Team statement: Liquidity mining program vesting bug
There was a bug in the CVP LM program. It is fixed now.
Thanks to our fellow community members we found a bug in the vesting algorithm of the CVP liquidity mining program. Since the contract was audited by Pessimistic and covered by our tests, we thought that it was a minor UI/UX bug. We even conducted a special test after community reports and stated about it in one of the previous articles — it also didn’t reveal anything. However, it was a real issue.
We are extremely grateful to all community members, who notified us about this issue and tried explaining that it is not a UI/UX bug
Once we found out that it was an actual issue, we paused all withdrawals from the Reservoir and fixed this problem. Last few days we have been carefully investigating this problem, calculating damage, and taking necessary measures.
Now, when all work is done we can explain this issue publicly.
The bug was that liquidity providers could claim more tokens than they could according to the vesting schedule. The bug occurred since the user.pendedCVP variable wasn’t updated after LP tokens withdrawal. Audits missed this bug as well as our own tests.
So, some LPs used this malfunction, claiming more CVP than they earned and selling these tokens on the open market. Once we found it out, we rapidly fixed it.
Damage minimization strategy
To minimize damage to the protocol we decided to do the following:
(1) we conducted on-chain analysis and tracked all LPs that used this bug for personal enrichment
(2) since all these addresses were LPs, the majority of them had pending (still vested) tokens. We decided to slash all illegally claimed tokens from their accounts using team multi-sig, which can update the contract
(3) We decreased “pending” token balances by the number of illegally claimed tokens. Of course, the value of pending tokens cannot be below zero:
The typical case:
LP1 claimed 30,000 CVP while he had 20,000 pending CVP. So, he illegally claimed 10k CVP from Reservoir (basically stole them from the community). We slashed his 20k pending CVP in order to minimize damage to the protocol from his actions. Note: he still has 10k extra CVP.
Now some of these guys are claiming that they “lost” tokens due to this bug. But it is not true — all of them got extra tokens even after this slashing.
According to our investigation, the total number of illegally claimed CVP is 993,005 and we slashed 351,101 from these dishonest LPs. Finally, the damage for the protocol is 641,904 CVP.
Here is a file with addresses that used this bug. Now you know all of them.
Future plans and conclusion
This bug revealed one more time for us and the community that any audit can miss serious issues. However, we were surprised how many people tried to contact us and bring this bug to our own knowledge. Some of them even didn’t use this bug to get additional CVP. We appreciate it and we can state that support from the community really matters for us. Thank you guys, you motivate us to build and deliver.
From this moment we will double audit all our code (it is important to point out that the most important PowerPool code was double audited before) and in some cases run bug bounty.
We expect to launch xCVP (if a proposal from the community will be approved) and YLA (Yearn Lazy Ape) ASAP. Also, we expect that the CVP community will decrease CVP inflation. Besides that we have several major tech updates related to the utilization of L2 networks, decreasing gas costs, and brand new products. Stay tuned.