News - OpenZeppelin finds $15 billion risk in Convex Finance

By Sam Fröling

OpenZeppelin, a company that performs security audits for Coinbase, identified rug-pull vulnerabilities putting $15 billion at risk in Convex Finance; the protocol's anonymous developers later fixed the issue. The surprising discovery was made during a security audit of the Convex Finance protocol.

A bug that can only be used from within

OpenZeppelin's Security Research Team discovered a significant bug in the protocol in late 2021 that could have led to the compromise of the $15B in locked assets. The research revealed that "if two of the three signers of the Convex multisig performed a specific number of steps, users would be able to access all LP tokens staked in the target pool and thus could perform a rug pull, stealing all assets from the pool."

Convex's documentation at the time stated that such a disaster with the LP pools was not possible. The security team nevertheless identified ways to exploit the vulnerabilities, which Convex fortunately fixed on Dec. 14, 2021.

Convex Finance is an open-source protocol whose developers have remained anonymous since its launch. In this case, as OpenZeppelin noted, only the developers of Convex Finance themselves could actually exploit the vulnerabilities. Disclosure of the issue was particularly complicated by that anonymity.

Complications in disclosure

After analyzing the code and the effort Convex's developers would have needed to exploit the vulnerabilities, OpenZeppelin concluded that the vulnerability was unintentional and that Convex's developers could be trusted.

"A public disclosure would have created the wrong incentive for Convex's developers" and would have contributed to the loss of the anonymity that is crucial to the Convex team. OpenZeppelin therefore decided to "contact bug bounty partner Immunefi to introduce an intermediary between OpenZeppelin and Convex."

After both parties agreed to add publicly known entities to the multisig, making the rug pull impossible, OpenZeppelin disclosed the security flaw to Convex on the basis of the team's assurance that it would not exploit the vulnerabilities. Convex quickly patched the problem, eliminating the risk of a $15 billion rug pull.

