"At first, I was skeptical about AI audits. But with Firepan, it feels like guys are doing what marketing says Mythos can do: on par with top-notch human auditors."
— Michael Egorov, Founder, Curve Finance & Yield Basis
In April 2026, Firepan ran an independent AI-driven review of Curve's new FXSwap (twocrypto-ng) AMM ahead of its production rollout. The headline finding was a donation-protection bypass that combined three innocuous pieces of code into a dangerous exploit — a Mythos-style composition bug in which no single property looked dangerous, but the three of them together did.
Curve patched it before live deployment, and shipped FXSwap clean. The story is worth telling because of how the bug was found.
How to read these numbers: the bug provably broke the contract's intent (the protection window was bypassable), and Firepan rated the finding High on that soundness basis rather than on realized loss. In the attack shapes tested, realized PnL was indistinguishable from honest LP swap arbitrage; the $193,660 figure is a bounded ceiling, not a measured drain. The $334M is the production TVL across the pools the bypass would have applied to had Curve deployed without the patch.
Curve's FXSwap branch introduced a donation mechanism: external donors could top up the pool, and a built-in donation-protection window would prevent new liquidity providers from immediately claiming a pro-rata share of that donation. The protection scales with the size of each new deposit — bigger add, longer extension.
Three properties of that design, each individually harmless:

1. The extension of the protection window is computed with integer division, so a deposit below a fixed size threshold rounds down to zero extension.
2. Liquidity can be added in any number of separate calls; nothing requires a depositor to add a position in one transaction, and LP tokens are minted for each call.
3. The extension is accounted per call. Each deposit is evaluated on its own, and the rounding remainder of one call is not carried into the next.
The exploit chained these together. An attacker breaks one large deposit into many sub-threshold chunks, each one flooring to zero protection time. The pool happily mints them all the LP tokens, never extends the protection window, and the attacker can then claim a pro-rata share of the external donation — exactly the value the protection mechanism was designed to lock away.
It is the textbook composition bug: integer-division flooring is well-known; chunked deposits are well-known; per-call accounting is well-known. The combination is the bug. None of the three properties, on its own, would warrant a finding from a careful reviewer — they would all read as ordinary code. The bypass only surfaces when something drives all three through their full interaction space together.
Curve is one of the most heavily reviewed protocols in DeFi. Over the years it has published audits from six independent firms and built one of the strongest internal test cultures in the industry. Curve was an early adopter of property-based fuzz testing; Michael Egorov personally funded development of the Vyper compiler, a technically independent project to which many Curve developers have contributed over the years and which is designed to make secure smart-contract code easier to write; and the team maintains a stateful invariant suite directly inside its repo, the kind you rarely see in production DeFi.
The donation-protection bypass is the kind of finding that lives in the seams between review surfaces. In isolation, each of the three properties is a routine pattern that a careful reviewer would read past as ordinary code; the vulnerability exists only in their interaction. Driving all three through that interaction space at once is exhaustive-search work, and that is precisely what a frontier-model AI auditor, paired with deterministic verification gates and a real test harness, is built to do at scale.
Firepan's deep-audit pipeline was triggered on April 10, 2026. It begins by reading the source and building a knowledge graph of every contract, function, storage slot, and authorization edge — generating a diagram like the one pictured above. Audit agents then propose hypothetical attack vectors against the graph and prosecute each one against the live test suite, surfacing only those that survive deterministic verification.
Firepan privately disclosed the donation-protection bypass to the Curve engineering team on 2026-04-27, the same day it surfaced. The Curve team independently affirmed the mechanism the next day. Curve shipped a fix in the following commit revision — a per-call remainder accumulator that prevents the sub-threshold flooring — before the FXSwap branch was deployed to production. Firepan's final report draft, delivered on 2026-05-26, confirmed the fix against the patched source, including under ramp-and-thaw stress conditions.
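To make the bypass described above and the remainder-accumulator fix concrete, here is a toy model of a pool with a deposit-scaled protection window. This is an added example, not Curve's twocrypto-ng code: the extension formula (deposit * EXT_SECONDS // EXT_UNIT), every constant, the rule that the donation becomes redeemable only once the window has lapsed, and the Pool API are all assumptions chosen to isolate the three properties (integer-division flooring, chunked deposits, per-call accounting). The real pool's parameters and release schedule differ.

```python
"""Toy model of a donation-protection window and the chunked-deposit bypass.

Added example, not Curve's twocrypto-ng code. The extension formula, the
constants, the "donation redeemable only after protected_until" rule and the
Pool API are assumptions chosen to illustrate the three properties in the
text and the per-call remainder accumulator that closes the bypass.
"""
from dataclasses import dataclass

WAD = 10**18
EXT_UNIT = 1_000 * WAD   # assumed: every 1000 tokens of new liquidity ...
EXT_SECONDS = 600        # ... extends the protection window by 600 seconds
# Smallest single deposit that earns a non-zero extension: ceil(EXT_UNIT / EXT_SECONDS).
ZERO_EXT_THRESHOLD = -(-EXT_UNIT // EXT_SECONDS)


@dataclass
class Pool:
    reserves: int             # LP-owned value; LP tokens redeem against this
    lp_supply: int
    donation: int = 0         # donated value, redeemable only once protected_until has passed
    protected_until: int = 0
    fixed: bool = False       # False: per-call flooring (bypassable); True: remainder accumulator
    carry: int = 0            # sub-unit remainder carried between calls (patched mode only)

    def extension_for(self, deposit: int) -> int:
        """Seconds of protection earned by one deposit call."""
        if not self.fixed:
            # Properties 1 and 3: integer division, evaluated per call with no memory.
            # Any deposit below ZERO_EXT_THRESHOLD floors to zero.
            return deposit * EXT_SECONDS // EXT_UNIT
        # Patched: carry the remainder so that k chunks earn the same total as
        # one deposit k times the size (up to a single final flooring).
        self.carry += deposit * EXT_SECONDS
        ext, self.carry = divmod(self.carry, EXT_UNIT)
        return ext

    def donate(self, amount: int) -> None:
        """External donor tops up the pool; the donation is not yet part of LP redemptions."""
        self.donation += amount

    def add_liquidity(self, amount: int, now: int) -> int:
        """Mint LP pro rata against LP-owned reserves and extend the protection window."""
        minted = amount * self.lp_supply // self.reserves
        self.reserves += amount
        self.lp_supply += minted
        self.protected_until = max(self.protected_until, now) + self.extension_for(amount)
        return minted

    def remove_liquidity(self, lp: int, now: int) -> int:
        """Burn LP; the donation joins the redeemable value only once the window has lapsed."""
        out = lp * self.reserves // self.lp_supply
        self.reserves -= out
        if now >= self.protected_until:
            share = lp * self.donation // self.lp_supply
            self.donation -= share
            out += share
        self.lp_supply -= lp
        return out


def run_scenario(fixed: bool, chunks: int, now: int = 1_700_000_000) -> dict:
    """Attacker adds 10,000 tokens in `chunks` equal pieces and exits in the same block.

    Constructed inputs: a 100,000-token pool, a 1,000-token donation, a 10,000-token attacker.
    Returns the total window extension the deposits earned and the attacker's net gain.
    """
    pool = Pool(reserves=100_000 * WAD, lp_supply=100_000 * WAD, fixed=fixed)
    pool.donate(1_000 * WAD)
    total = 10_000 * WAD
    per_chunk = total // chunks
    minted = sum(pool.add_liquidity(per_chunk, now) for _ in range(chunks))
    extension = pool.protected_until - now
    received = pool.remove_liquidity(minted, now)
    return {"extension_seconds": extension, "attacker_profit": received - total}


if __name__ == "__main__":
    for fixed in (False, True):
        for chunks in (1, 10_000):
            r = run_scenario(fixed, chunks)
            print(f"fixed={fixed!s:5} chunks={chunks:>6}  extension={r['extension_seconds']:>5}s  "
                  f"profit={r['attacker_profit'] / WAD:.3f} tokens")
```

With these assumed constants a single 10,000-token deposit extends the window by 6,000 seconds and the depositor cannot touch the donation in the same block. Split into 10,000 one-token chunks, each chunk floors to zero, the window never moves, and the same capital exits immediately with a pro-rata slice of the donation. In patched mode the carried remainder restores the full 6,000-second extension regardless of how the deposit is split, which is the property a fix of this shape should be tested for under fuzzed chunk sizes.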
Michael Egorov is one of DeFi's most respected technical founders. He founded both Curve Finance and Yield Basis and is a major advocate of Vyper. He had been notably cautious about the role of AI in smart-contract programming, but became a convert after watching Firepan surface novel composition bugs. He drew a parallel to the marketing claims for Mythos, under which AI identifies software bugs that eluded human reviewers.
That framing matters because of who he is. Firepan does not replace the six audit firms Curve already trusts; it does the work that complements them — the exhaustive composition search, the property-graph traversal, the deterministic PoC generation — at a depth and speed that is simply not feasible in a human-review-only model.
April 2026 was one of the worst months for DeFi exploits in cryptocurrency history, with a high-severity incident nearly every day. Among them was the Kelp DAO incident, which led DeFi founders to pass the hat to help secure the lending giant Aave. The industry is converging on a hard truth: AI-driven attacker tooling is real, and the defenders' side of that asymmetry needs to catch up.
The Kelp DAO bridge exploit drained $291M in rsETH and triggered a $6.2B withdrawal run on Aave inside 48 hours. April 2026 alone produced multiple nine-figure incidents. A single Firepan engagement is a small fraction of the operational cost of one such incident — and the audit fires at every code revision, against the threat landscape as it stands when it fires.
Curve caught the bug on FXSwap's $334M surface before deployment. Most of the protocols in April's incident pile had no such protection.
That convergence is now mainstream. Manuel Aráoz — co-founder and former CTO of OpenZeppelin (he departed the firm in 2019; OpenZeppelin has separately distanced itself from his statement) and a respected voice in smart-contract security in his own right — publicly stated his updated position the day before this case study was written:
The donation-protection bypass is a small story in dollar terms — the pre-rollout exposure was bounded and the fix shipped before deployment. But it is a meaningful story in kind. It is exactly the class of bug that human-only audits, however well-resourced, can miss in the seams. And it is exactly the class of bug that an AI auditor paired with real verification infrastructure is built to find.
Curve's posture on security — six audit firms, custom-funded compiler, stateful invariant suite, an AI engagement before traditional audit — is the posture that makes finding these bugs possible. Most DeFi protocols have nothing like it. As of this writing, that gap is the asymmetry Aráoz is talking about.
Curve's deployed contracts are immutable — that is part of what makes them trustable. The flip side is that the threat model around those contracts is not. New exploit patterns emerge constantly: novel MEV shapes, freshly-documented compiler edge cases, attack research from elsewhere in DeFi that turns out to apply to Curve's surfaces. A one-shot audit reviews the contract as the threat landscape looked the day of the review, then walks away.
That is what continuous AI audit changes. Once Firepan has built the knowledge graph of a protocol and the verification harness around it, re-running coverage against new exploit classes as they emerge is a tractable, recurring operation rather than a fresh engagement each time. Immutable contracts get continuously hardened review against an evolving threat model — the same model an attacker is working from. For protocols like Curve, that is the shape of coverage worth maintaining.
The full technical report is published alongside this case study at firepan.com/reports/curve-twocrypto-ng-v2-review/ (FP-AUDT-2026-0001 V2.0). The donation-protection bypass is documented there as F-7, with the d737d45 fix and Firepan's re-verification trace.
Connect your repo. Firepan's AI agents build the knowledge graph, prosecute attack vectors against deterministic verification gates, and surface composition bugs human auditors miss. Same engine that found the F-7 bypass before it went live on Curve.