Today, the contract for vote-locked CVX (vlCVX) has been re-deployed. Convex Finance was recently made aware of a potential bug in the vlCVX rewards system. This bug was responsibly disclosed before anyone utilized it; no loss of funds occurred, and user deposits were not at risk.
There were no instances of this being used prior to deployment of the new vlCVX contract. However, since Convex Finance contracts are immutable and non-upgradeable, a new contract had to be deployed. The new vlCVX contract has implemented a fix for this potential bug going forward.
Users who vote-lock CVX earn 5%+1% rewards in the form of cvxCRV. This bug made it possible for expired locks to relock directly to a new address, which, in turn, enabled them to claim more cvxCRV rewards than they had earned.
Special thanks to the team at Popcorn for their assessment and disclosure. A bug bounty will be paid out from the Convex treasury.
Implementation and Actions for Vote-lockers
To migrate users to the new vlCVX contract, all currently locked CVX has been unlocked from the old contract. Anyone who has vote-locked their CVX will have to withdraw their tokens from the “Lock CVX” page and re-lock in the new contract.
Users will have a small grace period to move their previously-locked tokens over to the new contract. During this grace period, formerly locked CVX tokens that have not expired and have not yet been withdrawn will still be able to participate in the gauge-weight voting of March 3rd, 17th, and 31st. To participate in DAO votes and continue to earn 5%+1% of platform fees as cvxCRV, users must re-lock in the new vlCVX contract.
Example: A user who does not withdraw their CVX tokens from the previous vlCVX contract and whose original lock expires on March 24th will be able to participate in gauge votes for March 3rd and 17th but not the 31st.
- A non-critical bug was found; user deposits are safe and were not / are not at risk.
- Go to https://www.convexfinance.com/lock-cvx and withdraw your unlocked CVX tokens.
- If desired, re-lock for 16 weeks to continue earning 5%+1% of platform fees as cvxCRV, and participate in gauge-weight and DAO votes.
- Previously locked but not withdrawn CVX tokens will retain gauge-weight voting rights for the voting period of March 3rd, 17th, and 31st, even if not re-locked in the new contract.