The Convex Finance, a platform that increases rewards for those using the Curve stablecoin, has mitigated an issue that could lead to a $15 billion rug pull.
Convex Finance addresses a bug that could’ve led to a $15 billion rug pull
Rug pull occurs when seemingly legitimate crypto projects escape with investor funds. It has become a significant issue in the decentralized finance space over the past year.
OpenZeppelin, a blockchain security company, discovered a critical vulnerability in the Coinbase security audit of the Convex Finance protocol. The company found that if two out of three Convex multisig wallet signers take a specific set of steps, they can gain access to a pool of liquidity provider tokens. OpenZeppelin details the steps in a post.
Since Convex holds most of Curve Finance’s CRV stablecoins in circulation, substantial funds are already at risk. The vulnerability could have allowed Convex’s anonymous developers – in the form of two out of three multi-signaturers – to gain control of Convex’s locked value, which was about $15 billion.
The bug can only be exploited or patched by Convex’s development team, which OpenZeppelin says complicates the disclosure process. The security company said it was reasonably certain that the problem was intentional, meaning the developers were unaware of the vulnerability or intended to evade funds. If the firm was wrong, the fallout of alerting the very people with the power to conduct the rug pull had the potential to be disastrous.
Finally, OpenZeppelin said it tried to ensure that the vulnerability would not be exploited before describing the exposure to the Convex team. They used bug bounty partner Immunefi as an intermediary.
Since then, the bug has been patched. The security hole was never exploited, and no funds were lost. Convex has posted additional resources to circumvent the multisig weakness in its public documentation.
Read more:
- The Discord Server Of The Famous Bored Ape Yacht Club NFT Collection Was Compromised By Hackers
- Yet Another Prominent DeFi Protocol Has Fallen Victim To A Crippling Security Breach