A flaw in Convex Finance (CVX) could have triggered a $15 billion rug pull

by Thomas

Audit firm OpenZeppelin has just revealed that it discovered a flaw in the code of Convex Finance (CVX) that could have led to a $15 billion rug pull. This has since been fixed with the collaboration of the project’s developers. Let’s take a look at the details of this case, which could have caused a catastrophe in the world of decentralised finance.

Potential rug pull avoided on Convex Finance

During a security audit of the Convex protocol carried out for the Coinbase platform, the specialised firm OpenZeppelin uncovered a flaw that could have led to a rug pull of all the funds held by the protocol.

As a reminder, Convex is a flywheel built on top of Curve (CRV). A flywheel is a protocol that depends on another protocol in order to multiply the returns the latter initially offers. It is therefore possible to deposit one’s CRV tokens on Convex rather than on Curve in order to generate more interest.

This case, detailed today by the auditing firm, was discovered in late 2021 and put $15 billion of assets at risk, which was the project’s total value locked (TVL) at the time.

It is a disaster scenario that could have happened if the developers had been ill-intentioned. Indeed, the sums at stake represented at that time about 10% of the TVL of the Ethereum network (ETH), or just over 6% of the entire DeFi ecosystem, according to data from the Defi Llama website.

The bug in question was in the multisignature (multisig) system: if two of the three signatories performed a specific series of actions, they gained access to all of the platform’s funds.

Fortunately, the Convex team had no intention of triggering a rug pull, and a patch was deployed on 14 December to correct this unintended flaw by rendering it unusable. Two publicly identified signatories were also added to the multisig in order to raise the level of trust.

OpenZeppelin faces a difficult situation to manage

Although the auditing company had no doubts about the honesty and good faith of the developers, it found itself in a tricky situation when it discovered the flaw. It had to make strategic choices so as not to put users’ funds at risk.

Indeed, since the patch could only be deployed by the project’s developers, it was left with three options:

  • Disclose the flaw directly to Convex, which could have triggered the rug pull if the team had bad intentions;
  • Make the flaw public, with the same risk as the first option, while also putting the protocol’s reputation at stake;
  • Make sure the team is honest and proceed in stages.

The latter was the preferred solution, because even if the flaw was not intentional, having the opportunity to take $15 billion presents a high risk of temptation, especially since the founding team of Convex is anonymous.

OpenZeppelin then approached the team at Immunefi, a platform for setting up bug bounty programmes for anyone who discovers a bug in a protocol. Immunefi, whose services Convex uses, agreed to act as an intermediary in order to carry out the correction process.

So this was a case that ended well and even led to an improvement in the security of the protocol. It still offers interesting lessons: while a major disaster was avoided, it reminds us that DeFi is still young and carries risks that must be taken into account in one’s investment strategy.
