defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Convex Finance's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Applicable. The Convex platform repo (github.com/convex-eth/platform) had its last commit on 2025-10-23. Data cache: foundry_toml_present: false, hardhat_config_present: false, so the dependency footprint exposed to an automated supply-chain attack is limited. Core contracts are Solidity 0.6.12 with minimal external library dependencies. No GitHub security advisory specifically flagging a malicious dependency in the Convex platform codebase was found in public sources for 2024-2026. No active malicious-dependency incident detected. Green.

Sources

  • GitHub
    Convex Finance Platform Repository — GitHub, convex-eth/platform. GitHub repository, last commit 2025-10-23, foundry and hardhat configs absent. Retrieved 2026-05-16.
  • Internal
    Convex Finance data cache — GitHub metadata, research/protocols/convex-finance/00-data-cache.json. github.foundry_toml_present: false, github.hardhat_config_present: false. Retrieved 2026-05-16.

Methodology

Determine whether a published security advisory flags a malicious release in any dependency consumed by this protocol's codebase.


rubric_version: v1.7.0
protocol: convex-finance
factor: RD-F-160
score: green
collected_at: 2026-05-16 02:41:28