A potential rug pull avoided on Convex Finance
During a security audit of the Convex protocol carried out on behalf of Coinbase, the security firm OpenZeppelin uncovered a flaw that could have allowed a rug pull of all the funds held by the protocol.
As a reminder, Convex is a flywheel built on top of Curve (CRV). A flywheel is a protocol that depends on another one in order to multiply the yields the underlying protocol originally offers. It is thus possible to deposit CRV on Convex rather than on Curve in order to earn more interest.
The case, detailed today by the audit firm, was discovered at the end of 2021 and at the time put $15 billion in assets at risk, the total value locked (TVL) on the project when the events took place.
Rugpull vulnerability fixed @ConvexFinance's live contracts. $15 billion in TVL secured.
Summary in the thread below. See blog for technical details.👇https://t.co/dAkUom9qX1
—OpenZeppelin (@OpenZeppelin) April 4, 2022
It is a disaster scenario that could have happened if the developers had been ill-intentioned. The sums at stake represented, at the time, roughly 10% of the TVL of the Ethereum (ETH) network, or just over 6% of the entire DeFi ecosystem according to data from the DeFi Llama website.
The bug resided in the multisignature (multisig) system that administers the protocol: if two of the three signers carried out a very specific sequence of actions, they gained access to all of the platform's funds. Because a 2-of-3 threshold only needs two colluding or compromised keys, the "trusted setup" of the project was in practice the sole protection for users' deposits.
Fortunately, the Convex team had no intention of triggering a rug pull, and a patch was deployed on December 14 to correct this unintentional flaw by making the attack path impossible. Two signers whose identities are public have also been added to the multisig in order to raise the level of trust.
OpenZeppelin faced a difficult situation to manage
Although the audit firm had no doubts about the honesty and good faith of the developers, it had to handle a delicate situation once it discovered the flaw, and had to make strategic choices so as not to put users' funds at risk.
Since the fix could only be deployed by the project's own developers, OpenZeppelin was left with three options:
- Disclose the flaw directly to Convex, which could have triggered the rug pull had the team's intentions been bad;
- Make the flaw public, with the same risk as the first option, while also damaging the protocol's reputation;
- Verify the team's honesty first and proceed in stages.
It is this last option that was chosen. Even though the flaw was unintentional, the ability to seize $15 billion is a serious temptation, especially since Convex's founding team is anonymous. This is the classic responsible-disclosure dilemma for on-chain protocols: the only party able to patch the contracts is also the party with the ability to exploit them, so disclosure itself must be handled as a risk.
OpenZeppelin therefore approached the Immunefi team, a platform that runs bug bounty programmes for anyone who discovers a vulnerability in a protocol. Immunefi, which already provided its services to Convex, agreed to act as intermediary to complete the remediation process.
It is therefore a case that ended well and even led to an improvement in the protocol's security. It still offers useful lessons: even though a major disaster was averted, it is a reminder that DeFi is still young and carries risks, including governance and admin-key risk, that must be taken into account in any investment strategy.