A flaw in Convex Finance (CVX) could have triggered a $15 billion rug pull

A potential rug pull avoided on Convex Finance

During a security audit of the Convex protocol on behalf of the Coinbase platform, the specialist firm OpenZeppelin uncovered a flaw that could have resulted in a rug pull of all the funds present on the protocol.

As a reminder, Convex is a flywheel for Curve (CRV). A flywheel is a protocol that depends on another in order to multiply the yields the latter initially offers. Thus, it is possible to deposit one's CRV on Convex rather than on Curve to generate more interest.

This case, detailed today by the audit company, was discovered at the end of 2021 and endangered $15 billion in assets, or the total value locked (TVL) on the project at the time of the events.

It’s a disaster scenario that could have happened, if the developers had been ill-intentioned. Indeed, the sums at stake represented at that time approximately 10% of the TVL of the Ethereum (ETH) network. That is just over 6% of the entire DeFi ecosystem according to data from the Defi Llama website.

The bug in question resided in the multisignature system (multisig): if two of the three signatories carried out a very precise series of actions, they would gain access to all platform funds.

Fortunately, the Convex team had no intention of triggering a rug pull, and a patch was deployed on December 14 to correct this unintentional flaw by making its use impossible. Two signers whose identities are public have also been added to the multisig in an effort to increase the level of trust.

OpenZeppelin faces a difficult situation to manage

Although the auditing company had no doubts about the honesty and good faith of the developers, it faced a delicate situation when it discovered the flaw. It had to make strategic choices so as not to put users’ funds at risk.

Indeed, the fix could only be deployed by the developers of the project, so it was left with three possibilities:

  • Reveal the flaw directly to Convex, but this could have triggered the rug pull in the event of bad intentions;
  • Make the flaw public, with the same risks as the first possibility, while jeopardizing the reputation of the protocol;
  • Make sure of the team's honesty and proceed in stages.

The last option was preferred, because even if the flaw was unintentional, having the ability to grab $15 billion may pose a high risk of temptation, especially since the founding team of Convex is anonymous.

OpenZeppelin then approached the Immunefi team, a platform for setting up bounty systems for anyone who discovers a bug in a protocol. The latter, which provides its services to Convex, agreed to act as intermediary to complete the correction process.

It is therefore a case that ended well and even led to an improvement in the security of the protocol. But it still offers interesting lessons: although a major disaster was averted, it reminds us that DeFi is still young and presents risks that must be taken into account in one's investment strategy.

Source: OpenZeppelin


About the Author : Vincent Mayor


I timidly discovered the world of blockchain at the end of 2018 during my quest for financial freedom. Initially invested moderately, it was only two years later that I took the gamble of betting everything on the movement that was taking shape then. I then dedicated 2021 to training myself better to acquire more knowledge and seriousness. As I often like to say: I still have a billion things to learn. And what I do know, I want to share with you.