Convergence Finance Reward Distributor Minting Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 14:21, 25 September 2024 by Azoundria (talk | contribs) (Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/convergencefinancerewarddistributormintingexploit.php}} {{Unattributed Sources}} thumb|Convergence Finance Logo/HomepageConvergence Finance runs a decentralized autonomous organization which describes themselves as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”. They obtained 4 audits of their s...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Convergence Finance Logo/Homepage

Convergence Finance runs a decentralized autonomous organization which describes themselves as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”. They obtained 4 audits of their smart contract. However, subsequent to those audits, part of the code was optimized to reduce gas cost, leaving a vulnerability where function inputs were not checked. This vulnerability was exploited by a malicious actor to pass in a malicious smart contract, minging 58 million of their native CVG tokens, which were quickly liquidated for wrapped ethereum. In addition, a small $2k fund was also able to be emptied. The protocol has published a postmortem on the incident and promises to take responsibility for the breach.[1][2][3]

About Convergence Finance

"One could describe Convergence as a “decentralized governance hedge fund” as well as a “sustainable liquidity providing incentivizer”, built on top of DeFi2.0 protocols. Like Convex, which is accumulating governance rights over Curve, Convergence is built to participate in various protocols governance, while optimizing their underlying yields. To fullfill this objective, different mechanisms are implemented to incentivize user’s participation to governance of both Convergence and underlying protocols."

"A governance token (Convergence governance token ($CVG)) will be implemented to ensure the functioning of the protocol, which will be, eventually, run as a DAO. Moreover, yields generated by Convergence, being generated either by internal or external growth, will be redistributed to stakeholders (governance participants) as dividends."

"Security has always been a concern for us, and Convergence Finance has been audited 4 times by different companies."

The Reality

"However, we modified this part of the code post-audit. The modification (gas-optimization on the first hand) led us to remove the line of code that was checking the input given to the function."

What Happened

"58M CVG have been minted and sold by the hacker for approximately $210,000 ( the whole portion of tokens dedicated to staking emissions); Approximately $2,000 of unclaimed rewards from Convex have also been stolen."

Key Event Timeline - Convergence Finance Reward Distributor Minting Exploit
Date Event Description
August 1st, 2024 8:59:47 AM MDT Exploit Transaction The exploit transaction happens on the blockchain, where the attacker is able to mint the Convergence Finance tokens, and swap them for Wrapped Ethereum in the same transaction.
August 1st, 2024 6:51:55 PM MDT Postmortem Published A postmortem for the incident is published by a team member named wireshark. This goes into details on the exploit and timeline.

Technical Details

"A lack of validation in the input given by the user in the function claimMultipleStaking of the reward distribution contract is the root cause of the exploit." "The claimContracts struct contains a field that is the address of the staking contract to call. A call is then performed on the staking contract and returns: The amount of CVG to mint to a user; The amount of Convex’s rewards to transfer to a user."

"Without validation of the staking contract, the hacker has been able to pass a malicious contract that he deployed in parameter, which contains a function with the same signature as claimCvgCvxMultiple, allowing him to mint all tokens that were dedicated to staking emissions (58,000,000 CVG). He then dumped all newly minted CVG into liquidity pools."

Total Amount Lost

"58M CVG have been minted and sold by the hacker for approximately $210,000 ( the whole portion of tokens dedicated to staking emissions); Approximately $2,000 of unclaimed rewards from Convex have also been stolen."

The total amount lost has been estimated at $212,000 USD.

Immediate Reactions

"Today, a vulnerability in the CvxRewardDistributor contract has been exploited."

"All users’ funds are safe. However, we recommend withdrawing your assets staked on the platform.

Due to the exploit, the rewards contract for the Stake DAO integration is currently broken. It will be fixed, and stakers will be able to claim their rewards once it’s done. No rewards are lost for Stake DAO integration users.

We will soon communicate about the possibilities for the future of the protocol.

Thanks for your understanding."

"We apologize to our community and investors, and we take full responsibility for what happened."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Post-mortem | 08/01/2024. Today, a vulnerability in the… | by Wireshark | Aug, 2024 | Medium (Accessed Aug 9, 2024)
  2. Convergence. (Accessed Aug 9, 2024)
  3. https://ipfs.io/ipfs/QmR3VBUjh1VKAEF3LVyvZcLnznEuqUc2kRu3hrzqoESHmo/2022-11-15-wp.pdf (Accessed Aug 9, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Convergence_Finance_Reward_Distributor_Minting_Exploit&oldid=6167"