Convex Finance addresses bug that could've led to a $15 billion rug pull

Quick Take

  • Blockchain security firm OpenZepplin uncovered a vulnerability within Curve that could have led to exorbitant damages.
  • OpenZepplin disclosed the issue via Immunefi and the bug was fixed.

Convex Protocol, a platform that boosts rewards for those using the Curve stablecoin, has mitigated an issue that could've resulted in a $15 billion rug pull.

Rug pulls occur when seemingly legitimate cryptocurrency projects abscond with investor funds. It's become a considerable problem in the decentralized finance space in the past year

OpenZeppelin, a blockchain security firm, uncovered a significant vulnerability during a security audit for Coinbase of the Convex Finance protocol. The firm found that if two of the three multi-signature wallet signers of the Convex executed a specific series of steps, they could gain access to a pool of liquidity provider tokens. OpenZeppelin detailed the steps in a post

Because Convex holds the majority of Curve Finance's CRV stablecoins in circulation, considerable funds were at risk. The vulnerability could allow Convex's anonymous developers — in the form of two of three multisig signers — to gain control over Convex's locked value, which at the time was about $15 billion. 

The bug could only be exploited or patched by Convex's development team, which OpenZeppelin said made the disclosure process complicated. The security firm said it was reasonably sure that the issue was unintentional, meaning developers didn't know about the vulnerability or have the intention of absconding with funds, but if the firm was wrong, the fallout of alerting the very people with the power to conduct the rug pull had the potential to be disastrous. 

Ultimately, OpenZeppelin said it attempted to obtain assurances that the vulnerability would not be exploited ahead of describing the vulnerability to the Convex team. They used bug bounty partner Immunefi as an intermediary. 

Since then, the bug has been patched. The vulnerability was never exploited and no funds were ever lost. Convex posted additional resources breaking down the multisig weakness in its public documentation. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.