Flash loan >$10M targeting protocol tokens

Convex Finance's assessment for RD-F-100 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

T-09 phase-2 signal. Applicable in principle. No flash-loan exploit against core Convex contracts (Booster, VoterProxy, vlCVX) detected. The Resupply June 2025 exploit ($9.5M) used a $4,000 USDC Morpho flash loan but targeted a newly deployed Resupply vault — a separate protocol that is a Convex/Yearn subDAO. Resupply is not the Convex Booster. vlCVX 16-week lock prevents flash-loan governance takeover (cannot acquire vlCVX within a single block). No ongoing flash-loan targeting pattern detected. Green.

Sources #

URL
Voting and Gauge Weights — ConvexFinanceConvex governance docs — vlCVX 16-week lock requirement preventing flash-loan governance attacksretrieved 2026-05-16
URL
Resupply Hack Analysis — QuillAuditsQuillAudits Resupply hack analysis — donation attack via $4,000 Morpho flash loan on Resupply vault, not Convex Boosterretrieved 2026-05-16

Methodology #

Detect whether a flash loan >$10M denominated in protocol tokens or LP tokens has originated, likely to interact with this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-100 score green collected_at 2026-05-16 02:41:28