OpenZeppelin Found Potential $15B Rugpull in Convex Finance

OpenZeppelin, a security audit company for Coinbase, identified $15B rugpull vulnerabilities in Convex Finance, whose anonymous developers later resolved the risk. The surprising discovery occurred during a security review of the Convex Finance protocol.

A Bug Only Exploitable From the Inside

The Security Research Team from OpenZeppelin found in late 2021 that a significant bug in the protocol could have led to putting the $15B worth of locked assets at risk. The investigation revealed that “if two of the three signers of the Convex multisig executed a specific series of steps, users would be able to access all the LP tokens staked in the target pool and thus conduct a rugpull – stealing all the assets from the pool.”

Documentation from Convex at that time stated that such a disaster occurring to its LP pools would not be possible. However, the security team later identified ways of exploiting the vulnerabilities – which fortunately were patched by Convex on 14th December 2021.

Convex Finance is an open-source protocol whose developers have remained anonymous since its launch. In this instance, as indicated by OpenZeppelin, only developers of Convex Finance can actually exploit the vulnerabilities. The disclosure regarding the incident became particularly complicated due to the nature of anonymousness.

Disclosure Complications

After analyzing the code and the effort required by Convex to exploit the vulnerabilities, OpenZeppelin asserted that the vulnerability was unintentional and that Convex’s developers are good-faith actors.

“Public disclosure would have created a perverse incentive for Convex’s developers” and contributed to the loss of anonymousness crucial to the Convex team. As such, OpenZeppelin decided to “reach out to bug bounty partner Immunefi for an introduction to an intermediary between OpenZeppelin and Convex.”

After both parties agreed to invite publicly known entities to multisig, rendering the rugpull impossible, OpenZeppelin disclosed the bug to Convex on the basis of having the team’s assurance of not taking advantage of the vulnerabilities. Convex patched the issue soon after and thus terminated the risk of a rugpull that would have been worth $15B.