{"id":59632,"date":"2022-04-05T15:34:47","date_gmt":"2022-04-05T12:34:47","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=59632"},"modified":"2025-09-04T22:55:36","modified_gmt":"2025-09-04T19:55:36","slug":"convex-finance-fixes-bug-that-could-have-endangered-15-billion","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/convex-finance-fixes-bug-that-could-have-endangered-15-billion\/","title":{"rendered":"Convex Finance fixes bug that could have endangered $15 billion"},"content":{"rendered":"<p>The team behind the DeFi project Convex Finance fixed a vulnerability that could have enabled a <span data-descr=\"anonymous project developers abruptly shut it down, absconding with users' funds\" class=\"old_tooltip\">rug pull<\/span>. The bug was identified by OpenZeppelin researchers.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Rugpull vulnerability patched in <a href=\"https:\/\/twitter.com\/ConvexFinance?ref_src=twsrc%5Etfw\">@ConvexFinance<\/a>\u2019s live contracts. $15 billion in TVL secured. <\/p>\n<p>Summary in thread below. See blog for technical details.\ud83d\udc47<a href=\"https:\/\/t.co\/dAkUom9qX1\">https:\/\/t.co\/dAkUom9qX1<\/a><\/p>\n<p>\u2014 OpenZeppelin (@OpenZeppelin) <a href=\"https:\/\/twitter.com\/OpenZeppelin\/status\/1511026513356877830?ref_src=twsrc%5Etfw\">April 4, 2022<\/a><\/p><\/blockquote>\n<p>Security researchers conducted a security audit of the protocol for Coinbase. They found that two of the three anonymous signatories of the multisig wallet could access liquidity pools by executing a specific sequence of steps. At the time, the project\u2019s <span data-descr=\"total value locked in smart contracts\" class=\"old_tooltip\">TVL<\/span> stood at about $15 billion.<\/p>\n<p>In Convex Finance\u2019s documentation, such control was claimed to be impossible. 
However, only the protocol\u2019s developers could exploit the vulnerability to withdraw funds or fix it.<\/p>\n<p>OpenZeppelin researchers judged that an inadvertent coding error was the most likely explanation, but they were not wholly confident.<\/p>\n<p>According to them, they faced a dilemma related to the anonymity of teams of such projects:<\/p>\n<ul class=\"wp-block-list\">\n<li>Inform the developers of the vulnerability and prompt them to implement a fraudulent scheme, if one had been intended;<\/li>\n<li>Disclose the vulnerability publicly and damage the protocol\u2019s reputation with accompanying financial losses, if the team did not intend illicit actions.<\/li>\n<\/ul>\n<p>The researchers chose Immunefi, a bug-bounty platform, as an intermediary. This path provided assurances that the bug would not be exploited and allowed reporting it to the developers.<\/p>\n<p>OpenZeppelin and Convex Finance teams agreed to add additional trusted parties to the multisig signatories to render unauthorized withdrawals impossible.<\/p>\n<p>Subsequently, the researchers handed the full details of the vulnerability and the testing methods to the protocol developers.<\/p>\n<p>In 2021, via rug-pull schemes, criminals <a href=\"https:\/\/u1f987.com\/en\/news\/chainalysis-rug-pull-schemes-accounted-for-37-of-scammers-income-in-2021\">stole<\/a> about $2.8 billion in cryptocurrency from users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The DeFi project Convex Finance fixed a vulnerability that could enable a rug-pull scheme. 
The bug was identified by OpenZeppelin researchers.<\/p>\n","protected":false},"author":1,"featured_media":26216,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1093],"class_list":["post-59632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"36","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/59632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=59632"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/59632\/revisions"}],"predecessor-version":[{"id":59633,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/59632\/revisions\/59633"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/26216"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=59632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=59632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=59632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}