OpenZeppelin uncovered a vulnerability within Convex Finance that could have led to exorbitant damages

Convex Finance, a platform that increases rewards for those using the Curve stablecoin, has mitigated an issue that could have led to a $15 billion rug pull.

A rug pull occurs when seemingly legitimate crypto projects escape with investor funds. It has become a significant issue in the decentralized finance space over the past year.

OpenZeppelin, a blockchain security company, discovered a critical vulnerability during the Coinbase security audit of the Convex Finance protocol. The company found that if two out of three Convex multisig wallet signers took a specific set of steps, they could gain access to a pool of liquidity provider tokens. OpenZeppelin details the steps in a post.

Since Convex holds most of Curve Finance’s CRV stablecoins in circulation, substantial funds were at risk. The vulnerability could have allowed Convex’s anonymous developers, acting as two of the three multisig signers, to gain control of Convex’s locked value, which was about $15 billion.

The bug could only be exploited or patched by Convex’s development team, which OpenZeppelin says complicated the disclosure process. The security company said it was reasonably certain that the problem was unintentional, meaning the developers were unaware of the vulnerability rather than intending to make off with funds. If the firm was wrong, the fallout of alerting the very people with the power to conduct the rug pull had the potential to be disastrous.

Finally, OpenZeppelin said it tried to ensure that the vulnerability would not be exploited before describing the exposure to the Convex team. It used bug bounty partner Immunefi as an intermediary.

Since then, the bug has been patched. The security hole was never exploited, and no funds were lost. Convex has posted additional resources on addressing the multisig weakness in its public documentation.
