Convex Finance: Potential Rug Pull Discovered by OpenZeppelin, Might Have Cost $15B

  • Security audit firm OpenZeppelin discovered a potential rug pull in Convex Finance that might have resulted in a loss worth $15 billion.
  • If two of the three signers of the Convex multisig had carried out a particular series of steps, the investigation found, they would have been able to access all the LP tokens.
  • The Convex team later fixed the potential bug.

A security audit firm for the crypto exchange Coinbase has highlighted rug pull vulnerabilities worth $15B in Convex Finance, whose anonymous developers later addressed the risks. The issue was found during a security review of the Convex Finance protocol.

OpenZeppelin’s Security Research Team discovered late last year that a considerable bug in the protocol might have put $15 billion worth of locked assets at risk. Their findings showed that if two of the three signers of the Convex multisig carried out a particular series of steps, they would be able to access all the LP tokens staked in the target pool. They could then conduct a rug pull, stealing all the assets from the pool.

Convex Finance’s documentation, however, stated that such an attack on the LP pools would not be possible. The security team nevertheless found ways to exploit the vulnerabilities, which Convex then fixed in mid-December.

The Vulnerability Was Solely Exploitable By the Anonymous Developers 

Convex Finance is an open-source protocol, and its developers have chosen to stay anonymous so far. The security audit firm indicated that only the developers of Convex Finance could exploit the vulnerabilities. The developers' anonymity made disclosing the vulnerabilities somewhat complicated.

After analysing the effort and code Convex would have needed to exploit those vulnerabilities, the firm further concluded that the vulnerability was not intended and that the developers are good-faith actors.

According to OpenZeppelin, public disclosure would have created a perverse incentive for the developers of Convex Finance and contributed to the loss of the anonymity that is essential for the Convex team.

The security audit firm revealed the potential bug to Convex on the basis of the team's assurance that it would not take advantage of it. Convex then fixed the potential rug pull problem.

The crypto industry is not free from these kinds of frauds. Security issues are inevitable, and potential rug pulls are going to keep appearing across the space anyway. One thing we can do is identify the threat and eliminate it before any loss occurs, as the Convex team did.

Source: https://www.thecoinrepublic.com/2022/04/07/convex-finance-potential-rugpull-discovered-by-openzepplin-might-have-costed-15b/