defirisk.co
rubric v1.7.0

Permissionless-pool lending oracle

Convex Finance's assessment for RD-F-181 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Convex is a staking/wrapper protocol (protocol_type: YIELD), not a lending protocol. No lending market, no collateral acceptance logic, no borrow mechanics, and no oracle acceptance logic for loan-to-value computation exist in Convex's own contracts. The Resupply.fi June 2025 exploit involved a permissionless-pool-like attack on an associated lending protocol's ERC-4626 wrapper using Convex-staked tokens as collateral — that exploit occurred in Resupply's contracts, not Convex's.

Sources #

  • URL
    QuillAudits — Resupply Hack: Donation Attack $9.5MResupply June 2025 $9.5M exploit analysis confirms the attack targeted Resupply's own cvcrvUSD ERC-4626 wrapper; Convex's Booster, VoterProxy, and BaseRewardPool were not involved in the exploitretrieved 2026-05-16
  • Docs
    Convex Finance Primary DocsConvex Finance is a yield optimizer / staking wrapper for Curve LP tokens; no lending or borrowing functionality in core protocolretrieved 2026-05-16

Methodology #

Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-181 score not_applicable collected_at 2026-05-16 02:41:28