# Protocol Due Diligence: Convex Finance
## Overview + Links
- **[Site](https://www.convexfinance.com/)**
- **Team**
- **[Docs](https://docs.convexfinance.com/convexfinance/)**
- **[MixBytes Audit](https://github.com/mixbytes/audits_public/tree/master/Convex%20Platform)**
## Rug-ability
**Multi-sig:** Yes
**Number of Multi-sig signers / threshold:** 2 of 3 team members; seem to only control rewards
**Upgradable Contracts:** No
**Decentralization:** N/A
## Misc Risks
- Yield is generated by farming CRV tokens and by minting Convex's own CVX token, currently at a 1:2 CVX:CRV ratio relative to the CRV farmed.
- The project has been endorsed by the Curve team. Several Curve team members are very active in their Discord and Telegram groups (Charlie and Kendrick Llama).
### Audit Reports / Key Findings
**[MixBytes Audit](https://github.com/mixbytes/audits_public/tree/master/Convex%20Platform)**
### Protocol Deep-Dive
I've looked into Convex's rewards contracts and the stash contracts (verifying a few of them 🙂), and mapped out all of the places our funds could go.
The only way I could've seen something fishy happening is this, but it's blocked:
- Deploy a new StashFactory from the Booster (they can do this for changes to Curve's gauges)
- Deploy malicious Stash contracts via the malicious factory
- While stash contracts can deploy virtual balance reward pools, they can only do so via an immutable rewardsFactory. Even if a virtual balance pool were set up with a malicious token designed to freeze the pool or something, withdrawing from a virtual balance rewards pool doesn't check anything about the extra rewards token balance; it just deducts the withdrawn amount from the mirrored virtual pool balance.
So, tl;dr, I think we're gucci to ramp this up, both from a code point of view and, it sounds like, from a social point of view as well, since Convex didn't seem to have any ill will toward Yearn farming them.
- **Booster:** https://etherscan.io/address/0xf403c135812408bfbe8713b5a23a04b3d48aae31
- **RewardFactory:** https://etherscan.io/address/0xedccb35798fae4925718a43cc608ae136208aa8d
- **Current StashFactory:** https://etherscan.io/address/0x877288c4e6eba4f635ba7428706447353b47de75
- **Example BaseRewards Pool (stETH):** https://etherscan.io/address/0x0a760466e1b4621579a82a39cb56dda2f4e70f03
- **Example Virtual Rewards Pool (stETH):** https://etherscan.io/address/0x008aea5036b819b4feaed10b2190fbb3954981e8
- **Example Stash Contract (stETH):** https://etherscan.io/address/0x9710fd4e5ca524f1049ebed8936c07c81b5eab9f
- Our biggest concern was the `withdraw` call made on each entry of `extraRewards` during a withdrawal from a `BaseRewards` pool: a malicious (or simply reverting) `VirtualRewards` pool (these are the pools in the `extraRewards` array) could lock our funds.
- However, on closer inspection, all `VirtualRewards` pools are deployed only via an immutable factory:
![telegram-cloud-photo-size-1-5008402849410951534-y](https://user-images.githubusercontent.com/23222916/119913415-e025ba80-bf2b-11eb-89f1-ce8efb346ac7.jpg)
- Furthermore, the `VirtualRewards.withdraw` call simply updates balances for the virtual pool and nothing else:
![telegram-cloud-photo-size-1-5008402849410951537-x](https://user-images.githubusercontent.com/23222916/119913442-efa50380-bf2b-11eb-821b-f1a3ecf02fce.jpg)
- Thus, it appears to be impossible to deploy a malicious `VirtualRewards` pool and lock our funds via a revert on withdrawal.
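As an added illustration (not Convex's or Yearn's code), a simplified Solidity model of the withdraw path described in the stash bullets and the `extraRewards` bullets above: the base pool's `withdraw` loops over every linked pool, only the immutable factory may link a pool, and the virtual pool's `withdraw` does nothing external. Contract and function names are assumed stand-ins, and the deposit side of the base pool is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of the withdraw path discussed above; illustrative, not Convex's code.
// Hazard: the base pool calls withdraw() on every extraRewards pool before paying out,
// so a revert in any of them reverts the staker's whole withdrawal.
interface IRewards { function withdraw(address account, uint256 amount) external; }
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Extra-rewards pool whose withdraw is pure bookkeeping: no token transfer and no call
// into the extra reward token, so a frozen or malicious reward token cannot make it revert.
contract VirtualBalanceRewardPool is IRewards {
    address public immutable deposits; // the base pool; the only caller allowed to move balances
    mapping(address => uint256) public balanceOf;
    constructor(address _deposits) { deposits = _deposits; }
    function stake(address account, uint256 amount) external {
        require(msg.sender == deposits, "!authorized");
        balanceOf[account] += amount;
    }
    function withdraw(address account, uint256 amount) external override {
        require(msg.sender == deposits, "!authorized");
        balanceOf[account] -= amount; // mirrors the base pool; reverts only on underflow
    }
}

contract BaseRewardPool {
    IERC20 public immutable stakingToken;
    address public immutable rewardFactory; // fixed at deploy; cannot be swapped later
    IRewards[] public extraRewards;
    mapping(address => uint256) public balanceOf;
    constructor(IERC20 _stakingToken, address _rewardFactory) {
        stakingToken = _stakingToken;
        rewardFactory = _rewardFactory;
    }
    // Only the immutable factory may link a pool, so pools never come from an arbitrary address.
    function addExtraReward(address pool) external {
        require(msg.sender == rewardFactory, "!factory");
        extraRewards.push(IRewards(pool));
    }
    function withdraw(uint256 amount) external {
        for (uint256 i = 0; i < extraRewards.length; i++) {
            extraRewards[i].withdraw(msg.sender, amount); // bookkeeping only, see above
        }
        balanceOf[msg.sender] -= amount;
        require(stakingToken.transfer(msg.sender, amount), "!transfer");
    }
}
```

The loop is the point to check in any fork of this pattern: if a linked pool's `withdraw` could call out to an untrusted token, a revert there would trap every staker's funds.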
# Path to Prod
## Strategy Details
- **Description:** Stake Curve LP tokens in Convex's staking contract (the LP token is first wrapped 1:1 into Convex's deposit token so that Convex can deposit the LP token into Curve gauges).
- **Strategy current APR:** 51% for Iron Bank, 3-70% for other pools
- **Does Strategy delegate assets?:** No
- **Target Prod Vault:** All Curve Pool vaults
- **BaseStrategy Version #:** 0.3.0 (stETH), 0.3.2 (IronBank, sETH), 0.3.3 (hBTC), 0.3.5 (Orb's Curve template)
- **Target Prod Vault Version #:** Same as above
## Testing Plan
### Ape.tax
- **Will Ape.tax be used?:** If we do, we will need to deploy new Ape.tax Curve vaults. I would prefer to attach these to prod vaults with a very small debtRatio to start with, especially since these strategies have minimal changes from the existing Curve strategies.
- **Will Ape.tax vault be same version # as prod vault?:**
- **What conditions are needed to graduate? (e.g. number of harvest cycles, min funds, etc):**
## Prod Deployment Plan
- **Suggested position in withdrawQueue?:** 1, if yields are higher than the VoterProxy strategy's
- **Does strategy have any deposit/withdraw fees?:** No
- **Suggested debtRatio?:** Start low (even 0.01%) for live testing, confirm that harvest etc. works, then scale up
- **Suggested max debtRatio to scale to?:** ~50% or more depending on yields
## Emergency Plan
- **Shutdown Plan:**
  - Before shutting down, we need to know what is or isn't working.
  - The two main boolean controls here are `claimRewards` and `harvestExtras`.
  - `extraRewards`
- **Things to know:**
- **Scripts / steps needed:**
- **Is it safe to...**
  - call EmergencyShutdown
  - remove from withdrawQueue
  - call revoke and then harvest