defirisk.co
rubric v1.7.0

Admin has mint() with unlimited max

Convex Finance's assessment for RD-F-042 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CVX token mint() is callable only by the designated operator (currently the VoterProxy / vecrvProxy, not the admin multisig). Max supply is hard-coded at 100M CVX (100*1000000*1e18). Current supply approximately 97.5M (~97.5% of cap). Declining cliff-emission schedule enforced on-chain; no admin path to override the cap or mint beyond it. Admin multisig has no mint authority.

Sources #

  • Etherscan
    CVX Token -- EtherscanCVX Token 0x4e3FBD56CD56c3e72c1403e103b45Db9da5B9D2B -- verified source; total supply ~97.5Mretrieved 2026-05-16
  • GitHub
    Convex Cvx.sol -- GitHub sourceCvx.sol: maxSupply = 100*1000000*1e18; mint() requires msg.sender == operator; operator != admin multisigretrieved 2026-05-16

Methodology #

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-042 score green collected_at 2026-05-16 02:41:28