Convex Finance Rug Pull Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Convex Finance Homepage

Convex Finance is a tool to increase rewards for stakers and liquidity providers on the curve protocol. Management of pools is overseen by a multi-signature wallet run by 3 anonymous developers. There was a potential malicious attack pattern that would have allowed 2 of the anonymous developers to steal funds from the liquidity pool.

The issue was ultimately fixed by the team and no funds were taken.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7]

About Convex Finance

[8][9][10][11]

"Introducing Convex Finance, a platform built to boost rewards for CRV stakers and liquidity providers alike, all in a simple and easy to use interface. Convex aims to simplify staking on Curve, as well as the CRV-locking system with the help of its native fee-earning token: CVX."

"Convex allows Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves. Liquidity providers can receive boosted CRV and liquidity mining rewards with minimal effort."

"Deposit liquidity, earn boosted CRV and rewards." "Deposit your Curve LP tokens to earn Curve trading fees, boosted CRV and CVX tokens. Boost is pooled from CRV stakers so you do not need to worry about locking yourself."

"If you’ve ever been a Curve LP, you know it is somewhat non-trivial to maximize your boost by depositing/maintaining your veCRV balance. If you’ve never been a Curve LP, it may be intimidating to do so without being a DeFi power user. Convex aims to make this process easy and bring the CRV boost ecosystem to everyone."

"Convex Finance is a notable protocol, as it holds the majority of Curve Finance’s CRV tokens in circulation. Curve Finance—the leading stablecoin automated market maker—provides approximately one-tenth of the decentralized economy’s liquidity in terms of total locked value."

"Convex has strived to be a trustless platform in which deposits can never be touched or accessed by the admin account."

The Reality

"Since launch we have determined a few vectors that would go against that stance and thus have implemented various checks and conditions that the admin account must clear before certain actions can be taken."

"With the help from V (OpenZeppelin) and 0xJuicer/0xPhaedra0x (Tang Finance) we have implemented layers that either completely block some patterns or make it extremely difficult to put into action."

"These layers, to our knowledge, successfully block most vectors that could be used. However there is still one known path that uses a series of fake gauges to create fake pools and exploits the shutdown system."

What Happened

"In late 2021, as part of a security audit for a client, OpenZeppelin conducted a security review of the Convex Finance protocol. As part of the audit, the Security Research Team uncovered a vulnerability that, if exploited by two of three anonymous multi-signature wallet (multisig) signers, would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion."

Key Event Timeline - Convex Finance Rug Pull Vulnerability
Date Event Description
April 15th, 2021 6:04:00 AM MDT Convex Finance Launch Announcement Convex Finance announces the launch of their protocol on Twitter, with a link to a Medium article[8][11].
December 14th, 2021 7:26:00 PM MST Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
April 4th, 2022 12:15:00 PM MDT Write-Up Available Convex Finance posts on Twitter to let the community know that a full write-up about the issue disclosure is available from OpenZeppelin[12].

Technical Details

"In late 2021, as part of a security audit for a client, OpenZeppelin conducted a security review of the Convex Finance protocol. As part of the audit, the Security Research Team uncovered a vulnerability that, if exploited by two of three anonymous multi-signature wallet (multisig) signers, would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion."


"The vulnerability represented a potential rugpull, a new and significant threat vector in the DeFi space. As OpenZeppelin’s mission is to protect the decentralized economy, the research team created a plan of action to help resolve the vulnerability with minimal risk to the funds in any possible scenario."

"The Security Research Team found that if two of the three signers of the Convex multisig executed a specific series of steps, those users would be provided with unrestricted access to LP tokens staked in a target pool configured with the LP token and target gauge. (Curve uses gauges to allot financial rewards relative to a given user’s contribution of liquidity.)"

"The vulnerability, which was remedied via a patch on December 14, 2021, could have been exploited as follows: (1) Call the revertControl function of the PoolManagerV2 contract to become the poolManager of the Booster contract. (2) Add a new pool configured with the target gauge and an attacker-controlled LP token. (3) Add another new pool configured with target LP token and an attacker-controlled gauge. (4) Deposit to the second pool an amount of attacker-controlled LP token equal to the amount of LP tokens currently deposited in the target gauge. (5) Call the withdrawAll function of the Booster contract to withdraw from the first pool: this will withdraw all the LP tokens from targeted gauge and leave them in the CurveVoterProxy contract. (6) Deposit at least 1 LP token in the second pool by calling the deposit function of the Booster contract: this will approve the entire targeted LP token balance held by the CurveVoterProxy to the fake gauge and call a deposit function on it which can be used to drain the CurveVoterProxy’s balance."


Total Amount Lost

The total amount at risk has been estimated at $15,000,000,000 USD. No funds were lost.

Immediate Reactions

"The dynamics of contacting anonymous teams about issues can be complex. In many cases, a vulnerability in open-source software can be exploited by anyone who finds it. In this specific instance, however, the vulnerability could only be exploited—or patched—by Convex’s anonymous developers."

"From the outset, OpenZeppelin’s analysis of the code (on behalf of a client) and the effort required by Convex to exploit it gave the Security Research Team a high degree of confidence that the vulnerability was unintentional. However, at the time, this could not be known with absolute certainty. Moreover, even if it were unintentional and Convex was unaware of it, disclosure created a perverse incentive for Convex’s developers with $15 billion on the line. There was reason to believe that Convex’s developers were good-faith actors, but the potential costs of being wrong in this belief were astronomical."

"From OpenZeppelin’s point of view, its concerns could be alleviated if the identities of Convex’s developers were known. Convex, on the other hand, was faced with the legitimate security concerns associated with potential loss of its anonymity. For these reasons, both parties had strong incentives to be cautious."

"OpenZeppelin Security Research Team along with Convex anonymous developers agreed that the best course of action to this dilemma was to incorporate additional publicly known parties to the multisig, making a rugpull impossible."

"At this point, the Security Research Team commenced open communication with Convex, providing full vulnerability details and a testing method. Shortly thereafter, Convex patched the vulnerability."

"This vulnerability has since been patched by the Convex Team."

Ultimate Outcome

The Convex Finance team finally posted about the vulnerability the following April.


[13]

"Why not make this post in December after it was patched?"


"Recently, the team was made aware of a complicated series of actions that could, in theory, result in the Convex Finance multi-sig holders gaining access and control of staked Curve LP tokens on Convex. This series of events did not transpire, and user funds were not at risk at anytime from any outside actors. The team has already deployed an immutable fix which adds extra checks, removing the opportunity for the multi-sig to gain access to any LP tokens."

"Convex Finance appreciates the team at OpenZeppelin for their disclosure. Our team has opted to provide a bug bounty as a reward, paid from the treasury."

"A full write-up of the bug disclosure from December 2021 from @OpenZeppelin [was posted on April 4th, 2022]."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual. Individuals can reduce smart contract losses by avoiding the use of unaudited smart contracts and storing funds offline.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This case does not appear to have resulted in a loss to any platform. The risk of smart contract losses can be reduced through greater validation of the smart contract and placing treasury funds in a multi-signature wallet. An industry insurance fund can provide a method of providing relief for any affected users.

Additional Third Party Validation

Having additional reviews and analysis of the security setup for the smart contract can significantly increase the possibility of finding vulnerabilities before a protocol launches.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Multi-Signature Wallet Setup

Convex Finance correctly used a multi-signature setup on the smart contract, however we recommend ensuring that multi-signature setups use at least 3 of 4 signatures. We have also recommended that the signatories of public projects be known and background checked individuals.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Industry Insurance Fund

In the event of a large scale breach or a protocol without a large treasury set aside, an industry insurance fund can provide fast assistance to affected users.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

It does not appear that any funds were lost in this case. The risk of smart contract losses can be reduced through greater validation of the smart contract. An industry insurance fund can provide a method of providing relief for any affected users.

Additional Third Party Validation

Having additional reviews and analysis of the security setup for the smart contract can significantly increase the possibility of finding vulnerabilities before a protocol launches.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Industry Insurance Fund

In the event of a large scale breach or a protocol without a large treasury set aside, an industry insurance fund can provide fast assistance to affected users.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @OpenZeppelin Twitter (Aug 24, 2022)
  2. Known Issues - ConvexFinance (Aug 24, 2022)
  3. December Update Protocol Expansion Cvx Eth Incentive Migration (Aug 24, 2022)
  4. add pool manager layer to safe gaurd lp and gauge address checks · convex-eth/platform@0b52856 · GitHub (Aug 24, 2022)
  5. @ConvexFinance Twitter (Aug 24, 2022)
  6. @JustinCBram Twitter (Aug 24, 2022)
  7. @ConvexFinance Twitter (Aug 24, 2022)
  8. 8.0 8.1 Convex Finance - "Introducing Convex Finance! A new platform, built by Defi Natives, to simplify your Curve-boosting experience to maximize your yields." - Twitter (Aug 24, 2022)
  9. https://www.convexfinance.com/ (Aug 23, 2022)
  10. Convex for Curve.fi - ConvexFinance (Aug 23, 2022)
  11. 11.0 11.1 Convex Finance Pre Launch Announcement - Convex Finance Medium (Aug 24, 2022)
  12. Convex Finance - "A full write-up of the bug disclosure from December 2021 from @OpenZeppelin." - Twitter (Aug 24, 2022)
  13. fewture - "Why not make this post in December after it was patched?" - Twitter (Sep 6, 2023)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Convex_Finance_Rug_Pull_Vulnerability&oldid=4994"