Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/convergencefinancerewarddistributormintingexploit.php}} {{Unattributed Sources}} Convergence Finance Logo/HomepageConvergence Finance runs a decentralized autonomous organization which describes themselves as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”. They obtained 4 audits of their s..."

2024-09-25T20:21:09Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/convergencefinancerewarddistributormintingexploit.php}} {{Unattributed Sources}} thumb|Convergence Finance Logo/HomepageConvergence Finance runs a decentralized autonomous organization which describes themselves as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”. They obtained 4 audits of their s..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/convergencefinancerewarddistributormintingexploit.php}}
{{Unattributed Sources}}

[[File:Convergencefinance.jpg|thumb|Convergence Finance Logo/Homepage]]Convergence Finance runs a decentralized autonomous organization which describes themselves as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”. They obtained 4 audits of their smart contract. However, subsequent to those audits, part of the code was optimized to reduce gas cost, leaving a vulnerability where function inputs were not checked. This vulnerability was exploited by a malicious actor to pass in a malicious smart contract, minging 58 million of their native CVG tokens, which were quickly liquidated for wrapped ethereum. In addition, a small $2k fund was also able to be emptied. The protocol has published a postmortem on the incident and promises to take responsibility for the breach.<ref name="cvgwiresharkmedium-14880" /><ref name="cvgfinance-14881" /><ref name="ipfs-14882" />

== About Convergence Finance ==
"One could describe Convergence as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”, built on top of DeFi2.0 protocols. Like Convex, which is accumulating governance rights over Curve, Convergence is built to participate in various protocols governance, while optimizing their underlying yields. To fullfill this objective, different mechanisms are implemented to incentivize user’s participation to governance of both Convergence and underlying protocols."

"A governance token (Convergence governance token ($CVG)) will be implemented to ensure the functioning of the protocol, which will be, eventually, run as a DAO. Moreover, yields generated by Convergence, being generated either by internal or external growth, will be redistributed to stakeholders (governance participants) as dividends."

"Security has always been a concern for us, and Convergence Finance has been audited 4 times by different companies."

== The Reality ==
"However, we modified this part of the code post-audit. The modification (gas-optimization on the first hand) led us to remove the line of code that was checking the input given to the function."

== What Happened ==
"58M CVG have been minted and sold by the hacker for approximately $210,000 ( the whole portion of tokens dedicated to staking emissions);
Approximately $2,000 of unclaimed rewards from Convex have also been stolen."
{| class="wikitable"
|+Key Event Timeline - Convergence Finance Reward Distributor Minting Exploit
!Date
!Event
!Description
|-
|August 1st, 2024 8:59:47 AM MDT
|Exploit Transaction
|The exploit transaction happens on the blockchain, where the attacker is able to mint the Convergence Finance tokens, and swap them for Wrapped Ethereum in the same transaction.
|-
|August 1st, 2024 6:51:55 PM MDT
|Postmortem Published
|A postmortem for the incident is published by a team member named wireshark. This goes into details on the exploit and timeline.
|}

== Technical Details ==
"A lack of validation in the input given by the user in the function claimMultipleStaking of the reward distribution contract is the root cause of the exploit." "The claimContracts struct contains a field that is the address of the staking contract to call. A call is then performed on the staking contract and returns: The amount of CVG to mint to a user; The amount of Convex’s rewards to transfer to a user."

"Without validation of the staking contract, the hacker has been able to pass a malicious contract that he deployed in parameter, which contains a function with the same signature as claimCvgCvxMultiple, allowing him to mint all tokens that were dedicated to staking emissions (58,000,000 CVG). He then dumped all newly minted CVG into liquidity pools."

== Total Amount Lost ==
"58M CVG have been minted and sold by the hacker for approximately $210,000 ( the whole portion of tokens dedicated to staking emissions);
Approximately $2,000 of unclaimed rewards from Convex have also been stolen."

The total amount lost has been estimated at $212,000 USD.

== Immediate Reactions ==
"Today, a vulnerability in the CvxRewardDistributor contract has been exploited."

"All users’ funds are safe. However, we recommend withdrawing your assets staked on the platform.

Due to the exploit, the rewards contract for the Stake DAO integration is currently broken. It will be fixed, and stakers will be able to claim their rewards once it’s done. No rewards are lost for Stake DAO integration users.

We will soon communicate about the possibilities for the future of the protocol.

Thanks for your understanding."

"We apologize to our community and investors, and we take full responsibility for what happened."

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="cvgwiresharkmedium-14880">[https://medium.com/@cvg_wireshark/post-mortem-08-01-2024-e80a49d108a0 Post-mortem | 08/01/2024. Today, a vulnerability in the… | by Wireshark | Aug, 2024 | Medium] (Accessed Aug 9, 2024)</ref>

<ref name="cvgfinance-14881">[https://cvg.finance/ Convergence.] (Accessed Aug 9, 2024)</ref>

<ref name="ipfs-14882">[https://ipfs.io/ipfs/QmR3VBUjh1VKAEF3LVyvZcLnznEuqUc2kRu3hrzqoESHmo/2022-11-15-wp.pdf https://ipfs.io/ipfs/QmR3VBUjh1VKAEF3LVyvZcLnznEuqUc2kRu3hrzqoESHmo/2022-11-15-wp.pdf] (Accessed Aug 9, 2024)</ref></references>

Convergence Finance Reward Distributor Minting Exploit - Revision history