The Convex Finance DeFi project team has fixed a vulnerability that would have allowed a rug pull. The bug was identified by specialists from OpenZeppelin.
Rugpull vulnerability patched in @ConvexFinance’s live contracts. $15 billion in TVL secured.
Summary in thread below. See blog for technical details.👇https://t.co/dAkUom9qX1
— OpenZeppelin (@OpenZeppelin) April 4, 2022
The experts conducted a protocol security audit for the Coinbase exchange. They found that two of the three anonymous signers of the multisig wallet could gain access to the liquidity pools by following a specific sequence of steps. At that time, the project's TVL was about $15 billion.
The Convex Finance documentation stated that such control was not possible. At the same time, only the protocol's development team could use the vulnerability to withdraw funds, and only they could fix it.
OpenZeppelin's experts considered an unintentional error in the code the most likely explanation, but they could not be completely certain.
According to them, they faced a dilemma arising from the anonymity of the teams behind such projects:
- report the vulnerability to the developers and thereby prompt them to carry out a fraudulent scheme, if one had been planned;
- disclose the vulnerability publicly and damage the protocol's reputation, with accompanying financial losses, if the team was not planning anything illegal.
The research firm decided that the best option was to turn to the bug bounty platform Immunefi as an intermediary. This path made it possible to obtain guarantees that the bug would not be exploited while still reporting it to the developers.
The OpenZeppelin and Convex Finance teams agreed to add additional trusted parties to the multisig wallet's signers so that unauthorized withdrawals became impossible.
Only after that did the researchers give the protocol's developers full information about the vulnerability and the methods used to test it.
Recall that in 2021, attackers using the rug pull scheme stole $2.8 billion worth of cryptocurrency from users.