Same-root-cause repeat exploit

Convex Finance's assessment for RD-F-079 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two Convex-native events have distinct root causes: (1) Dec 2021 — multisig access control gap in VoterProxy/Booster combination (admin-key-posture class); (2) Mar 2022 — reward-accounting logic flaw in vlCVX Locker v1 (arithmetic/state-update class). No same-root-cause repeat. Both $0 user-fund loss.

Sources #

URL
OpenZeppelin: Convex Finance Vulnerability DisclosureOZ disclosure — access control root cause (2-of-3 multisig could access LP tokens)retrieved 2026-05-16
URL
Vote-Locked CVX Contract Migration — Convex Finance MediumvlCVX migration — reward accounting root cause (expired locks could relock to new address, claim excess cvxCRV rewards)retrieved 2026-05-16

Methodology #

Determine whether the protocol has been exploited ≥2 times via the same root-cause cluster.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-079 score green collected_at 2026-05-16 02:41:28