Convex Finance

Stage 1
TVL $721M
convexfinance.com
2026-01-28
Chains ethereum

Risk Assessment

Upgradeability
Immutable
Admin Control
DAO Governance
Fund Access
Impossible
Audits
Multiple
Oracle
Self-Contained
Track Record
4+ years

Convex Finance Risk Assessment

Overview

Convex Finance is a yield optimization protocol built on top of Curve Finance. It aggregates CRV staking power from multiple users, maximizing boost rewards without requiring individual users to lock CRV themselves. CVX token holders participate in governance of both Convex and Curve through vote-locked CVX (vlCVX).

Convex has become a “kingmaker” in the Curve ecosystem, controlling significant veCRV voting power that directs CRV emissions to various pools.

Smart Contract Risk

Contract Architecture:

  • Non-upgradeable, immutable contracts
  • Wrapper contracts for Curve LP positions
  • cvxCRV for liquid staked CRV
  • vlCVX for vote-locked governance participation

Immutability:

  • Core contracts cannot be upgraded
  • When bugs discovered, new contracts must be deployed
  • March 2022 vlCVX bug required new contract deployment
  • Users must migrate to new contracts voluntarily

Code Quality:

  • Audited by MixBytes
  • Open source on GitHub
  • Battle-tested through multiple market cycles
  • Bug bounty program

Attack Surface:

  • Dependency on Curve Finance contracts
  • Complex reward distribution mechanisms
  • Gauge weight voting introduces governance attack vectors
  • Large CVX concentration in few wallets (70%+)

Admin/Governance Risk

Governance Structure:

  • vlCVX holders vote on gauge weights every 14 days
  • Participate in Curve, Frax, f(x), and Convex governance
  • Lock period required for voting power
  • Protocol fee distribution to vlCVX holders

Fee Structure:

  • 16% of CRV rewards retained by protocol
  • 10% platform fees distributed to vlCVX stakers
  • Fee parameters set at deployment (immutable)
  • No admin ability to change core fees

Trust Assumptions:

  • Contracts are immutable (trust in code, not admins)
  • Curve dependency for underlying yield
  • Gauge weight voting subject to bribery markets
  • Large holder concentration affects governance

Oracle Risk

Self-Contained:

  • No external price oracle dependencies
  • Reward calculations based on on-chain data
  • Curve pool interactions use Curve’s internal pricing
  • No oracle manipulation vectors

Economic Risk

Liquidity Risk:

  • $1.5B+ TVL
  • Deep liquidity in cvxCRV markets
  • vlCVX lock-up reduces circulating supply
  • Curve ecosystem health affects Convex

Yield Dynamics:

  • Returns depend on CRV emissions and prices
  • Bribery markets (Votium, Hidden Hand) drive vlCVX value
  • Curve governance participation increasingly competitive
  • Cross-protocol coordination common

Operational History:

  • Launched May 2021
  • Rapidly accumulated majority of veCRV
  • March 2022 vlCVX bug (no funds lost, new contract deployed)
  • No successful exploits of core contracts
  • Critical infrastructure for Curve ecosystem

Stage Assessment

Stage 1 Criteria Met:

  • Immutable, non-upgradeable contracts
  • Decentralized governance via vlCVX
  • No admin fund access capability
  • Security audits completed
  • 4+ years operational track record

Why Not Stage 2:

  • Bug fixes require migration (user inconvenience)
  • Heavy dependency on external Curve contracts
  • Concentrated CVX ownership
  • Governance limited to gauge weights

Justification: Convex achieves Stage 1 (Limited Trust) status due to its fully immutable contracts, inability for admins to access funds, and proven security track record. The protocol’s design prioritizes trustlessness over upgradeability - when bugs occur, new contracts are deployed rather than upgraded. While this creates migration friction, it provides strong guarantees that protocol behavior cannot change. The main trust assumptions relate to the underlying Curve protocol rather than Convex itself.