★ Sudden admin-rescue/ACL change without discussion
Convex Finance's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Two historical admin/contract-change events reviewed.
(1) March 2022 vlCVX redeployment: announced and executed same day via Medium post; no Snapshot vote or GitHub issue preceded the migration; emergency-response context (responsible bug disclosure, no funds at risk), but zero pre-execution community discussion window.
(2) December 2021 OZ vulnerability patch (commit 0b52856): emergency fix under Immunefi-mediated adversarial disclosure constraints; no public pre-discussion.
Neither event was a silent, unexplained admin-rescue or ACL reassignment; both had documented emergency-disclosure drivers and public same-day communications. No Snapshot governance vote has ever covered a core contract migration (Snapshot is reserved for gauge-weight/gauge-additions votes).
Yellow: governance hygiene gap (no pre-execution discussion path exists) but no silent-exploit-motivated change identified.
Sources
- Commit: Convex Platform patch commit (OZ vulnerability fix). GitHub commit 0b52856470c389a7ab496786583d200bcb03995a - the patch commit for the OZ-disclosed vulnerability. Retrieved 2026-05-16.
- Vote-Locked CVX Contract Migration - Convex Finance Medium. Convex Finance Medium post announcing vlCVX redeployment on same day as execution (2022-03-04); no prior discussion referenced. Retrieved 2026-05-16.
- $15 Billion Rugpull Vulnerability Uncovered and Resolved - OpenZeppelin. OpenZeppelin disclosure of December 2021 patch; confirms emergency patch executed under Immunefi mediation without prior public discussion. Retrieved 2026-05-16.
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.