Convex Finance
Curve-ecosystem yield and vote aggregator. Users deposit Curve LP tokens; Convex stakes them in Curve gauges and socialises boosted CRV yield. Key surfaces: Booster (deposit routing), cvxCRV (liquid-staked CRV), vlCVX (16-week vote-locked CVX directing Convex's pooled veCRV gauge weight allocation). Extension markets for Frax (cvxFXS/vlCVX), Prisma, and f(x) Protocol.
Deployments
Arbitrum · —
01 Risk profile at a glance
0 red · 5 yellow · 7 green
02 Categories & evidence
184 factors · 13 categories
Code & audits · Yellow · 24 · 25 of 25
RD-F-007 red Bug bounty presence & max payout No standing Immunefi or equivalent bug bounty program found for Convex Finance. The data cache confirms bug_bounty.platform: null. Immunefi served as the disclosure intermediary for the 2021 OpenZeppelin vulnerability, but no formal program was ever registered. The vlCVX v1 bug bounty was paid ad hoc from treasury with no formal program. No Convex listing found on Immunefi as of 2026-05-16.
RD-F-009 red Formal verification coverage No formal verification found in any Convex repository: no Certora prover specs, Kani or Halmos proofs published, and no FV engagement in the audit list. At $613M TVL for a 5-year-old yield aggregator, the absence of formal verification is a notable gap. By TVL band alone ($613M, below $1B) this would be yellow; the automatic red in the assessment guidance is specified for LSTs. However, the total absence of any FV effort together with no declared critical invariants meets the red threshold (0% coverage).
RD-F-001 yellow Audit scope mismatch MixBytes (2021-04) audited the original platform pre-launch. The patch for the OZ-disclosed vulnerability (commit 0b52856, Dec 2021) added the PoolManagerV2/V3 guard layer. CvxLockerV2 (deployed March 2022) and the 2024 treasury lending module have no identified public audit. The core Booster (0xF403C1) is non-upgradeable and Etherscan-verified with an exact match, so its code cannot drift post-audit, but wrapper contracts added after the MixBytes scope lack audit coverage. No single commit SHA is pinned in the accessible audit entries.
RD-F-002 yellow Audit recency The most recent audit is ChainSecurity (2023-04), approximately 37 months before the assessment date (2026-05-16), exceeding the 365-day green threshold. The core non-upgradeable contracts (Booster, VoterProxy) are unchanged since the 2021 audit, which partially mitigates recency risk. The 2024 treasury lending module appears unaudited.
RD-F-005 yellow Audit firm tier Audit firms engaged: MixBytes (Tier-2 established firm), PeckShield (Tier-2), Nomoi (boutique), ChainSecurity (Tier-2). No Tier-1 firm (Trail of Bits, OpenZeppelin, ConsenSys Diligence, Certora, Sigma Prime, Spearbit, Zellic) has published a PDF audit of Convex. OpenZeppelin performed an informal review in 2021 but published no formal report. Yellow: Tier-2 only, no Tier-1 public audit.
RD-F-010 yellow Static-analyzer high-severity count No published Slither/Mythril output found. Source inspection reveals: (1) BaseRewardPool has no nonReentrant on getReward(), which calls external reward token contracts; (2) Booster earmarkRewards() makes external calls (gauge CRV claim, token transfers) before all of its state updates complete; (3) ExtraRewardStashV3 initialize() lacks the OZ initializer modifier. These patterns would likely surface as medium-to-high Slither detectors. No tool run was performed; confidence is low.
RD-F-014 yellow Reentrancy guard on external-calling functions CvxLockerV2 has nonReentrant on lock(), processExpiredLocks(), kickExpiredLocks() and getReward(). However, the mainnet Booster (0xF403C1, Solidity 0.6.12) has no nonReentrant guards on deposit(), withdraw() or earmarkRewards() despite performing external calls, and BaseRewardPool.sol has none on stake()/withdraw()/getReward(). The sidechain Booster (0.8.10) does have nonReentrant guards. The absence of guards on the primary $613M TVL contract is a notable gap, mitigated by the fact that CRV, CVX and the Curve LP tokens are plain ERC-20s with no transfer hooks. That mitigation holds only as long as no callback-capable token enters the reward path (ExtraRewardStashV3 handles arbitrary reward tokens), so new reward-token additions should be reviewed against it.
RD-F-016 yellow Divide-before-multiply pattern The CVX token (Cvx.sol) uses a cliff-based emission formula involving division. Source inspection suggests a potential divide-before-multiply in the cliff reduction calculation; no Slither run was performed to confirm, so a conservative yellow is assigned pending a tool run. SafeMath (used throughout the 0.6.12 code) only guards overflow and underflow; it does nothing about precision loss from operation ordering, so the ordering question has to be settled by reading the formula itself. When the tool is run, distinguish the intentional integer division that derives the cliff index (a floor, not a precision bug) from any scaling step that divides before it multiplies; only the latter is a finding.
RD-F-022 yellow Public initialize() without initializer modifier ExtraRewardStashV3.initialize() uses require(gauge == address(0), '!init') rather than the OZ initializer modifier. The implementation contract starts with gauge == address(0), so anyone can initialize the implementation itself; this is a known proxy-clone pattern risk. In practice the implementation holds no user TVL (value sits in the clones created by StashFactoryV2), so exploiting it cannot drain user funds directly. No _disableInitializers() equivalent exists (OZ 3.4.0 predates that pattern). The pattern deviates from the OZ standard, but a functional guard exists on the clones.
RD-F-023 yellow Constructor calls _disableInitializers() The ExtraRewardStashV3 constructor only sets tokenWrapperImplementation and provides no initialization lock. All mainnet contracts use Solidity 0.6.12 with OZ 3.4.0, which predates the _disableInitializers() pattern (OZ 4.x, Solidity 0.8.x). For non-proxy contracts (Booster, VoterProxy) this factor is N/A by construction (they use constructors directly). The gap is specific to the ExtraRewardStashV3 implementation used in the clone pattern.
RD-F-024 yellow Code complexity vs audit coverage The Convex platform repo has 100+ Solidity files. The 7 audits cover different scope slices: MixBytes (original core), PeckShield (Frax, OhmSync, sidechain), Nomoi (cvxCRV wrapper, sidechain), ChainSecurity (Silo wrapper). The 2024 treasury lending module commits (treasury lend test and fixes, June 2024) appear unaudited. No audit-day count is accessible from the binary PDFs. Fragmented coverage across 7 narrow scopes rather than comprehensive reviews suggests code complexity may exceed effective audit coverage for newer additions.
RD-F-017 gray Mixed-decimals math without explicit scaling ExtraRewardStashV3 handles arbitrary ERC-20 reward tokens that may have non-18 decimals. Without a full Slither run on the complete source tree, cross-decimal arithmetic paths cannot be authoritatively assessed. Core tokens (CRV, CVX, LP) are all 18 decimals, so the primary deposit/reward path has no mixed-decimal issue. Gray pending a tool run on the wrapper contracts.
RD-F-020 n/a EIP-712 domain separator missing chainId Convex Finance core contracts do not use EIP-712 signed messages. The Booster, VoterProxy, CvxLockerV2 and BaseRewardPool operate without signed-message flows; no domain separator was found in source inspection. Not applicable to this protocol's architecture.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned All core Convex contracts (Booster, VoterProxy, CVX token, CvxLockerV2, BaseRewardPool) are non-upgradeable; Profile §3 lists every deployment with proxy: false. There is no UUPS or transparent proxy pattern to assess. BoosterOwner is an admin controller, not a proxy implementation.
RD-F-183 n/a Bug bounty scope gap on highest-TVL contracts F183 measures the bug bounty scope gap on the highest-TVL contracts within an existing bounty program. Convex has no active bug bounty program (red on F007), so there is no scope to have a gap in; the more fundamental absence is captured by F007. Not applicable by construction.
RD-F-003 green Resolved-without-proof findings OZ-disclosed critical vulnerability (Dec 2021, affecting PoolManagerV2/Booster/VoterProxy) was patched via commit 0b52856 before any exploitation. The fix is verifiable on-chain: BoosterOwner now controls Booster admin rights, and PoolManagerV2/V3 were added with LP/gauge validation guards. No evidence found of audit findings marked resolved without corresponding verifiable code change. Audit PDFs not parseable (binary), so low confidence on full finding-resolution trace.
RD-F-004 green Audit count 4 distinct audit firms with public PDFs: MixBytes (original platform 2021), PeckShield (Frax 2022, OhmSync wrapper 2022, sidechain 2022), Nomoi (cvxCRV wrapper 2023, sidechain 2023), ChainSecurity (Silo wrapper 2023). OpenZeppelin conducted informal security review 2021 (no public PDF). Green threshold is 2 distinct firms; Convex exceeds this.
RD-F-006 green Audit-to-deploy gap MixBytes audit completed April 2021; Booster deployed May 17, 2021. Gap approximately 30-47 days, within the 60-day green threshold. Frax platform (PeckShield Apr 2022) and wrapper audits have comparable gaps based on available deploy timestamp evidence.
RD-F-008 green Ignored bounty disclosure No evidence of a disclosed vulnerability that was reported and ignored before exploitation. The 2021 OZ disclosure was acted on within days (patched 2021-12-14, zero exploitation). The 2022 vlCVX v1 bug was disclosed by Popcorn team, Convex redeployed v2 before any exploitation. Both cases show prompt response to disclosures.
RD-F-011 green SELFDESTRUCT reachable from non-admin path Source inspection of all major Convex contracts (Booster, VoterProxy, CVX token, CvxLockerV2, BaseRewardPool, ExtraRewardStashV3, BoosterOwner) found no SELFDESTRUCT opcode. Solidity 0.6.12 contracts confirmed via Etherscan source. VoterProxy source explicitly inspected and confirmed no selfdestruct.
RD-F-012 green delegatecall with user-controlled target No user-controlled delegatecall found in Convex core contracts. VoterProxy has execute() for Curve interactions but it is Booster-operator-only (not user-callable). BoosterOwner has execute() restricted to owner. ExtraRewardStashV3, ClaimZap, and BaseRewardPool have no delegatecall. Source inspection of all major contracts confirmed.
RD-F-013 green Arbitrary call with user-controlled target No user-controlled arbitrary call target found. ClaimZap makes calls only to hardcoded addresses. BoosterOwner.execute() is owner-only. VoterProxy.execute() is Booster-operator-only. No path found where a user can supply an arbitrary call target in any Convex core contract.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Convex core deposit/reward path uses CRV, CVX, and Curve LP tokens — all standard ERC-20 without callbacks. No ERC-777 tokensReceived, ERC-1155 onReceived, or ERC-721 onReceived integrations found in Booster or BaseRewardPool. ExtraRewardStashV3 handles arbitrary ERC-20 reward tokens but does not hook into ERC-777 callback patterns.
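The claim-path reentrancy question raised in RD-F-010, RD-F-014 and RD-F-015, as one runnable model. This is an added example, not BaseRewardPool or any Convex code: a toy reward pool whose claim either zeroes the owed balance before the external transfer (checks-effects-interactions) or after it, optionally behind a nonReentrant-style mutex, paying out through either a hook-free ERC-20 stand-in or a token that calls back into the recipient on transfer (the ERC-777-style hook is modelled as a Python callback). The pool, attacker and amounts are constructed. The point it makes is the one the factors rely on: with no guard, safety rests on CEI ordering and on the reward token having no hooks.

```python
# Added example (not BaseRewardPool or any Convex code): a toy reward pool
# claim with and without checks-effects-interactions, plus a reward token
# that calls back into the recipient on transfer (ERC-777-style hook,
# modelled as a plain Python callback). Names and amounts are constructed.


class PlainToken:
    """ERC-20-like token: balance bookkeeping only, no transfer hooks."""

    def __init__(self, holder, amount):
        self.balances = {holder: amount}
        self.hooks = {}  # present for a uniform interface; never invoked here

    def transfer(self, sender, to, amount):
        assert self.balances.get(sender, 0) >= amount, "insufficient balance"
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class HookedToken(PlainToken):
    """Token that runs the recipient's registered hook after crediting it,
    the way an ERC-777 tokensReceived hook hands control back to the receiver."""

    def transfer(self, sender, to, amount):
        super().transfer(sender, to, amount)
        hook = self.hooks.get(to)
        if hook is not None:
            hook()


class RewardPool:
    """Minimal claim function. `cei` selects effects-before-interaction;
    `guard` adds a nonReentrant-style mutex."""

    def __init__(self, token, cei, guard):
        self.token = token
        self.cei = cei
        self.guard = guard
        self.rewards = {}
        self._entered = False

    def notify(self, user, amount):
        self.rewards[user] = self.rewards.get(user, 0) + amount

    def get_reward(self, user):
        if self.guard:
            assert not self._entered, "ReentrancyGuard: reentrant call"
            self._entered = True
        try:
            owed = self.rewards.get(user, 0)
            if owed == 0:
                return 0
            if self.cei:
                self.rewards[user] = 0                   # effect first
                self.token.transfer("pool", user, owed)  # then interaction
            else:
                self.token.transfer("pool", user, owed)  # interaction first...
                self.rewards[user] = 0                   # ...effect after: reentrant window
            return owed
        finally:
            self._entered = False


def attacker_hook(pool, token, attacker, max_depth=10):
    """Build a hook that re-enters get_reward() while the pool still records
    the reward as owed and still has the funds to pay it."""
    depth = {"n": 0}

    def hook():
        depth["n"] += 1
        owed = pool.rewards.get(attacker, 0)
        if depth["n"] < max_depth and owed and token.balances["pool"] >= owed:
            pool.get_reward(attacker)

    return hook


def run_scenario(cei, guard, hooked, pool_funds=1000, owed=100):
    """Return (amount the attacker ends up with, whether the claim reverted).
    A reverted claim pays nothing, so it is reported as (0, True)."""
    attacker = "attacker"
    token = (HookedToken if hooked else PlainToken)("pool", pool_funds)
    pool = RewardPool(token, cei=cei, guard=guard)
    pool.notify(attacker, owed)
    token.hooks[attacker] = attacker_hook(pool, token, attacker)
    try:
        pool.get_reward(attacker)
    except AssertionError:
        return 0, True
    return token.balances.get(attacker, 0), False


if __name__ == "__main__":
    print("no CEI, no guard, hooked token :", run_scenario(cei=False, guard=False, hooked=True))   # (1000, False)
    print("CEI, no guard, hooked token    :", run_scenario(cei=True, guard=False, hooked=True))    # (100, False)
    print("no CEI, guard, hooked token    :", run_scenario(cei=False, guard=True, hooked=True))    # (0, True)
    print("no CEI, no guard, plain ERC-20 :", run_scenario(cei=False, guard=False, hooked=False))  # (100, False)
```

The four scenarios give (1000, False), (100, False), (0, True) and (100, False): the unguarded, effects-after-interaction pool loses its whole 1000-token balance to a 100-token claim once the token can call back; CEI ordering or a guard stops that; and a hookless token never re-enters whatever the ordering, which is why RD-F-014 rates the mainnet Booster's missing guards as mitigated rather than exploitable, and why the mitigation is only as good as the set of tokens allowed into the reward path.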
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.6.12 contracts use SafeMath throughout (imported and applied to all arithmetic). SafeMath prevents overflow/underflow but does not prevent all signed/unsigned confusion. However, the contracts use exclusively uint256 for all financial calculations — no signed int conversions found in source inspection of Booster, CvxLockerV2, BaseRewardPool. Low confidence without symbolic execution.
RD-F-019 green ecrecover zero-address return unchecked CvxLockerV2 source and Booster confirmed to have no ecrecover calls. Convex does not implement EIP-2612 permit-style signatures in its core contracts. No ecrecover usage found across all inspected contracts (Booster, VoterProxy, CvxLockerV2, BaseRewardPool, ExtraRewardStashV3).
Governance & admin · Green · 14 · 24 of 24
RD-F-028 yellow Low-threshold multisig vs TVL 3-of-5 Gnosis Safe at $613M TVL. The threshold is within the cohort norm for this TVL range (3/5 to 5/9 is typical for $500M-$1B protocols). Two risk amplifiers apply: (1) all 5 signers are anonymous/pseudonymous with no public identity attestations, so effective trust is 3 of 5 unknown individuals; (2) there is no general timelock backstop on routine admin calls, so a 3-signer compromise has immediate effect on fee rates, pool management and vote delegation. Not abnormally low by count, but amplified by anonymity.
RD-F-032 yellow Timelock duration on upgrades No general OZ TimelockController exists. BoosterOwner has a bespoke 30-day (2,592,000-second) delay only on the forceShutdown emergency path (queueForceShutdown -> forceShutdownSystem). Routine admin calls (fee changes, pool management, stash factory, vote delegation, pool shutdowns) execute immediately on a 3-of-5 multisig signature with no delay. Effective timelock: 0 hours for routine operations; 720 hours (30 days) for forceShutdown only.
RD-F-033 yellow Timelock on sensitive actions Timelock presence per sensitive action: mint = N/A (operator-only, not admin); pause/shutdownPool = no timelock (immediate multisig); rescue = N/A (no rescue function); setOracle = N/A (no oracle in core path); upgrade = N/A (immutable contracts); setFees = no timelock; setVoteDelegate = no timelock; forceShutdown = yes, 30-day timelock via BoosterOwner. The majority of admin-callable sensitive actions have no timelock.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader Contracts are immutable, so no upgrader role exists. Pause/shutdown functions (shutdownSystem and shutdownPool on Booster; shutdown on CvxLockerV2) are callable by the admin multisig with no separate guardian role. The feeManager is a distinct role from the main owner, providing partial separation. No dedicated guardian address with a key distinct from the admin's was found.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Immutable contracts: no upgrader role. Fee management: setFeeManager on Booster is callable by the owner (multisig); the feeManager can then call setFees and setTreasury. Pool management: poolManager is a distinct configurable address. Vote delegation: voteDelegate is a configurable address set by the owner. Partial separation exists (poolManager is distinct), but feeManager is multisig-delegated and voteDelegate is controlled by the same multisig owner; not a clean three-way separation.
RD-F-038 yellow Proposal execution delay < 24h No formal execution delay is enforced for routine admin operations. Time from Snapshot vote conclusion to on-chain execution depends on the multisig and can range from hours to days; no minimum delay is enforced programmatically. BoosterOwner forceShutdown has a 30-day delay, but that covers the emergency path only. Routine admin actions (fee changes, pool management) can execute with no delay once 3 of 5 signers sign.
RD-F-040 yellow Emergency-veto multisig present No distinct emergency-veto multisig exists. The main 3-of-5 multisig serves all functions including emergency shutdown. BoosterOwner provides the forceShutdown path but is owned by the same multisig. No separate veto address with independent key control was found in docs or on-chain.
RD-F-029 gray Multisig signers co-hosted All 5 multisig signer addresses are pseudonymous; no ASN, data-center or custodian information is publicly attested. One address (0xAdE9e51C9E23d64E538A7A38656B78aB6Bcc349e) appears in both the Ethereum and Arbitrum signer sets, so the same key is reused across chains. Co-hosting risk cannot be ruled out or confirmed from public sources. [?]
RD-F-030 gray Hot-wallet signer flag Cannot assess hot-wallet vs hardware-wallet signing without on-chain heuristics or public attestation. All signers are pseudonymous and no hardware-wallet signing attestation has been published. Hot-wallet signers can be neither confirmed nor ruled out from public sources. [?]
RD-F-031 gray Signer rotation recency Signer rotation history is not assessable from public sources without the Safe transaction history or on-chain event logs. No recent threshold reduction or new-signer addition events were found in the available data; the known signer set appears stable. No negative directional signal, but no positive confirmation either. [?]
RD-F-037 n/a Quorum achievable via single-entity flash loan Not applicable. vlCVX voting is not flash-loanable (see RD-F-036: 16-week lock plus epoch checkpointing), so no quorum threshold could be met by a flash loan within a single transaction. Snapshot proposals have no quorum parameter subject to flash-loan attack.
RD-F-044 gray Admin wallet interacts with flagged addresses The 5 multisig signer addresses are pseudonymous. No Chainalysis or OFAC flagging data is available from public sources for these addresses, so interaction with flagged addresses can be neither confirmed nor ruled out. [?] Curator review recommended.
RD-F-045 gray Constructor args match governance proposal Contracts are immutable and non-upgradeable; no proxy-deployment governance proposals exist to cross-check. The MixBytes 2021 audit covered the pre-launch contracts, but no constructor-argument attestation artifact is public, and no deployment governance proposal artifacts are available. [?]
RD-F-047 gray Governance token concentration (Gini) vlCVX governance-power concentration was not quantitatively assessed (Dune Analytics not accessible). Historical context from the Curve Wars (2021-2022) indicates significant vlCVX concentration by Frax, Yearn, StakeDAO and other protocols. CVX total supply is ~97.5M, near the cap. Qualitatively, governance is likely concentrated among a few large holders, but no Gini coefficient is available. [?]
RD-F-025 green Admin key custody type Admin key custody type is multisig. Ethereum: 3-of-5 Gnosis Safe (0xa3C5A1e09150B75ff251c1a7815A07182c3de2FB). Arbitrum: 3-of-5 Gnosis Safe (0x6111ABF720051309012FcdBc2910054E41dcFF8c). BoosterOwner is a bespoke single-purpose controller owned by the multisig -- not a separate custody layer. No EOA admin, no full DAO+timelock, not immutable.
RD-F-026 green Upgrade multisig signer configuration (M/N) Ethereum multisig: 3-of-5 (required=3, total=5). Arbitrum multisig: 3-of-5 (required=3, total=5). Ethereum signers: 0xBd0a74e51729a4D0B92742e67183C4cBc97bCA92, 0xf7Bd34Dd44B92fB2f9C3D2e31aAAd06570a853A6, 0xAdE9e51C9E23d64E538A7A38656B78aB6Bcc349e, 0xAAc0aa431c237C2C0B5f041c8e59B3f1a43aC78F, 0x4D1b56274C01481C0312fCa332016d83512BEEe3. All pseudonymous -- no public identity attestations.
RD-F-027 green Single admin EOA Admin is a 3-of-5 Gnosis Safe (0xa3C5A1e09150B75ff251c1a7815A07182c3de2FB), not a single EOA. BoosterOwner (0x3cE6408F923326f81A7D7929952947748180f1E6) is owned by this multisig. Deployer EOA (0x947B7742C403f20e5FaCcDAc5E092C943E7D0277) does not hold current admin roles on core contracts. No single-EOA admin path exists for any material protocol function.
RD-F-036 green Flash-loanable voting weight vlCVX (CvxLockerV2, 0x72a19342...) requires a 16-week time-lock to acquire voting weight. Contract uses epoch-based historical checkpointing: voting power is calculated from past epoch snapshots stored in the epochs[] array, not current token balance. Flash loans cannot accumulate historical locked positions within a single transaction block. Vote-escrow design prevents flash-loan governance attacks by construction.
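RD-F-036 and RD-F-037 rest on one mechanism: voting weight is read from a per-epoch checkpoint that a lock created in the current epoch cannot affect, and locked tokens cannot be pulled back in the same transaction. The model below is an added example, not CvxLockerV2 code. It assumes a one-week epoch, a 16-epoch lock that begins counting at the next epoch boundary, and no same-block unlock; the real contract's epoch length, lock-duration arithmetic and rounding are not reproduced, and the user names and amounts are constructed.

```python
# Added example (not CvxLockerV2 code): a simplified model of an
# epoch-checkpointed vote lock. Assumptions: one epoch is a week, a lock
# created in epoch e counts from epoch e+1 for LOCK_EPOCHS epochs, voting
# weight is always read from the per-epoch checkpoint, and there is no
# same-block unlock. Real epoch length, lock duration and rounding differ.

from dataclasses import dataclass, field

EPOCH = 7 * 24 * 3600   # assumed epoch length in seconds
LOCK_EPOCHS = 16        # 16-week lock, per the factor text


def epoch_of(ts):
    return ts // EPOCH


@dataclass
class Lock:
    amount: int
    start_epoch: int   # first epoch in which the lock has weight
    end_epoch: int     # first epoch in which it no longer has weight


@dataclass
class Locker:
    locks: dict = field(default_factory=dict)           # user -> [Lock]
    total_by_epoch: dict = field(default_factory=dict)  # epoch -> total locked weight

    def lock(self, user, amount, now):
        """Lock `amount` at time `now`; weight begins at the next epoch boundary."""
        e = epoch_of(now)
        new = Lock(amount, e + 1, e + 1 + LOCK_EPOCHS)
        self.locks.setdefault(user, []).append(new)
        for ep in range(new.start_epoch, new.end_epoch):
            self.total_by_epoch[ep] = self.total_by_epoch.get(ep, 0) + amount

    def balance_at_epoch(self, user, ep):
        """Checkpointed weight of `user` in epoch `ep`: the only source of voting power."""
        return sum(x.amount for x in self.locks.get(user, [])
                   if x.start_epoch <= ep < x.end_epoch)

    def voting_weight(self, user, now):
        """Weight usable in a vote held at `now`: the current epoch's checkpoint,
        which a lock created during this epoch cannot influence."""
        return self.balance_at_epoch(user, epoch_of(now))

    def process_expired_locks(self, user, now):
        """Release locks whose end epoch has been reached; returns the amount unlocked."""
        e = epoch_of(now)
        mine = self.locks.get(user, [])
        expired = [x for x in mine if x.end_epoch <= e]
        self.locks[user] = [x for x in mine if x.end_epoch > e]
        return sum(x.amount for x in expired)


def flash_loan_vote_attempt(locker, attacker, borrowed, now):
    """Borrow, lock and vote within one transaction. Returns (weight the vote
    sees, amount recoverable in the same transaction to repay the loan)."""
    locker.lock(attacker, borrowed, now)
    weight = locker.voting_weight(attacker, now)
    repayable = locker.process_expired_locks(attacker, now)  # nothing has expired yet
    return weight, repayable


if __name__ == "__main__":
    lk = Locker()
    t0 = 10 * EPOCH + 100                                            # constructed timestamp
    print(flash_loan_vote_attempt(lk, "attacker", 1_000_000, t0))   # (0, 0)
    lk.lock("honest", 5_000, t0)
    print(lk.voting_weight("honest", t0 + EPOCH))                    # 5000
    print(lk.voting_weight("honest", t0 + 17 * EPOCH))               # 0
```

flash_loan_vote_attempt returns (0, 0): the borrowed tokens carry no weight in a vote held in the same epoch, and none of them can be released to repay the loan, so the attack fails by construction rather than by any quorum check. The honest lock made in epoch 10 first counts in epoch 11 and drops out at epoch 27, which is the checkpoint shape the factor text describes.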
RD-F-039 green delegatecall/call in proposal execution without allowlist No on-chain Governor with arbitrary delegatecall-based proposal execution exists. Snapshot outcomes are executed by the 3-of-5 Safe via standard multisig transactions (not delegatecall payloads). BoosterOwner.execute() uses .call{} (not delegatecall) and blocks calls to the Booster itself. VoterProxy.execute() uses standard .call{}. The execute() blocklist (not allowlist) is weaker but the absence of delegatecall removes the primary attack vector.
RD-F-041 green Rescue/emergencyWithdraw without timelock No rescue() or emergencyWithdraw() function exists on Booster or VoterProxy. CvxLockerV2 has recoverERC20() callable by owner (admin multisig) but explicitly restricted to tokens accidentally sent -- not user-deposited CVX (which cannot be transferred this way). Admin docs confirm multisig does not have direct access to user deposits. BoosterOwner forceShutdown path has 30-day delay and only enables orderly withdrawal mode, not fund extraction.
RD-F-042 green Admin has mint() with unlimited max CVX token mint() is callable only by the registered operator address; Cvx.sol resolves that operator from the VoterProxy (vecrvProxy), so the minter is the VoterProxy's current operator (the Booster), not the admin multisig. Max supply is hard-coded at 100M CVX (100*1000000*1e18). Current supply is approximately 97.5M (~97.5% of cap). The declining cliff-emission schedule is enforced on-chain; no admin path exists to override the cap or mint beyond it, and the admin multisig holds no mint authority. Caveat: the minter identity follows the VoterProxy's operator setting, so a change of that operator (an owner-only action on the VoterProxy, permitted only once the current operator is shut down) also changes who can mint within the cap.
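RD-F-016 flags a possible divide-before-multiply in the CVX cliff emission, and RD-F-042 relies on the hard cap holding. The model below is an added example, not Cvx.sol: it reproduces the shape of a cliff-reduced, hard-capped mint with SafeMath-style checked integer arithmetic. MAX_SUPPLY (100M * 1e18) comes from the factor text; TOTAL_CLIFFS = 1000 is an assumption made here for illustration and should be checked against the deployed Cvx.sol before being relied on.

```python
# Added example (not Cvx.sol): a cliff-reduced, hard-capped mint schedule with
# SafeMath-style checked uint256 arithmetic. MAX_SUPPLY is from the factor text;
# TOTAL_CLIFFS = 1000 is an assumption for illustration (check the deployed Cvx.sol).

U256_MAX = 2**256 - 1


def _mul(a, b):
    r = a * b
    assert r <= U256_MAX, "SafeMath: mul overflow"
    return r


def _sub(a, b):
    assert b <= a, "SafeMath: sub underflow"
    return a - b


def _div(a, b):
    assert b > 0, "SafeMath: div by zero"
    return a // b


MAX_SUPPLY = 100 * 1_000_000 * 10**18   # 100M CVX, 18 decimals (from the factor text)
TOTAL_CLIFFS = 1000                     # assumed
REDUCTION_PER_CLIFF = MAX_SUPPLY // TOTAL_CLIFFS


def mint_amount(total_supply, requested):
    """Amount actually minted for a `requested` mint at `total_supply`.
    Returns 0 once the cliff schedule is exhausted or the cap is reached."""
    cliff = _div(total_supply, REDUCTION_PER_CLIFF)   # integer cliff index: an intended floor
    if cliff >= TOTAL_CLIFFS:
        return 0
    reduction = _sub(TOTAL_CLIFFS, cliff)
    amount = _div(_mul(requested, reduction), TOTAL_CLIFFS)   # multiply first, then divide
    room = _sub(MAX_SUPPLY, total_supply)
    return min(amount, room)                                  # cap clamp


def mint_amount_divide_first(total_supply, requested):
    """Same schedule with the scaling order swapped: this is the divide-before-multiply
    variant a static analyzer flags, and it truncates small requests to zero."""
    cliff = _div(total_supply, REDUCTION_PER_CLIFF)
    if cliff >= TOTAL_CLIFFS:
        return 0
    reduction = _sub(TOTAL_CLIFFS, cliff)
    amount = _mul(_div(requested, TOTAL_CLIFFS), reduction)
    return min(amount, _sub(MAX_SUPPLY, total_supply))


def simulate(requests, start_supply=0):
    """Apply a sequence of mint requests; returns (final supply, list of minted amounts)."""
    supply = start_supply
    minted = []
    for req in requests:
        m = mint_amount(supply, req)
        supply += m
        minted.append(m)
    return supply, minted


if __name__ == "__main__":
    one = 10**18
    print(mint_amount(0, one))                       # 1000000000000000000 (no reduction yet)
    print(mint_amount(MAX_SUPPLY // 2, one))         # 500000000000000000 (cliff 500 of 1000)
    print(mint_amount(MAX_SUPPLY - 1, one))          # 1 (clamped to remaining room)
    print(mint_amount(MAX_SUPPLY, one))              # 0 (schedule exhausted)
    print(mint_amount(0, 999), mint_amount_divide_first(0, 999))   # 999 0
```

mint_amount divides once to obtain an integer cliff index (an intentional floor) and then multiplies before dividing when scaling the request, so the only precision loss is the intended cliff rounding; mint_amount_divide_first shows what the flagged ordering would cost (a 999 wei request mints nothing). The cap clamp is what RD-F-042 depends on: at MAX_SUPPLY - 1 a 1 CVX request mints exactly 1 wei, and at the cap the schedule returns 0 whatever is requested, regardless of who the operator is.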
RD-F-043 green Admin = deployer EOA after 7 days Deployer EOA (0x947B7742C403f20e5FaCcDAc5E092C943E7D0277) does not hold current admin roles on core protocol contracts. BoosterOwner is owned by the 3-of-5 multisig (0xa3C5A1e...). Protocol has been live 5 years (since May 2021); ownership was transferred to multisig structure at or shortly after launch. Recent deployer transactions route through the multisig (exec transaction pattern observed). Deployer is a historical artifact not a current admin.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts verified on Etherscan with exact-match source code: Booster (0xF403C1...), BoosterOwner (0x3cE640...), VoterProxy (0x989AEb...), CVX Token (0x4e3FBD...), CvxLockerV2 (0x72a193...). Protocol launched May 17, 2021 with publicly verifiable source code. No unverified core contracts at launch.
RD-F-167 green Deprecated contract paused but pause reversible by live admin vlCVX v1 contract (0xD18140b4B819b895A3dba5442F959fA44994AF50) was deprecated March 2022. User funds were fully migrated to vlCVX v2. The v1 contract is effectively empty; admin retains owner capabilities but there is no user value to capture in the deprecated surface. The pause capability over an empty deprecated contract poses negligible risk.
Oracle & external dependencies · Yellow · 27 · 17 of 17
RD-F-050 red Dependency graph (protocols depended upon) Convex's critical external dependency on Curve Finance (GaugeController, Minter, VotingEscrow, per-pool gauges) has no in-protocol fallback. The VoterProxy holds ~418M veCRV and calls Curve's gauge system on every reward cycle. The Booster is non-upgradeable (Solidity 0.6.12, no proxy), so if Curve migrates or changes its gauge architecture, Convex's yield halts without a migration path. Secondary dependencies: Frax Finance (veFXS) for <2% of TVL; Prisma Finance (sunset December 2024, stranding cvxPRISMA); f(x) Protocol; Resupply.fi (associated but separate; exploited June 2025). The July 2023 Curve/Vyper reentrancy materialized this risk for specific pools.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis is partially documented. Curve GaugeController failure: all CRV reward claims revert, yield halts (existential severity). Curve Minter failure: CRV minting stops, yield halts. Curve VotingEscrow failure: gauge boost power is lost, yield degrades to 1x. Curve per-pool gauge bugs: LP position loss in affected pools (materialized in the July 2023 Vyper reentrancy for select pools). Frax failure: cvxFXS impaired, <2% of TVL. Resupply.fi: separate protocol; the June 2025 exploit did not impair Convex core. No oracle-dependency breakage scenario applies. Yellow because the analysis covers the major dependencies but the Prisma sunset and f(x) Protocol impacts are only partially documented.
RD-F-049 n/a Oracle role per asset No external price oracle is used in Convex's asset/market context. LP tokens are accepted at face value, and CRV, CVX and cvxCRV rewards are denominated in token amounts. No Primary/Secondary/Fallback oracle role classification is possible or needed.
RD-F-051 n/a Fallback behavior on oracle failure Convex has no oracle to fail, so F051 is not applicable. The BoosterOwner forceShutdown path (with the 30-day FORCE_DELAY) is the only operational fallback mechanism, and it addresses gauge compatibility issues, not oracle failures.
RD-F-054 n/a TWAP window duration Convex does not use any DEX-TWAP oracle; not applicable.
RD-F-055 n/a Oracle pool depth (USD) Convex does not use a DEX pool as an oracle; not applicable.
RD-F-056 n/a Single-pool oracle (no medianization) No oracle venue is used by Convex's contracts; not applicable.
RD-F-057 n/a Circuit breaker on price deviation Convex has no oracle price to circuit-break; not applicable.
RD-F-058 n/a Max-deviation threshold (bps) No circuit breaker exists (see F057); not applicable.
RD-F-059 n/a Oracle staleness check present No external oracle feed is consumed; not applicable.
RD-F-060 n/a Chainlink aggregator min/max bound misconfig Convex does not use any Chainlink aggregator in its core contracts; not applicable. The 19 Chainlink feeds in the DeFiLlama/data cache oracle_feeds[] are not consumed by Convex's own contracts.
RD-F-061 n/a LP token balanceOf used for pricing Convex does not derive prices from LP token balances. LP tokens are deposited and tracked by amount; no balanceOf-for-price pattern exists in Convex's reward distribution logic.
RD-F-180 n/a Immutable oracle address [★ CRITICAL-CANDIDATE PD-017] Not applicable: Convex's core contracts contain no oracle address, immutable or otherwise. The immutable keyword does not appear on any oracle-type variable in Booster.sol, CvxLocker.sol, BaseRewardPool.sol or any other core contract, because there are no oracle variables. The factor tests the inability to swap a broken oracle; Convex has no oracle to swap. This is the correct not-applicable resolution for an oracle-free staking protocol, not a gray evasion.
RD-F-181 n/a Permissionless-pool lending oracle Convex is a staking/wrapper protocol (protocol_type: YIELD), not a lending protocol. No lending market, collateral acceptance logic, borrow mechanics or oracle-based loan-to-value computation exist in Convex's own contracts. The Resupply.fi June 2025 exploit involved a permissionless-pool-style attack on an associated lending protocol's ERC-4626 wrapper using Convex-staked tokens as collateral; that exploit occurred in Resupply's contracts, not Convex's.
RD-F-048 green Oracle providers used Zero external price oracle providers are used in Convex's core contracts. Source inspection of Booster.sol, CvxLocker.sol, BaseRewardPool.sol, and Interfaces.sol confirms no Chainlink AggregatorV3Interface, no Pyth, no Redstone, and no DEX-TWAP oracle imports or calls. The 19 Chainlink feeds in the data cache oracle_feeds[] belong to Curve pool contracts attributed to the convex-finance DeFiLlama slug, not to Convex's own contract logic.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] No spot DEX oracle in any Convex core contract. Source inspection of Booster.sol, CvxLocker.sol, BaseRewardPool.sol, ExtraRewardStashV3.sol, and Interfaces.sol confirms zero oracle calls (no slot0(), getReserves(), consult(), latestAnswer(), latestRoundData(), getPrice()). The cvxCRV/CRV Curve factory pool carries Curve's internal EMA oracle (TWAP-based) inside the Curve pool contract — this oracle is not consumed by any Convex contract. No spot DEX oracle manipulation vector exists in Convex's core path. Scored green: no spot DEX oracle, no TWAP oracle, no oracle of any kind in Convex's executable logic.
RD-F-062 green External keeper/relayer not redundant No single keeper/relayer dependency. The earmarkRewards function on Booster is permissionless — any external caller can trigger gauge CRV claiming. No Gelato, Chainlink Automation, or single-keeper dependency in Convex's core reward path. Reward claiming is open to anyone.
Economic risk · Yellow · 33 · 13 of 13
RD-F-063 yellow TVL (current + 30d trend) Current TVL $613.3M (above the $100M green threshold). 30-day change -3.28% (declining). 12-month peak ~$1,616M; ATH ~$19.8B. Long-term structural decline: TVL is ~97% below the 2021 ATH. The declining trend (down from $916M in mid-April to $613M in 6 weeks) moves the factor from green to yellow per the threshold definition. Ethereum holds 98.33% of TVL. Note: the stated 30-day change (-3.28%) and the mid-April-to-May drop ($916M to $613M, roughly -33%) are not mutually consistent; one of the two figures should be re-verified against the TVL source before this factor is relied on.
RD-F-065 yellow Liquidity depth per major asset Convex holds Curve LP tokens, not raw assets, so liquidity depth for LP-token exits is Curve pool depth (adequate for major stablecoin and ETH pools). For cvxCRV specifically, the derivative token representing locked CRV, the CRV/cvxCRV Curve pool holds only ~$162K TVL with ~$280 of 24h volume (GeckoTerminal, 2026-05-16), so large cvxCRV exits face extreme slippage. cvxCRV trades at a ~60% discount to CRV (CoinGecko: cvxCRV $0.1039 vs CRV ~$0.26, i.e. 0.40 CRV per cvxCRV). This is structurally expected (the conversion is one-way) but is a real liquidity risk for cvxCRV holders. Scored yellow: depth is adequate for underlying Curve LP exits, but cvxCRV secondary liquidity is thin.
RD-F-064 gray TVL concentration (top-10 wallet share) Top-10 Booster depositor concentration is not directly enumerable without a Dune or subgraph query (Dune 403 is a persistent data gap). CVX token holder concentration is available (top-10 wallets ~73% of CVX supply per CryptoNewsNavigator, Jan 2026), but that is CVX token concentration, not Booster LP-deposit concentration, which is a different metric. The Booster LP deposit concentration data gap is flagged for the curator. Scored gray.
RD-F-066 n/a Utilization rate (lending protocols) Convex Finance is a yield and vote aggregator, not a lending protocol: no borrow markets, no utilization rate, no interest-rate model. Per the PD-024 Cat 4 applicability table, F066 is lending-only and not applicable.
RD-F-067 n/a Historical bad-debt events Convex has no lending book and therefore no bad-debt events. Resupply.fi (a separately launched protocol using Convex/Curve infrastructure) suffered a $9.5M exploit on 2025-06-26, but Resupply.fi is a distinct protocol; Convex's own contracts were not exploited. Per PD-024, F067 is lending-only and not applicable.
RD-F-068 n/a Collateralization under stress Convex has no collateral book or borrowing mechanism, so no collateralization ratio is definable. Per PD-024, F068 is lending-only and not applicable.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Convex does not issue a stablecoin. cvxCRV is a derivative wrapper (1 CRV locked = 1 cvxCRV issued) fully backed by veCRV locked in the VoterProxy, not an algorithmic or under-collateralized stablecoin design. Per PD-024, F069 is lending-only and not applicable. Note: cvxCRV trades at a ~60% discount to CRV in secondary markets because the conversion is one-way and secondary liquidity is thin, not because of under-collateralization.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Convex is not a Compound V2 fork and does not implement cToken-style markets. The Booster (0xF403C135812408BFbE8713b5A23a04b3D48AAE31, Solidity 0.6.12, non-upgradeable) routes Curve LP tokens to Curve gauges; no totalSupply()/totalBorrow() market primitive exists in any Convex contract. The donation/empty-market attack requires a share-based lending vault with zero liquidity, which Convex does not have. Taxonomy Cat 4 marks this factor as Compound-fork-only; not applicable.
RD-F-071 n/a Seed-deposit requirement for new market listing Convex does not list lending markets and has no seed-deposit mechanism. New Curve pools are added to the Booster by the admin (multisig-controlled gauge additions), but that is not a lending-market listing with a minimum seed deposit. Per PD-024, F071 is lending-only and not applicable.
RD-F-072 n/a Market-listing governance threshold Convex does not support permissionless or governance-gated listing of lending markets. Per PD-024, F072 is lending-only and not applicable. Convex's pool additions (new Curve gauges) are admin-controlled but categorically different from lending-market listings.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Convex has no borrow caps and no DEX-TWAP oracle in its core deposit/reward path. Per PD-024, F073 is lending-only and not applicable; the factor requires a lending protocol with per-asset borrow limits derived from oracle pool depth.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) The Booster (0xF403C135812408BFbE8713b5A23a04b3D48AAE31, Solidity 0.6.12) is not an ERC-4626 vault and does not use ERC-4626-style share accounting. No virtual-share offset mitigation is relevant. Per PD-024, F074 applies only to ERC-4626 vault protocols.
RD-F-075 n/a First-depositor / share-inflation guard Same as F074. The Booster is not an exchange-rate share vault and has no first-depositor attack surface: the deposit flow routes LP tokens to Curve gauges and issues deposit receipts 1:1 with the LP amount, so there is no share price to inflate. Per PD-024, F075 applies only to share-based vault architectures.
Operational history Green 18 15 of 15
RD-F-089 red Insurance coverage active No active insurance coverage found for Convex Finance core protocol. Searched Nexus Mutual (no Convex-specific listing returned in search results; app.nexusmutual.io/cover product page returns no Convex listing), Sherlock (no Convex coverage found), Unslashed (no information). Data cache confirms no Immunefi program exists. At $613M TVL, absence of any protocol-level insurance coverage is a meaningful gap. Individual users may purchase third-party cover independently, but no protocol-facilitated or protocol-maintained insurance found.
RD-F-081 yellow Post-exploit response score Dec 2021 OZ event: exemplary handling — Immunefi-mediated approach; multisig strengthened (publicly known parties added) before full vulnerability details shared with team; patch deployed same day. Mar 2022 vlCVX: rapid same-day public communication and v2 contract deployment; however, the Medium post is a migration guide, not a full post-mortem (no code diff, no timeline, no root-cause analysis depth). Scored yellow: strong response process but Mar 2022 post-mortem quality below 5/5 due to missing root-cause depth and code diff.
RD-F-082 yellow Post-mortem published within 30 days Dec 2021 OZ event: OZ published their disclosure post in December 2021 (same day patch applied). Mar 2022 vlCVX: Convex published Medium post March 4, 2022 (same day as v2 contract deployment). Both events have public communication within 24 hours. Scored yellow rather than green because the Mar 2022 post is a migration guide (not a full post-mortem with root-cause analysis and code diff) — meets the 30-day threshold but quality is below the green standard.
RD-F-083 yellow Auditor re-engaged after last exploit After the Mar 2022 vlCVX v1 redeploy, the replacement v2 contract (0x72a19342e8F1838460eBFCCEf09F6585e32db86E) was deployed without a public audit. Profile §8 notes MixBytes 2021 audit covers original platform only; subsequent PeckShield audits (2022-2023) cover Frax staking, OhmSync wrapper, sidechain; Nomoi 2023 audits cover cvxCRV wrapper and sidechain; ChainSecurity 2023 covers Silo wrapper. None of these audit reports appear to cover the core vlCVX Locker v2 contract specifically. Yellow: other audits exist but the specific replaced contract lacks public audit confirmation.
RD-F-085 yellow Incident response time (minutes) Mar 2022 vlCVX event: Convex was 'recently made aware' of the issue (Popcorn team disclosure) and published the Medium post and deployed v2 on the same day (March 4, 2022). Response was rapid. Exact response time in minutes from notification to first public statement is not documented in the Medium post or secondary sources. Dec 2021 OZ event: Immunefi-mediated, multisig strengthened before details shared — the process took multiple days of coordination but the patching was done promptly. Specific minutes for last incident (Mar 2022) not determinable from public record.
RD-F-166 yellow Deprecated contracts still holding value CVX Locker v1 (0xD18140b4B819b895A3dba5442F959fA44994AF50) is deprecated per March 2022 migration announcement. On-chain balance as of 2026-05-16: cvxCRV 103,205 tokens (~$10,682) + CVX 1.9 tokens (~$3) = total ~$10,685. This is below the $100K materiality threshold (red threshold per taxonomy definition). Residual value appears to be unclaimed reward tokens from former v1 lockers, not principal. Most recent tx March 4, 2026 'Get Reward' call — contract still callable. Migration of principal was successful; only dust/reward residue remains. Scored yellow per taxonomy band $1-$100K.
RD-F-076 green Protocol age (days) Booster contract verified on Etherscan 2021-05-17. As of 2026-05-16 approximately 1826 days (~60 months) live. Protocol experienced $19.8B ATH TVL in Oct-Nov 2021 during Curve Wars peak — significant operational stress-test period passed. Meets A-grade age threshold comfortably.
RD-F-077 green Prior exploit count Two Convex-native operational events in ~60 months, both $0 user-fund loss: (1) Dec 2021 OZ responsible disclosure of VoterProxy/Booster multisig-access vulnerability — patched before any exploitation; (2) Mar 2022 vlCVX Locker v1 reward-accounting bug — responsibly disclosed by Popcorn team before exploitation, v2 deployed same day. Realized-loss exploit count = 0. Bent Finance (Dec 2021, ~$1.75M) is a SEPARATE protocol incident, excluded. ResupplyFi (Jun 2025, ~$9.8M) is a separate protocol built by Convex-affiliated team, not a Convex-contract exploit — excluded per disambiguation in 00-profile.md §10 and rekt.news confirmation.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Two Convex-native events (both $0 user-fund loss). Count is below the chronic threshold of >=3. Chronic flag does not fire.
RD-F-079 green Same-root-cause repeat exploit Two Convex-native events have distinct root causes: (1) Dec 2021 — multisig access control gap in VoterProxy/Booster combination (admin-key-posture class); (2) Mar 2022 — reward-accounting logic flaw in vlCVX Locker v1 (arithmetic/state-update class). No same-root-cause repeat. Both $0 user-fund loss.
RD-F-080 green Days since last exploit Most recent Convex-native event: March 4, 2022 (vlCVX Locker v1 redeployment). Days since as of 2026-05-16: approximately 1533 days (~4.2 years). No exploitation events or operational incidents since March 2022. Long quiescence period under significant TVL.
RD-F-084 green TVL stability (CoV over 90d) 90-day TVL coefficient of variation (CoV) = 0.0545 (mean $652M, std $35.6M, window 2026-02-16 to 2026-05-16 per data cache). CoV 0.0545 indicates moderate stability — well below high-volatility thresholds. Decline from ~$847-916M to ~$613M is gradual, not shock-exit pattern.
RD-F-086 green Pause activations (trailing 12 months) No on-chain evidence of Convex Booster or core contract pause activations in the trailing 12 months. The BoosterOwner has a bespoke ~30-day FORCE_DELAY gating only the forceShutdown emergency path (per docs known-issues page). No forceShutdown activation found in public record. ResupplyFi was paused in June 2025 but is a separate protocol. March 2022 vlCVX redeploy was a contract migration, not a pause of the Booster.
RD-F-087 green Pause > 7 consecutive days No evidence of Convex Booster being paused for more than 7 consecutive days in the last 12 months. No Booster pause events found in public record. ResupplyFi (separate protocol) was paused in June 2025 but that is not a Convex Booster pause.
RD-F-088 green Re-deployed to new addresses in last year The vlCVX Locker v1 to v2 migration (the most recent Convex core contract redeployment) occurred March 4, 2022, which is approximately 4.2 years before 2026-05-16 — well outside the trailing 12-month window. No evidence of core contract redeployment in the last 12 months.
Real-time signals Green 6 22 of 22
RD-F-099 yellow Oracle price deviation >X% from secondary T-09 phase-2 signal. Partially applicable. Convex Booster core reward path (deposit Curve LP, accrue CRV via gauge) does not consume an external price oracle — CRV rewards are on-chain gauge-based. However, the cvxCRV/CRV soft peg is a structural dependency: cvxCRV has historically traded at 1%-8% discount to CRV depending on market conditions, representing a persistent latent oracle-equivalent risk. The 19 Chainlink feeds in the data cache (USDT/USD, AVAX/USD, COMP/USD, etc.) are associated with periphery Convex-adjacent contracts and pool accounting, not the Booster core. No acute oracle deviation on any of these feeds detected as of 2026-05-16. Yellow assigned because the cvxCRV peg tension is a real latent risk even though the canonical signal does not fire on core Convex contracts today.
RD-F-109 yellow Social-media impersonation scam spike Applicable. Convex is a major DeFi brand (Curve Wars era; $613M TVL; @ConvexFinance on X with significant following). No specific documented acute spike of fake ConvexFinance accounts in 2025-2026 found in public search results. However, Convex is a high-recognition DeFi brand: impersonation scams are structurally expected. Base rate for brand impersonation against top DeFi protocols is high (Zscaler ThreatLabz: ~33% of 30,000 lookalike domains across top brands are malicious). Absence of confirmed specific spike does not equal confirmed absence — social media scam activity is pervasive and under-reported for DeFi brands. Yellow: structurally elevated risk posture without confirmed acute spike.
RD-F-090 gray Mixer withdrawal → protocol interaction Applicable in principle: Convex Booster holds $613M TVL and is a viable venue for mixer-funded wallet interactions. No confirmed mixer-funded wallet interaction with core Convex contracts detected via public OSINT. This is a T-09 phase-2 signal requiring a wallet-clustering attribution feed (Chainalysis/TRM). Without that feed, a live state cannot be authoritatively determined. No public incident report of mixer-to-Convex pre-strike pattern in 2024-2026. Production monitoring not configured; signal is gray.
RD-F-091 gray Partial-drain test transactions Applicable in principle. Convex holds $613M TVL in Curve gauge positions. No small-drain test transaction pattern detected against Convex Booster in public OSINT. This signal requires a real-time transaction pattern baseline model per protocol; that baseline is not deployed for this static T-10 assessment. Gray — not observable without live pattern model.
RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer wallet 0x947B7742C403f20e5FaCcDAc5E092C943E7D0277 confirmed via Convex docs and Etherscan (3,214 transactions as of March 2026). Data cache shows deployer.address: null (pipeline gap). Most recent activity: incoming transactions from Deployer to Multisig on May 12, 2026 — consistent with routine operational pattern. Full behavioral baseline model not available. Gray — mempool baseline model not deployed for static assessment.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet No high-gas-priority attacker tx pattern against Convex core contracts detected in public OSINT. Signal requires live mempool EMA baseline; not deployed for static T-10 assessment. Gray.
RD-F-094 gray New contract with similar bytecode to exploit template Convex Booster is an original Solidity 0.6.12 design — not a widely-forked template. Low applicability for bytecode-similarity exploit-template deployment. No public reports of exploit-template bytecode deployed against Convex's architecture. Signal requires per-protocol bytecode-similarity sweep; not deployed. Gray.
RD-F-095 gray Known-exploit function-selector replay Limited applicability — Convex does not use the standard lending/oracle pattern that most selector-replay exploits target. The Booster's core functions (deposit, withdraw, CRV claim) are not typical replay-template targets. No replay patterns detected in public OSINT. Selector pattern index not maintained for Convex protocol class. Gray.
RD-F-096 gray New ERC-20 approval to unverified contract from whale Applicable in principle for large CVX/cvxCRV holders. No specific whale-approval anomaly to unverified contracts detected via public OSINT. Signal requires user-level monitoring of high-TVL wallet approval events. Not deployed for static assessment. Gray.
RD-F-097 gray Sybil surge of identical-pattern transactions Limited applicability for Convex's deposit-and-hold model (Curve LP token staking). Sybil surge of identical-pattern transactions is more relevant for AMM/lending protocols with frequent permissionless interactions. No sybil surge detected. Clustering algorithm not deployed. Gray.
RD-F-103 n/a Bridge signer-set change proposed/executed Convex is not a bridge. Fraxtal, Arbitrum, and Polygon deployments are independent per-chain Booster instances with no protocol-operated cross-chain bridge. layerzero.present: false confirmed in data cache. has_bridge_surface: false and is_a_bridge: false confirmed in profile meta.json. RD-F-103 (bridge signer-set change) is structurally inapplicable.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Convex is not a bridge and does not operate cross-chain message paths. Independent per-chain Booster deployments (Fraxtal, Arbitrum, Polygon) do not create a cross-chain mint-without-proof attack surface. layerzero.present: false. Not applicable.
RD-F-107 gray Admin EOA signing from new geography/device Team is anonymous/pseudonymous — no publicly declared geography or device baseline for admin signing exists. Signal requires team opt-in to signing telemetry. Practically ungatherable without that opt-in. Per process-learnings and methodology template notes, this factor is P2 and will be gray for virtually all anonymous-team protocols in v1. Gray.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal (Tier A). TVL $613.3M as of 2026-05-16. 30d change: -3.28%; 1d change: -0.14%; 90d CoV: 0.0545 (mean $652M, std $35.6M). No single-hour TVL drop detected. Threshold condition: TVL_now / TVL_baseline_30d < 0.70; current ratio ~0.94 — well above threshold. 30d decline is slow market-correlated drift, not an exploit drain signal. Signal would not fire today.
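The two quantitative signals above (RD-F-084's 90-day coefficient of variation and RD-F-098's drain ratio TVL_now / TVL_baseline_30d < 0.70, plus the single-hour drop check) written out as a small evaluator. This is an added example, not the assessment's own tooling; the TVL series are constructed sample data in $M, the 30-day baseline is assumed to be a trailing mean that excludes the current reading, and the hourly-drop percentage X is assumed to be 10% since the report leaves it unstated.

```python
"""TVL monitoring signals as described for RD-F-084 and RD-F-098.
Added example; all TVL series are constructed, not real Convex figures."""
from statistics import mean, pstdev

DRAIN_RATIO_THRESHOLD = 0.70    # report: fire when TVL_now / TVL_baseline_30d < 0.70
HOURLY_DROP_THRESHOLD = 0.10    # assumed value for the unstated X% in "% drop in <1h"


def coefficient_of_variation(daily_tvl):
    """Population standard deviation divided by the mean over the whole window."""
    if len(daily_tvl) < 2:
        raise ValueError("need at least two daily observations")
    m = mean(daily_tvl)
    if m <= 0:
        raise ValueError("mean TVL must be positive")
    return pstdev(daily_tvl) / m


def drain_ratio(daily_tvl, baseline_days=30):
    """TVL_now over the mean of the preceding `baseline_days` readings.
    Assumption: the baseline is a trailing mean that excludes today's reading."""
    if len(daily_tvl) < baseline_days + 1:
        raise ValueError("series shorter than baseline window plus today")
    baseline = mean(daily_tvl[-baseline_days - 1:-1])
    return daily_tvl[-1] / baseline


def largest_hourly_drop(hourly_tvl):
    """Largest fractional hour-over-hour decline; 0.0 when TVL never fell."""
    worst = 0.0
    for prev, cur in zip(hourly_tvl, hourly_tvl[1:]):
        if prev > 0:
            worst = max(worst, (prev - cur) / prev)
    return worst


def evaluate_tvl_signals(daily_tvl, hourly_tvl):
    """Metrics plus which signals would fire. A slow, market-correlated decline
    should leave both signals quiet; a block-scale drain should trip them."""
    ratio = drain_ratio(daily_tvl)
    drop = largest_hourly_drop(hourly_tvl)
    return {
        "cov_90d": coefficient_of_variation(daily_tvl),
        "drain_ratio": ratio,
        "largest_hourly_drop": drop,
        "fires_drain": ratio < DRAIN_RATIO_THRESHOLD,
        "fires_hourly_drop": drop > HOURLY_DROP_THRESHOLD,
    }


# Constructed: 90 daily readings drifting from 700 down to 611 (gradual decline).
GRADUAL_DAILY = [700.0 - i for i in range(90)]
# Constructed: same history, but today's reading collapsed to 300 (drain pattern).
DRAINED_DAILY = GRADUAL_DAILY[:-1] + [300.0]
# Constructed: 24 flat hourly readings ...
FLAT_HOURLY = [613.0] * 24
# Constructed: ... and 24 readings with one hour falling from 613 to 520.
SHOCK_HOURLY = [613.0] * 12 + [520.0] * 12

if __name__ == "__main__":
    for label, daily, hourly in (("gradual", GRADUAL_DAILY, FLAT_HOURLY),
                                 ("drained", DRAINED_DAILY, SHOCK_HOURLY)):
        print(label, evaluate_tvl_signals(daily, hourly))
```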
RD-F-100 green Flash loan >$10M targeting protocol tokens T-09 phase-2 signal. Applicable in principle. No flash-loan exploit against core Convex contracts (Booster, VoterProxy, vlCVX) detected. The Resupply June 2025 exploit ($9.5M) used a $4,000 USDC Morpho flash loan but targeted a newly deployed Resupply vault — a separate protocol that is a Convex/Yearn subDAO. Resupply is not the Convex Booster. vlCVX 16-week lock prevents flash-loan governance takeover (cannot acquire vlCVX within a single block). No ongoing flash-loan targeting pattern detected. Green.
RD-F-101 green Large governance proposal queued T-09 v1 launch signal (Tier B). Applicable with adaptation: Convex has no on-chain Governor (governor_address: null confirmed in data cache). Governance is via Snapshot cvx.eth space + 3-of-5 multisig execution. Flash-loan governance attack structurally blocked by 16-week vlCVX lock — voting weight cannot be flash-loan-acquired within a block. Recent governance proposals (Dec 2025: treasury allocation ~$10M into Pendle yield strategies and USDf Curve pools; routine gauge-weight bi-weekly votes) are normal operational pattern. No malicious-pattern proposals detected. Signal cannot fire on the on-chain Governor path (no Governor exists), but the underlying governance attack vector is structurally closed. Green.
RD-F-102 green Admin/upgrade transaction in mempool T-09 phase-2 signal. Applicable with reduced scope. Booster contract (0xF403C135...) is immutable (Solidity 0.6.12, non-upgradeable — no upgradeTo, no proxy pattern). Admin calls via 3-of-5 multisig are constrained to fee parameters, gauge vote execution, and BoosterOwner forceShutdown path (~30-day delay). Multisig Etherscan activity shows routine transactions — incoming from Deployer on May 12, 2026 and ENS-named addresses. No anomalous admin-tx pattern detected. Multisig shows no Tornado Cash interaction. Signal has reduced applicability due to immutable core contracts; no anomalous mempool activity observed. Green.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue T-09 v1 launch signal (Tier B). Applicable: Yes. Convex's TVL is primarily CRV/cvxCRV and Curve LP positions. USDC/USDT/DAI stablecoins are present in Curve pools Convex holds positions in. Chainlink USDT/USD feed (heartbeat 86400s, 0.25% deviation threshold) confirmed in data cache. As of 2026-05-16, no stablecoin depeg event (> 2% sustained on shared-LP venue) detected in public sources. The last major affecting events were March 2023 USDC episode and July 2023 Curve/Vyper exploit — both fully resolved. cvxCRV/CRV is a soft peg, not a hard-peg stablecoin. Current stablecoin layer is stable. Signal would not fire today.
RD-F-105 green DNS/CDN/frontend hash drift T-09 phase-2 signal. Applicable: Yes. convexfinance.com is the production domain; vote.convexfinance.com and docs.convexfinance.com are active subdomains. No DNS compromise, frontend injection, or certificate transparency anomaly reported in public sources for 2024-2026. Convex Finance domain has been stable for 5 years. No Etherscan or social media reports of frontend compromise. Contrast: Curve Finance (a separate but related protocol) had a DNS attack in August 2022 — Convex itself did not. Posture is stable. Signal would not fire today.
RD-F-108 green GitHub force-push to sensitive branch Applicable. Primary repo: github.com/convex-eth/platform. Data cache: last_commit_date: 2025-10-23. No force-push or unauthorized push to main branch reported in public sources. Last commit approximately 6.5 months ago (relative to assessment date 2026-05-16) suggests a period of low active development on the core platform repo — lower surface area for unauthorized push events. No GitHub security incident reported for Convex repos. Green.
RD-F-110 green Unusual pending/executed proposal ratio Partially applicable: Convex uses Snapshot (off-chain) not an on-chain Governor. On-chain proposal event monitoring is not directly applicable. Adapted reading: ratio of Snapshot proposals in pending vs. executed state. No anomalous proposal queuing ratio detected. Governance is operating normally — bi-weekly gauge-weight votes, periodic treasury proposals (Dec 2025 treasury allocation confirmed via public sources). No backlog or unusual queue observed. Green.
RD-F-182 green Security-Council threshold reduction (RT) Batch-24 factor (Cat 6B). T-09 v1.1 candidate signal. Applicable: Yes — Convex's 3-of-5 multisig functions as its de facto Security Council. Signal: threshold reduction, timelock removal, or new-signer addition within 14 days. Current posture: Safe API confirms threshold=3, owner_count=5 for Ethereum multisig (0xa3C5A1e09150B75ff251c1a7815A07182c3de2FB) and Arbitrum multisig (0x6111ABF720051309012FcdBc2910054E41dcFF8c) — both stable at 3-of-5. No threshold reduction detected. BoosterOwner delay (forceShutdown ~30-day) is narrow but has not been modified or removed. No signer addition/removal detected in recent transaction history. Reference pattern (Drift Protocol: 3/5 to 2/5 + timelock removal 6 days before $285M DPRK exploit) has no analog here. Green — signal would not fire today.
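The RD-F-182 signal (threshold reduction, timelock removal, or signer addition within 14 days) as a snapshot-diff check over successive observations of a Safe's threshold and owner set. This is an added example, not the assessment's tooling; the snapshots and owner identifiers are constructed placeholders, and the timelock field is an assumed annotation of whether admin execution is gated by a delay.

```python
"""Security-council posture drift check (RD-F-182 pattern).
Added example; snapshots and owner ids below are constructed, not real signers."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SafeSnapshot:
    observed: date
    threshold: int
    owners: frozenset
    timelock_seconds: int = 0   # 0 means no delay gates admin execution (assumed field)


def compare_snapshots(before, after):
    """Drift events between two observations of the same multisig."""
    events = []
    if after.threshold < before.threshold:
        events.append(f"threshold reduced {before.threshold}->{after.threshold} of {len(after.owners)}")
    for added in sorted(after.owners - before.owners):
        events.append(f"signer added {added}")
    for removed in sorted(before.owners - after.owners):
        events.append(f"signer removed {removed}")
    if before.timelock_seconds > 0 and after.timelock_seconds == 0:
        events.append(f"timelock removed (was {before.timelock_seconds}s)")
    elif after.timelock_seconds < before.timelock_seconds:
        events.append(f"timelock shortened {before.timelock_seconds}s->{after.timelock_seconds}s")
    if after.threshold > len(after.owners):
        events.append("threshold exceeds owner count: Safe cannot execute")
    return events


def council_alerts(snapshots, as_of, window_days=14):
    """Changes observed inside the trailing window raise the alert; older changes
    are kept as history so the reviewer still sees them."""
    ordered = sorted(snapshots, key=lambda s: s.observed)
    cutoff = as_of - timedelta(days=window_days)
    recent, historical = [], []
    for before, after in zip(ordered, ordered[1:]):
        bucket = recent if after.observed >= cutoff else historical
        for event in compare_snapshots(before, after):
            bucket.append((after.observed, event))
    return {"alert": bool(recent), "recent": recent, "historical": historical}


OWNERS = frozenset(f"0xOWNER_{c}" for c in "ABCDE")          # constructed placeholders
OWNERS_OLD = (OWNERS - {"0xOWNER_E"}) | {"0xOWNER_F"}        # one signer rotated earlier
AS_OF = date(2026, 5, 16)                                    # assessment date in the report

# Stable 3-of-5 posture across all observations (the report's finding for Convex).
STABLE = [
    SafeSnapshot(date(2026, 4, 1), 3, OWNERS),
    SafeSnapshot(date(2026, 5, 1), 3, OWNERS),
    SafeSnapshot(date(2026, 5, 15), 3, OWNERS),
]
# Comparator pattern from the report: 3/5 to 2/5 plus timelock removal six days
# before as_of, with an older signer rotation that should only be history.
WEAKENED = [
    SafeSnapshot(date(2025, 11, 1), 3, OWNERS_OLD, timelock_seconds=86400),
    SafeSnapshot(date(2026, 4, 1), 3, OWNERS, timelock_seconds=86400),
    SafeSnapshot(date(2026, 5, 10), 2, OWNERS, timelock_seconds=0),
]

if __name__ == "__main__":
    print(council_alerts(STABLE, AS_OF))
    print(council_alerts(WEAKENED, AS_OF))
```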
Dev identity & insider risk Green 11 16 of 16
RD-F-111 yellow Team doxx status Team is consistently pseudonymous. C2tP is the lead developer pseudonym active since 2021 with a multi-year track record (GitHub, Medium, ENS, Snapshot). No real-name disclosure found. Qualifies as consistent-pseudonym-with-track-record per taxonomy, not fully-anonymous. Winthorpe is a second co-founder pseudonym. Other multisig signers (Benny/Llama Airforce, Tommy/Votium, Sam/Frax) are semi-public DeFi pseudonyms. Yellow: pseudonymous-with-track-record is not green (not doxxed) but is meaningfully better than no-track-record.
RD-F-112 yellow Team public accountability surface C2tP has GitHub account (C2tP-C2tP, 25 followers, pull-shark x2), ENS c2tp.eth, Medium authorship on Convex blog, active Snapshot voter, 5+ year DeFi presence. No LinkedIn, no conference talks, no prior employer identified. Accountability surface moderate for a pseudonymous team. External multisig signers (Benny/Votium/Frax) have DeFi-community pseudonyms. Yellow: meaningful trail but below doxxed standard.
RD-F-121 yellow Contributor OSINT depth score C2tP OSINT depth score approximately 3/5: GitHub active with pull-shark achievement, ENS c2tp.eth bound, Medium authorship, active Snapshot voter, 5+ year DeFi presence, donated $1.4M personal funds in Resupply exploit response. No IRL verification, no LinkedIn, no conference presence. Other signers (Benny/Tommy/Sam) have moderate depth within their protocol communities. Overall team depth is meaningful pseudonymous trail, below doxxed standard.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Two historical admin/contract-change events reviewed. (1) March 2022 vlCVX redeployment: announced and executed same day via Medium post; no Snapshot vote or GitHub issue preceded the migration; emergency-response context (responsible bug disclosure, no funds at risk), but zero pre-execution community discussion window. (2) December 2021 OZ vulnerability patch (commit 0b52856): emergency fix under Immunefi-mediated adversarial disclosure constraints; no public pre-discussion. Neither event was a silent, unexplained admin-rescue or ACL reassignment; both had documented emergency-disclosure drivers and public same-day communications. No Snapshot governance vote has ever covered a core contract migration (Snapshot is reserved for gauge-weight/gauge-additions votes). Yellow: governance hygiene gap (no pre-execution discussion path exists) but no silent-exploit-motivated change identified.
RD-F-119 gray Commit timezone consistent with stated geography C2tP has not publicly stated a geography. No commit-time timezone analysis performed. No timezone-anomaly flag raised in any public security research. Cannot conclusively assess without raw commit-timestamp distribution analysis. Gray: factor requires data not available from public OSINT.
RD-F-120 gray Video-off/voice-consistency flag No public interviews with video or voice found for C2tP or Winthorpe. Team is consistently pseudonymous and has not made public media appearances. The OZ disclosure noted the anonymous-team dynamic as friction in vulnerability response. Gray: absence of video/voice is consistent with stated pseudonymous posture; cannot assess as positive or negative signal without a baseline expectation of public presence.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet Convex has off-chain and treasury-paid contributors. No on-chain payment streams from Treasury Vault (0x1389388d01708118b495f59521f6943Be2541bb7) to individual contributor wallets confirmed in publicly available data. The data pipeline did not find payment-stream contracts. Per process-learnings: mark not_assessed beyond the deployer unless on-chain payment streams exist. Curator review of treasury outflows warranted if contributor payment addresses become public.
RD-F-184 gray Real-capital social-engineering persona Gray by policy for protocols with no curator-flagged persona. F184 requires curator-confirmed attribution of a social-engineering capital-build-up pattern (Drift/UNC4736 comparator: $1M+ deposits over 6 months). No public report links any Convex Finance investor, contributor, or team persona to such a pattern. The June 2025 Resupply exploit was an external code-exploitation attack (collateral price manipulation via cvcrvUSD), not a persona-based social-engineering event. Cannot prove absence of a pattern with no public trace; P1 factor requires curator confidence beyond on-chain trail before grading.
RD-F-113 green Team other-protocol involvement history C2tP co-founded Resupply.fi (2025); no prior rug or exit-scam found for any team member. The Resupply $9.5M exploit (June 2025) was an external code attack; C2tP donated $1.4M personal funds in response - a positive accountability signal. Winthorpe described as legitimate co-founder. Benny (Llama Airforce), Tommy (Votium), and Sam (Frax) have positive multi-year DeFi histories with no rug associations.
RD-F-114 green Deployer address prior on-chain history Deployer EOA 0x947B7742 has 3,256 transactions as of 2026-05-16, all consistent with a long-running protocol founder maintaining infrastructure. Interactions include Convex contracts, Uniswap, CoW Protocol, Arbitrum Bridge - standard DeFi-dev patterns. No prior rug deployment history found. Convex is the only major protocol deployed from this address. No C6 rug-deployer class membership found.
RD-F-115 green Prior rug/exit-scam affiliation No prior rug or exit-scam affiliation found for any identified Convex team member. Searched REKT, Quadriga Initiative, and general web for 'Convex Finance rug exit scam developer malicious 2021 2022 2023'; no positive results. The 2021 OZ disclosure is a vulnerability disclosure (not a rug) that was responsibly patched. The Resupply 2025 exploit was external. Convex Finance is the opposite of a rug-deployer profile: C2tP donated personal funds to cover protocol losses.
RD-F-116 green Contributor tenure at admin-permissioned PR All visible commits to convex-eth/platform are authored by C2tP-C2tP (GitHub ID 76080311) who has contributed since 2021 - over 5 years tenure. Most recent admin-permissioned commits (2026) are from the same long-standing developer. No short-tenure contributor making admin changes observed in publicly visible commit history.
RD-F-117 green ENS/NameStone identity bound to deployer c2tp.eth ENS name resolves to 0xAAc0aa431c237C2C0B5f041c8e59B3f1a43aC78F, which is a signer on the 3-of-5 Ethereum admin multisig. The deployer EOA itself does not have an ENS name, but the associated c2tp.eth address provides a persistent on-chain identity binding. ENS binding to a consistent 5-year pseudonym is a positive identity signal. Convex is EVM-native; U7 non-EVM exception does not apply.
RD-F-118 green Handle reuse across failed/rugged projects No evidence found that C2tP, Winthorpe, Benny, Tommy, or Sam social handles have been previously associated with rugged or failed projects under different aliases. Convex Finance is the only major protocol publicly associated with the C2tP identity. Winthorpe is associated with Convex and Resupply only. No alias cross-reference with rugged protocols found.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0x947B7742C403f20e5FaCcDAc5E092C943E7D0277 was first funded approximately 85 days before the 2021-05-17 deploy (funding tx: 0xf0e2d8407b4f45edc05395c46543c4bb2d84198d58b7f40115928227818c6433). Funder address 0xB0c412dD...34BAcaeBE has NO Tornado Cash or Railgun label on Etherscan. The 30-day pre-deploy window shows no mixer interaction in visible on-chain history. RD-F-124 is not triggered. Note: 85 days pre-funding is outside the 30-day window even if the funder wallet itself had received mixer funds (which it has not, per Etherscan labels).
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No OFAC SDN designation for deployer 0x947B7742 or c2tp.eth signer 0xAAc0aa431c237C2C0B5f041c8e59B3f1a43aC78F. No Chainalysis public report, Arkham label, or Nansen label links the Convex deployer or any named team member to DPRK/Lazarus cluster. Web search 'Convex Finance C2tP DPRK Lazarus North Korea' returns zero protocol-specific results. OZ 2021 disclosure raises anonymous-team concerns but no nation-state affiliation. The July 2023 Curve/Vyper attacker wallets that drained pools where Convex held LP positions are NOT team proximity (per U4 instruction: external attacker using cvxCRV as drain venue is not team contamination; route to Cat 5/11 only). Not triggered. Note: 2-hop and 3-hop traces require Chainalysis API access not available; assessed on best available public evidence.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of Convex Finance is an original protocol, not a fork. GitHub repo has no upstream fork relationship. The VoterProxy/Booster/gauge-staking mechanism was purpose-built for Curve's veCRV system. Pre-launch announcement (2021) and README confirm original design. No bytecode similarity to any prior protocol codebase. Profile §5 confirms: Forked from: Not forked / original protocol.
RD-F-127 n/a Upstream patch not merged Not applicable — Convex is an original protocol with no upstream fork source. No upstream codebase from which security patches could propagate.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable — Convex is an original protocol with no upstream fork. No upstream vulnerability disclosure in last 90 days can affect a non-forked original protocol via this factor.
RD-F-129 n/a Code divergence from upstream (%) Not applicable — Convex is an original protocol. No upstream to compute code divergence against.
RD-F-130 n/a Fork depth (generations from original audit) Not applicable — Convex is the original protocol, not a fork of any audited upstream. Fork depth (generations from original audit) is meaningless for an original protocol.
RD-F-131 n/a Fork retains upstream audit coverage Not applicable — Convex is an original protocol with no upstream. Audit coverage question (upstream audit + delta vs fresh audit) is not meaningful for a non-forked protocol.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable — Convex is an original protocol with no upstream. Economic parameter divergence from upstream (LTV, fee, collateral factor) cannot be assessed without an upstream reference.
RD-F-133 green Dependency manifest uses unpinned versions platform/contracts/package.json pins OpenZeppelin contracts at exact version 3.4.0 (no caret or tilde). This is the security-critical library. Development-only dependencies (Truffle, chai, hdwallet-provider) use caret ranges but these are not production security-critical. OZ being pinned exactly is the critical finding — green.
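The manifest check behind RD-F-133, written out so the production-versus-dev distinction the finding relies on is explicit: exact pins pass, caret/tilde/tag ranges are flagged, and a security-critical library (OpenZeppelin contracts, whose code is compiled into deployed bytecode) is treated as critical wherever it is listed, since Solidity projects often keep it under devDependencies. This is an added example, not the assessment's tooling; the sample manifest is constructed, and only the @openzeppelin/contracts 3.4.0 pin is taken from the report.

```python
"""Dependency-pin check for a package.json (RD-F-133 pattern).
Added example; the manifest below is constructed sample data."""
import json
import re

# Exact release or prerelease, e.g. 3.4.0 or 3.4.0-rc.1; anything else floats.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
# Libraries whose source ends up in deployed bytecode (assumed list, extend per project).
SECURITY_CRITICAL = {"@openzeppelin/contracts", "@openzeppelin/contracts-upgradeable"}
GRADE_ORDER = {"green": 0, "yellow": 1, "red": 2}


def classify_spec(spec):
    """'exact' for a pinned version; 'floating' for ranges, tags, wildcards, URLs."""
    return "exact" if EXACT_SEMVER.match(spec.strip()) else "floating"


def audit_manifest(manifest_text):
    """Return per-package findings for every floating spec and an overall grade:
    red if a security-critical library floats, yellow if any other runtime
    dependency floats, green if only dev tooling floats (or nothing does)."""
    manifest = json.loads(manifest_text)
    findings = []
    for section, base_severity in (("dependencies", "high"), ("devDependencies", "low")):
        for name, spec in manifest.get(section, {}).items():
            if classify_spec(spec) == "floating":
                # Critical libraries keep their severity regardless of section.
                severity = "critical" if name in SECURITY_CRITICAL else base_severity
                findings.append({"package": name, "section": section,
                                 "spec": spec, "severity": severity})
    grade = "green"
    for finding in findings:
        if finding["severity"] == "critical":
            grade = "red"
        elif finding["severity"] == "high" and GRADE_ORDER[grade] < GRADE_ORDER["yellow"]:
            grade = "yellow"
    return {"grade": grade, "findings": findings}


# Constructed manifest mirroring the report's finding: OZ pinned exactly, dev tooling
# caret-ranged. The dev versions are made up for the example.
PINNED_MANIFEST = json.dumps({
    "dependencies": {"@openzeppelin/contracts": "3.4.0"},
    "devDependencies": {"truffle": "^5.0.0", "chai": "^4.0.0",
                        "@truffle/hdwallet-provider": "^1.0.0"},
})
# Constructed counter-example: the critical library floats under devDependencies.
FLOATING_MANIFEST = json.dumps({
    "dependencies": {"some-runtime-lib": "~1.2.0"},
    "devDependencies": {"@openzeppelin/contracts": "^3.4.0", "chai": "latest"},
})

if __name__ == "__main__":
    print(audit_manifest(PINNED_MANIFEST))
    print(audit_manifest(FLOATING_MANIFEST))
```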
RD-F-134 green Dependency had malicious-release incident (last 90d) No GitHub Security Advisory or npm security bulletin found affecting @openzeppelin/contracts 3.4.0 (the primary security-critical dependency) in the last 90 days. Truffle and chai (dev-only, caret-ranged) have no malicious release advisories affecting the pinned versions in use.
RD-F-135 green Shared-library version with known-vuln status OZ 3.4.0 is an older release (2021). Advisory search found no high/critical active advisories for OZ 3.4.0 that apply to Convex's specific usage patterns (Booster/VoterProxy/reward pool architecture). Known OZ 3.4.x advisories primarily affect Governor, ERC721, and AccessControlEnumerable features not used by Convex core contracts.
Post-deploy hygiene & change mgmt Green 14 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Etherscan shows Source Code Verified -- Exact Match for all core contracts. However, no signed git tag ceremony or formal release-tag-to-bytecode attestation is publicly documented. GitHub repo latest commits (Oct 2025) are data/script updates, not contract changes. Core contracts unchanged since 2021-2022 deployment. Formal release-tag signing process not published.
RD-F-139 yellow Post-audit code changes without re-audit Two relevant events: (1) Dec 2021 OZ-disclosed rug-pull vulnerability patched 2021-12-14 without a standalone re-audit of the patch (OZ informal review covered the fix but no audit PDF published). (2) vlCVX v2 contract (CvxLockerV2, 0x72a19342...) deployed 2022-03-04 has no public audit; it is absent from all 7 official audits listed in docs. vlCVX v2 holds governance weight over ~$613M TVL. Peripheral wrapper contracts added 2022-2023 do have audits. Core Booster/VoterProxy/CVX have only the 2021 MixBytes audit.
RD-F-145 yellow Deployed bytecode reproducibility Etherscan exact-match source verification provides reasonable assurance. Compiler version Solidity 0.6.12 with stated optimization settings is documented. Full formal reproducibility requires local build from repo source. No formal reproducibility attestation or Docker/nix build environment published. Partial assurance from Etherscan exact-match.
RD-F-168 yellow Stale-approval exposure on deprecated router vlCVX v1 contract (0xD18140b...) was deprecated 2022-03; some users may retain token approvals to this contract. Platform docs do not include a dedicated revocation guide or revoke-notice. The v1 contract itself is empty (user funds migrated) so direct loss from stale approvals is low, but the hygiene gap exists. Cannot quantify without on-chain allowance scan.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant Convex is not a bridge so the factor applies only partially. Positive mitigants present: (1) Booster.shutdownSystem() callable by admin (via BoosterOwner, with 30-day forceShutdown delay for LP-mismatch emergency or directly for standard shutdown) enables an orderly withdrawal mode protecting user funds. (2) vlCVX.shutdown() callable by owner enables emergency withdrawal. No per-window outflow rate limiter on deposits. No independent chain-pause capability. Partial positive credit for protocol-level emergency shutdown capability.
RD-F-142 n/a Storage-layout collision risk across upgrades Not applicable. All core Convex contracts are non-proxy, non-upgradeable. No storage layout exists across upgrade versions for core contracts. The vlCVX v1 to v2 transition was a fresh redeployment (not an upgrade to the same proxy), so no storage collision risk applies.
RD-F-137 green Upgrade frequency (per 90 days) All core contracts are immutable and non-proxy; zero proxy upgrade events. New staking wrappers and sidechain modules are deployed as fresh contracts (not upgrades to existing proxies). Zero upgrades per 90 days. GitHub commits in last 90 days are data/script files only (last contract commit Oct 2025).
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No hot-patch deployments identified in the last 30 days. Core contracts are immutable. No proxy upgrade events found. GitHub commit history shows only data updates since Oct 2025 (last actual commit). No urgent hotfix deployments bypassing normal process found in available evidence.
RD-F-140 green Fix-merged-but-not-deployed gap The OZ 2021 vulnerability was patched and deployed 2021-12-14 (no gap). The vlCVX v1 reward bug was fixed in v2 deployed 2022-03-04 (no gap). No known PR-merged-but-not-deployed vulnerability gap identified in current state. Protocol has been operating for 5 years without further identified undeployed patches.
RD-F-141 green Test-mode parameters in deploy Booster, VoterProxy, CVX, and BoosterOwner are production contracts deployed May 2021 with 5 years of operation confirming production parameters. Fee ranges (10-15% cvxCRV, 3-6% CVX, 0-2% treasury, etc.) are within normal DeFi production ranges. No test-mode parameters identified. MixBytes 2021 audit covers this as part of general platform review.
RD-F-143 green Reinitializable implementation (no _disableInitializers) All core contracts (Booster, VoterProxy, CVX, CvxLockerV2, BoosterOwner) are non-proxy, non-upgradeable immutable contracts using constructors. No initialize() function; no _disableInitializers() requirement; no reinitializer risk. The proxy takeover attack vector (F143) does not apply to immutable contract architecture.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2-based deployment pattern found in core contracts. Standard CREATE deployment used for all core platform contracts (Booster, VoterProxy, CVX, BoosterOwner). Reward contracts for pools are deployed by factory contracts but not via CREATE2 in a way that permits same-address redeployment with different bytecode.
RD-F-146 green New contract deploys in last 30 days No new core contract deployments identified in the last 30 days. GitHub commits in the last 30 days are data/script files only (last commit Oct 2025). Protocol is in maintenance mode for core contracts. No fresh attack surface created recently.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Convex has no bridge surface. Profile §7 explicit: has_bridge_surface: false, is_a_bridge: false, cross_chain: false. Sidechain deployments (Fraxtal, Arbitrum, Polygon) are independent per-chain Booster instances with no Convex-operated cross-chain message path. This factor gates the rest of Cat 10; all remaining Cat 10 factors are not_applicable for the same reason.
RD-F-148 n/a Bridge validator count (M) No bridge; no validator set. Convex has no cross-chain bridge architecture.
RD-F-149 n/a Bridge validator threshold (k-of-M) No bridge; no validator threshold. Convex has no cross-chain bridge architecture.
RD-F-150 n/a Bridge validator co-hosting No bridge; no validator co-hosting question applicable. Convex has no cross-chain bridge architecture.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] Not applicable — Convex has no bridge; no ecrecover signature verification path exists in any Convex contract. The Wormhole-class ecrecover zero-address check is not applicable to a protocol with no cross-chain message signing.
RD-F-152 n/a Bridge binds message to srcChainId No bridge; no cross-chain message struct requiring srcChainId binding.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No bridge; no nonce-consumed mapping or replay protection needed.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL] Not applicable — Convex has no bridge; no Merkle root acceptance logic exists. The Nomad $190M bug class (default bytes32(0) valid root) is not applicable to a protocol with no cross-chain message verification.
RD-F-155 n/a Bridge validator-set rotation recency No bridge; no validator set rotation to assess.
RD-F-156 n/a Bridge uses same key custody for >30% validators No bridge; no validator key custodian structure to assess.
RD-F-157 n/a Bridge TVL per validator ratio No bridge; no bridge TVL/validator ratio to compute.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) No LayerZero OFT integration. Data cache confirms layerzero.present: false. Convex does not use LayerZero OFT for any token or cross-chain operation; DVN configuration assessment is not applicable.
Threat intelligence & recon Yellow 22 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol T-09 phase-2 signal (Tier C — advisory only, never flips grade solo). Applicable: Yes. Resupply (Convex/Yearn subDAO) was exploited June 26, 2025 for $9.5M via a donation attack (flash loan $4,000 USDC from Morpho, inflated cvcrvUSD price, borrowed $9.5M reUSD with 1 wei collateral). Attacker is not publicly attributed to Lazarus/DPRK — attack vector is an opportunistic donation/rounding exploit. Per U4 guidance: this is passive venue/infrastructure use by an unknown attacker, not team DPRK contamination. The July 2023 Curve/Vyper exploit ($70M) resulted in attacker fund flows through Curve pools that Convex held LP positions in — also a passive venue-use event. No confirmed direct touch of core Convex Booster/VoterProxy/vlCVX contracts by a Lazarus/DPRK-attributed cluster via public OSINT. Yellow: ecosystem-adjacent threat-actor touch at subDAO level; no confirmed core-contract touch by a known OFAC-designated cluster.
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Applicable. Convex Finance is a high-recognition DeFi brand (Curve Wars era, $613M TVL, convexfinance.com domain). Process-learnings: WHOIS/domain-registration lookups are a repeatable tool gap — production pipeline needs DomainTools API or similar. Web searches for specific typosquat domains targeting convexfinance.com returned no specific confirmed typosquat in 2024-2026. Registration-date-to-assessment-date delta: cannot compute without WHOIS access (tool gap acknowledged). Structural prior: base rate for lookalike-domain registration against top DeFi brands is high — Zscaler ThreatLabz found ~33% of 30,000 lookalike domains across top brands are malicious (Feb-Jul 2024 study period). Per process-learnings: for top-20 DeFi brands by recognition, F161 is almost always elevated. Yellow: structurally elevated risk, unconfirmed specific active domain, WHOIS tool gap explicitly acknowledged.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Applicable in principle. No mempool probe pattern (failing low-gas txs from threat-actor wallets) against Convex core contracts detected via public OSINT. Signal requires live mempool monitoring with a threat-actor cluster feed — not available for static T-10 assessment. Gray.
RD-F-162 gray Known-exploit-template selector deployed by any address Convex Booster is an original design — not a widely-forked template. Low applicability for known-exploit-template selector-pattern deployment. The Resupply June 2025 donation attack is a general DeFi pattern (ERC-4626 first-depositor inflation variant), not a Convex-specific exploit template. No Convex-specific exploit-template bytecode deployment detected in public OSINT. Signal requires a per-protocol-class exploit-template index; not maintained for Convex class. Gray.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols The USPD 78-day reconnaissance pattern applies to complex DeFi protocols with extended pre-strike preparation. Convex's 2021 OZ disclosure was discovered via white-hat audit, not attacker reconnaissance. The Resupply June 2025 exploit occurred 1.5 hours after new market deployment — extremely short lead time (opportunistic, not extended reconnaissance). No reconnaissance clock currently running against core Convex contracts per public OSINT. Signal requires hack DB + curator analysis for peer-class baseline. Gray — static posture metric, not assessable without peer-class DB baseline.
RD-F-164 gray Leaked credential on paste/sentry site Applicable. Convex runs infra endpoints (vote.convexfinance.com, docs.convexfinance.com). No public evidence of Convex credential dumps on paste/sentry sites found in search results. Team is anonymous — public key rotation and credential hygiene practices are opaque (no SIRT email, no security.md: security_md_present: false in data cache). Requires a paste-site/credential-dump monitoring feed for authoritative assessment. Gray pending that feed.
RD-F-165 gray Protocol social channel has scam-coordinator flag Applicable. Convex Discord (https://discord.com/invite/uAwvZfs9qU) is an active community channel. No specific scam-coordinator flagged in Convex Discord or Telegram in public OSINT searches. Scam-coordinator watchlist is a curator-maintained feed not available for static assessment. Gray pending curator social watchlist.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps Applicable. Convex platform repo (github.com/convex-eth/platform) last commit 2025-10-23. Data cache: foundry_toml_present: false, hardhat_config_present: false — limited dependency footprint for automated supply-chain attack. Core contracts are Solidity 0.6.12 with minimal external library dependencies. No GitHub security advisory specifically flagging a malicious dependency in the Convex platform codebase found in public sources for 2024-2026. No active malicious-dependency incident detected. Green.
Tooling / compiler / AI Green 17 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Mainnet core contracts compiled with Solidity v0.6.12+commit.27d51765 (confirmed via Etherscan Exact Match on Booster, VoterProxy, CvxLockerV2). Optimizer enabled at 200 runs. Solidity 0.6.12 was released 2020-07-22. Known applicable bugs for 0.6.12 with optimizer: StorageWriteRemovalBeforeConditionalTermination (medium severity, fixed 0.8.17) and KeccakCaching (medium severity, fixed 0.8.3). These are medium-severity risks; no high/critical bug confirmed applicable to the specific contract types deployed. Sidechain contracts use 0.8.10 (not EOL). Yellow for medium-severity known-bug exposure on the older compiler.
RD-F-174 yellow Dependency tree uses EOL Solidity version Mainnet contracts use Solidity 0.6.12 (last 0.6.x release, dated 2020-07-22). This is technically not EOL by a formal Solidity team declaration, but it is over 5 years old with no further security updates. No forward-compatibility patches exist. The sidechain platform uses 0.8.10, which is within the supported 0.8.x branch. OZ 3.4.0 dependency is compatible with 0.6.x. Yellow for the aging compiler with no further updates, though not formally declared EOL.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Not applicable — Convex is an original protocol with no audited upstream to compare against for AI-copy risk (bytecode similarity with behavioral deviation from an audited codebase).
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub commit history inspection of the last 15 commits (October 2025 through early 2024) found no AI-tool co-authorship metadata (no Co-authored-by: GitHub Copilot or similar trailers). Core contracts were developed pre-2022, before widespread AI coding tool adoption. Most recent commits are data/script changes, not security-critical contract changes.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure found of AI-generated Solidity in Convex production contracts. Team is anonymous/pseudonymous; no named individual public statements to search. Medium blog and Discord are primary channels; no AI-code disclosure found in any accessible posts. No disclosure on X/Twitter either.
Response & disclosure hygiene Yellow 33 4 of 4
RD-F-176 red Disclosure SLA public Bug bounty page states researchers must allow 'a reasonable amount of time' before public disclosure. No specific acknowledgment time SLA is quantified. 'Reasonable time' is vague and not a public SLA. No 72-hour or equivalent acknowledgment commitment. Only one significant prior disclosure (Dec 2021, mediated by Immunefi with no defined SLA window). Scored red: no quantified SLA published.
RD-F-175 yellow Disclosure channel exists Self-hosted bug bounty page exists at docs.convexfinance.com/convexfinance/faq/bug-bounties with contact email contact@convexfinance.com. Max payout $250,000. No Immunefi listing (data cache: bug_bounty.platform null). No SECURITY.md in GitHub repo (data cache: security_md_present false). The Dec 2021 OZ disclosure used Immunefi as a one-off intermediary, but there is no standing program. Channel exists but no evidence of active monitoring SLA or recent response. Scored yellow: channel present but no Immunefi backing, no standing program with verified response cadence.
RD-F-177 green Prior known-ignored disclosure No evidence of a disclosed vulnerability that was reported to the team and ignored before an exploit. Both known Convex-native disclosures were acted upon promptly: Dec 2021 OZ/Immunefi disclosure — multisig strengthened and patch deployed before details fully disclosed; Mar 2022 Popcorn team disclosure — v2 contract deployed same day. The Dec 2021 handling specifically prevented exploitation by strengthening the multisig before sharing vulnerability details — an exemplary pre-exploitation mitigation.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against Convex Finance core contracts. The Dec 2021 vulnerability was publicly disclosed via OZ's blog post (not filed as a formal CVE or GHSA advisory). GitHub Security Advisories search and NVD CVE database search for 'Convex Finance' return no relevant entries. All known vulnerabilities were responsibly disclosed, patched, and resolved before any exploitation.
rubric_version v1.7.0 graded_at 2026-05-16 02:41:30 factors 184 protocol convex-finance