The DeFi protocol Convex Finance, which boosts rewards for Curve liquidity providers and CRV stakers, had a significant bug that put the roughly $15 billion of value locked in the protocol at risk. Convex Finance has now fixed the rug pull vulnerability, which was uncovered by blockchain security firm OpenZeppelin.
OpenZeppelin’s Security Research Team discovered the bug as a part of the security audit of the Convex Finance protocol for Coinbase.
The vulnerability was that if two of the Convex multisig's three anonymous signers had exploited the bug, the multisig would have gained direct control over the protocol's roughly $15 billion of locked value.
“Those users would be provided with unrestricted access to LP tokens staked in a target pool configured with the LP token and target gauge,” the announcement by the blockchain audit firm read.
Convex is built on top of Curve, a leading stablecoin automated market maker that provides roughly one-tenth of the liquidity in decentralized finance (DeFi).
Disclosure was complicated by the fact that the only parties able to patch the vulnerability, the protocol's anonymous developers, were also the only parties in a position to exploit it. Since describing the bug to them would tell the people who could exploit it exactly how, OpenZeppelin was unsure whether disclosing it to them directly was the right course.
A further complication was that, even if the Convex team had been unaware of the bug, the disclosure itself would create an incentive for the developers to act fraudulently, with $15 billion on the line.
OpenZeppelin's concerns could have been eased had Convex revealed the developers' identities, but that would have raised security concerns for the developers themselves, since their anonymity would be compromised.
OpenZeppelin therefore approached its bug bounty partner Immunefi to act as an intermediary between the two sides, and sought assurances that the vulnerability would not be exploited before describing it to the Convex team.
The Security Research Team and the anonymous developers agreed that the best solution was to add more publicly known parties to the multisig, so that the anonymous signers alone could no longer carry out a rug pull.
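As an added illustration (this is constructed example code, not Convex's or OpenZeppelin's), the model below captures the quorum rule at the heart of that fix. In a 2-of-3 wallet whose three signers are all anonymous, any two of them reach quorum on their own. Adding publicly known signers removes that ability only if the approval threshold is also raised above the number of anonymous signers; adding signers while keeping the old threshold changes nothing. The signer names and the proposal text are hypothetical placeholders.

```python
"""Toy m-of-n multisig governance model (constructed example, not Convex code).

It models only the quorum rule: a proposal executes once `threshold` distinct
signers have confirmed it. Signer names below are hypothetical placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    action: str
    confirmations: set = field(default_factory=set)  # a set: no double-counting
    executed: bool = False


class MultiSig:
    def __init__(self, signers, threshold):
        signers = list(dict.fromkeys(signers))  # keep order, drop duplicates
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers = signers
        self.threshold = threshold
        self.proposals = []

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")

    def propose(self, signer, action):
        """A signer opens a proposal; proposing counts as the first confirmation."""
        self.proposals.append(Proposal(action))
        pid = len(self.proposals) - 1
        self.confirm(signer, pid)
        return pid

    def confirm(self, signer, pid):
        """Record a confirmation; the action takes effect once quorum is reached."""
        self._require_signer(signer)
        p = self.proposals[pid]
        p.confirmations.add(signer)
        if len(p.confirmations) >= self.threshold:
            p.executed = True
        return p.executed


def colluders_can_execute(signers, threshold, colluders):
    """True if the colluding subset alone reaches quorum on an action."""
    wallet = MultiSig(signers, threshold)
    colluders = [c for c in colluders if c in wallet.signers]
    if not colluders:
        return False
    pid = wallet.propose(colluders[0], "take control of staked LP tokens")
    for c in colluders[1:]:
        wallet.confirm(c, pid)
    return wallet.proposals[pid].executed


def min_threshold_requiring_known_signer(signers, anonymous):
    """Smallest threshold at which no subset of anonymous signers reaches quorum.

    Returns None when the signer set cannot support such a threshold, i.e.
    when every signer is anonymous.
    """
    signers = list(dict.fromkeys(signers))
    anon_count = len([s for s in signers if s in set(anonymous)])
    needed = anon_count + 1
    return needed if needed <= len(signers) else None


if __name__ == "__main__":
    before = ["anon1", "anon2", "anon3"]
    after = before + ["known1", "known2"]
    print("2-of-3, two anonymous signers collude:",
          colluders_can_execute(before, 2, ["anon1", "anon2"]))      # True
    print("2-of-5 after adding known signers, same pair:",
          colluders_can_execute(after, 2, ["anon1", "anon2"]))       # True
    print("3-of-5, same pair:",
          colluders_can_execute(after, 3, ["anon1", "anon2"]))       # False
    print("3-of-5, all three anonymous signers:",
          colluders_can_execute(after, 3, before))                   # True
    print("threshold that forces a known signer in:",
          min_threshold_requiring_known_signer(after, before))       # 4
```

The last two cases are the practitioner's check: with three anonymous signers still on the wallet, a 3-of-5 threshold only blocks pairs, and the anonymous trio can still reach quorum together. The threshold has to exceed the number of anonymous signers, here 4-of-5, before at least one publicly known party is required for every action.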
Rug pulls, in which a project's insiders abscond with investors' funds, are a well-known type of crypto and NFT scam and now cost investors hundreds of millions of dollars each year. Yet it was only last month that federal authorities made their first NFT "rug pull" bust: the U.S. DOJ charged two men with defrauding investors of over $1 million through an NFT project.