Convex Finance DeFi Integration Tips
0xB25C
January 16th, 2023

We continue our series of instructive posts with some special recommendations for developers using Convex Finance DeFi integration!

Greetings dear readers!

In this article, we present tips that we have acquired over years of auditing such integrations. You will also find a list of tools and research for self-study; we strongly recommend reading it separately for a better understanding!

By the way, there are some vacant slots in the first quarter of 2023 now so if your project needs an audit — feel free to write to us, visit our public reports page here! Let’s get in touch: gm@pessimistic.io!


I — Introduction

Looking at this month’s never-ending hacks, one wonders why they happen so frequently. Have audit firms actually gotten worse at what they do?

This, in our opinion, is not the case; yet, the topic is rather tricky because you can, in certain ways, reduce the risks to yourself and your project!

By the way, we are working on such a solution within the team and hope to deliver it shortly!

We believe there is no one who doubts that the basis of any secure integration is a special approach to writing code. Consequently, this article will be focused only on those aspects that can be really useful for making your code safe and secure!

This is what we’ll cover in this post about integrating Convex into your project!


II — Convex Walkthrough

Convex Finance is a decentralized finance (DeFi) platform that provides boosted staking rewards on the Curve Finance exchange.

The protocol operates on the Ethereum and Arbitrum blockchains and acts as a yield optimizer for CRV token holders and Curve liquidity providers.

More about Convex:

Curve wars:

You may have heard this term somewhere before, but without a detailed study of the subject it will be difficult to understand how Convex works!

So, let’s get to the bottom of it!

The Curve Wars can be described as the competition between several DeFi protocols to get a share of the liquidity in the Curve Finance ecosystem; the hustle to accumulate veCRV, Curve’s governance token, and decide which pool gets Curve’s reward boost.

Although Convex Finance, Yearn protocol, and StakeDAO are protagonists in the Curve wars incentivizing users to deposit their CRV tokens into their platform, the Curve Wars play out essentially on Convex protocol, which offers one of the highest ROI on CRV.

Read more about Convex and Curve wars here:

Check out this resource, visit blog and other official channels:

Let’s get started! We hope you find today’s article informative and helpful!


III — We Recommend

Following the tips below can significantly improve the security of your project’s integration:

  • If you have a poolId, you can get the corresponding BaseRewardPool through Booster.poolInfo(poolId).crvRewards.

  • Booster.deposit with _stake = false does not stake LP tokens; it only mints deposit tokens for the caller. Therefore, the integrating contract should be able to pass _stake = true, or call BaseRewardPool.stakeFor() separately.

  • BaseRewardPool.stake stakes deposit tokens only, not real LP tokens. That’s why it’s better to stake through the Booster contract!

How to stake?

  • LP tokens — through the Booster contract: Booster.deposit(pool_id, amount, true)

  • CVX and cvxCRV — same as with LP tokens!

  • CVX will be staked in the cvxRewardPool, but cvxCRV will be staked in the regular BaseRewardPool!

  • If you stake through a booster contract, CVX and cvxCRV will go into the cvxRewardPool and BaseRewardPool, respectively.

Check that your integration has code that collects the staking rewards:

  • For LP tokens, CVX, or cvxCRV staking: BaseRewardPool.getReward(user, claimExtras=true).

  • claimExtras determines whether the user also wants to withdraw their extraRewards tokens.

  • Individual pools or the Booster contract itself can be in shutdown status, in which case you cannot make a deposit. Before initiating a deposit, check their status: !Booster.poolInfo(i).shutdown && !Booster.isShutdown

  • The Booster contract can migrate, so don’t hardcode its address; it’s better to add an option to update it.
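The deposit-side tips above, combined into one adapter. This is an added example, not code from the original post or from Convex: the contract and function names are hypothetical, the interface signatures are assumptions to verify against the deployed Booster ABI, and it assumes LP tokens that return a bool from transferFrom/approve (otherwise use a safe-transfer wrapper).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed subset of the Convex Booster ABI; verify against the deployed contract.
interface IBooster {
    function isShutdown() external view returns (bool);
    function poolInfo(uint256 pid) external view returns (
        address lptoken, address token, address gauge,
        address crvRewards, address stash, bool shutdown);
    function deposit(uint256 pid, uint256 amount, bool stake) external returns (bool);
}

// Hypothetical integrating contract; all names here are illustrative.
contract ConvexDepositor {
    address public immutable owner;
    IBooster public booster; // stored, not hardcoded: the Booster can migrate

    constructor(IBooster booster_) {
        owner = msg.sender;
        booster = booster_;
    }

    function setBooster(IBooster newBooster) external {
        require(msg.sender == owner, "not owner");
        require(address(newBooster) != address(0), "zero address");
        booster = newBooster;
    }

    // Pulls LP tokens from the caller and stakes them through the Booster.
    // The stake is credited to this contract in the returned BaseRewardPool.
    function depositAndStake(uint256 pid, uint256 amount) external returns (address rewardPool) {
        require(!booster.isShutdown(), "booster shutdown");
        (address lp, , , address crvRewards, , bool shutdown) = booster.poolInfo(pid);
        require(!shutdown, "pool shutdown");

        require(IERC20(lp).transferFrom(msg.sender, address(this), amount), "transfer failed");
        require(IERC20(lp).approve(address(booster), amount), "approve failed");
        // stake = true: with false only deposit tokens are minted and nothing is staked
        require(booster.deposit(pid, amount, true), "deposit failed");
        return crvRewards;
    }
}
```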

Checking the size of the staking rewards:

  • For LP token staking: call BaseRewardPool.earned().

  • For additional rewards from LP staking: get the VirtualBalanceRewardPool address via BaseRewardPool.extraRewards(i). Call VirtualBalanceRewardPool.earned().

  • For cvxCRV staking, it is exactly the same as with LP tokens: call BaseRewardPool.earned().

  • For CVX staking: get cvxRewardPool via Booster.stakerRewards(), then call cvxRewardPool.earned().

Withdraw staked funds (LP, CVX, cvxCRV):

  • BaseRewardPool.withdrawAndUnwrap(amount, claim=false)

Keep in mind:

  • claim determines whether to collect rewards via getReward()

  • If you call .withdraw() instead of .withdrawAndUnwrap(), the local Convex deposit tokens are returned, not the LP tokens.
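The reward-size checks, reward claim and withdrawal described above, as seen from a contract that already holds a stake in a BaseRewardPool. This is an added example, not code from the original post or from Convex: the contract name and its functions are hypothetical, and the interface signatures (including the account argument to earned and the extraRewardsLength getter) are assumptions to verify against the deployed ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed subset of the BaseRewardPool ABI; verify against the deployed contract.
interface IBaseRewardPool {
    function earned(address account) external view returns (uint256);
    function extraRewardsLength() external view returns (uint256);
    function extraRewards(uint256 i) external view returns (address);
    function getReward(address account, bool claimExtras) external returns (bool);
    function withdrawAndUnwrap(uint256 amount, bool claim) external returns (bool);
}

interface IVirtualBalanceRewardPool {
    function earned(address account) external view returns (uint256);
}

// Hypothetical contract that already holds a stake in `pool`.
contract ConvexPosition {
    address public immutable owner;
    IBaseRewardPool public immutable pool; // Booster.poolInfo(pid).crvRewards

    constructor(IBaseRewardPool pool_) {
        owner = msg.sender;
        pool = pool_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // amounts[0] is the base reward; amounts[i + 1] belongs to extraRewards(i).
    function pendingRewards() external view returns (uint256[] memory amounts) {
        uint256 n = pool.extraRewardsLength();
        amounts = new uint256[](n + 1);
        amounts[0] = pool.earned(address(this));
        for (uint256 i = 0; i < n; i++) {
            amounts[i + 1] = IVirtualBalanceRewardPool(pool.extraRewards(i)).earned(address(this));
        }
    }

    // claimExtras = true also collects the extraRewards tokens into this contract.
    function claim() external onlyOwner {
        require(pool.getReward(address(this), true), "claim failed");
    }

    // withdrawAndUnwrap returns real LP tokens to this contract;
    // plain withdraw() would return Convex deposit tokens instead.
    function exit(uint256 amount) external onlyOwner {
        require(pool.withdrawAndUnwrap(amount, false), "withdraw failed");
    }
}
```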


We hope that this article was informative and useful for you! Thank you for reading!

Check out our article with tips on gas optimization as well as other articles!

What instruments should we review? What would you be interested in reading about? Please leave your comments, we will be happy to answer them, and the best answers and questions may be included in the next article!

By the way, there are some vacant slots now so if your project needs an audit — feel free to write to us, visit our public reports page here.

Let’s get in touch: gm@pessimistic.io!
