
Curve Finance

About

Curve is a decentralized exchange (DEX) specializing in efficient trading of stablecoins and correlated assets through automated market makers. The ecosystem includes Llamalend, a permissionless lending protocol, and crvUSD, a decentralized stablecoin. Curve utilizes vote-escrow governance (veCRV) to align long-term incentives and distribute protocol rewards.

Where Does Yield Come From?

Yield on Curve Finance comes from a few structured sources:

1. CRV token emissions – Every week, new CRV tokens are distributed to people who provide liquidity in trading pools or lending markets. Which pools get how much is decided by votes from veCRV holders (users who have locked CRV for governance). The rate at which new CRV tokens are created drops by 16% each year in August.

2. Trading fees – When someone swaps tokens on Curve’s exchange, they pay a small fee. A portion of these fees is shared with veCRV holders as revenue.

3. Lending interest – Through Llamalend, Curve’s lending protocol, borrowers pay interest on loans. That interest becomes yield for the lenders who supplied the assets.

4. Boosted CRV rewards – Liquidity providers who also hold veCRV can earn extra CRV rewards. The boost depends on how much veCRV they have compared to the liquidity they provide.

The fee system also allocates parts to the DAO treasury, to fee distributors, and to outside integrations like CowSwap’s burn mechanism.

All this yield accumulates automatically through open, programmed smart contracts—there are no centralized intermediaries in the process.

Persons

  • Michael Egorov

    Founder

Audits

Audit / Date | Findings | Verdict

Trail of Bits (22-06-2020 - 10-07-2020)
  • Critical: 0
  • High: 4
  • Medium: 8
  • Low: 4
  • Info: 5
The audit found multiple high and medium severity issues in Curve DAO's complex codebase, with the most critical risks relating to token confiscation and gas exhaustion; however, the development team addressed many findings before deployment, improving overall security posture.

MixBytes (13-07-2020)
  • Critical: 0
  • High: 1
  • Medium: 3
  • Low: 0
  • Info: 4
The audit identified one major logic flaw and several warnings, all of which were addressed; the final review concluded the fixed contract contains no vulnerabilities according to the auditor's analysis.

MixBytes (22-07-2020)
  • Critical: 0
  • High: 1
  • Medium: 4
  • Low: 0
  • Info: 4
The audit found no critical vulnerabilities and all identified issues were resolved, resulting in a secure voting contract implementation for Curve Finance's DAO governance.

Quantstamp (21-07-2020 - 05-08-2020)
  • Critical: 0
  • High: 1
  • Medium: 1
  • Low: 1
  • Info: 7
The audit identified and resolved the critical high-risk reward calculation issue, while acknowledging medium-risk gas limit concerns and leaving several informational findings for documentation improvements, indicating a focused review of specific contract files with reasonable remediation.

ChainSecurity (25-09-2024)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 5
  • Info: 6
The audit found no Critical, High, or Medium severity vulnerabilities, with all 5 Low-severity issues resolved before completion, indicating a well-secured Fee Splitter implementation for Curve Finance's crvUSD fee distribution system.

ChainSecurity (17-09-2025)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 7
This audit found no security vulnerabilities in the Curve Xgov system, with only minor informational issues that were all resolved, indicating the codebase provides a high level of security for cross-chain governance message forwarding.

Quantstamp (29-09-2020 - 15-10-2020)
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 3
  • Info: 1
The audit found no critical or high-severity issues, with the single medium-risk vulnerability already fixed prior to report finalization, indicating robust security posture for the metapool implementation at the time of assessment.

ChainSecurity (02-09-2021)
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 5
  • Info: 0
The audit identified and resolved a medium-severity reentrancy vulnerability, with remaining low-severity findings posing minimal risk to the Curve ETH/sETH pool's security.

MixBytes (06-09-2023 - 26-10-2023)
  • Critical: 3
  • High: 5
  • Medium: 12
  • Low: 21
  • Info: 0
MixBytes identified multiple critical and high-severity vulnerabilities in Curve's StableSwapNG system, but all issues were either fixed or acknowledged by the client before deployment, resulting in a comprehensively reviewed and secure implementation.

ChainSecurity (29-09-2021)
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 9
  • Info: 0
The audit identified no critical or high severity vulnerabilities, with all medium and low severity issues either resolved or acknowledged, indicating robust security posture for the Tricrypto contracts with minor optimization opportunities noted.

ChainSecurity (14-06-2023)
  • Critical: 0
  • High: 1
  • Medium: 5
  • Low: 13
  • Info: 0
The audit found no critical vulnerabilities, with all high and medium severity issues resolved before deployment, indicating a robust security posture for the tricrypto-ng upgrade with only minor low-risk items acknowledged.

ChainSecurity (07-02-2022)
  • Critical: 0
  • High: 2
  • Medium: 2
  • Low: 12
  • Info: 0
This draft audit reveals significant oracle manipulation risks and fee calculation inconsistencies that could impact pool economics, though most issues appear addressable through code revisions before final deployment.

ChainSecurity (08-08-2025 - 12-09-2025)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 3
  • Info: 8
The audit found only low-severity issues that were fully resolved, concluding the codebase provides a high level of security, though the fast-bridge design carries inherent risks from pre-finality fund release that require careful operational monitoring.

MixBytes (10-04-2023 - 01-06-2023)
  • Critical: 2
  • High: 2
  • Medium: 4
  • Low: 6
  • Info: 0
The audit revealed critical vulnerabilities that were fixed before mainnet deployment, leaving only acknowledged medium and low-risk issues that do not threaten immediate fund loss. Curve's crvUSD implementation shows a robust security posture with all high-severity flaws addressed prior to launch.

ChainSecurity (24-01-2024)
  • Critical: 0
  • High: 3
  • Medium: 7
  • Low: 20
  • Info: 0
The audit demonstrates a robust security posture with all high-severity issues resolved and most medium-severity findings addressed, though one partially corrected medium-risk price manipulation vector requires ongoing monitoring. The codebase provides a good level of security according to the auditor, with residual low-severity issues typical for complex financial protocols.

ChainSecurity (04-10-2022 - 15-02-2025)
  • Critical: 1
  • High: 3
  • Medium: 23
  • Low: 61
  • Info: 1
The audit identified one critical vulnerability that was resolved, along with numerous medium and low severity issues, concluding the codebase provides a good security level despite its complexity and some remaining design risks like bad debt socialization in lending vaults.

ChainSecurity (27-10-2023 - 11-12-2023)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 2
  • Info: 2
The audit found no major security issues, with only two low-severity findings that were resolved, indicating a robust implementation of Curve's PegKeeperV2 system with strong protections against manipulation vectors.

StateMind (15-01-2024 - 02-02-2024)
  • Critical: 1
  • High: 1
  • Medium: 4
  • Low: 0
  • Info: 11
The audit revealed one critical vulnerability in share dilution via callbacks and a high-severity issue disabling key Controller functions, but all critical and high findings were fixed before final commit, leaving only minor informational items acknowledged.

ChainSecurity (03-12-2024)
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 2
  • Info: 3
The audit revealed no critical or high-severity vulnerabilities, with the single medium issue resolved and low-severity items acknowledged. The codebase demonstrates a high level of security with only minor compliance and informational concerns remaining.

Legal

Legal form

AG (Aktiengesellschaft)

Registration jurisdiction

Zug, Switzerland

Status and notes

Website operator is Swiss Stake AG, registered in Zug, Switzerland. Terms & Conditions, Privacy Notice, and Risk Disclaimers accessible via /dex/ethereum/legal. Governed by Swiss law with exclusive jurisdiction in Zug courts.