★ Post-audit code changes without re-audit

Convex Finance's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two relevant events: (1) Dec 2021 OZ-disclosed rug-pull vulnerability patched 2021-12-14 without a standalone re-audit of the patch (OZ informal review covered the fix but no audit PDF published). (2) vlCVX v2 contract (CvxLockerV2, 0x72a19342...) deployed 2022-03-04 has no public audit; it is absent from all 7 official audits listed in docs. vlCVX v2 holds governance weight over ~$613M TVL. Peripheral wrapper contracts added 2022-2023 do have audits. Core Booster/VoterProxy/CVX have only the 2021 MixBytes audit.

Sources #

Docs
Convex Finance -- AuditsAudits page: 7 audits listed; no vlCVX v2 (CvxLockerV2) audit in listretrieved 2026-05-16
URL
Convex Finance -- vlCVX Contract Migration BlogvlCVX v2 migration blog: no audit mentioned for new contractretrieved 2026-05-16
URL
OpenZeppelin -- Convex Finance Vulnerability DisclosureOZ disclosure: vulnerability patched 2021-12-14; no re-audit mentioned; patch was OZ-reviewed informallyretrieved 2026-05-16

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-139 score yellow collected_at 2026-05-16 02:41:28