Shared-library version with known-vuln status

Convex Finance's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 3.4.0 is an older release (2021). Advisory search found no high/critical active advisories for OZ 3.4.0 that apply to Convex's specific usage patterns (Booster/VoterProxy/reward pool architecture). Known OZ 3.4.x advisories primarily affect Governor, ERC721, and AccessControlEnumerable features not used by Convex core contracts.

Sources #

GitHub
OpenZeppelin CHANGELOG (3.4.x security context)OZ changelogretrieved 2026-05-16
URL
GitHub Security Advisories (OZ 3.4.0 - no high/critical applicable advisory found)GitHub Advisory Database for openzeppelin/openzeppelin-contractsretrieved 2026-05-16

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-135 score green collected_at 2026-05-16 02:41:28