Yes, Curve smart contracts were audited by Trail of Bits but it’s worth noting that audits don’t eliminate risks entirely.
Trail of bits, Quantstamp and mixBytes have all audited the DAO contracts.
Security audits don’t eliminate risks completely so it’s still possible a vulnerability could be found in Curve smart contracts. High returns never come without risks.
On top of the Curve smart contracts themselves, whenever you join a pool, you’re also accepting systemic risks from the coins in the pool. For example, if you do not want to have exposure to USDT, then you cannot join a pool that has it.
Curve uses smart contracts from lending protocols on top of its own which means risk is stacked (for y and c pools only). It’s important to choose a pool that matches your risk tolerance.
On top of its audit, curve pools have now held several millions for nearly six months and it goes without saying that hackers would have already unsuccessfully tried numerous times to steal those funds.
Curve DAO smart contracts were audited by Trail of Bits, MixedBytes and Quantstamp.
Admin keys allow the Curve team to pause the contract in an emergency for the first two months.
Smart contracts cannot be upgraded with the admin key. This limits actions in a case of emergency but leaves users fully in control of their funds.
Most all Curve governance is operated by the DAO, decentralized with the help of the CRV token.
Due to the liquidity pool mechanism, if one of the coin in a pool were to significantly lose its peg, the liquidity providers would hold almost all of their liquidity in that currency.