Fix-merged-but-not-deployed gap

Convex Finance's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The OZ 2021 vulnerability was patched and deployed 2021-12-14 (no gap). The vlCVX v1 reward bug was fixed in v2 deployed 2022-03-04 (no gap). No known PR-merged-but-not-deployed vulnerability gap identified in current state. Protocol has been operating for 5 years without further identified undeployed patches.

Sources #

URL
OpenZeppelin -- Convex Finance Vulnerability DisclosureOZ disclosure confirms patch was deployed 2021-12-14 before any exploitationretrieved 2026-05-16
URL
Convex Finance -- vlCVX Contract Migration BlogvlCVX v2 deployed 2022-03-04 as fix for v1 reward bugretrieved 2026-05-16

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-140 score green collected_at 2026-05-16 02:41:28