"At first, I was skeptical about AI audits. But with Firepan, it feels like guys are doing what marketing says Mythos can do: on par with top-notch human auditors."
— Michael Egorov, Founder, Curve Finance & Yield Basis
In April 2026, Firepan ran an independent AI-driven review of Curve's new FXSwap (twocrypto-ng) AMM ahead of its production rollout. The headline finding was a donation-protection bypass that combined three innocuous pieces of code into a dangerous exploit — a Mythos-style composition bug in which no single property looked dangerous, but the three of them together did.
Curve patched it before live deployment, and shipped FXSwap clean. The story is worth telling because of how the bug was found.
How to read these numbers: the finding provably broke the contract's intent (the protection window could be under-armed), and Firepan held it at High importance on that soundness basis. Realized PnL in the tested attack shapes was indistinguishable from honest LP swap-arbitrage; the at-risk figure is a bounded ceiling, not a measured drain. The $334M is the production TVL across the pools in scope. The precise exposure measurement is held in the private report at Curve's request.
Curve's FXSwap branch introduced a donation mechanism: external donors could top up the pool, and a built-in donation-protection window would prevent new liquidity providers from immediately claiming a pro-rata share of that donation. The protection was designed to scale with the size of each new deposit.
At Curve's request, the precise mechanism of this finding is not described publicly — the same class of behavior touches pools that are still live, and the full technical detail is held in the private report shared with the Curve team. At the class level, the finding was a composition bug: several individually-routine properties of the arming logic — each of which any careful reviewer would read as ordinary code in isolation — combined to leave the protection window armed for less than its intended duration under a particular liquidity-add pattern.
That is the defining feature of a composition bug: none of the constituent properties, on its own, would warrant a finding. The issue only surfaces when something drives all of them through their full interaction space together. Firepan held the finding at High importance on that soundness basis; subsequent analysis found no asymmetric value capture in any tested attack shape, and Curve patched the behavior before the branch was deployed to production.
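As an added illustration (constructed for this page; it is not Curve's FXSwap code and does not reproduce the finding described above), the toy below models a donation-protection window whose arming scales with the size of each deposit, and states its intended property as the kind of stateful invariant a property-based suite would check: after any sequence of deposits and donations, no LP's lock is ever shorter than the duration its own deposits should have armed, and no locked LP can claim a share of the donation early. `WINDOW`, the arming rule, and the random sequences are all assumptions of this model.

```python
import math
import random
from dataclasses import dataclass, field

# Constructed constant: the full donation-protection window, in blocks.
WINDOW = 100


@dataclass
class LP:
    shares: int = 0
    lock_until: int = 0  # first block at which this LP may claim donations


@dataclass
class Pool:
    total_shares: int = 0
    donated: int = 0
    lps: dict = field(default_factory=dict)
    # Audit trail of (lp_id, block, intended_lock_until) for the checker.
    history: list = field(default_factory=list)

    def deposit(self, lp_id: str, amount: int, block: int) -> int:
        """Add liquidity and arm the donation lock; returns the armed block."""
        lp = self.lps.setdefault(lp_id, LP())
        self.total_shares += amount
        lp.shares += amount
        # Assumed rule: protection scales with the deposit's share of the
        # pool after the add, capped at the full window.
        fraction = amount / self.total_shares
        intended = block + min(WINDOW, math.ceil(fraction * WINDOW))
        # Arming must never shorten a lock that is already in force.
        lp.lock_until = max(lp.lock_until, intended)
        self.history.append((lp_id, block, intended))
        return lp.lock_until

    def donate(self, amount: int) -> None:
        """External top-up; vests pro rata to LPs whose lock has expired."""
        self.donated += amount

    def claimable(self, lp_id: str, block: int) -> int:
        lp = self.lps[lp_id]
        if block < lp.lock_until:
            return 0
        return self.donated * lp.shares // self.total_shares


def under_armed(pool: Pool) -> list:
    """Every (lp_id, block, intended) whose lock is shorter than it should be."""
    return [(lp_id, block, intended)
            for lp_id, block, intended in pool.history
            if pool.lps[lp_id].lock_until < intended]


def invariant_holds(pool: Pool) -> bool:
    """Stateful invariant: no deposit leaves its LP's window under-armed, and
    no LP can claim at the block just before its intended unlock."""
    if under_armed(pool):
        return False
    return all(pool.claimable(lp_id, intended - 1) == 0
               for lp_id, _block, intended in pool.history)


def fuzz(seed: int, steps: int = 200) -> bool:
    """Drive a seeded random deposit/donate sequence, checking after each step."""
    rng = random.Random(seed)
    pool = Pool()
    block = 0
    for _ in range(steps):
        block += rng.randint(1, 10)
        if rng.random() < 0.7:
            pool.deposit(rng.choice("abcd"), rng.randint(1, 10_000), block)
        else:
            pool.donate(rng.randint(1, 1_000))
        if not invariant_holds(pool):
            return False
    return True


if __name__ == "__main__":
    p = Pool()
    p.deposit("a", 1000, 0)      # sole LP: armed for the full window
    p.donate(100)
    p.deposit("b", 1000, 10)     # half the pool: armed for half the window
    print(p.claimable("b", 59), p.claimable("b", 60))  # 0 50
    print(invariant_holds(p), fuzz(seed=1))
```

The point of the shape is that the invariant is checked against the model's own history rather than against the arming code's output, so a rule that quietly shortened a window under some deposit pattern would fail `under_armed` even though every individual deposit looked correctly handled.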
Curve is one of the most heavily reviewed protocols in DeFi. Over the years they have published audits from six independent firms and built one of the strongest internal test cultures in the industry. They were early adopters of property-based fuzz testing; Michael Egorov personally funded the development of the Vyper compiler (a technically independent project, designed to make secure smart-contract code easier to write, that many Curve developers have contributed to over the years); and they maintain a stateful invariant suite directly inside their repo, the kind you rarely see in production DeFi.
The donation-protection finding is the kind that lives in the seams between different review surfaces. Each of its constituent properties is a routine pattern that any careful reviewer would read as ordinary code in isolation. The issue only exists when an exhaustive search drives all of them through their interaction space at once. That is precisely the work a frontier-model AI auditor, paired with deterministic verification gates and a real test harness, is built to do at scale.
Firepan's deep-audit pipeline was triggered on April 10, 2026. It begins by reading the source and building a knowledge graph of every contract, function, storage slot, and authorization edge — generating a diagram like the one pictured above. Audit agents then propose hypothetical attack vectors against the graph and prosecute each one against the live test suite, surfacing only those that survive deterministic verification.
Firepan privately disclosed the donation-protection bypass to the Curve engineering team on 2026-04-27, the same day it surfaced. The Curve team independently affirmed the mechanism the next day. Curve shipped a fix in the following commit revision — closing the under-arming behavior — before the FXSwap branch was deployed to production. Firepan's final report draft, delivered on 2026-05-26, confirmed the fix against the patched source, including under ramp-and-thaw stress conditions.
Michael Egorov is one of DeFi's most respected technical founders. He founded both Curve Finance and Yield Basis, and is a major advocate of Vyper. He had been notably cautious about the role of AI in smart-contract programming, but became a convert after watching Firepan surface novel composition bugs. He drew parallels to the marketing behind Mythos, in which AI identified software bugs that had eluded human reviewers.
That framing matters because of who he is. Firepan does not replace the six audit firms Curve already trusts; it does the work that complements them — the exhaustive composition search, the property-graph traversal, the deterministic PoC generation — at a depth and speed that is simply not feasible in a human-review-only model.
April 2026 was one of the worst months for DeFi exploits in cryptocurrency history, with a high-severity incident occurring nearly every day, including the Kelp DAO incident that led DeFi founders to pass the hat to help secure lending giant Aave. The industry is converging on a hard truth: AI-driven attacker tooling is real, and the defenders' side of that asymmetry needs to catch up.
The Kelp DAO bridge exploit drained $291M in rsETH and triggered a $6.2B withdrawal run on Aave inside 48 hours. April 2026 alone produced multiple nine-figure incidents. A single Firepan engagement is a small fraction of the operational cost of one such incident — and the audit fires at every code revision, against the threat landscape as it stands when it fires.
Curve's FXSwap caught its $334M-surface bug pre-deployment. Most of the protocols in April's incident pile did not have that protection.
That convergence is now mainstream. Manuel Aráoz — co-founder and former CTO of OpenZeppelin (he departed the firm in 2019; OpenZeppelin has separately distanced itself from his statement) and a respected voice in smart-contract security in his own right — publicly stated his updated position the day before this case study was written:
The donation-protection bypass is a small story in dollar terms — the pre-rollout exposure was bounded and the fix shipped before deployment. But it is a meaningful story in kind. It is exactly the class of bug that human-only audits, however well-resourced, can miss in the seams. And it is exactly the class of bug that an AI auditor paired with real verification infrastructure is built to find.
Curve's posture on security — six audit firms, custom-funded compiler, stateful invariant suite, an AI engagement before traditional audit — is the posture that makes finding these bugs possible. Most DeFi protocols have nothing like it. As of this writing, that gap is the asymmetry Aráoz is talking about.
Curve's deployed contracts are immutable — that is part of what makes them trustable. The flip side is that the threat model around those contracts is not. New exploit patterns emerge constantly: novel MEV shapes, freshly-documented compiler edge cases, attack research from elsewhere in DeFi that turns out to apply to Curve's surfaces. A one-shot audit reviews the contract as the threat landscape looked the day of the review, then walks away.
That is what continuous AI audit changes. Once Firepan has built the knowledge graph of a protocol and the verification harness around it, re-running coverage against new exploit classes as they emerge is a tractable, recurring operation rather than a fresh engagement each time. Immutable contracts get continuously hardened review against an evolving threat model — the same model an attacker is working from. For protocols like Curve, that is the shape of coverage worth maintaining.
The full technical report is published alongside this case study at firepan.com/reports/curve-twocrypto-ng-v2-review/ (FP-AUDT-2026-0001 V2.0). The donation-protection bypass is documented there as F-7, with the d737d45 fix and Firepan's re-verification trace.
Connect your repo. Firepan's AI agents build the knowledge graph, prosecute attack vectors against deterministic verification gates, and surface composition bugs human auditors miss. Same engine that found the F-7 bypass before it went live on Curve.