Dependency graph (protocols depended upon)
Convex Finance's assessment for RD-F-050 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Convex's critical external dependency on Curve Finance (GaugeController, Minter, VotingEscrow, per-pool gauges) has no in-protocol fallback. The VoterProxy holds ~418M veCRV and calls Curve's gauge system on every reward cycle. Booster is non-upgradeable (Solidity 0.6.12 immutable). If Curve migrates or changes its gauge architecture, Convex's yield halts without a migration path. Secondary dependencies: Frax Finance (veFXS) for <2% TVL; Prisma Finance (sunset December 2024 — stranded cvxPRISMA); f(x) Protocol; Resupply.fi (associated but separate — exploited June 2025). The July 2023 Curve/Vyper reentrancy incident materialized this risk for specific pools.
Sources
- LlamaRisk — Curve/Vyper July 2023 Post-mortem: Curve/Vyper July 2023 reentrancy post-mortem confirms that Convex-deposited LP positions in affected pools were exposed via Curve-side bug; Convex's own contracts were not exploited but dependency exposure materialized. Retrieved 2026-05-16.
- Convex Finance Platform Contracts — CurveVoterProxy.sol: convex-eth/platform — CurveVoterProxy.sol calls Curve VotingEscrow, GaugeController, and Minter; no fallback internal to Convex if these contracts change. Retrieved 2026-05-16.
- Convex Finance — Risks: Convex risks docs explicitly list Curve.fi and Frax Finance as load-bearing external dependencies; users are subject to any risks associated with these platforms. Retrieved 2026-05-16.
Methodology
List all external protocols whose failure would directly impair this protocol (LST providers, bridges, stablecoin issuers, keepers).