Quorum achievable via single-entity flash loan

crvUSD (Curve Stablecoin)'s assessment for RD-F-037 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Flash loan attack on quorum is not possible (veCRV non-flash-loanable per F036). However, Convex Finance controls approximately 42% of circulating veCRV — a single meta-protocol entity could sway or pass governance votes if allied with other large holders. 30% quorum is structurally achievable by Convex alone if it voted entirely one direction. This is a governance concentration risk, not a technical exploit vector.

Sources #

URL
Governance of DeFi Giant Curve in Flux as Convex Exerts Control (The Defiant)Convex controls ~42% of total veCRV in circulation as of 2024-2025retrieved 2026-05-16
Docs
Curve DAO Governance and Voting30% minimum quorum for Ownership votes per Curve DAO docsretrieved 2026-05-16

Methodology #

Determine whether the governance quorum threshold is ≤ the largest available flash-loan notional in the governance token at reference DEX depth.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-037 score yellow collected_at 2026-05-16 19:09:40