Post-exploit response score
Convex Finance's assessment for RD-F-081 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Dec 2021 OZ event: exemplary handling — Immunefi-mediated approach; multisig strengthened (publicly known parties added) before full vulnerability details shared with team; patch deployed same day. Mar 2022 vlCVX: rapid same-day public communication and v2 contract deployment; however, the Medium post is a migration guide, not a full post-mortem (no code diff, no timeline, no root-cause analysis depth). Scored yellow: strong response process but Mar 2022 post-mortem quality below 5/5 due to missing root-cause depth and code diff.
Sources
- Vote-Locked CVX Contract Migration — Convex Finance Medium. Convex vlCVX migration post — same-day publication but migration-guide format, not full post-mortem. Retrieved 2026-05-16.
- OpenZeppelin: Convex Finance Vulnerability Disclosure. OZ public disclosure documenting the disclosure process (Immunefi intermediary, multisig strengthening before details shared). Retrieved 2026-05-16.
Methodology
Curator-score (1–5) the most recent incident response on: compensation completeness, transparency of disclosure, root-cause analysis depth, and operational recovery speed.