BlackHartBlackHart
Scores/Curve Finance

Curve Finance

MITHRIL

DEX / AMM · Multi-chain · $2B+ TVL · 30 contracts

Confidence 78%Z-Factor 0.93Updated 2026-05-17Public Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

875
BRI Score
3004756508251000

Security Profile

Access Ctrl
90
Economic
92
Oracle
88
Compos.
78
Govern.
85
Maturity
96
Resilience
72
Supply Ch.
78
OpSec
64
Cascade
55
Min
55
Avg
80
Max
96

Audit History

Trail of Bits
2020-02
Quantstamp
2020-01
MixBytes
2023-06

Bug Bounty Program

$250,000
Max payout on Immunefi
View Program →

Assessment

Foundational DeFi AMM, 76+ months live, zero core logic exploits. StableSwap invariant is the most battle-tested AMM formula in DeFi. Vyper compiler dependency and massive downstream integration surface are the main risk vectors.

Dimension Breakdown

How scores work →
Access Control
Weight 18%90% conf
90
Excellent
arrow_forward
+22DAO-controlled with veCRV voting
+22Admin functions behind timelock
+22Emergency kill switch on pools
+22Vyper-native reentrancy locks
receipt_longView provenance chainarrow_forward
Economic Soundness
Weight 13%88% conf
92
Excellent
arrow_forward
+23StableSwap invariant proven over 5+ years
+23CRV emissions model well-understood
+23Deep liquidity across major pools
+23ve-tokenomics creates long-term alignment
receipt_longView provenance chainarrow_forward
Oracle Integrity
Weight 13%85% conf
88
Strong
arrow_forward
+29Internal EMA oracles for TWAP
-12No external oracle dependency for core AMM
+29Price oracle manipulation resistant via EMA
+29Oracle used by external protocols (Curve oracle consumer)
receipt_longView provenance chainarrow_forward
Battle-Tested Maturity
Weight 12%95% conf
96
Excellent
arrow_forward
+24Live since January 2020 (76+ months)
+24Survived multiple market crashes
+24Largest stableswap DEX in DeFi
+24Zero protocol-level exploits on V1/V2 core
receipt_longView provenance chainarrow_forward
Governance & Upgradeability
Weight 10%85% conf
85
Strong
arrow_forward
+21veCRV governance with 4-year lock maximum
+21Emergency DAO for rapid response
+21Timelock on parameter changes
+21Gauge weight voting transparent on-chain
receipt_longView provenance chainarrow_forward
Adversarial Resiliencelock
Weight 10%85% conf
72
Good
  • Vyper compiler vulnerability disclosed 2023 (external dep, not logic bug)
  • Active bug bounty program
  • Multiple audit firms across versions
  • EMA oracle manipulation vectors researched extensively
Operational Security
Weight 10%60% conf
64
Moderate
arrow_forward
-9No branch protection detected
-9CI/CD present but unstable (20% success)
+16Commit signing: 76% verified
+16Strong PR review culture (93% reviewed)
receipt_longView provenance chainarrow_forward
Compositional Risk
Weight 5%80% conf
78
Good
arrow_forward
+20Deep DeFi integration surface (lending, stablecoins)
+20LP tokens widely used as collateral
+20Metapool pattern adds composition complexity
+20Factory pools reduce per-pool audit coverage
receipt_longView provenance chainarrow_forward
Cascade Exposure
Weight 5%80% conf
55
Moderate
arrow_forward
+14Curve pools are foundation for many stablecoin pegs
+14crvUSD creates additional dependency surface
+14Gauge emissions affect downstream protocol economics
+14LP token repricing cascades to lending protocols
receipt_longView provenance chainarrow_forward
Supply Chain
Weight 4%82% conf
78
Good
arrow_forward
+26Vyper language (smaller auditor pool)
-22Custom math libraries (no OZ)
+26Verified on Etherscan
+26Factory pattern means new pools may have untested configs
receipt_longView provenance chainarrow_forward

Risk Drivers

Primary risk factors driving this score, ordered by severity.

Cascade Exposure55
Operational Security64
Adversarial Resilience72

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Deployed 2020-01-20Z-Factor 0.93010 active dimensionsreceipt_longProvenance Ledger

Score History & Verification

Score provenance tracking begins with the next reassessment.

receipt_longView full provenance ledger →

On-Chain Data

Protocol Slug
"curve"
Oracle
BRORegistry (Base)
Evidence
IPFS (pinned)
Staleness Threshold
24 hours
Read Score
registry.getScore("curve")

Reduce exploitable risk

BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.

View Monitoring PlansHow Scores Work
Believe this score contains a factual error? Submit evidence for review →