- Blockbasis
- Posts
- Convergence Finance: $212K Exploit Revealed
Convergence Finance: $212K Exploit Revealed
How Convergence Finance's $212,000 Exploit Unfolded: Analysis of the Smart Contract Vulnerability, Impact on CVG Token, and Security Oversight Leading to the Incident
Blockbasis
August 05, 2024
In partnership with
TL;DR
On August 1, 2024, Convergence Finance experienced a $212,000 exploit due to a critical code removal in the CvxRewardDistributor contract. The hacker exploited the vulnerability to mint and sell 58 million CVG tokens. While user funds are secure, Convergence advises withdrawing assets from the platform.
Make Sure This Hack Doesn’t Happen To You 🫵
Subscribe to Blockbasis and get access to our premium scanner to check whether your the funds in your wallet is safeguarded from hacks 🔐
For a limited period only, you can get a 7 day FREE trial!
Tried to scan your wallet for any exploited contracts connected to your wallet?
If not, you probably should. Better be safe than sorry 🙏
— Blockbasis (@Blockbasis)
1:19 PM • May 6, 2022
All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇
Convergence Finance, a decentralized finance (DeFi) protocol, recently faced a devastating security breach that saw a hacker exploit a smart contract vulnerability.
This attack, which occurred around 3 a.m. UTC on August 1, led to the minting and selling of 58 million CVG tokens, which is approximately $210,000, resulting in a near-total price collapse of the token.
The breach underscores the critical importance of thorough code validation in the DeFi space.
Convergence swiftly acknowledged the breach and issued an apology to its community and investors.
"We apologize to our community and investors, and we take full responsibility for what happened," stated Convergence in their official communication.
🚨 IMPORTANT 🚨
The article below explains the cause of the exploit that happened a few hours ago on Convergence.
We will soon communicate about the options we have to move forward.
medium.com/@cvg_wireshark…x.com/i/web/status/1…— Convergence (@Convergence_fi)
12:55 AM • Aug 2, 2024
The protocol emphasized its commitment to security, noting that the compromised contract had been audited multiple times.
However, the critical error stemmed from an unchecked post-audit code change.
Convergence assured users that their funds were safe and recommended withdrawing staked assets as a precautionary measure.
Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.
The root cause of the exploit was a lack of validation in the input given by the user in the claimMultipleStaking function of the reward distribution contract.
The claimContracts struct contains a field for the address of the staking contract to call.
When called, it returns the amount of CVG to mint to a user and the amount of Convex’s rewards to transfer to a user.
Without proper validation of the staking contract, the hacker was able to pass a malicious contract that contained a function with the same signature as claimCvgCvxMultiple.
This allowed the hacker to mint all tokens dedicated to staking emissions, totaling 58 million CVG, which were then dumped into liquidity pools.
The attack had immediate and severe financial repercussions. Approximately $210,000 worth of CVG tokens, earmarked for staking emissions, were sold by the hacker.
In addition, $2,000 of unclaimed rewards from Convex were stolen. The native CVG token's value plummeted over 99%, trading at a mere $0.0004, with its market cap dwindling to $57,000.
The exploit was enabled by a recent modification in the smart contract code.
Despite four audits from different security firms, a post-audit change aimed at gas optimization inadvertently removed a crucial line of code responsible for input validation.
This oversight allowed the hacker to pass a malicious contract, exploiting the lack of validation and minting all tokens dedicated to staking emissions.
The attacker's strategy was methodical and well-executed.
After minting the tokens, they quickly swapped the newly created CVG for 60 wrapped-Ether and 15,900 Curve.fi FRAX, as noted by blockchain security firm PeckShield.
This swift movement of funds highlights the hacker's preparedness and the speed at which DeFi exploits can be executed.
Context of the Exploit
The CvxRewardDistributor contract:
0x2b083beaaC310CC5E190B1d2507038CcB03E7606
Which plays a crucial role in the Convergence protocol by performing two primary functions:
Minting CVG Rewards: It generates CVG tokens as rewards for users who participate in staking.
Holding and Distributing Rewards: It stores rewards obtained from Convex and enables stakers to claim these rewards when they become eligible.
The transaction of the exploit: https://etherscan.io/tx/0x636be30e58acce0629b2bf975b5c3133840cd7d41ffc3b903720c528f01c65d9
Convergence Finance has faced significant scrutiny over its security practices, having undergone four separate audits by different firms.
Despite these extensive checks, a critical oversight occurred post-audit.
The Convergence team implemented a gas-optimization modification to the smart contract code, which inadvertently led to the removal of a vital input validation line.
The total value locked on Convergence dropped from $5.79 million to $3.69 million, reflecting the loss of investor confidence and the immediate financial impact of the hack.
Convergence announced that the rewards contract for the Stake DAO integration was broken but assured users that it would be fixed soon, with no rewards lost for Stake DAO integration users.
"We will soon communicate about the possibilities for the future of the protocol," Convergence added, indicating plans for addressing the breach and restoring user confidence.
While Convergence has assured that user funds are not at risk, the protocol recommends users to withdraw their staked assets to avoid potential future issues.
This incident serves as a stark reminder of the risks inherent in the DeFi space. The removal of a single line of code led to a massive financial loss and a significant hit to Convergence's reputation.
It underscores the importance of rigorous and continuous code validation, even post-audit, to prevent such vulnerabilities from being exploited.
Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter
The Convergence hack is part of a broader trend of increasing DeFi exploits. In July alone, the cryptocurrency ecosystem lost around $266 million to hacks, including a significant $230 million breach of the Indian trading platform WazirX.
These incidents highlight the ongoing security challenges faced by DeFi protocols and the need for robust security measures and constant vigilance.
For DeFi protocols like Convergence, the path forward involves not only fixing the immediate vulnerabilities but also rebuilding trust with the community.
Transparent communication, enhanced security measures, and possibly re-auditing the entire codebase are essential steps to prevent future exploits.
The Convergence hack serves as a critical case study in the importance of security in decentralized finance.
As the DeFi space continues to grow, ensuring the robustness and security of smart contracts will be paramount in protecting users' assets and maintaining confidence in these innovative financial systems.
All your news. None of the bias.
Be the smartest person in the room by reading 1440! Dive into 1440, where 3.5 million readers find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet – politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight.