Is it possible that at least one of them had an exploit in them?
Making all of the transactions/addresses sent during that period vulnerable to attack?
Hi,
To answer the question in the title : since 0.10 (maybe before?), bitcoin-core uses its own implementation of secp256k1 :
https://github.com/bitcoin/bitcoin/tree/v0.10.0/src/secp256k1 .
To answer the question in the post :
Is it possible that at least one of them had an exploit in them?
It is indeed possible but I think we would have heard about it, and I think core devs read the code they use for something as touchy as Bitcoin network.
Making all of the transactions/addresses sent during that period vulnerable to attack?
How ?
EDIT : To complete the answer here is the first commit of the secp256k1 library used by bitcoin-core
https://github.com/bitcoin-core/secp256k1/commit/2e4ca460721c96a560be70f86a0f9bd9f71cf699 .