Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
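The three-way comparison described above, as an added example (not AVOID.NET's own verify_decision code). It assumes the base58 encoding uses the Bitcoin alphabet that Solana uses; the function names, sample payload, decision id and timestamp are constructed for illustration, and fetching the memo from Solana is left out so the block runs offline.

```python
import hashlib
from typing import NamedTuple

# Bitcoin/Solana base58 alphabet (assumed to be the one used for the memo hash).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Plain base58 (no checksum) of a byte string."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is represented by one '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def decision_hash(canonical: str) -> str:
    """base58(SHA-256(UTF-8 bytes)). Hash the stored string exactly as is:
    re-serializing the JSON (key order, spacing, escapes) changes the bytes."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


class Memo(NamedTuple):
    hash_b58: str
    decision_id: str
    timestamp: str


def parse_memo(memo: str) -> Memo:
    """Parse AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>, rejecting anything else."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[0] != "AVOID.NET" or parts[1] != "v1":
        raise ValueError("not an AVOID.NET v1 memo")
    values = []
    for key, part in zip(("h", "d", "t"), parts[2:]):
        # Split on the first ':' only; the ISO timestamp contains more colons.
        k, sep, value = part.partition(":")
        if k != key or not sep or not value:
            raise ValueError(f"bad or missing field {key!r}")
        values.append(value)
    return Memo(*values)


def verify(canonical: str, db_hash: str, memo: str) -> dict:
    """Compare database hash, recomputed hash and on-chain memo hash."""
    recomputed = decision_hash(canonical)
    onchain = parse_memo(memo).hash_b58
    return {
        "db_matches_recomputed": db_hash == recomputed,
        "chain_matches_recomputed": onchain == recomputed,
        "authentic": db_hash == recomputed == onchain,
    }


# Constructed sample data, not a real AVOID.NET decision.
SAMPLE_CANONICAL = '{"actor":"moderator:example","kind":"publish","sequence_num":1,"v":1}'
SAMPLE_DB_HASH = decision_hash(SAMPLE_CANONICAL)
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_DB_HASH}|d:example-decision-id|t:2026-01-01T00:00:00.000Z"

if __name__ == "__main__":
    print(verify(SAMPLE_CANONICAL, SAMPLE_DB_HASH, SAMPLE_MEMO))
    # A one-character change to the stored bytes breaks all three-way agreement.
    print(verify(SAMPLE_CANONICAL + " ", SAMPLE_DB_HASH, SAMPLE_MEMO))
```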
Decision
publish · Convex Finance
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 423329516
- Off-chain at: 2026-05-31T07:32:13.468Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): Cp18vk9k7cRMZj9rMVmsDKBnCDSRHS8qez9TEXUdBniF
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (23024 chars)
{"actor":"system:backfill","investigation_id":"34a60e5e-0a2a-43d3-bbb1-d6b00c4cb1d1","kind":"publish","page_slug":"convex-finance","published_at":"2026-05-31T07:32:13.350Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Convex Finance","sections":[{"content":"Convex Finance is a Ethereum-based DeFi protocol that acts as a yield optimizer and governance aggregator for Curve Finance. Users deposit Curve LP tokens or CRV into Convex, which pools the assets and permanently locks CRV to accumulate veCRV. The protocol then distributes boosted CRV rewards, trading fees, and additional incentives back to depositors. By amassing a dominant share of veCRV, Convex gained significant influence over Curve gauge votes — effectively controlling which liquidity pools receive the highest CRV emissions. Convex introduced its own governance token, CVX, which can be vote-locked as vlCVX to direct how the protocol allocates its accumulated veCRV. The protocol subsequently expanded to support Frax Finance in December 2021, enabling similar yield-boosting mechanics for the FXS ecosystem. Cross-chain expansion to Arbitrum followed in November 2022, and to Polygon thereafter.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Nansen: What is Convex Finance?","type":"research","url":"https://www.nansen.ai/post/what-is-convex-fi"},{"credibility":2,"name":"IQ.wiki: Convex Finance","type":"research","url":"https://iq.wiki/wiki/convex-finance"},{"credibility":1,"name":"Convex Finance Official Documentation","type":"official","url":"https://docs.convexfinance.com/"}]},{"content":"Convex Finance was created and launched in April–May 2021 by a fully anonymous team of developers. The identities of the founders have not been publicly disclosed, and the team has made no indication it plans to unmask itself. 
This anonymity is a structural risk factor: at the time of the December 2021 vulnerability disclosure, OpenZeppelin noted that the anonymous developer team could have exploited the bug for personal gain without accountability. As part of the vulnerability resolution, additional publicly known parties were added to the multisig to counterbalance this risk. Despite the anonymous team, the protocol has continued operating since 2021 without a rug pull or misappropriation of treasury funds.","heading":"Team and Founders","severity":"medium","sources":[{"credibility":2,"name":"BeInCrypto: Convex Finance CVX — Everything You Need to Know","type":"news_article","url":"https://beincrypto.com/learn/convex-finance-cvx/"},{"credibility":1,"name":"OpenZeppelin: $15 Billion Rugpull Vulnerability Uncovered and Resolved","type":"research","url":"https://www.openzeppelin.com/news/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved"}]},{"content":"In late 2021, OpenZeppelin's Security Research Team conducted a review of Convex Finance's smart contracts and uncovered a critical vulnerability. If exploited by two of the three anonymous multisig signers, the flaw would have provided unrestricted access to all LP tokens staked in target pools configured with a specified LP token and gauge. The attack vector involved calling revertControl on the PoolManagerV2 contract, adding attacker-controlled fake pools, and draining the CurveVoterProxy contract — directly contradicting Convex's own documentation, which stated such control was not possible. At the time, approximately $15 billion in user funds was at risk. The vulnerability was complicated to disclose because only the anonymous developers could patch or exploit it, creating a perverse incentive scenario. OpenZeppelin coordinated through Immunefi as an intermediary to reach the Convex team. 
The resolution required adding publicly identifiable parties to the multisig to make a unilateral rug pull impossible before disclosing the patch route. The vulnerability was patched on December 14, 2021. No funds were lost.","heading":"Critical Vulnerability: $15 Billion Rug Pull Risk (December 2021)","severity":"critical","sources":[{"credibility":1,"name":"OpenZeppelin: $15 Billion Rugpull Vulnerability Uncovered and Resolved","type":"research","url":"https://www.openzeppelin.com/news/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved"},{"credibility":1,"name":"The Block: Convex Finance addresses bug that could have led to a $15 billion rug pull","type":"news_article","url":"https://www.theblock.co/post/140554/convex-finance-addresses-bug-that-couldve-led-to-a-15-billion-rug-pull"},{"credibility":1,"name":"CoinDesk: Convex Finance Bug Causes CVX Token to Sink on Forced Token Unlock","type":"news_article","url":"https://www.coindesk.com/tech/2022/03/04/convex-finance-bug-causes-cvx-token-to-sink-on-forced-token-unlock"}]},{"content":"In March 2022, a bug was responsibly disclosed to the Convex team by employees of Popcorn, a separate yield-generator protocol. The vulnerability allowed expired vote-locks to re-lock directly to a new address, enabling those users to claim disproportionate cvxCRV rewards beyond what they had earned. Because Convex's contracts are immutable and non-upgradeable, the team was forced to redeploy the vote-locking smart contract, which automatically unlocked all CVX tokens held in the affected contract at that time — approximately $12 billion in value. No funds were lost, but the forced unlock caused a visible drop in the CVX token price. 
Popcorn received a bounty from the Convex treasury for the responsible disclosure.","heading":"Vote-Locking Contract Bug and Redeployment (March 2022)","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Convex Finance Bug Causes CVX Token to Sink on Forced Token Unlock","type":"news_article","url":"https://www.coindesk.com/tech/2022/03/04/convex-finance-bug-causes-cvx-token-to-sink-on-forced-token-unlock"},{"credibility":2,"name":"BeInCrypto: Convex Finance Forced to Redeploy Smart Contract Due to Vulnerability","type":"news_article","url":"https://beincrypto.com/convex-finance-forced-to-redeploy-smart-contract-due-to-vulnerability/"},{"credibility":1,"name":"Convex Finance Medium: Vote-Locked CVX Contract Migration","type":"official","url":"https://convexfinance.medium.com/vote-locked-cvx-contract-migration-8546b3d9a38c"}]},{"content":"On June 23–24, 2022, the domain www.convexfinance.com was compromised via a social-engineering attack against NameCheap's customer support. An attacker impersonated the Convex team to NameCheap and successfully changed the DNS settings, redirecting the site to a phishing page that requested approval for a malicious smart contract. NameCheap's CEO confirmed on Twitter that a specific customer support agent was compromised and had all access removed. At least 40 addresses approved the malicious contract; of those, only 3 had funds drained. Estimated losses were approximately 15,968 cvxCRV and 433 CRV, with the phishing wallet transferring under $1,000 worth of USDC and CRV through a DEX according to on-chain data cited by CoinDesk. Convex compensated affected users from its treasury in CVX tokens at the USD equivalent of losses. 
The team set up alternative URLs (convexfinance.fi and frax.convexfinance.fi) while the investigation proceeded.","heading":"DNS Hijack and Front-End Phishing Attack (June 2022)","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Convex Finance Sets Up New URLs After Website Address Is Hijacked","type":"news_article","url":"https://www.coindesk.com/tech/2022/06/24/convex-finance-sets-up-new-urls-after-website-address-is-hijacked"},{"credibility":3,"name":"Quadriga Initiative: Jun 2022 Convex Finance Malicious DNS Hijack","type":"community_report","url":"https://www.quadrigainitiative.com/casestudy/convexfinancemaliciousdnshijack.php"},{"credibility":2,"name":"The Cryptonomist: A problem with the Convex Finance site","type":"news_article","url":"https://en.cryptonomist.ch/2022/06/24/problem-convex-finance-site/"}]},{"content":"Convex Finance accumulated a dominant share of veCRV, holding approximately 47% of all veCRV supply by January 2022 and roughly 50% by mid-2022. This concentration made Convex a de-facto kingmaker in Curve governance, with whoever controlled CVX voting power effectively directing CRV emissions across Curve's pools. The protocol captured approximately 73% of all CRV emissions at its peak, and roughly 85% of Curve TVL was routed through Convex at its height. This concentration spawned what market observers termed the 'Curve Wars' — competition among protocols to acquire CVX (and by extension vlCVX) to direct Curve emissions favorably. The Mochi Finance incident of November 2021 demonstrated how this governance structure could be weaponized: Mochi minted tokens against near-worthless collateral, used proceeds to acquire over 1 million CVX, and attempted to vote for favorable gauge weights before Curve's Emergency DAO intervened. 
The concentration of veCRV in a protocol controlled by an anonymous team has been consistently flagged as a systemic DeFi risk.","heading":"Governance Concentration and Curve Wars","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Curve Wars Heat Up, Emergency DAO Invoked After Clear Governance Attack","type":"news_article","url":"https://www.coindesk.com/business/2021/11/11/curve-wars-heat-up-emergency-dao-invoked-after-clear-governance-attack"},{"credibility":2,"name":"Halborn: Explained — The Mochi Inu Governance Hack (November 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-mochi-inu-governance-hack-november-2021"},{"credibility":1,"name":"CoinDesk: DeFi Protocol Convex Finance Crosses $20B in Locked Value","type":"news_article","url":"https://www.coindesk.com/markets/2022/01/03/defi-protocol-convex-finance-crosses-20b-in-locked-value"}]},{"content":"CVX has a maximum supply of 100 million tokens. The token allocation at launch was: 50% to Curve LP rewards (distributed pro-rata as CRV is earned on Convex), 25% for liquidity mining over four years, 10% to the Convex team, 9.7% to the treasury (vested over one year), 3.3% to investors (vested over one year), and 2% airdropped to veCRV holders and addresses that voted to whitelist Convex in Curve governance. Uniquely, CVX minting is not time-based but tied to CRV earnings: the more CRV the protocol claims, the less CVX is minted, following a logarithmic decay curve. As of early 2026, approximately 94–99 million CVX tokens have been issued. CVX reached an all-time high of approximately $60.33 on January 1, 2022, and subsequently declined more than 97% from that peak. 
As of mid-2026, market cap is approximately $164 million with TVL on the protocol at approximately $1.28 billion.","heading":"Tokenomics and CVX Distribution","severity":"low","sources":[{"credibility":1,"name":"Convex Finance Tokenomics Documentation","type":"official","url":"https://docs.convexfinance.com/convexfinance/general-information/tokenomics"},{"credibility":2,"name":"TokenInsight: Convex Finance CVX Tokenomics","type":"research","url":"https://tokeninsight.com/en/coins/convex-finance/tokenomics"},{"credibility":2,"name":"CoinGecko: Convex Finance Price","type":"other","url":"https://www.coingecko.com/en/coins/convex-finance"}]},{"content":"Convex Finance has undergone multiple third-party security audits. MixBytes conducted a general contracts audit in April 2021, prior to launch. PeckShield audited Convex Frax staking (April 2022), the Convex staking wrapper (September 2022), and Convex sidechain contracts (November 2022). Nomoi audited the cvxCRV staking wrapper and Convex sidechain in January 2023. ChainSecurity reviewed the Silo Finance Curve and Convex integration in April 2023. All audit reports are listed on the official documentation site. 
Despite these audits, the December 2021 rug-pull vulnerability and the March 2022 vote-locking bug were not caught by MixBytes' initial audit, indicating the limitations of point-in-time security reviews for evolving smart contract systems.","heading":"Security Audits","severity":"medium","sources":[{"credibility":1,"name":"Convex Finance Audits Documentation","type":"official","url":"https://docs.convexfinance.com/convexfinance/faq/audits"},{"credibility":2,"name":"MixBytes: Convex Platform Security Audit Report","type":"research","url":"https://github.com/mixbytes/audits_public/blob/master/Convex%20Platform/Convex%20Platform%20Security%20Audit%20Report.pdf"}]},{"content":"In November 2021, Mochi Finance — a separate protocol — exploited CVX's governance power in a manner described by Curve's Emergency DAO as a 'clear governance attack.' Mochi minted approximately 46 million USDM using 10 billion MOCHI tokens assigned a hardcoded oracle price despite near-zero market value, then swapped the USDM for DAI via the Curve USDM/3CRV pool, draining real stablecoin liquidity. Proceeds were used to purchase over 1,050,285 CVX, which were immediately locked to acquire vlCVX voting power. The intended goal was to vote for increased CRV emissions to the Mochi pool, attracting further liquidity to repeat the cycle. Curve's Emergency DAO killed the Mochi gauge and blocked further emissions. Aggregate losses to Curve liquidity providers are estimated at more than $54 million. Convex Finance itself was not the attacker; however, the incident demonstrated that CVX governance power could be weaponized by bad actors. 
As of 2026, Azeem Ahmed — alleged founder of Mochi Finance — has been linked by crypto news outlets to fraud allegations across multiple DeFi projects and sold 550,000 CVX from proceeds in March 2026, though these allegations remain unproven in a court of law.","heading":"Third-Party Misuse of CVX: Mochi Finance Incident (2021)","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Curve Wars Heat Up, Emergency DAO Invoked After Clear Governance Attack","type":"news_article","url":"https://www.coindesk.com/business/2021/11/11/curve-wars-heat-up-emergency-dao-invoked-after-clear-governance-attack"},{"credibility":2,"name":"Halborn: Explained — The Mochi Inu Governance Hack (November 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-mochi-inu-governance-hack-november-2021"},{"credibility":2,"name":"Crypto.news: Mochi Finance founder offloads 550K CVX as fraud claims deepen","type":"news_article","url":"https://crypto.news/mochi-finance-founder-offloads-550k-cvx-as-fraud-claims-deepen-across-defi/"}]},{"content":"No regulatory actions by the SEC, CFTC, DOJ, or other government bodies against Convex Finance or its developers have been identified in publicly available records as of May 2026. The anonymous nature of the development team means that no named individuals are associated with the protocol for potential enforcement purposes. The CVX token has been listed on major centralized exchanges including Binance, Coinbase, and Kraken without public regulatory objection to date. 
As with most DeFi governance tokens, CVX carries inherent exposure to potential future regulatory classification as a security, though no such action has been initiated.","heading":"Regulatory Status","severity":"low","sources":[{"credibility":1,"name":"CoinDesk: Convex Finance — general coverage","type":"news_article","url":"https://www.coindesk.com/markets/2022/01/03/defi-protocol-convex-finance-crosses-20b-in-locked-value"}]}],"sources_used":[{"credibility":1,"name":"OpenZeppelin: $15 Billion Rugpull Vulnerability in Convex Finance Protocol Uncovered and Resolved","type":"research","url":"https://www.openzeppelin.com/news/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved"},{"credibility":1,"name":"CoinDesk: Convex Finance Bug Causes CVX Token to Sink on Forced Token Unlock","type":"news_article","url":"https://www.coindesk.com/tech/2022/03/04/convex-finance-bug-causes-cvx-token-to-sink-on-forced-token-unlock"},{"credibility":1,"name":"CoinDesk: Convex Finance Sets Up New URLs After Website Address Is Hijacked","type":"news_article","url":"https://www.coindesk.com/tech/2022/06/24/convex-finance-sets-up-new-urls-after-website-address-is-hijacked"},{"credibility":1,"name":"CoinDesk: Curve Wars Heat Up, Emergency DAO Invoked After Clear Governance Attack","type":"news_article","url":"https://www.coindesk.com/business/2021/11/11/curve-wars-heat-up-emergency-dao-invoked-after-clear-governance-attack"},{"credibility":1,"name":"CoinDesk: DeFi Protocol Convex Finance Crosses $20B in Locked Value","type":"news_article","url":"https://www.coindesk.com/markets/2022/01/03/defi-protocol-convex-finance-crosses-20b-in-locked-value"},{"credibility":1,"name":"The Block: Convex Finance addresses bug that could have led to $15B rug pull","type":"news_article","url":"https://www.theblock.co/post/140554/convex-finance-addresses-bug-that-couldve-led-to-a-15-billion-rug-pull"},{"credibility":2,"name":"Halborn: Explained — The Mochi Inu Governance Hack 
(November 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-mochi-inu-governance-hack-november-2021"},{"credibility":2,"name":"BeInCrypto: Convex Finance Forced to Redeploy Smart Contract Due to Vulnerability","type":"news_article","url":"https://beincrypto.com/convex-finance-forced-to-redeploy-smart-contract-due-to-vulnerability/"},{"credibility":2,"name":"BeInCrypto: Convex Finance CVX — Everything You Need to Know","type":"news_article","url":"https://beincrypto.com/learn/convex-finance-cvx/"},{"credibility":2,"name":"Crypto.news: Mochi Finance founder offloads 550K CVX as fraud claims deepen","type":"news_article","url":"https://crypto.news/mochi-finance-founder-offloads-550k-cvx-as-fraud-claims-deepen-across-defi/"},{"credibility":2,"name":"IQ.wiki: Convex Finance","type":"research","url":"https://iq.wiki/wiki/convex-finance"},{"credibility":2,"name":"Nansen: What is Convex Finance?","type":"research","url":"https://www.nansen.ai/post/what-is-convex-fi"},{"credibility":1,"name":"Convex Finance Official Documentation","type":"official","url":"https://docs.convexfinance.com/"},{"credibility":1,"name":"Convex Finance Audits Documentation","type":"official","url":"https://docs.convexfinance.com/convexfinance/faq/audits"},{"credibility":1,"name":"Convex Finance Tokenomics Documentation","type":"official","url":"https://docs.convexfinance.com/convexfinance/general-information/tokenomics"},{"credibility":1,"name":"Convex Finance Risks Documentation","type":"official","url":"https://docs.convexfinance.com/convexfinance/faq/risks"},{"credibility":2,"name":"MixBytes: Convex Platform Security Audit Report","type":"research","url":"https://github.com/mixbytes/audits_public/blob/master/Convex%20Platform/Convex%20Platform%20Security%20Audit%20Report.pdf"},{"credibility":1,"name":"Convex Finance Medium: Vote-Locked CVX Contract 
Migration","type":"official","url":"https://convexfinance.medium.com/vote-locked-cvx-contract-migration-8546b3d9a38c"},{"credibility":1,"name":"CVX Token Contract — Etherscan","type":"on_chain","url":"https://etherscan.io/token/0x4e3fbd56cd56c3e72c1403e103b45db9da5b9d2b"},{"credibility":2,"name":"CoinGecko: Convex Finance","type":"other","url":"https://www.coingecko.com/en/coins/convex-finance"},{"credibility":2,"name":"TokenInsight: Convex Finance CVX Tokenomics","type":"research","url":"https://tokeninsight.com/en/coins/convex-finance/tokenomics"}],"summary":"Convex Finance is a decentralized finance yield-optimization protocol launched in May 2021 on Ethereum, designed to boost rewards for Curve Finance liquidity providers and CRV stakers by aggregating veCRV voting power. The protocol rapidly became one of the largest DeFi platforms by total value locked, peaking near $21 billion in January 2022, and accumulated controlling influence over Curve governance by holding approximately 47–50% of all veCRV supply at peak. 
The team has remained anonymous since launch, and the protocol experienced a critical multi-signature vulnerability in December 2021 — discovered and disclosed by OpenZeppelin — which was patched without any loss of user funds.","timeline":[{"date":"2021-04-01","event":"Convex Finance announced and introduced by an anonymous developer team","source":"BeInCrypto","source_url":"https://beincrypto.com/learn/convex-finance-cvx/"},{"date":"2021-05-01","event":"Convex Finance protocol goes live on Ethereum mainnet; records $68 million TVL in first month","source":"IQ.wiki: Convex Finance","source_url":"https://iq.wiki/wiki/convex-finance"},{"date":"2021-06-01","event":"Convex Finance TVL reaches $1 billion","source":"Gate.com: What Is Convex Finance","source_url":"https://www.gate.com/learn/articles/what-is-convex-finance/542"},{"date":"2021-10-01","event":"Convex Finance TVL reaches $10 billion","source":"Gate.com: What Is Convex Finance","source_url":"https://www.gate.com/learn/articles/what-is-convex-finance/542"},{"date":"2021-11-11","event":"Mochi Finance executes governance attack using CVX voting power; Curve Emergency DAO kills Mochi gauge","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2021/11/11/curve-wars-heat-up-emergency-dao-invoked-after-clear-governance-attack"},{"date":"2021-12-14","event":"Critical $15 billion rug pull vulnerability discovered by OpenZeppelin and patched; publicly known signers added to multisig","source":"OpenZeppelin","source_url":"https://www.openzeppelin.com/news/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved"},{"date":"2022-01-01","event":"CVX token reaches all-time high of approximately $60.33; protocol TVL peaks near $21 billion","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2022/01/03/defi-protocol-convex-finance-crosses-20b-in-locked-value"},{"date":"2022-03-04","event":"Vote-locking bug disclosed by Popcorn; Convex forced to redeploy $12 billion smart 
contract and unlock all vlCVX","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2022/03/04/convex-finance-bug-causes-cvx-token-to-sink-on-forced-token-unlock"},{"date":"2022-06-23","event":"Domain www.convexfinance.com hijacked via NameCheap social engineering attack; phishing site deployed; Convex sets up alternative URLs","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2022/06/24/convex-finance-sets-up-new-urls-after-website-address-is-hijacked"},{"date":"2022-11-01","event":"Cross-chain expansion to Arbitrum","source":"IQ.wiki: Convex Finance","source_url":"https://iq.wiki/wiki/convex-finance"},{"date":"2023-02-01","event":"cvxFXS single-sided staking enabled; expansion to Polygon","source":"IQ.wiki: Convex Finance","source_url":"https://iq.wiki/wiki/convex-finance"},{"date":"2026-03-19","event":"Azeem Ahmed (alleged Mochi Finance founder) sells 550,000 CVX on-chain; fraud allegations spanning four DeFi projects reported","source":"Crypto.news","source_url":"https://crypto.news/mochi-finance-founder-offloads-550k-cvx-as-fraud-claims-deepen-across-defi/"}]},"v":1}