Known-threat-actor cluster has touched protocol
Convex Finance's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
T-09 phase-2 signal (Tier C — advisory only, never flips grade solo). Applicable: Yes. Resupply (Convex/Yearn subDAO) was exploited June 26, 2025 for $9.5M via a donation attack (flash loan $4,000 USDC from Morpho, inflated cvcrvUSD price, borrowed $9.5M reUSD with 1 wei collateral). Attacker is not publicly attributed to Lazarus/DPRK — attack vector is opportunistic donation/rounding exploit. Per U4 guidance: this is passive venue/infrastructure use by an unknown attacker, not team DPRK contamination. The July 2023 Curve/Vyper exploit ($70M) resulted in attacker fund flows through Curve pools that Convex held LP positions in — also a passive venue-use event. No confirmed direct touch of core Convex Booster/VoterProxy/vlCVX contracts by a Lazarus/DPRK-attributed cluster via public OSINT. Yellow: ecosystem-adjacent threat-actor touch at subDAO level; no confirmed core-contract touch by known OFAC-designated cluster.
Sources #
- URLResupply Hack Analysis — QuillAuditsQuillAudits — Resupply hack analysis: donation attack via Morpho flash loan on newly deployed wstUSR vaultretrieved 2026-05-16
- Convex Yearn subDAO Resupply $9.5M exploit — InvezzInvezz — Convex Yearn DeFi tokens fall after subDAO Resupply loses $9.5M in exploit, June 26, 2025retrieved 2026-05-16
- Curve Finance Liquidity Pool Hack — ChainalysisChainalysis — Curve Finance July 2023 liquidity pool hack via Vyper re-entrancy, attacker fund flows through Curve pools including Convex-held positionsretrieved 2026-05-16
Methodology #
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
See the full factor methodology and distribution across all protocols →