Prior known-ignored disclosure

Convex Finance's assessment for RD-F-177 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence of a disclosed vulnerability that was reported to the team and ignored before an exploit. Both known Convex-native disclosures were acted upon promptly: Dec 2021 OZ/Immunefi disclosure — multisig strengthened and patch deployed before details fully disclosed; Mar 2022 Popcorn team disclosure — v2 contract deployed same day. The Dec 2021 handling specifically prevented exploitation by strengthening the multisig before sharing vulnerability details — an exemplary pre-exploitation mitigation.

Sources #

URL
OpenZeppelin: Convex Finance Vulnerability DisclosureOZ disclosure documenting prompt response: multisig strengthened before details shared, patch deployed same dayretrieved 2026-05-16
URL
Vote-Locked CVX Contract Migration — Convex Finance MediumvlCVX migration post confirming Popcorn disclosure was acted on promptly — no instances of bug being used before v2 deploymentretrieved 2026-05-16

Methodology #

Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-177 score green collected_at 2026-05-16 02:41:28