper compiler dependency and massive downstream integration surface are the main risk vectors.

Dimension Breakdown

Access Control
Weight 18% · 90% confidence
90
+22 DAO-controlled with veCRV voting
+22 Admin functions behind timelock
+22 Emergency kill switch on pools
+22 Vyper-native reentrancy locks
Economic Soundness
Weight 13% · 88% confidence
92
+23 StableSwap invariant proven over 5+ years
+23 CRV emissions model well-understood
+23 Deep liquidity across major pools
+23 ve-tokenomics creates long-term alignment
Oracle Integrity
Weight 13% · 85% confidence
88
+22 Internal EMA oracles for TWAP
+22 No external oracle dependency for core AMM
+22 Price oracle manipulation resistant via EMA
+22 Oracle used by external protocols (Curve oracle consumer)
Battle-Tested Maturity
Weight 12% · 95% confidence
96
+19 Live since January 2020 (76+ months)
+19 Survived multiple market crashes
+19 Largest stableswap DEX in DeFi
+19 Zero protocol-level exploits on V1/V2 core
Governance & Upgradeability
Weight 10% · 85% confidence
85
+21 veCRV governance with 4-year lock maximum
+21 Emergency DAO for rapid response
+21 Timelock on parameter changes
+21 Gauge weight voting transparent on-chain
Adversarial Resilience (redacted)
Weight 10% · 85% confidence
72
  • Vyper compiler vulnerability disclosed 2023 (external dep, not logic bug)
  • Active bug bounty program
  • Multiple audit firms across versions
  • EMA oracle manipulation vectors researched extensively
Operational Security
Weight 10% · 60% confidence
64
-18 No branch protection detected
-18 CI/CD present but unstable (60% success)
+21 Strong PR review culture (87% reviewed)
+21 Moderate development (17 commits/month)
Compositional Risk
Weight 5% · 80% confidence
78
+20 Deep DeFi integration surface (lending, stablecoins)
+20 LP tokens widely used as collateral
+20 Metapool pattern adds composition complexity
+20 Factory pools reduce per-pool audit coverage
Cascade Exposure
Weight 5% · 80% confidence
55
+14 Curve pools are foundation for many stablecoin pegs
+14 crvUSD creates additional dependency surface
+14 Gauge emissions affect downstream protocol economics
+14 LP token repricing cascades to lending protocols
Supply Chain
Weight 4% · 82% confidence
78
+20 Vyper language (smaller auditor pool)
+20 Custom math libraries (no OZ)
+20 Verified on Etherscan
+20 Factory pattern means new pools may have untested configs

Top Score Drivers

Dimensions with the greatest marginal impact on BRI.

Operational Security
64 · +26.2 potential
Strong PR review culture (87% reviewed)
Adversarial Resilience
72 · +19.2 potential
Cascade Exposure
55 · +17.4 potential
Curve pools are foundation for many stablecoin pegs
Access Control
90 · +11 potential
DAO-controlled with veCRV voting
Oracle Integrity
88 · +9.6 potential
Internal EMA oracles for TWAP

Adversarial Risk Signals

Publicly verifiable security posture indicators.

Disclosure History: Not Assessed
Remediation Velocity: Not Assessed
Bug Bounty Program: Not Assessed
Audit Coverage: Not Assessed
Incident History: Not Assessed
Deployed 2020-01-20 · 10 dimensions
Provenance Ledger: methodology v2.1 · formula v1.0 · weights v1.0 · evidence sha256:sha256:2...

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

Protocol Slug: "curve"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours
Read Score: registry.getScore("curve")

Embed this score

Live, updates automatically. Free for any site. Click-through links open the full report on BlackHart.

<iframe
  src="https://blackhart.io/embed/oracle/curve?variant=card&theme=dark"
  title="BlackHart Risk Index: Curve Finance"
  width="340"
  height="290"
  frameborder="0"
  loading="lazy"
  style="border:0; max-width:100%;"
></iframe>