Curve’s Convex Finance Patches $15B Rug Pull Vulnerability

2 years ago

Quick take:

  • The team at Convex Finance has patched a rug pull vulnerability worth $15 billion
  • The bug was discovered after Coinbase tasked OpenZeppelin with conducting a security review of Convex Finance
  • OpenZeppelin discovered the vulnerability could result in 2 of 3 anonymous multi-signature wallet signers having direct control over Convex’s locked value of $15 billion at the time of the audit

Convex Finance has patched a rug pull vulnerability that could have resulted in the loss of the entire total value locked on the protocol.

The discovery of the bug was made after Coinbase tasked OpenZeppelin with conducting a security audit of Convex Finance. The DeFi protocol is popular amongst the holders of Curve (CRV), who use it to boost yields and rewards.

OpenZeppelin kick-started the audit in late 2021, and its security team discovered that if the vulnerability was exploited by 2 of the 3 anonymous multi-signature wallet signers, it ‘would have given the Convex multisig direct control over Convex’s locked value—then about $15 billion’.

The team at OpenZeppelin explained that if ‘two of the three signers of the Convex multisig executed a specific series of steps, those users would be provided with unrestricted access to LP tokens staked in a target pool configured with the LP token and target gauge’. Furthermore, ‘Convex’s documentation at the time…stated that this should not be possible—hence the careful approach to resolution’.

Disclosure of the Bug was Tricky Given Convex’s Developers are Anonymous

In terms of remedial action, the patch was implemented on December 14th, 2021.

However, the process was a bit ‘tricky’ as the Convex development team is anonymous. Consequently, OpenZeppelin was not sure that disclosing the bug to the developers would be the right decision, given that they could exploit it themselves.

OpenZeppelin solved this dilemma by reaching out to the bug bounty partner, Immunefi. The latter introduced ‘an intermediary between OpenZeppelin and Convex’.

Eventually, the bug was disclosed by incorporating additional publicly known parties to the multisig, making a rug pull impossible until a patch was instituted.

[Feature image courtesy of convexfinance.com]
