The team behind the DeFi project Convex Finance fixed a vulnerability that made a rug pull possible. The bug was spotted by OpenZeppelin experts.
The experts were conducting a security audit of the protocol for the Coinbase exchange. They found that two of the three anonymous multi-signature wallet signers could gain access to the liquidity pools by following a specific set of steps. At that time, the project's TVL was approximately $15 billion.
Convex Finance's documentation stated that such control was not possible. At the same time, only the protocol's development team could exploit the vulnerability to withdraw the funds, or fix it.
OpenZeppelin experts assessed that this was most likely an unintentional error in the code, but they could not be completely certain.
According to them, the anonymity of the teams behind such projects left them with a dilemma:
- report the vulnerability to the developers and risk prompting them to carry out the fraudulent scheme, if it had been designed deliberately;
- publicly disclose the vulnerability and damage the protocol's reputation, with accompanying financial losses, if the team had not planned anything illegal.
The research firm decided that the best option was to turn to the bug bounty platform Immunefi as an intermediary. This made it possible to obtain guarantees that the bug would not be exploited and to report it to the developers.
The OpenZeppelin and Convex Finance teams agreed to add additional trusted parties as signers of the multisig wallet to make unauthorized withdrawals impossible.
After that, the researchers provided the developers of the protocol with full information about the vulnerability and testing methods.
Recall that in 2021, attackers stole $2.8 billion worth of cryptocurrencies from users through rug pull schemes.
Source: ForkLog
I’m Sandra Torres, a passionate journalist and content creator. My specialty lies in covering the latest gadgets, trends and tech news for Div Bracket. With over 5 years of experience as a professional writer, I have built up an impressive portfolio of published works that showcase my expertise in this field.