★ Audit scope mismatch

Convex Finance's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MixBytes (2021-04) audited original platform pre-launch. Post-audit OZ-disclosed vulnerability patch (commit 0b52856, Dec 2021) added PoolManagerV2/V3 guard layer. CvxLockerV2 (deployed March 2022) and 2024 treasury lending module have no identified public audit. Core Booster (0xF403C1) is non-upgradeable and Etherscan-verified with Exact Match, so it cannot drift post-audit, but wrapper contracts added after MixBytes scope lack audit coverage. No single commit SHA pinned in accessible audit entries.

Sources #

Commit
OZ vulnerability patch: add pool manager layer with LP/gauge address checks0b52856470c389a7ab496786583d200bcb03995aretrieved 2026-05-16
Audit
Convex Platform Security Audit Report (MixBytes 2021)MixBytes 2021-04 platform auditretrieved 2026-05-16
Etherscan
Convex Booster contract source verification (Etherscan)Booster 0xF403C135812408BFbE8713b5A23a04b3D48AAE31 Exact Match verificationretrieved 2026-05-16

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-001 score yellow collected_at 2026-05-16 02:41:28