Yes, Curve smart contracts were audited by Trail of Bits but it’s worth noting that audits don’t eliminate risks entirely.
Trail of bits, Quantstamp and mixBytes have all audited the DAO contracts.
Admin keys allow the Curve team to pause the contract in an emergency for the first two months.
Smart contracts cannot be upgraded with the admin key. This limits actions in a case of emergency but leaves users fully in control of their funds.
Curve will be transitioning to a DAO to be fully decentralized with the help of the CRV token.
Due to the liquidity pool mechanism, if one of the coin in a pool were to significantly lose its peg, the liquidity providers would hold almost all of their liquidity in that currency.