Convex Finance addresses bug that could've led to a $15 billion rug pull

Quick Take

  • Blockchain security firm OpenZeppelin uncovered a vulnerability within Curve that could have led to exorbitant damages.
  • OpenZeppelin disclosed the issue via Immunefi and the bug was fixed.

Convex Protocol, a platform that boosts rewards for those using the Curve stablecoin, has mitigated an issue that could've resulted in a $15 billion rug pull.

Rug pulls occur when seemingly legitimate cryptocurrency projects abscond with investor funds. They have become a considerable problem in the decentralized finance space in the past year.

OpenZeppelin, a blockchain security firm, uncovered a significant vulnerability during a security audit of the Convex Finance protocol for Coinbase. The firm found that if two of Convex's three multi-signature wallet signers executed a specific series of steps, they could gain access to a pool of liquidity provider tokens. OpenZeppelin detailed the steps in a post.

Because Convex holds the majority of Curve Finance's CRV stablecoins in circulation, considerable funds were at risk. The vulnerability could allow Convex's anonymous developers — in the form of two of three multisig signers — to gain control over Convex's locked value, which at the time was about $15 billion.