Convex Finance Rug Pull Vulnerability
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Convex Finance is a tool to increase rewards for stakers and liquidity providers on the curve protocol. Management of pools is overseen by a multi-signature wallet run by 3 anonymous developers. There was a potential malicious attack pattern that would have allowed 2 of the anonymous developers to steal funds from the liquidity pool.
The issue was ultimately fixed by the team and no funds were taken.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12]
About Convex Finance
"Introducing Convex Finance, a platform built to boost rewards for CRV stakers and liquidity providers alike, all in a simple and easy to use interface. Convex aims to simplify staking on Curve, as well as the CRV-locking system with the help of its native fee-earning token: CVX."
"Convex allows Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves. Liquidity providers can receive boosted CRV and liquidity mining rewards with minimal effort."
"Deposit liquidity, earn boosted CRV and rewards." "Deposit your Curve LP tokens to earn Curve trading fees, boosted CRV and CVX tokens. Boost is pooled from CRV stakers so you do not need to worry about locking yourself."
"If you’ve ever been a Curve LP, you know it is somewhat non-trivial to maximize your boost by depositing/maintaining your veCRV balance. If you’ve never been a Curve LP, it may be intimidating to do so without being a DeFi power user. Convex aims to make this process easy and bring the CRV boost ecosystem to everyone."
"Convex Finance is a notable protocol, as it holds the majority of Curve Finance’s CRV tokens in circulation. Curve Finance—the leading stablecoin automated market maker—provides approximately one-tenth of the decentralized economy’s liquidity in terms of total locked value."
"Convex has strived to be a trustless platform in which deposits can never be touched or accessed by the admin account."
"Since launch we have determined a few vectors that would go against that stance and thus have implemented various checks and conditions that the admin account must clear before certain actions can be taken."
"With the help from V (OpenZeppelin) and 0xJuicer/0xPhaedra0x (Tang Finance) we have implemented layers that either completely block some patterns or make it extremely difficult to put into action."
"These layers, to our knowledge, successfully block most vectors that could be used. However there is still one known path that uses a series of fake gauges to create fake pools and exploits the shutdown system."
"In late 2021, as part of a security audit for a client, OpenZeppelin conducted a security review of the Convex Finance protocol. As part of the audit, the Security Research Team uncovered a vulnerability that, if exploited by two of three anonymous multi-signature wallet (multisig) signers, would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion."
"The vulnerability represented a potential rugpull, a new and significant threat vector in the DeFi space. As OpenZeppelin’s mission is to protect the decentralized economy, the research team created a plan of action to help resolve the vulnerability with minimal risk to the funds in any possible scenario."
"The Security Research Team found that if two of the three signers of the Convex multisig executed a specific series of steps, those users would be provided with unrestricted access to LP tokens staked in a target pool configured with the LP token and target gauge. (Curve uses gauges to allot financial rewards relative to a given user’s contribution of liquidity.)"
"The vulnerability, which was remedied via a patch on December 14, 2021, could have been exploited as follows: (1) Call the revertControl function of the PoolManagerV2 contract to become the poolManager of the Booster contract. (2) Add a new pool configured with the target gauge and an attacker-controlled LP token. (3) Add another new pool configured with target LP token and an attacker-controlled gauge. (4) Deposit to the second pool an amount of attacker-controlled LP token equal to the amount of LP tokens currently deposited in the target gauge. (5) Call the withdrawAll function of the Booster contract to withdraw from the first pool: this will withdraw all the LP tokens from targeted gauge and leave them in the CurveVoterProxy contract. (6) Deposit at least 1 LP token in the second pool by calling the deposit function of the Booster contract: this will approve the entire targeted LP token balance held by the CurveVoterProxy to the fake gauge and call a deposit function on it which can be used to drain the CurveVoterProxy’s balance."
"The dynamics of contacting anonymous teams about issues can be complex. In many cases, a vulnerability in open-source software can be exploited by anyone who finds it. In this specific instance, however, the vulnerability could only be exploited—or patched—by Convex’s anonymous developers."
"From the outset, OpenZeppelin’s analysis of the code (on behalf of a client) and the effort required by Convex to exploit it gave the Security Research Team a high degree of confidence that the vulnerability was unintentional. However, at the time, this could not be known with absolute certainty. Moreover, even if it were unintentional and Convex was unaware of it, disclosure created a perverse incentive for Convex’s developers with $15 billion on the line. There was reason to believe that Convex’s developers were good-faith actors, but the potential costs of being wrong in this belief were astronomical."
"From OpenZeppelin’s point of view, its concerns could be alleviated if the identities of Convex’s developers were known. Convex, on the other hand, was faced with the legitimate security concerns associated with potential loss of its anonymity. For these reasons, both parties had strong incentives to be cautious."
"OpenZeppelin Security Research Team along with Convex anonymous developers agreed that the best course of action to this dilemma was to incorporate additional publicly known parties to the multisig, making a rugpull impossible."
"At this point, the Security Research Team commenced open communication with Convex, providing full vulnerability details and a testing method. Shortly thereafter, Convex patched the vulnerability."
"This vulnerability has since been patched by the Convex Team."
"Recently, the team was made aware of a complicated series of actions that could, in theory, result in the Convex Finance multi-sig holders gaining access and control of staked Curve LP tokens on Convex. This series of events did not transpire, and user funds were not at risk at anytime from any outside actors. The team has already deployed an immutable fix which adds extra checks, removing the opportunity for the multi-sig to gain access to any LP tokens."
"Convex Finance appreciates the team at OpenZeppelin for their disclosure. Our team has opted to provide a bug bounty as a reward, paid from the treasury."
"A full write-up of the bug disclosure from December 2021 from @OpenZeppelin [was posted on April 4th, 2022]."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| December 14th, 2021 7:26:00 PM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount at risk has been estimated at $15,000,000,000 USD. No funds were lost.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Convex Finance correctly used a multi-signature setup on the smart contract, however we recommend ensuring that multi-signature setups use at least 3 of 4 signatures and that the signatories of public projects be known and background checked individuals.
We have proposed a way to create a decentralized industry insurance fund which could protect in the event of a rug pull of a registered/compliant project.
References
- ↑ https://www.convexfinance.com/ (Aug 23, 2022)
- ↑ Convex for Curve.fi - ConvexFinance (Aug 23, 2022)
- ↑ @ConvexFinance Twitter (Aug 24, 2022)
- ↑ @OpenZeppelin Twitter (Aug 24, 2022)
- ↑ Known Issues - ConvexFinance (Aug 24, 2022)
- ↑ December Update Protocol Expansion Cvx Eth Incentive Migration (Aug 24, 2022)
- ↑ add pool manager layer to safe gaurd lp and gauge address checks · convex-eth/platform@0b52856 · GitHub (Aug 24, 2022)
- ↑ @ConvexFinance Twitter (Aug 24, 2022)
- ↑ @JustinCBram Twitter (Aug 24, 2022)
- ↑ @ConvexFinance Twitter (Aug 24, 2022)
- ↑ @ConvexFinance Twitter (Aug 24, 2022)
- ↑ Convex Finance Pre Launch Announcement (Aug 24, 2022)