Resolved-without-proof findings
Convex Finance's assessment for RD-F-003 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The OZ-disclosed critical vulnerability (Dec 2021, affecting PoolManagerV2/Booster/VoterProxy) was patched via commit 0b52856 before any exploitation. The fix is verifiable on-chain: BoosterOwner now controls Booster admin rights, and PoolManagerV2/V3 were added with LP/gauge validation guards. No evidence was found of audit findings marked resolved without a corresponding verifiable code change. The audit PDFs were not parseable (binary), so confidence in the full finding-resolution trace is low.
Sources
- Commit: OZ vulnerability patch: add pool manager layer with LP/gauge address checks (0b52856470c389a7ab496786583d200bcb03995a), retrieved 2026-05-16
- OpenZeppelin: $15B Rugpull Vulnerability in Convex Finance Uncovered and Resolved (OpenZeppelin $15B rugpull vulnerability disclosure), retrieved 2026-05-16
Methodology
Count the number of findings the audit report marks "Resolved" or "Fixed" where no matching on-chain bytecode change or verifiable commit can be found.