defirisk.co
rubric v1.7.0

Reentrancy guard on external-calling functions

Convex Finance's assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CvxLockerV2 applies `nonReentrant` to `lock()`, `processExpiredLocks()`, `kickExpiredLocks()` and `getReward()`. However, the mainnet Booster (0xF403C1, 0.6.12) has no `nonReentrant` guards on `deposit()`, `withdraw()` or `earmarkRewards()`, despite these functions performing external calls. BaseRewardPool.sol likewise has no `nonReentrant` on `stake()`, `withdraw()` or `getReward()`. The sidechain Booster (0.8.10) does have `nonReentrant` guards. The absence of reentrancy guards on the primary $613M TVL contract is a notable gap, mitigated by the fact that the CRV, CVX and LP tokens are not ERC-777 and have no callbacks.

Sources

Methodology

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.
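
A heuristic version of this check, added here as an example; it is not defirisk's tooling and not Convex code. The Solidity sample, its function names and the regex markers for "external call" are assumptions constructed for illustration.

```python
import re
# Constructed Solidity sample (hypothetical contract, not Convex source).
SAMPLE = """
contract Vault {
    function deposit(uint256 amt) external {
        token.safeTransferFrom(msg.sender, address(this), amt);
        balance[msg.sender] += amt;
    }
    function withdraw(uint256 amt) external nonReentrant {
        balance[msg.sender] -= amt;
        token.safeTransfer(msg.sender, amt);
    }
    function sweep(address to) external onlyOwner {
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok);
    }
    function setFee(uint256 f) external onlyOwner { fee = f; }
    function balanceOf(address a) external view returns (uint256) {
        return IERC20(token).balanceOf(a);
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
# Heuristic markers: low-level calls, token transfers, IFoo(addr).bar(...) casts.
EXT_CALL = re.compile(
    r"\.(?:call|delegatecall|send|transfer|safeTransfer|safeTransferFrom)\s*[({]"
    r"|\b[A-Z]\w*\([^()]*\)\s*\.\w+\s*\(")
SKIP = re.compile(r"\b(?:view|pure|internal|private)\b")

def body_at(src, start):
    """Return the brace-balanced block that opens at src[start] == '{'."""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return src[start:]

def unguarded(src, guards=("nonReentrant",)):
    """Names of state-mutating entry points that call out with no guard."""
    hits = []
    for m in FUNC.finditer(src):
        name, header = m.group(1), m.group(2)
        if SKIP.search(header) or any(re.search(rf"\b{g}\b", header) for g in guards):
            continue
        if EXT_CALL.search(body_at(src, m.end() - 1)):
            hits.append(name)
    return hits
```

The `guards` parameter covers the "equivalent reentrancy guard" case by accepting other modifier names. The scan does not follow external calls made through internal helpers, and whether the called token can actually call back still has to be judged separately.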


rubric_version: v1.7.0
protocol: convex-finance
factor: RD-F-014
score: yellow
collected_at: 2026-05-16 02:41:28