Quick take:
- The team at Convex Finance has patched a rug pull vulnerability worth $15 billion
- The bug was discovered after Coinbase tasked OpenZeppelin with conducting a security review of Convex Finance
- OpenZeppelin discovered the vulnerability could result in 2 of 3 anonymous multi-signature wallet signers, having direct control over Convex’s locked value of $15 Billion at the time of the audit
Convex Finance has patched a rug pull vulnerability that could have resulted in the loss of the entire total value locked on the protocol.
The discovery of the bug was made after Coinbase tasked OpenZeppelin with conducting a security audit of Convex Finance. The Defi protocol is popular amongst the holders of Curve (CRV) who use it to boost yields and rewards.
OpenZeppelin kick-started the audit in late 2021 and resulted in its security team discovering that if the vulnerability was exploited by two of the three anonymous multi-signature wallet signers, it ‘would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion’.
The team at OpenZeppelin explained that if ‘two of the three signers of the Convex multisig executed a specific series of steps, those users would be provided with unrestricted access to LP tokens staked in a target pool configured with the LP token and target gauge’. Furthermore, ‘Convex’s documentation at the time…stated that this should not be possible—hence the cautious approach to resolution’.
Disclosure of the Bug was Tricky Given Convex’s Developers are Anonymous
In terms of remedial action, the patch was implemented on December 14th, 2021.
However, the process was a bit ‘tricky’ as the Convex development team is anonymous. Consequently, OpenZeppelin was not sure that disclosing the bug to the developers, would be the right decision given that they could exploit it themselves.
OpenZeppelin solved this dilemma by reaching out to the bug bounty partner, Immunefi. The latter introduced ‘an intermediary between OpenZeppelin and Convex’.
Eventually, the bug was disclosed by incorporating additional publicly known parties to the multisig, making a rug pull impossible till a patch was instituted.
[Feature image courtesy of convexfinance.com]