Prior exploit count

Convex Finance's assessment for RD-F-077 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two Convex-native operational events in ~60 months, both $0 user-fund loss: (1) Dec 2021 OZ responsible disclosure of VoterProxy/Booster multisig-access vulnerability — patched before any exploitation; (2) Mar 2022 vlCVX Locker v1 reward-accounting bug — responsibly disclosed by Popcorn team before exploitation, v2 deployed same day. Realized-loss exploit count = 0. Bent Finance (Dec 2021, ~$1.75M) is a SEPARATE protocol incident, excluded. ResupplyFi (Jun 2025, ~$9.8M) is a separate protocol built by Convex-affiliated team, not a Convex-contract exploit — excluded per disambiguation in 00-profile.md §10 and rekt.news confirmation.

Sources #

URL
OpenZeppelin: $15B Rugpull Vulnerability in Convex Finance Uncovered and ResolvedOZ public disclosure of Dec 2021 VoterProxy/Booster vulnerability — $0 actual lossretrieved 2026-05-16
URL
ResupplyFi Rekt — rekt.newsResupplyFi rekt.news confirms exploited contracts belonged to ResupplyFi not Convexretrieved 2026-05-16
Internal
Bent Finance hacks DB entry — separate protocol disambiguationhacksdatabase/hacks/bent-finance.md confirms Bent Finance is a separate protocol (insider exploit, not a Convex exploit)retrieved 2026-05-16
URL
Vote-Locked CVX Contract Migration — Convex Finance MediumConvex vlCVX migration announcement — $0 user fund loss, responsible disclosure by Popcorn teamretrieved 2026-05-16

Methodology #

Count the number of distinct incidents in the hack database affecting this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-077 score green collected_at 2026-05-16 02:41:28