Curve's Convex Finance Patches $15B Rug Pull Vulnerability

The discovery of the bug was made after Coinbase tasked OpenZeppelin with conducting a security audit of Convex Finance. The Defi protocol is popular amongst the holders of Curve (CRV) who use it to boost yields and rewards.

OpenZeppelin kick-started the audit in late 2021 and resulted in its security team discovering that if the vulnerability was exploited by two of the three anonymous multi-signature wallet signers, it ‘would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion’.

The team at OpenZeppelin explained that if ‘two of the three signers of the Convex multisig executed a specific series of steps, those users would be provided with unrestricted access to LP tokens staked in a target pool configured with the LP token and target gauge’. Furthermore, ‘Convex’s documentation at the time…stated that this should not be possible—hence the cautious approach to resolution’.

Disclosure of the Bug was Tricky Given Convex’s Developers are Anonymous

In terms of remedial action, the patch was implemented on December 14th, 2021.

However, the process was a bit ‘tricky’ as the Convex development team is anonymous. Consequently, OpenZeppelin was not sure that disclosing the bug to the developers, would be the right decision given that they could exploit it themselves.

OpenZeppelin solved this dilemma by reaching out to the bug bounty partner, Immunefi. The latter introduced ‘an intermediary between OpenZeppelin and Convex’.

Eventually, the bug was disclosed by incorporating additional publicly known parties to the multisig, making a rug pull impossible till a patch was instituted.

[Feature image courtesy of convexfinance.com]

Source: Read Full Article

Crypto Comments Off on Curve's Convex Finance Patches $15B Rug Pull Vulnerability