OpenZeppelin has revealed that it recently uncovered a severe vulnerability in the Convex Finance (CVX) DeFi protocol code that would have led to a $15 billion rug pull if exploited. The loophole has since been patched by the Convex development team, according to an April 4, 2022 blog post by the team.
Convex Finance Rugpull Attack Foiled
OpenZeppelin, a blockchain security firm that claims to be the standard for secure blockchain applications and provides solutions to build, automate and operate decentralized applications, has revealed that it recently uncovered a Convex Finance bug, since patched, that could have led to a $15 billion rug pull.
For those who are unaware, a rug pull attack happens when the creator of a decentralized finance project suddenly transfers or steals all of the funds in the platform's liquidity pools and abandons the project, to the detriment of investors.
Per a blog post by the OpenZeppelin team, the vulnerability in the Convex Finance smart contracts was discovered during a security audit exercise for the Coinbase crypto exchange in December 2021.
Convex Finance is a DeFi platform that boosts rewards for Curve (CRV) stakers and liquidity providers. Launched by an anonymous developer in May 2021, Convex Finance has grown to become a notable project in the Curve ecosystem, with $15 billion in total value locked (TVL) at the time.
Since Convex Finance holds the majority of Curve Finance’s CRV stablecoins in circulation, a rug pull would have had a devastating effect on the members of both ecosystems.
“As part of the audit, the Security Research Team uncovered a vulnerability that, if exploited by two of three anonymous multi-signature wallet (multisig) signers, would have given the Convex multisig direct control over Convex’s locked value – then approximately $15 billion. Convex documentation specifically stated such control was not possible.”
Although the team has made it clear that the bug has since been fixed, it notes that the disclosure process was a herculean task because the vulnerability could only be exploited or patched by the anonymous devs in charge of the protocol.
“The dynamics of contacting anonymous teams about issues can be complex. In many cases, a vulnerability in open-source software can be exploited by anyone who finds it. In this specific instance, however, the vulnerability could only be exploited (or patched) by Convex’s anonymous developers,” revealed OpenZeppelin.
The team says it weighed several options for disclosing the security flaw to Convex. Although it believed the loophole was not created intentionally, the dev team's anonymity could have let them get away with a rug pull easily if they decided to play dirty.
OpenZeppelin says it decided to bring in a bug bounty firm, Immunefi, to function as an intermediary between it and Convex.
In the end, both parties agreed that:
“The best course of action to this dilemma was to incorporate additional publicly known parties to the multisig, making a rug pull impossible. At this point, the Security Research Team commenced open communication with Convex, providing full vulnerability details and a testing method. Shortly thereafter, Convex patched the vulnerability,” the team stated.
At press time, Convex Finance (CVX) has a TVL of $14.41 billion, according to Defi Llama, while the price of its native CVX token is sitting around $36.57, as seen on CoinMarketCap.