A routine security audit turned into a potential nightmare for Convex Finance as OpenZeppelin’s security team discovered a vulnerability during a security review of the Convex Finance protocol.
The bug, if exploited, could have potentially put Convex’s locked value, $15 billion at the time, at risk, giving explorers direct control over it. It is interesting to note that documentation by Convex had stated that such a level of control over its locked value would not have been possible. Since its discovery, the Convex team has been quick to patch the vulnerability.
Details Of The Bug
OpenZeppelin shed light on the bug's discovery and subsequent patching in a blog post. Convex, one of the most prominent DeFi protocols, had a significant bug that put $15 billion of its locked value at risk. The protocol holds a majority of Curve Finance’s CRV tokens. Curve is a leading stablecoin automated market maker that provides around 1/10th of the decentralized economy’s liquidity.
The bug discovered by OpenZeppelin’s Security Research Team meant that if two or three signers of Convex’s multisig execute a specific series of steps, they gained unrestricted access to Liquidity Provider tokens that have been staked in a target pool configured by the LP token and target gauge.
Documentation from Convex showed that such a scenario should not be possible, but has since been updated. This made the resolution slightly tricky. However, the vulnerability was patched on 14th December 2021. You can find out more about how the bug could have been exploited here.
Disclosure Complications
We mentioned that the bug’s disclosure was slightly tricky for OpenZeppelin’s team. Let’s understand why. It becomes slightly complicated if a team finds a protocol vulnerability that can be exploited or patched only by the protocol in question’s developer team. This vulnerability provides an ideal window for how misaligned incentives and imperfect situational knowledge could lead to complications when it comes to disclosures of vulnerabilities. In the case of Curve, the vulnerability could only be exploited by Convex’s anonymous developers.
OpenZeppelin was confident that the vulnerability on Convex was unintentional, but they could not be certain. Another layer of complication was that even if the Convex team was unaware of the bug, disclosure created an incentive for developers on Convex to act maliciously, with $15 billion up for grabs. While OpenZeppelin was willing to give the benefit of the doubt to Convex developers, the implications were significant if it were proved to be wrong.
The Way Forward With The Disclosure
OpenZeppelin’s concerns could be dispelled if Convex revealed the developers' identities. However, this could lead to security concerns at Convex’s end, with developers losing their anonymity. OpenZeppelin’s team was thus left with three ways forward.
- Disclosing the vulnerability details to Convex - This carried some risk as if the vulnerability was intentional, the disclosure would have prompted developers to execute their intended rug pull.
- Disclose the vulnerability to the community - While there was some argument in favor of disclosing the vulnerability to the community at large, OpenZeppelin felt this course of action would have been irresponsible. Two possible scenarios could have emerged from this course of action. If the vulnerability were disclosed and was intentional, developers would have executed their rug pull. However, if it were unintentional, it would have caused significant harm to Convex’s reputation.
- Obtain assurances that the Convex team would not exploit the vulnerability and then disclose - This was the approach taken by OpenZeppelin, with the team reaching out to bug bounty partner Immunefi for an intermediary between Convex and OpenZeppelin.
Addition Of Publicly Known Persons To Convex Multisig
Adding publicly known participants to the Convex multisig was key to reducing risk. OpenZeppelin’s security team and the anonymous developers at Convex agreed that the addition of publicly known parties to the multisig was the best course of action, making a rug pull impossible to execute. After communication between OpenZeppelin and Convex was established, the latter patched the vulnerability.
