Post-mortem | 08/01/2024

Wireshark

Today, a vulnerability in the CvxRewardDistributor contract has been exploited.

  • 58M CVG have been minted and sold by the hacker for approximately $210,000 (the whole portion of tokens dedicated to staking emissions);
  • Approximately $2,000 of unclaimed rewards from Convex have also been stolen.

Context

The CvxRewardDistributor contract (0x2b083beaaC310CC5E190B1d2507038CcB03E7606):

  • Mints CVG rewards to eligible stakers;
  • Holds the rewards claimed from Convex, and allows stakers to claim them.

The exploit

  • The root cause of the exploit is a lack of validation of the user-supplied input to the function claimMultipleStaking of the reward distribution contract.

The claimContracts struct contains a field that is the address of the staking contract to call.

A call is then performed on the staking contract and returns:

  • The amount of CVG to mint to a user;
  • The amount of Convex’s rewards to transfer to a user.

Because the staking contract address was not validated, the hacker was able to pass, as a parameter, a malicious contract he had deployed, which contains a function with the same signature as claimCvgCvxMultiple. This allowed him to mint all tokens that were dedicated to staking emissions (58,000,000 CVG). He then dumped all newly minted CVG into liquidity pools.

The transaction of the exploit: https://etherscan.io/tx/0x636be30e58acce0629b2bf975b5c3133840cd7d41ffc3b903720c528f01c65d9
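As an added illustration (not the project's code and not the CvxRewardDistributor source), here is the unchecked pattern described above beside a version that validates the staking address against an allowlist. The struct field names, the token interface and the allowlist mapping are assumptions; only claimMultipleStaking, claimCvgCvxMultiple and claimContracts come from the post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; names other than claimMultipleStaking,
// claimCvgCvxMultiple and claimContracts are assumptions.
interface ICvgToken {
    function mintStaking(address to, uint256 amount) external;
}

interface IStaking {
    // Returns (CVG to mint, Convex rewards to transfer) for the account.
    function claimCvgCvxMultiple(address account)
        external returns (uint256 cvgAmount, uint256 cvxRewardAmount);
}

// The defect: the staking address comes straight from calldata and is
// called without any check, so its return values are caller-controlled.
contract UncheckedDistributor {
    struct ClaimContract { address stakingContract; uint256[] tokenIds; }
    ICvgToken public immutable cvg;
    constructor(ICvgToken _cvg) { cvg = _cvg; }

    function claimMultipleStaking(ClaimContract[] calldata claimContracts) external {
        for (uint256 i; i < claimContracts.length; i++) {
            (uint256 cvgAmount, ) =
                IStaking(claimContracts[i].stakingContract).claimCvgCvxMultiple(msg.sender);
            cvg.mintStaking(msg.sender, cvgAmount); // amount trusted from an arbitrary contract
        }
    }
}

// The fix: only addresses registered by governance may be called.
contract AllowlistedDistributor {
    struct ClaimContract { address stakingContract; uint256[] tokenIds; }
    ICvgToken public immutable cvg;
    mapping(address => bool) public isStakingContract; // populated by an admin/governance path
    constructor(ICvgToken _cvg) { cvg = _cvg; }

    function claimMultipleStaking(ClaimContract[] calldata claimContracts) external {
        for (uint256 i; i < claimContracts.length; i++) {
            address staking = claimContracts[i].stakingContract;
            require(isStakingContract[staking], "UNKNOWN_STAKING_CONTRACT");
            (uint256 cvgAmount, ) = IStaking(staking).claimCvgCvxMultiple(msg.sender);
            cvg.mintStaking(msg.sender, cvgAmount);
        }
    }
}
```

A single `require` against a governance-maintained allowlist is the kind of line whose removal turns a claim function into an unrestricted mint; keeping such checks covered by tests makes a post-audit refactor less likely to drop them unnoticed.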

How did it happen?

Security has always been a concern for us, and Convergence Finance has been audited 4 times by different companies.

However, we modified this part of the code post-audit. The modification, originally intended as a gas optimization, led us to remove the line of code that was checking the input given to the function.

We apologize to our community and investors, and we take full responsibility for what happened.

Recommendations

All users’ funds are safe. However, we recommend withdrawing your assets staked on the platform.

Due to the exploit, the rewards contract for the Stake DAO integration is currently broken. It will be fixed, and stakers will be able to claim their rewards once it’s done. No rewards are lost for Stake DAO integration users.

We will soon communicate about the possibilities for the future of the protocol.

Thanks for your understanding.
