★ Rescue/emergencyWithdraw without timelock
Convex Finance's assessment for RD-F-041 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No rescue() or emergencyWithdraw() function exists on Booster or VoterProxy. CvxLockerV2 has recoverERC20() callable by owner (admin multisig) but explicitly restricted to tokens accidentally sent -- not user-deposited CVX (which cannot be transferred this way). Admin docs confirm multisig does not have direct access to user deposits. BoosterOwner forceShutdown path has 30-day delay and only enables orderly withdrawal mode, not fund extraction.
Sources
- Docs: Convex Finance -- Multisig Admin Rights. Admin controls explicitly state: multisig does NOT have direct access to user deposits (retrieved 2026-05-16)
- Convex Booster.sol -- GitHub source. Booster.sol: no rescue/emergencyWithdraw/sweep/skim functions present (retrieved 2026-05-16)
Methodology
Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.
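A first-pass triage for this check, as an added example (not part of the assessment or of Convex's code): a heuristic Python scan of Solidity source that lists externally callable rescue-style functions and flags those that are admin-gated with no visible delay. The modifier names, the `msg.sender == owner` pattern and the sample contract are assumptions; a hit still needs manual review, since a timelock may sit in the owning contract rather than in the function.

```python
import re

# Heuristic patterns; modifier and variable names are assumed conventions.
SUSPECT = re.compile(r"(rescue|emergencyWithdraw|sweep|skim|recover)", re.I)
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
ADMIN = re.compile(r"only(Owner|Admin|Governance|Role)|msg\.sender\s*==\s*\w*(owner|admin)", re.I)
DELAY = re.compile(r"timelock|delay", re.I)

def strip_comments(src):
    # Drop block and line comments so commented-out code is not reported.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def body_from(src, brace):
    # Return the brace-balanced function body starting at index `brace`.
    depth = 0
    for i in range(brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[brace:i + 1]
    return src[brace:]

def find_rescue_paths(src):
    src = strip_comments(src)
    out = []
    for m in FUNC.finditer(src):
        name, header = m.group(1), m.group(2)
        if not SUSPECT.match(name) or re.search(r"\b(internal|private)\b", header):
            continue  # unrelated name, or not reachable from outside
        text = header + body_from(src, m.end() - 1)
        out.append({"function": name,
                    "admin_gated": bool(ADMIN.search(text)),
                    "delayed": bool(DELAY.search(text))})
    return out

def needs_review(src):
    return [f["function"] for f in find_rescue_paths(src)
            if f["admin_gated"] and not f["delayed"]]

# Constructed sample contract for illustration; not Convex code.
SAMPLE = """
contract SampleVault {
    // function rescue() external {}
    function emergencyWithdraw(address to) external { require(msg.sender == owner, "!auth"); token.transfer(to, 1); }
    function rescueTokens(address t) external onlyOwner afterTimelock { IERC20(t).transfer(owner, 1); }
    function sweepDust() internal {}
}
"""
```
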