[Ethereum] Curve v1 - Security Rating 3

Security Rating Level: 3
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 80)
Launched on mainnet in Feb 2020; live for 14 months.
1.2 Past exploits (8%; 100)
Never attacked
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 100)
CEO Michael Egorov has been a software engineer since 2007

2. Exposure (Weight 25%; Score 92.15)

2.1 Historical TVL (17.5%; 94.5)
Average market share in the past 4Q: 9.4%, 10.1%, 10.0%, 7.8%
Data collected from DeFi Pulse (Curve Finance | Stats, Charts and Guide)
2.2 Industry segment (5%; 90)
Curve is an exchange
2.3 Infrastructure (2.5%; 80)
No oracle needed for price feed

3. Audit (Weight 35%; Score 65)

Audit report available on: Curve.fi
3.1 Transparency and scope (14%; 50)
Audit covers part of the smart contracts; the report is public
3.2 Audit firm trust score (10.5%; 70)
Audited by Trail of Bits and Quantstamp, both Tier 2 audit firms
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 0)
N/A

4. Code quality (Weight 15%; Score 50)

Repository on GitHub: curvefi/curve-contract (Vyper contracts used in Curve.fi exchange pools)
4.1 Documentation
Documentation is not clear
4.2 Test
Tests exist, but code coverage is not visible

5. Developer community (Weight 5%; Score 74)

5.1 Bug bounty program (3.5%; 80)
Exists; reward up to $50,000
5.2 Issues raised on Github (1.5%; 60)
5 issues raised on the GitHub repository

The N-SCOSS for Compound is 75.3875, level 3

Curve v1 kept its security level at 3 when re-evaluated on 20 December 2021.

The overall N-SCOSS dropped quite significantly, although this does not directly affect the security rating level. The drop is mainly a consequence of two exploits that hit Curve in March and November. According to the SlowMist hack zone, the losses resulted from a contract vulnerability and a governance attack. While the latter could be accepted or rejected depending on the specific claim assessor's judgment, the former is definitely within our policy coverage. As a result, the score of pillar 1 dropped by 40. On the other hand, the pillar 5 score improved, since the bug bounty reward increased from $50k to $250k and the number of issues under discussion also grew substantially.

Below are the details of the updated rating for Curve v1, based on data up to 20 December 2021.


Security Rating Level: 3
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 52)

1.1 Project age (8%; 80)
Launched on mainnet in Feb 2020; live for 23 months.
1.2 Past exploits (8%; 0)
In the past 12 months, Curve was hacked twice (March and November 2021), with losses of ~30 million
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 100)
CEO Michael Egorov has been a software engineer since 2007

2. Exposure (Weight 25%; Score 94.95)

2.1 Historical TVL (17.5%; 98.5)
Average market share in the past 4Q: 11.4%, 10.7%, 10.2%, 9.7%
Data collected from DefiLlama (Curve Protocol: TVL and stats)
2.2 Industry segment (5%; 90)
Curve is an exchange
2.3 Infrastructure (2.5%; 80)
No oracle needed for price feed

3. Audit (Weight 35%; Score 65)

Audit report available on: Curve.fi
3.1 Transparency and scope (14%; 50)
Audit covers part of the smart contracts; the report is public
3.2 Audit firm trust score (10.5%; 70)
Audited by Trail of Bits and Quantstamp, both Tier 2 audit firms
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 0)
N/A

4. Code quality (Weight 15%; Score 50)

Repository on GitHub: curvefi/curve-contract (Vyper contracts used in Curve.fi exchange pools)
4.1 Documentation
Documentation is not clear
4.2 Test
Tests exist, but code coverage is not visible

5. Developer community (Weight 5%; Score 97)

5.1 Bug bounty program (3.5%; 100)
Exists; reward up to $250,000
5.2 Issues raised on Github (1.5%; 90)
27 issues raised on the GitHub repository
(Note that the issue count is measured differently from the last evaluation: open and closed issues are now counted, rather than open issues only. The change better reflects the full historical discussion in the GitHub repository and so gives a more precise measure of developer activity.)

The N-SCOSS for Compound is 69.2375, level 3
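To make the aggregation behind the two totals explicit, the following is an added Python check (not part of the rating report) that rebuilds each pillar score and the N-SCOSS from the sub-item weights and scores listed above for both evaluation dates. It assumes the model implied by the numbers: each pillar score is the weighted average of its sub-items, and the N-SCOSS is the weighted sum of the pillar scores; pillar 4 has no sub-items on the page and is entered as a single flat score, and the "other credits" line (0 on both dates) is omitted because its aggregation rule is not stated.

```python
from typing import Dict, List, Tuple

# (pillar weight, [(sub-item weight, sub-item score), ...]); weights are fractions of 100%.
Pillar = Tuple[float, List[Tuple[float, float]]]

# Values transcribed from the Mar 31st, 2021 evaluation above.
MAR_2021: Dict[str, Pillar] = {
    "1 history_team": (0.20, [(0.08, 80), (0.08, 100), (0.02, 100), (0.02, 100)]),
    "2 exposure": (0.25, [(0.175, 94.5), (0.05, 90), (0.025, 80)]),
    "3 audit": (0.35, [(0.14, 50), (0.105, 70), (0.105, 80)]),
    "4 code_quality": (0.15, [(0.15, 50)]),  # no sub-items on the page: flat score
    "5 community": (0.05, [(0.035, 80), (0.015, 60)]),
}

# Values transcribed from the Dec 20th, 2021 re-evaluation above.
DEC_2021: Dict[str, Pillar] = {
    "1 history_team": (0.20, [(0.08, 80), (0.08, 0), (0.02, 100), (0.02, 100)]),
    "2 exposure": (0.25, [(0.175, 98.5), (0.05, 90), (0.025, 80)]),
    "3 audit": (0.35, [(0.14, 50), (0.105, 70), (0.105, 80)]),
    "4 code_quality": (0.15, [(0.15, 50)]),
    "5 community": (0.05, [(0.035, 100), (0.015, 90)]),
}


def pillar_score(pillar: Pillar) -> float:
    """Weighted average of the sub-items: sub-weights are shares of 100%,
    so dividing by the pillar weight brings the result back to a 0-100 score."""
    weight, items = pillar
    if abs(sum(w for w, _ in items) - weight) > 1e-9:
        raise ValueError("sub-item weights must add up to the pillar weight")
    return sum(w * s for w, s in items) / weight


def n_scoss(rating: Dict[str, Pillar]) -> float:
    """Overall score on a 0-100 scale: weighted sum of the pillar scores."""
    return sum(weight * pillar_score((weight, items)) for weight, items in rating.values())


def pillar_scores(rating: Dict[str, Pillar]) -> Dict[str, float]:
    """Per-pillar scores, rounded the way the report prints them."""
    return {name: round(pillar_score(p), 4) for name, p in rating.items()}


if __name__ == "__main__":
    for label, rating in (("Mar 2021", MAR_2021), ("Dec 2021", DEC_2021)):
        print(label, pillar_scores(rating), "N-SCOSS =", round(n_scoss(rating), 4))
```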