Ignored bounty disclosure

Convex Finance's assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence of a disclosed vulnerability that was reported and ignored before exploitation. The 2021 OZ disclosure was acted on within days (patched 2021-12-14, zero exploitation). The 2022 vlCVX v1 bug was disclosed by Popcorn team, Convex redeployed v2 before any exploitation. Both cases show prompt response to disclosures.

Sources #

URL
Convex Finance: vlCVX migration - no fund loss confirmedvlCVX v1 migration blog - no exploitationretrieved 2026-05-16
URL
OpenZeppelin: Convex vulnerability patched Dec 14 2021, zero exploitationOZ vulnerability disclosure - patched before exploitationretrieved 2026-05-16

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-008 score green collected_at 2026-05-16 02:41:28