• Myria (MYRIA)
    BOOK OF MEME (BOME)
    dogwifhat (WIF)
    Bonk (BONK)
    Toncoin (TON)
    Jupiter (JUP)
    SSV network (SSV)
    Biconomy (BICO)
    Band Protocol (BAND)
    Tellor (TRB)
    SKALE (SKL)
    Livepeer (LPT)
    Celestia (TIA)
    Steem (STEEM)
    0x (ZRX)
    WOO Network (WOO)
    SushiSwap (SUSHI)
    Safepal (SFP)
    Osmosis (OSMO)
    Mask Network (MASK)
    Magic (MAGIC)
    Kusama (KSM)
    Injective (INJ)
    Holo (HOT)
    STEPN (GMT)
    Moonbeam (GLMR)
    Golem (GLM)
    Frax Share (FXS)
    aelf (ELF)
    dYdX (DYDX)
    Convex Finance (CVX)
    Balancer (BAL)
    Audius (AUDIO)
    Astar (ASTR)
    Aragon (ANT)
    Alpaca Finance (ALPACA)
    Singularity NET (AGIX)
    Ocean Protocol (OCEAN)
    Kava (KAVA)
    Apecoin (APE)
    Immutable X (IMX)
    Maker (MKR)
    Worldcoin (WLD)
    Optimism (OP)
    Synthetix (SNX)
    GMX (GMX)
    Render (RNDR)
    FLOKI (FLOKI)
    Lido DAO (LDO)
    Phala Network (ERC-20) (PHA)
    NEAR Protocol (NEAR)
    Rocket Pool (RPL)
    1Inch (1INCH)
    Pepe (PEPE)
    Tether (ERC-20) (USDT)
    Arbitrum (ARB)
    Elrond (EGLD)
    Shiba Inu (SHIB)
    Ankr (ANKR)
    Bitcoin (BTC)
    DFI.money (YFII)
    Fetch.ai (FET)
    Ethereum (ETH)
    Solana (SOL)
    Binance Coin (BNB)
    Sandbox (SAND)
    Litecoin (LTC)
    Omisego (OMG)
    Ethereum Classic (ETC)
    EOS (EOS)
    Bitcoin Cash (BCH)
    Stellar Lumens (XLM)
    Uniswap (UNI)
    Chainlink (LINK)
    Cardano (ADA)
    PAX Gold (PAXG)
    Zilliqa (ZIL)
    Terra Luna Classic (LUNC)
    Litentry (LIT)
    Axie Infinity (AXS)
    VeChain (VET)
    Cronos (CRO)
    Hedera (HBAR)
    Ripple (XRP)
    Loopring (LRC)
    Dogecoin (DOGE)
    Gala (GALA)
    Cosmos (ATOM)
    Ethereum Name Service (ENS)
    TRON (TRX)
    Quant (QNT)
    Polygon (MATIC)
    Polkadot (DOT)
    Klaytn (KLAY)
    The Graph (GRT)
    PancakeSwap (CAKE)
    Storj (STORJ)
    Fantom (FTM)
    Waves (WAVES)
    Compound (COMP)
    Flow (FLOW)
    Decentraland (MANA)
    Celo (CELO)
    Basic Attention Token (BAT)
    AMP (AMP)
    Algorand (ALGO)
    Tezos (XTZ)
    NEO (NEO)
    Qtum (QTUM)
    Peercoin (PPC)
    Terra Luna (LUNA)
    Enjin (ENJ)
    Avalanche (AVAX)
    IOTA (MIOTA)
    Ontology Gas (ONG)
    Blackcoin (BLK)
    Verge (XVG)
    Pivx (PIVX)
    Stratis (STRAT)
    ZCash (ZEC)
    Dash (DASH)
    Monero (XMR)
    Ontology (ONT)
    Gulden (NLG)
    Gas (GAS)
  • Bull run
    AI
    Price update
    ETF
    NFT
    Mining
    Staking
    DeFi
    Stablecoin
    CBDC
    Elon Musk
    Metaverse
    Web 3.0
    Crypto acceptance
    Bankruptcy
    FTX
    Developments
    Altcoins
    Investing
    Laws and regulations
    Exchanges
    Shiba Inu
    Privacy and security
    USA
    Wallets and Whales
    Scams, crime and fraud
    Blockchain-Technology
    World Economy
  • Paul Hopmans
    Luc Vesters
    Ted Maas
    Anycoin Direct GmbH
    Mike Hesp
    Zenz van der Wielen
    Luuk van der Meijden
    Sam Fröling
    Kevin van der Linden
    Anycoin Direct

    • News - OpenZeppelin finds $15 billion risk in Convex Finance

    By Sam Fröling

    12-12-2023
    3 min read

    OpenZeppelin finds $15 billion risk in Convex Finance

    Convex Finance (CVX)
    Blockchain-Technology
    Privacy and security
    OpenZeppelin finds $15 billion risk, in Convex Finance

    OpenZeppelin, a company that security checks executes for Coinbase, has identified $15 billion in back-pull vulnerabilities in Convex Finance, whose anonymous developers later fixed the risk. The surprising discovery occurred during a security audit of the Convex Finance protocol.

    A bug that can only be used from within

    OpenZeppelin's Security Research Team discovered a significant bug in the protocol in late 2021 that could have led to the compromising of the $15B in locked assets. The research revealed that "if two of the three signers of the Convex multisig performed a specific number of steps, users would be able to access all lp tokens stacked in the target pool and thus could perform a backpull dor stealing all assets from the pool."

    Documentation from Convex at the time stated that such a disaster with the LP pools would not be possible. However, the security team later identified ways to exploit the vulnerabilities that fortunately were fixed by Convex on Dec. 14, 2021.

    Convex Finance is an open-source protocol whose developers have remained anonymous since its launch. In this case, as indicated by OpenZeppelin, only the developers of Convex Finance can actually exploit the vulnerabilities. Disclosure of the incident was particularly complicated because of the nature of anonymity.

    Complications in disclosure

    After analyzing the code and the effort Convex had to take to exploit the vulnerabilities, OpenZeppelin stated that the vulnerability was unintentional and that Convex's developers can be trusted.

    "A public disclosure would have created the wrong incentive for Convex's developers" and would have contributed to the loss of the anonymity crucial to the Convex team. Therefore, OpenZeppelin decided to "contact bug bounty partner Immunefi to introduce an intermediary between OpenZeppelin and Convex."

    After both parties agreed to invite publicly known entities to multisig, making the backpull impossible, OpenZeppelin disclosed the security flaw to Convex based on the team's assurance not to exploit the vulnerabilities. Convex quickly patched the problem, eliminating the risk of a $15 billion backpull.

    New posts

    Download the Anycoin App

    Finally, a crypto app for everyone!

    Check it out
    Anycoin Direct
    A bit smarter a bit easier.
    Get in touch
    Privacy policyGeneral terms and conditionsCookie policyAPI
    Anycoin Direct scores an average of 4.5 out of 5 based on 14104 reviews!