Omniscia Convex Finance Due Diligence
Manual Analysis
Original Audit Coverage
The Convex Finance team has undergone a single security audit, produced by MixBytes(). The report is dated the 19th of April, 2021, whereas the project launched on the 17th of May, 2021, indicating that some of the currently live code may not have undergone a security audit.
To identify these contracts, we performed a delta check between the contracts' code at the final commit hash of the audit and the live code. Using this method, we were able to identify the following contracts containing un-audited code:
| Contract | Change Identified |
|---|---|
| Booster | Introduction of graceful error handling, introduction of gauge mapping for PoolManager, removal of time threshold enabling mints |
| VoterProxy | Introduction of graceful error handling, arbitrary call execute function |
| Cvx | Increase of total supply to 100 million from 10 million, gas optimizations |
| cCrv | Rename from Convex Crv & cCrv to Convex CRV & cvxCRV |
| CrvDepositor | Logical changes across the board |
| RewardFactory | Introduction of an active reward list |
| StashFactory | Support for V3 gauges |
| cvxRewardPool | Support for re-staking rewards to the Base Reward Pool of cvxCRV |
| BaseRewardPool | Unwrapping logic adjustment and queued reward calculation |
| PoolManager | Usage of gauge mapping to avoid loop |
Additionally, the following contracts are considered completely out of scope and did not exist when the audit was conducted:
This means that a decent portion of the codebase was never officially audited and may therefore contain undiscovered issues.
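A minimal sketch of such a delta check, added here as an illustration and not taken from Omniscia's or Convex's tooling. The file names and Solidity snippets are constructed; comments and whitespace are ignored so that only code changes are reported, and files absent from the audited tree are flagged separately, matching the out-of-scope category above.

```python
import hashlib
import re

# String literals are matched first so "//" inside a string is never treated as a comment.
_STR = r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''
_STRIP = re.compile(_STR + r"|/\*.*?\*/|//[^\n]*|\s+", re.S)

def normalize(source: str) -> str:
    """Drop comments and collapse whitespace outside string literals."""
    keep = lambda m: m.group(0) if m.group(0)[0] in "\"'" else " "
    once = _STRIP.sub(keep, source)         # pass 1: comments and whitespace -> " "
    return _STRIP.sub(keep, once).strip()   # pass 2: merge the resulting space runs

def fingerprint(source: str) -> str:
    return hashlib.sha256(normalize(source).encode()).hexdigest()

def delta_check(audited: dict, live: dict) -> dict:
    """Classify each file by comparing the audited tree with the live tree."""
    report = {"unchanged": [], "modified": [], "unaudited_new": [], "removed": []}
    for name in sorted(set(audited) | set(live)):
        if name not in audited:
            report["unaudited_new"].append(name)   # did not exist at audit time
        elif name not in live:
            report["removed"].append(name)
        elif fingerprint(audited[name]) == fingerprint(live[name]):
            report["unchanged"].append(name)       # cosmetic differences only
        else:
            report["modified"].append(name)        # needs manual review
    return report

# Constructed sample trees (not real project code): {file name: source at that commit}.
AUDITED = {
    "Token.sol": "contract Token { uint256 public cap = 10; } // v1",
    "Pool.sol": 'contract Pool { string u = "http://x"; }',
    "Old.sol": "contract Old {}",
}
LIVE = {
    "Token.sol": "contract Token { uint256 public cap = 100; }",
    "Pool.sol": '/* reformatted */ contract Pool {\n  string u = "http://x";\n}',
    "Escrow.sol": "contract Escrow {}",
}

if __name__ == "__main__":
    for status, names in delta_check(AUDITED, LIVE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

In practice the two dictionaries would be filled from the repository at the audit's final commit and from the verified source of the deployed contracts.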
Manual Review
As part of our due diligence, we manually inspected the codebase of Convex Finance to get a sense of the overall quality of the project and attempt to pick apart the security principles it is based on to evaluate the project's security.
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in the Convex system. We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. We identified 3 projects the Convex team has derived code from: SushiSwap, Synthetix, Smartz (Defunct).
Overall, we were able to identify potential non-critical misbehaviours in the code newly introduced between the audit and the deployment date. As an example, when a pool is shut down, the funds within the pool are not guaranteed to be extracted, and the gauge associated with it is immediately set as deprecated even though another pool with the same gauge may exist.
Additionally, we identified incorrect code in the new contracts, such as misleading events being emitted in VestedEscrow, further validating our assessment that certain contracts were out of scope. Analyzing GitHub activity and correlating it with the contributed code, our assessment is that the codebase was developed by individual(s) with mediocre expertise and refined prior to launch by another individual with a high level of expertise, who is an active contributor to the Curve project and can be seen contributing to Convex eponymously.
Although there are some non-critical logical mistakes in the codebase of the Convex project, we have to state that the access control imposed by the project is rigorous. Almost every function call of the system is guarded by a caller evaluation check, meaning that the interaction surface for simple users is minimal, consisting of binary actions such as depositing and withdrawing.
This significantly limits the risk factor of an exploit occurring given that a would-be attacker does not have multiple endpoints to work from.