defirisk.co
rubric v1.7.0

Auditor re-engaged after last exploit

Convex Finance's assessment for RD-F-083 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

After the Mar 2022 vlCVX v1 redeploy, the replacement v2 contract (0x72a19342e8F1838460eBFCCEf09F6585e32db86E) was deployed without a public audit. Profile §8 notes that the MixBytes 2021 audit covers the original platform only; the subsequent PeckShield audits (2022-2023) cover Frax staking, the OhmSync wrapper, and the sidechain; the Nomoi 2023 audits cover the cvxCRV wrapper and the sidechain; and the ChainSecurity 2023 audit covers the Silo wrapper. None of these audit reports appears to cover the core vlCVX Locker v2 contract specifically. Yellow: other audits exist, but the specific replaced contract lacks public audit confirmation.

Sources

  • Internal
    Convex Finance Protocol Profile §8 — Audit note on vlCVX v2
    00-profile.md §8 note: MixBytes 2021 covers original platform only; no audit covers CVX Locker v2 deployed after March 2022 redeployment
    retrieved 2026-05-16
  • Docs
    Audits — Convex Finance Docs
    Convex Finance audit list — 7 audits enumerated, none explicitly covering vlCVX Locker v2
    retrieved 2026-05-16

Methodology

Determine whether a reputable auditor performed a re-audit or incident review after the most recent exploit.

rubric_version: v1.7.0
protocol: convex-finance
factor: RD-F-083
score: yellow
collected_at: 2026-05-16 02:41:28