
OpenZeppelin Found Potential $15B Rugpull in Convex Finance


By Jordan Lyanchev


OpenZeppelin, a security audit company that audits for Coinbase, identified a vulnerability in Convex Finance that could have enabled a rugpull of roughly $15B in locked assets; the protocol's anonymous developers later resolved the risk. The discovery came as a surprise during a security review of the Convex Finance protocol.

A Bug Only Exploitable From the Inside

OpenZeppelin's Security Research Team found in late 2021 that a significant bug in the protocol could have put the $15B worth of locked assets at risk. The investigation revealed that “if two of the three signers of the Convex multisig executed a specific series of steps, users would be able to access all the LP tokens staked in the target pool and thus conduct a rugpull – stealing all the assets from the pool.”

Convex's documentation at the time stated that such a disaster could not happen to its LP pools. However, the security team identified a way to exploit the vulnerability, which Convex fortunately patched on 14 December 2021.

Convex Finance is an open-source protocol whose developers have remained anonymous since its launch. In this instance, as OpenZeppelin indicated, only Convex Finance's own developers, acting as signers of the multisig, could actually exploit the vulnerability. The developers' anonymity made disclosing the issue particularly complicated.

Disclosure Complications

After analyzing the code and the effort Convex would have needed to exploit the vulnerability, OpenZeppelin concluded that the vulnerability was unintentional and that Convex's developers are good-faith actors.

“Public disclosure would have created a perverse incentive for Convex’s developers” and could have cost the Convex team the anonymity it considers crucial. As such, OpenZeppelin decided to “reach out to bug bounty partner Immunefi for an introduction to an intermediary between OpenZeppelin and Convex.”

After both parties agreed to add publicly known entities to the multisig, rendering the rugpull impossible, OpenZeppelin disclosed the bug to Convex on the basis of the team's assurance that it would not take advantage of the vulnerability. Convex patched the issue soon after, eliminating the risk of a rugpull worth $15B.
