curve.fi
Summary
Curve Finance is a six-year-old DEX and stablecoin stack holding roughly $1.5B across 30+ chains, anchored by legacy pools like 3pool and newer crvUSD/LlamaLend products. On paper it has mature veCRV governance, 17+ audits, and a strong 2023 exploit response—but on-chain reality exposes a single EOA controlling the canonical AddressProvider registry on every chain, nine unverified core contracts including GaugeController and scrvUSD, FastBridge pre-minting crvUSD on LayerZero messages before bridge finality, and permissionless LlamaLend markets that already produced a March 2026 oracle attack. Three verified incidents ($61.7M Vyper compiler exploit, $575K DNS hijack, $240K sDOLA donation attack) show failures in supply chain, Web2 infrastructure, and market configuration—not just bad luck. Overall risk is elevated at 6.7/10.
Trust Assumptions
Users must trust that the AddressProvider admin EOA (0x2d12…03ee) will not repoint registry IDs that integrators rely on across all chains; that LayerZero messaging and FastBridge peer configuration will not mint unbacked L1 crvUSD; that the Emergency DAO 5-of-9 multisig will use gauge-kill and bridge-kill powers only in genuine emergencies without timelock delay; that veCRV governance routed through unverified Ownership Agent and GaugeController bytecode reflects actual voter intent despite Convex controlling ~53% of veCRV voting power; that legacy Vyper pools compiled on unaffected compiler versions remain safe while 1,200+ deployments sit outside audit scope; and that permissionless LlamaLend markets with AMM-band oracles—not Chainlink—will not repeat the sDOLA donation pattern.
What Could Go Wrong
A compromised AddressProvider admin key could instantly redirect factories, routers, and admin contracts ecosystem-wide before any DAO vote. FastBridge could credit unbacked crvUSD if LayerZero infrastructure fails, peers are misconfigured, or the unverified Arbitrum FastBridgeL2 behaves differently than audited code. Another Vyper compiler defect or unverified contract bug in GaugeController, scrvUSD, or the LLAMMA Controller Factory could drain funds that prior audits never covered at the bytecode level. Permissionless LlamaLend markets with thin collateral and manipulable internal oracles remain live attack surface—the March 2026 sDOLA incident liquidated 27 borrowers for ~$822K in equity with no compensation announced. External stablecoin depegs in 3pool (~$1.35B Ethereum TVL) propagate directly into LP losses and crvUSD peg defense. Convex-dominated gauge voting can block funding and redirect emissions regardless of broader community preference.
Recommendation
Curve is acceptable for experienced DeFi users who stick to well-audited, verified legacy pools (3pool, major NG factories) and avoid obscure LlamaLend markets, unverified scrvUSD deposits, and FastBridge fast-withdraw paths until registry admin is DAO-controlled and remaining contracts are verified on-chain. Treat audit reports as necessary but insufficient—the 2023 Vyper incident proved compiled bytecode can diverge from reviewed source across 1,200+ deployments. Monitor AddressProvider admin activity, Emergency DAO signer changes, new permissionless market deployments, and crvUSD PegKeeper reserve releases that can suddenly expand circulating supply. Reduce exposure if using curve.fi directly (DNS risk persists), holding CRV for governance value (Convex concentration and ~7.6% annual inflation), borrowing against exotic LlamaLend collateral, or relying on cross-chain crvUSD via unverified L2 bridge contracts. Conservative allocators and institutional treasuries should demand verified source for all core contracts and per-market oracle review before meaningful capital deployment.
Analysis Sections
Curve has a mature veCRV → Aragon DAO path for ownership and parameter changes, backed by a verified 5-of-9 Emergency DAO multisig. However, the canonical AddressProvider registry on every deployed chain is controlled by a single EOA (0x2d12…03ee) that can rewrite registry IDs immediately without a DAO vote or timelock. FastBridge and xGov extend mainnet admin agents to L2s, but bridge mint/kill roles and the registry admin remain concentrated trust points.
Findings (8)
The CurveAddressProvider registry (0x5ffe7FB82894076ECB99A30D6A32e969e6e35E98) on Ethereum, Arbitrum, Optimism, Base, and Polygon is controlled by admin 0x2d12d0907a388811e3aa855a550f959501d303ee, verified as an EOA via eth_getCode. This admin can add, update, or remove registry IDs instantly (admin-only functions with no vote or delay). Registry entries include Ownership Admin (ID 21), Parameter Admin (ID 22), and Emergency Admin (ID 23), so a compromised key could redirect the canonical registry that integrators rely on.
The identical AddressProvider admin EOA governs the registry on Ethereum, Arbitrum, Optimism, Base, and Polygon. Unlike core protocol changes routed through veCRV votes and Aragon agents, registry updates on any chain require only this single key. This is a cross-chain governance weak link: one compromised admin can repoint factory, router, and admin IDs across deployments.
Emergency Admin (AddressProvider ID 23) resolves to Gnosis Safe 0x467947EE34aF926cF1DCac093870f613C96B1E0c, verified on-chain as 5-of-9 with nine owner addresses. A second Safe at 0x6d447e544D01a59cb0774763bf15526574CffFeD has the same threshold and owner set (deployments registry). Emergency admin holds FastBridgeVault KILLER_ROLE and can halt bridge minting; community docs describe gauge-kill and peg-pause powers. Actions require five signatures but no enforced delay.
Ownership changes flow through veCRV-weighted Aragon voting to the Ownership Agent proxy (0x40907540d8a6C65c637785e8f8B742ae6b0b9968), verified as an Aragon Agent (kernel 0xad06868167bc5ac5cfcbef2cafa82bc76961d72d). Parameter Admin is a separate agent at 0x4eeb3ba4f221ca16ed4a0cc7254e2e32df948c5f. VotingEscrow admin is the Ownership Agent. Gauge weight allocation uses GaugeController (0x2F50D538D60856CF27039851d725A46949860Fc8), driven by veCRV votes, though GaugeController bytecode is unverified on Etherscan.
xGov L1 Broadcaster (0x7BA33456EC00812C6B6BB6C1C3dfF579c34CC2cc) accepts broadcasts only from registry-configured ownership, parameter, and emergency admins. On Arbitrum, relayer 0xb7b0FF38E0A01D798B5cd395BbA6Ddb56A323830 deploys separate OWNERSHIP/PARAMETER/EMERGENCY agents (e.g. ownership agent 0x452030a5D962d37D97A9D65487663cD5fd9C2B32). FastBridgeL2.owner() on Arbitrum, Optimism, and Fraxtal points to these chain-local agent contracts (all verified as contracts, not EOAs). This design avoids naked EOA L2 admins but adds reliance on correct xGov relay and message integrity.
FastBridgeVault (0xadB10d2d5A95e58Ddb1A0744a0d2D7B55Db7843D) assigns DEFAULT_ADMIN_ROLE to the Ownership Agent, MINTER_ROLE to VaultMessengerLZ (0x15945526b5c32d963391343e9bc080838fe3e6d9), and KILLER_ROLE to the Emergency DAO Safe. The messenger can mint crvUSD against LayerZero messages, creating bridge-governance and oracle-trust dependencies beyond standard DAO votes.
AddressProvider implements commit_transfer_ownership / apply_transfer_ownership with a three-day delay before admin rotation (documented in contract NatSpec). However, routine registry mutations (add_new_id, update_address, remove_id) execute immediately once the current admin signs, with no community review window.
GaugeController, Ownership Agent proxy bytecode, FastBridgeL2 on several chains, and scrvUSD are marked unverified in the local contract cache, limiting source-level assurance of admin modifiers even where on-chain role checks succeed.
Key Governance Entities
Emergency DAO Multisig (5-of-9) — Verified Owners
| # | Owner Address |
|---|---|
| 1 | 0xe9a65fe8190fa5a4b5e277b84f0aace686fdc174 |
| 2 | 0x7a1057e6e9093da9c1d4c1d049609b6889fc4c67 |
| 3 | 0x2b47c57a4c9fc1649b43500f4c0cda6cf29be278 |
| 4 | 0xdaa094a0ed166fedf8a0a4310f3f74a1e96f9195 |
| 5 | 0x99bc02c239025e431d5741cc1dba8ce77fc51ce3 |
| 6 | 0xaf17517acd484429fc0da2312fd1f42039592cd0 |
| 7 | 0xc6f3aac21d8282f166938a8b30a9ec62de30accc |
| 8 | 0xaac0aa431c237c2c0b5f041c8e59b3f1a43ac78f |
| 9 | 0x8a7dbc2824acac4d272289a33b255c3f1f3cdf32 |
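A monitor for the registry and Emergency DAO checks the findings above describe (admin EOA via eth_getCode, registry IDs 21-23, the Safe's 5-of-9 threshold and the signer set in the table), added here as an example and not the project's own code. The Chain stub and the snapshot() data are constructed for offline use; in production the stub would be backed by web3.py, and the getter names follow the public AddressProvider and Safe ABIs.

```python
from dataclasses import dataclass
# Addresses and registry IDs as given in the report; lower-cased so comparisons ignore checksum case.
ADDRESS_PROVIDER = "0x5ffe7FB82894076ECB99A30D6A32e969e6e35E98".lower()
EXPECTED_ADMIN = "0x2d12d0907a388811e3aa855a550f959501d303ee"
EMERGENCY_SAFE = "0x467947EE34aF926cF1DCac093870f613C96B1E0c".lower()
EXPECTED_IDS = {21: "0x40907540d8a6C65c637785e8f8B742ae6b0b9968".lower(),  # Ownership Admin
                22: "0x4eeb3ba4f221ca16ed4a0cc7254e2e32df948c5f", 23: EMERGENCY_SAFE}  # Parameter, Emergency
EXPECTED_OWNERS = {  # the nine Emergency DAO signers from the table above
    "0xe9a65fe8190fa5a4b5e277b84f0aace686fdc174", "0x7a1057e6e9093da9c1d4c1d049609b6889fc4c67",
    "0x2b47c57a4c9fc1649b43500f4c0cda6cf29be278", "0xdaa094a0ed166fedf8a0a4310f3f74a1e96f9195",
    "0x99bc02c239025e431d5741cc1dba8ce77fc51ce3", "0xaf17517acd484429fc0da2312fd1f42039592cd0",
    "0xc6f3aac21d8282f166938a8b30a9ec62de30accc", "0xaac0aa431c237c2c0b5f041c8e59b3f1a43ac78f",
    "0x8a7dbc2824acac4d272289a33b255c3f1f3cdf32"}

@dataclass
class Chain:
    """Read-only chain view; in production back it with web3.py (w3.eth.get_code and
    contract.functions.<fn>(*args).call()). Constructed snapshots stand in here."""
    code: dict   # address -> bytecode; b"" is what eth_getCode returns for an EOA
    calls: dict  # (address, function name, args tuple) -> decoded return value
    def get_code(self, addr): return self.code.get(addr.lower(), b"")
    def call(self, addr, fn, *args): return self.calls[(addr.lower(), fn, args)]

def check_governance(chain: Chain) -> list:
    """Diff live governance state against the report's baseline; each string is an alert."""
    alerts = []
    admin = chain.call(ADDRESS_PROVIDER, "admin").lower()
    if admin != EXPECTED_ADMIN:
        alerts.append(f"AddressProvider admin rotated to {admin}")
    if chain.get_code(admin) == b"":  # a bare key: registry edits need no vote or timelock
        alerts.append("AddressProvider admin is an EOA")
    for reg_id, want in EXPECTED_IDS.items():
        got = chain.call(ADDRESS_PROVIDER, "get_address", reg_id).lower()
        if got != want:
            alerts.append(f"registry ID {reg_id} repointed to {got}")
    threshold = chain.call(EMERGENCY_SAFE, "getThreshold")
    owners = {o.lower() for o in chain.call(EMERGENCY_SAFE, "getOwners")}
    if threshold != 5 or len(owners) != 9:
        alerts.append(f"Emergency DAO Safe policy is now {threshold}-of-{len(owners)}")
    elif owners != EXPECTED_OWNERS:
        alerts.append("Emergency DAO Safe signer set changed")
    return alerts

def snapshot(admin=EXPECTED_ADMIN, admin_code=b"", ids=EXPECTED_IDS,
             threshold=5, owners=EXPECTED_OWNERS) -> Chain:
    """Constructed sample state, not live chain data; the defaults reproduce the report."""
    calls = {(ADDRESS_PROVIDER, "admin", ()): admin, (EMERGENCY_SAFE, "getThreshold", ()): threshold,
             (EMERGENCY_SAFE, "getOwners", ()): sorted(owners)}
    calls.update({(ADDRESS_PROVIDER, "get_address", (i,)): a for i, a in ids.items()})
    return Chain(code={admin.lower(): admin_code}, calls=calls)
```

On the baseline snapshot only the EOA-admin alert fires; pass a modified snapshot (a repointed ID, a rotated admin, a changed threshold or signer set) to see the corresponding alert.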