Static-analyzer high-severity count
Convex Finance's assessment for RD-F-010 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No published Slither/Mythril output was found. Source inspection reveals: (1) BaseRewardPool has no nonReentrant modifier on getReward(), which calls external reward token contracts; (2) Booster earmarkRewards() performs external CRV-claim calls before its state updates are complete; (3) ExtraRewardStashV3 initialize() lacks the OpenZeppelin initializer modifier. These patterns would likely surface as medium-to-high Slither detectors. No tool run was performed; confidence is low.
Sources
- GitHub: Convex BaseRewardPool.sol source (no reentrancy guards confirmed). BaseRewardPool.sol - no nonReentrant on getReward(). Retrieved 2026-05-16.
- Convex Booster.sol source (no reentrancy guards confirmed). Booster.sol - no nonReentrant on deposit/earmark. Retrieved 2026-05-16.
Methodology
Count the number of unique high-severity detector findings from Slither + Mythril + Semgrep run against the deployed verified source (after deduplication across tools).
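The counting step described above, as an added example (not the curator's tooling and not Convex code). It assumes each tool's output has already been reduced to tool, rule, severity, file and function, and that findings match across tools when they share a file, function and weakness class; the rule-to-class mapping, the Semgrep rule ids and the sample rows are constructed.

```python
from collections import defaultdict

# Assumed mapping from (tool, rule id) to a shared weakness class, so the same
# issue reported by several tools collapses to one finding. The Semgrep rule
# ids here are hypothetical; the page does not say how matches are made.
RULE_TO_CLASS = {
    ("slither", "reentrancy-eth"): "SWC-107",
    ("mythril", "107"): "SWC-107",
    ("semgrep", "example.reentrancy"): "SWC-107",
    ("slither", "suicidal"): "SWC-106",
    ("mythril", "106"): "SWC-106",
}
# Severity labels counted as high; treating Semgrep ERROR as high is an assumption.
HIGH_LABELS = {"high", "error"}

def unique_high(findings):
    """Map (file, function, class) -> sorted tools, for high-severity rows only."""
    merged = defaultdict(set)
    for tool, rule, severity, path, function in findings:
        if severity.lower() not in HIGH_LABELS:
            continue
        # Unmapped rules keep a tool-specific class so they are never merged
        # with another tool's finding by accident.
        cls = RULE_TO_CLASS.get((tool, rule), f"{tool}:{rule}")
        merged[(path, function, cls)].add(tool)
    return {key: sorted(tools) for key, tools in merged.items()}

# Constructed sample rows (tool, rule, severity, file, function); not real tool
# output and not findings against any deployed contract.
SAMPLE = [
    ("slither", "reentrancy-eth", "High", "Vault.sol", "withdraw"),
    ("mythril", "107", "High", "Vault.sol", "withdraw"),
    ("semgrep", "example.reentrancy", "ERROR", "Vault.sol", "withdraw"),
    ("slither", "reentrancy-eth", "High", "Vault.sol", "claim"),
    ("slither", "suicidal", "High", "Vault.sol", "kill"),
    ("mythril", "106", "High", "Vault.sol", "kill"),
    ("slither", "reentrancy-benign", "Low", "Vault.sol", "claim"),
    ("semgrep", "example.unmapped", "ERROR", "Vault.sol", "kill"),
]

if __name__ == "__main__":
    result = unique_high(SAMPLE)
    for (path, function, cls), tools in sorted(result.items()):
        print(f"{path}:{function} {cls} reported by {', '.join(tools)}")
    print("unique high-severity findings:", len(result))
```

On the sample, seven high-severity rows reduce to four unique findings; the unmapped Semgrep rule stays separate instead of being folded into the other finding on the same function.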