Omniscia Convex Finance Due Diligence

Project DevOps

Compilation Method

The project utilizes truffle as its development pipeline tool, containing an array of tests and scripts coded in JavaScript.

To compile the project, the compile command needs to be issued via the truffle CLI tool:

truffle compile

During compilation with the truffle pipeline, no errors were identified that relate to the syntax or bytecode size of the contracts of the project.

The truffle tool is set to Solidity version 0.6.12 within the configuration file of the Convex code repository, and all contracts currently active in the system have been compiled with 0.6.12, apart from the Gnosis Multi-Signature wallet, which had been compiled with 0.5.14.

The lower version for the multisig wallet is expected given that it uses a proxy-based system that has been in place for longer than Convex and is beyond their control development-wise.

Solidity-Specific Bugs

Given that the version used across the project is relatively recent, there were few compiler issues that had to be cross-checked against the codebase to ensure they do not manifest. We validated that the following IDs in the official bug-list of Solidity do not appear: SOL-2021-2, SOL-2021-1, SOL-2020-11, SOL-2020-10.

We should note that the absence of confirmed compilation bugs does not necessarily mean that there are no bugs, as some may not have been identified yet, similar to how new vulnerabilities in operating systems continue to arise.
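The version filter that comes before a cross-check like the one described above, as an added example (not Omniscia's or Convex's code). Entries use the field layout of Solidity's published bug list (uid, introduced, fixed, conditions), but the uids and version ranges are constructed sample data, and the function names are hypothetical.

```javascript
// CONSTRUCTED sample entries in the shape of Solidity's bug list.
// The uids and version ranges are illustrative, not real bug-list data.
const SAMPLE_BUGS = [
  { uid: "EXAMPLE-A", fixed: "0.8.4", conditions: { ABIEncoderV2: true } },
  { uid: "EXAMPLE-B", introduced: "0.5.0", fixed: "0.6.5" },
  { uid: "EXAMPLE-C", introduced: "0.7.0", fixed: "0.7.4" },
  { uid: "EXAMPLE-D", introduced: "0.4.16", fixed: "0.5.14", conditions: { optimizer: true } },
];

// Parse "0.6.12" or "v0.6.12+commit.<hash>" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised compiler version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison; plain string comparison would rank "0.6.12" below "0.6.5".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A bug is a candidate when introduced <= version < fixed.
// No "introduced" means every release before "fixed" is in range;
// an entry without "fixed" is treated here as still open.
function candidateBugs(version, bugs) {
  return bugs
    .filter((b) => !b.introduced || compareVersions(version, b.introduced) >= 0)
    .filter((b) => !b.fixed || compareVersions(version, b.fixed) < 0)
    .map((b) => ({ uid: b.uid, conditions: b.conditions || {} }));
}

// One worklist per compiler version found in the deployment.
function reviewWorklist(versions, bugs) {
  const out = {};
  for (const v of versions) out[v] = candidateBugs(v, bugs).map((b) => b.uid);
  return out;
}

// The two compiler versions named in this report.
console.log(reviewWorklist(["0.6.12", "0.5.14"], SAMPLE_BUGS));
```

The output is only the list of IDs whose version range covers each compiler; every entry still has to be reviewed against the contracts and its listed conditions to decide whether it manifests.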

Deployment Actor

All contracts have been deployed by the same Externally Owned Account (EOA), the Convex Finance Deployer address. The deployments of the contracts appear methodical and the account acts solely for this purpose, indicating that it is managed by a development-operations service and is utilized only during the deployment of Convex's updates.

Upgrade-Ability

The contracts of the system are not upgrade-able and instead rely on manual setter functions to conduct an "upgrade". We should note that this significantly inhibits extensibility as upgrades cannot change the interfaces of the contracts and thus cannot pass new data between them. The access controls of these functions will be evaluated in the Centralization chapter.

Test Suites

The source code repository of the project contains numerous test suites geared towards achieving a high degree of code coverage for the project. The coding style within those tests appears to be legacy, indicating that some of the code may have been copied from existing work, which is logical as the codebase of Convex derives from multiple pre-existing projects.