
Convex Finance fixes bug that could have endangered $15 billion
The team behind the DeFi project Convex Finance fixed a vulnerability that could have enabled a rug pull. The bug was identified by OpenZeppelin researchers.
Rugpull vulnerability patched in @ConvexFinance’s live contracts. $15 billion in TVL secured.
Summary in thread below. See blog for technical details.👇https://t.co/dAkUom9qX1
— OpenZeppelin (@OpenZeppelin) April 4, 2022
Security researchers conducted a security audit of the protocol for Coinbase. They found that two of the three anonymous signatories of the multisig wallet could access liquidity pools by executing a specific sequence of steps. At the time, the project’s TVL stood at about $15 billion.
In Convex Finance’s documentation, such control was claimed to be impossible. However, only the protocol’s developers could exploit the vulnerability to withdraw funds or fix it.
OpenZeppelin researchers judged that an inadvertent coding error was the most likely explanation, but they were not wholly confident.
The researchers said they faced a dilemma arising from the anonymity of the teams behind such projects:
- Inform the developers of the vulnerability and risk prompting them to carry out a fraudulent scheme, if one had been intended;
- Disclose the vulnerability publicly and damage the protocol’s reputation, with accompanying financial losses, if the team did not intend illicit actions.
The researchers chose Immunefi, a bug-bounty platform, as an intermediary. This path provided assurances that the bug would not be exploited and allowed reporting it to the developers.
The OpenZeppelin and Convex Finance teams agreed to add further trusted parties to the multisig signatories to render unauthorized withdrawals impossible.
Subsequently, the researchers handed the full details of the vulnerability and the testing methods to the protocol developers.
In 2021, criminals stole about $2.8 billion in cryptocurrency from users through rug-pull schemes.