Deployed bytecode matches signed release tag

Convex Finance's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Etherscan shows Source Code Verified -- Exact Match for all core contracts. However, no signed git tag ceremony or formal release-tag-to-bytecode attestation is publicly documented. GitHub repo latest commits (Oct 2025) are data/script updates, not contract changes. Core contracts unchanged since 2021-2022 deployment. Formal release-tag signing process not published. [?]

Sources #

Etherscan
Booster -- Etherscan Source VerificationBooster 0xF403C1... -- Source Code Verified, Exact Matchretrieved 2026-05-16
GitHub
Convex Platform -- GitHub commitsconvex-eth/platform commits -- last contract-relevant commit 2024; no signed release tags foundretrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-136 score yellow collected_at 2026-05-16 02:41:28