The Convex protocol, a platform that boosts rewards for users of the Curve stablecoin exchange, has patched a bug that could have enabled a $15 billion rug pull.
OpenZeppelin, a blockchain security company, discovered the critical vulnerability during an audit it was performing for Coinbase.
The company found that if two of the three signers of Convex's multi-signature wallet took a specific set of steps, they could gain access to a pool of liquidity provider (LP) tokens. OpenZeppelin details those steps in a blog post.
Since Convex holds the majority of Curve Finance's circulating CRV tokens, a large share of those funds was at risk. The vulnerability could have allowed Convex's anonymous developers, acting as two of the three multi-signature signers, to take control of the value locked in Convex, which was about $15 billion at the time.
OpenZeppelin said it took care to ensure the vulnerability could not be exploited before the Convex team was notified, using its bug bounty partner Immunefi as an intermediary.
The bug has since been fixed. The security hole was not exploited and no funds were lost. Convex has published additional material in its public documentation addressing the multisig weakness.