Friday, June 2, 2023

OpenZeppelin Outsmarts $15B Rug Pull


OpenZeppelin has discovered a serious vulnerability in the Convex Finance (CVX) DeFi protocol code that, if abused, might have resulted in a $15 billion rug pull.

The Convex development team has since closed the loophole.

Outsmarted Rugpull Attack

OpenZeppelin is a blockchain security company that claims to be the gold standard for safe blockchain apps. It offers tools for creating, automating, and running decentralized apps, among other things. It revealed that a recently corrected Convex Finance flaw could have resulted in a $15 billion rug pull.

A rug pull attack is when the founder of a decentralized finance project transfers or takes all of the funds in the platform’s liquidity pools and then leaves the initiative, putting investors at risk.

The weakness in the Convex Finance smart contracts was discovered in December 2021 during a security audit for the Coinbase cryptocurrency exchange.

Convex Finance is a DeFi platform that helps Curve (CRV) stakers and liquidity suppliers earn more money. An unknown developer founded it in May 2021. It has since evolved to become a prominent project in the Curve ecosystem. At the time, it had a total value locked (TVL) of $15 billion.

The majority of Curve Finance’s CRV stablecoins are held by Convex Finance. A rug pull would have been disastrous for the users of both ecosystems.

The Predicament

The bug has since been resolved, according to the team. The fact that the vulnerability could only be exploited or corrected by the protocol’s anonymous developers made the disclosure procedure a monumental undertaking, according to the report.

Contacting anonymous teams about problems can involve complicated dynamics. In many circumstances, anyone who discovers a vulnerability in open-source software can exploit it. In this case, however, the issue could only be exploited (or patched) by Convex’s anonymous developers.

The team claims it considered different ways of informing Convex about the security problem. Although it believed the security flaw was unintentional, if the dev team were to play dirty, their anonymity might help them get away with a rug pull attack.

OpenZeppelin claims it opted to bring in a bug bounty firm, Immunefi, to act as a middleman between it and Convex.

Both parties eventually reached an agreement. In order to avoid a rug pull, the best course of action was to add more publicly known parties to the multisig.

The Security Research Team began open communication with Convex at this point. This document contains detailed information on the vulnerability as well as a way to test it. Convex quickly responded by patching the flaw.

According to Defi Llama, Convex Finance (CVX) has a TVL of $14.41 billion as of press time. The price of its native CVX coin, on the other hand, is currently hovering at $36.57.

Ivan Cruz
Ivan Cruz is a writer for Cryptoconstellation. He has his Masters in Applied Research in Economics & Business. Ivan has been trading crypto for the past 7 years himself and feels it is his duty to bring you all the latest news.
