Security
Curve Finance prioritizes the security of its protocols and user funds above all else. We maintain a bug bounty program to encourage responsible disclosure of potential vulnerabilities and actively collaborate with security researchers and whitehat hackers to ensure the safety of our ecosystem. Our security practices include regular audits, continuous monitoring, and swift response to potential threats.
Security Contact & Disclosure Reports
For security-related inquiries and vulnerability reports: security@curve.fi
Security audits and disclosure reports are available on GitHub
Bug Bounty¶
Scope
Issues which can lead to substantial loss of money, critical bugs like a broken live-ness condition or irreversible loss of funds.
Disclosure policy
Let us know as soon as possible upon discovery of a potential security issue. Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Exclusions
Already known vulnerabilities. Vulnerabilities in front-end code not leading to smart contract vulnerabilities.
Eligibility
You must be the first reporter of the vulnerability You must be able to verify a signature from same address Provide enough information about the vulnerability
Bug Bounty Payout
Likelihood ↓ / Severity → | Low | Moderate | High |
---|---|---|---|
Almost Certain | $10,000 | $50,000 | $250,000 |
Possible | $1,000 | $10,000 | $50,000 |
Unlikely | $250 | $1,000 | $5,000 |
Security Audits¶
DAO¶
-
Curve DAO Contracts
Auditor: TrailOfBits
Date: 10. July, 2020 -
BalanceTimeForwarder.sol
Auditor: MixBytes
Date: 13. July, 2020 -
Voting.sol
(Aragon Voting Fork)
Auditor: MixBytes
Date: 22. July, 2020 -
Curve DAO Contracts
Auditor: Quantstamp
Date: 5. August, 2020 -
Docs
FeeSplitter.vy
Auditor: ChainSecurity
Date: 25. September, 2024
DEX¶
-
Docs Metapools
Auditor: Quantstamp
Date: 15. October, 2020 -
ETH/sETH Pool
Auditor: ChainSecurity
Date: 27. September, 2021 -
Tricrypto
Auditor: ChainSecurity
Date: 29. September, 2021 -
Docs Tricrypto-NG
Auditor: ChainSecurity
Date: 23. June, 2023 -
Docs Twocrypto
Auditor: ChainSecurity
Date: 1. April, 2022
Stablecoin and Lending¶
-
Docs Curve Stablecoin
Auditor: MixBytes
Date: 5. June, 2023 -
Docs Curve Stablecoin
Auditor: ChainSecurity
Date: 24. January, 2024 -
Docs crvUSD PegKeeperV2
Auditor: ChainSecurity
Date: 12. December, 2023 -
Docs Curve Lending
Auditor: StateMind
Date: 2. February, 2024