Post-mortem of Convergence $210,000 DeFi protocol hack emerges
Convergence, a DeFi protocol, was the victim of a hack in which the attackers looted $210,000 worth of its native token and $2,000 in unclaimed staking rewards. Convergence sent out a post warning its users not to interact with the protocol after news of the exploit broke.
Security platform PeckShield initially shared the details of the hack through one of their X posts. According to the post, the hacker minted 58 million CVG tokens. Following the hack, the tokens were converted to 60 WETH and 15.9k crvFRAX.
Convergence releases post-mortem
It seems @Convergence_fi was just exploited (w/ ~$210k loss) to mint 58m $CVG (58,718,395.05681812), which are swapped to 60 WETH and 15.9k crvFRAX.
The bug is part of the CvxRewardDistributor contract, which does not validate the (untrusted) user input to claim rewards.
Here… pic.twitter.com/EOS7q4reUC
— PeckShield Inc. (@peckshield) August 1, 2024
The post-mortem revealed that the primary cause of the exploit was a lack of validation of user-supplied input in the “claimMultipleStaking” function of the reward distribution contract. According to the report, the attacker passed a malicious contract in place of a legitimate staking contract, and the function never validated it. This allowed the attacker to mint all of the tokens that had been set aside for staking emissions.
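To illustrate the class of bug the post-mortem describes, here is an added, simplified Solidity sketch (not Convergence's code; the interface, contract and function shapes and the registry mapping are assumptions): a reward distributor that trusts caller-supplied staking contract addresses, beside the same function with the registry check that the team says was dropped during a gas optimization.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative interfaces (assumed, not Convergence's actual ABI).
interface IStaking {
    // Reports how many reward tokens `account` is owed; a caller-controlled
    // implementation can return any number it likes.
    function claimableRewards(address account) external returns (uint256);
}

interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

contract RewardDistributorVulnerable {
    IMintableToken public immutable token;
    constructor(IMintableToken _token) { token = _token; }

    // Mints whatever each supplied "staking contract" reports. The addresses
    // are never checked against a registry, so any contract is accepted:
    // this is the unchecked-input pattern named in the post-mortem.
    function claimMultipleStaking(IStaking[] calldata stakings) external {
        for (uint256 i = 0; i < stakings.length; i++) {
            uint256 amount = stakings[i].claimableRewards(msg.sender);
            token.mint(msg.sender, amount);
        }
    }
}

contract RewardDistributorHardened {
    IMintableToken public immutable token;
    address public immutable owner;
    // Registry of staking contracts allowed to report claimable rewards.
    mapping(address => bool) public isRegisteredStaking;
    constructor(IMintableToken _token) { token = _token; owner = msg.sender; }

    function registerStaking(address staking, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isRegisteredStaking[staking] = allowed;
    }

    function claimMultipleStaking(IStaking[] calldata stakings) external {
        for (uint256 i = 0; i < stakings.length; i++) {
            // The one line that makes the external call trustworthy.
            require(isRegisteredStaking[address(stakings[i])], "unknown staking contract");
            uint256 amount = stakings[i].claimableRewards(msg.sender);
            token.mint(msg.sender, amount);
        }
    }
}
```

A useful audit habit this illustrates: any function that both takes an external contract address from the caller and has mint or transfer authority should be diffed against the audited version before every deployment, since removing a single require is enough to reopen it.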
Following the hack, the hacker dumped all the newly minted CVG tokens into liquidity pools.
Convergence blames ‘post-audit modification’ for exploit
Convergence Finance mentioned in its post-mortem report that the protocol has been audited 4 times by various companies. However, the protocol had recently modified the compromised part of the code post-audit.
According to the team, “The modification (gas-optimization on the first hand) led us to remove the line of code that was checking the input given to the function. We apologize to our community and investors, and we take full responsibility for what happened.”
However, the team assures that all user funds are safe. In what seems like an additional cautionary measure, it also asked investors to withdraw their staked assets.
Following the hack, the rewards contract was also exploited. As a result, stakers are currently unable to claim their rewards. Convergence stated that it is working on a fix and will communicate the outcome soon.
Crypto hacks have been on the rise lately. The industry witnessed 16 reported crypto hacks, which contributed to the loss of over $266 million in July.