OpenZeppelin has discovered a serious vulnerability in the Convex Finance (CVX) DeFi protocol code that, if abused, might have resulted in a $15 billion rug pull.
The Convex development team has since closed the loophole.
Outsmarted Rugpull Attack
OpenZeppelin is a blockchain security company that claims to be the gold standard for safe blockchain apps. It offers tools for creating, automating, and running decentralized apps, among other things. The company revealed that a Convex Finance flaw that could have resulted in a $15 billion rug pull had just been corrected.
A rug pull attack occurs when the founder of a decentralized finance project transfers or takes all of the funds in the platform's liquidity pools and then abandons the project, putting investors at risk.
The weakness in the Convex Finance smart contracts was discovered in December 2021 during a security audit for the Coinbase cryptocurrency exchange.
Convex Finance is a DeFi platform that helps Curve (CRV) stakers and liquidity suppliers earn more money. An unknown developer founded it in May 2021. It has since evolved to become a prominent project in the Curve ecosystem. At the time, it had a total value locked (TVL) of $15 billion.
The majority of Curve Finance's CRV stablecoins are held by Convex Finance. A rug pull would have been disastrous for the users of both ecosystems.
The Predicament
The bug has since been resolved, according to the team. The fact that the vulnerability could only be exploited or corrected by the protocol's anonymous developers made the disclosure procedure a monumental undertaking, according to the report.
Contacting anonymous teams about problems can involve complicated dynamics. In many circumstances, anyone who discovers a vulnerability in open-source software can exploit it. However, in this case the issue could only be exploited (or patched) by Convex's anonymous developers.
The team says it considered different ways of informing Convex about the security problem. Although it believed the security flaw was introduced unintentionally, the dev team's anonymity might have helped them get away with a rug pull attack if they were to play dirty.
OpenZeppelin claims it opted to bring in a bug bounty firm, Immunefi, to act as a middleman between it and Convex.
Both parties eventually reached an agreement. In order to avoid a rug pull, the best course of action was to add more publicly known parties to the multisig.
At this point, the Security Research Team began open communication with Convex, providing detailed information on the vulnerability as well as a way to test it. Convex quickly responded by patching the flaw.
According to Defi Llama, Convex Finance (CVX) has a TVL of $14.41 billion as of press time. The price of its native CVX coin, meanwhile, is currently hovering at $36.57.