Hack Analysis

Convergence Finance Hack Analysis

PUBLISHED ON

Sep 19, 2024

WRITTEN BY

Kaif Ahmed

DURATION

5 min

Hack Impact

On August 1, 2024, Convergence Finance experienced a major security breach, resulting in the loss of approximately $212,000 worth of CVG tokens. The attacker exploited a vulnerability in the CvxRewardDistributor contract, allowing them to mint 58 million CVG tokens without proper validation. This exploit was possible due to a post-audit modification that removed a critical line of code responsible for input validation. The impact of this attack was severe, causing a 99% collapse in the token’s value and leading to a significant loss of confidence among the community and investors.

Learn more about Top 10 Smart Contract Vulnerabilities

Convergence Finance Hack Explained

The Convergence Finance hack involved a sophisticated exploitation of the CvxRewardDistributor contract. Here’s a detailed breakdown of the incident:

Vulnerability and Exploit:

Code Change and Vulnerability:

The vulnerability was introduced during a post-audit modification for gas optimization, which inadvertently removed an essential line of code responsible for validating input in the claimMultipleStaking function.
This lack of input validation allowed the attacker to pass a malicious contract into this function.

Execution of the Exploit:

The attacker used a malicious contract mimicking the function signature of claimCvgCvxMultiple to exploit the lack of validation. By invoking the claimMultipleStaking function, the attacker could trick the contract into minting 58 million CVG tokens meant for staking rewards.
The attack leveraged the absence of a check on the staking contract address, allowing them to use a contract that returned a manipulated amount of CVG tokens for minting.

Learn more about How Gas Works in Blockchain?

Aftermath of the Exploit:

Impact on Convergence and CVG Token:

Following the minting, the attacker quickly sold these tokens, swapping them into 60 wrapped-Ether (WETH) and 15,900 Curve.fi FRAX, as identified by blockchain security firm PeckShield.
This caused the price of CVG to collapse by over 99%, leaving it trading at a mere $0.0004 and drastically reducing its market cap to $57,000.
In addition to the token sale, the attacker also stole approximately $2,000 worth of unclaimed rewards from Convex, exacerbating the financial impact on the protocol.
The movements have since led to a near-100% price wipeout of the CVG governance token, which is now trading at $0.0004 with a market cap of just $57,000. CoinMarketCap data shows.

Convergence’s Response:

Convergence acknowledged the breach, issuing an apology to the community and taking responsibility for the incident. They advised users to withdraw staked assets as a precautionary measure, despite ensuring that user funds were otherwise safe.

“The modification led us to remove the line of code that was checking the input given to the function,” it explained.
They emphasized that the compromised contract had been audited multiple times, but the critical error stemmed from unchecked code changes made after the audits. The team announced plans to communicate the steps for moving forward to address the breach and restore user confidence.

Simulate the Attack

To better understand the Convergence Finance exploit, you can replicate the attack using a proof of concept (PoC). Here is a link, you can create one by analyzing the specific vulnerability in the CvxRewardDistributor contract. This would involve exploiting the lack of input validation in the claimMultipleStaking function, allowing you to simulate how the attacker was able to mint and sell unauthorized CVG tokens.

Transaction Analysis

The following are key details of the malicious transactions:

Attacker’s Address: 0x03560a9d7a2c391fb1a087c33650037ae30de3aa

Malicious Contract: 0xee45384d4861b6fb422dfa03fbdcc6e29d7beb69

Victim’s Proxy Contract Address: 0x2b083beaaC310CC5E190B1d2507038CcB03E7606

Victim’s Implementation Contract Address: 0x47c69e8c909ce626Af73c955A5e34A20B7c71f19

Attack Transaction Hash: 0x636be30e58acce0629b2bf975b5c3133840cd7d41ffc3b903720c528f01c65d9

Funds Flow

The attacker began the exploit with a small initial amount and quickly turned it into a significant profit by exploiting a flaw in Convergence Finance’s contract. Within a short time, he managed to accumulate and liquidate a large number of CVG tokens, draining approximately $212,000 from the protocol.

Recommendation for Enhanced Security

To prevent such vulnerabilities in the future, it is critical to implement several security measures:

Input Validation: Ensure that the smart contract validates inputs, especially in critical functions like transfers, to prevent unintended behaviors.
Proper Handling of Edge Cases: The contract should account for all edge cases, such as transfers where the sender and recipient are the same, to avoid exploits like double-spending.
Comprehensive Audits: Conduct thorough and continuous audits of smart contracts, focusing on both logic and edge case testing, to identify and fix potential vulnerabilities before deployment.
Access Controls: Implement strict access controls and modifiers on critical contract functions to prevent unauthorized manipulations.

Conclusion

The Convergence Finance hack underscores the critical importance of robust security measures and thorough audits in the DeFi space. Despite the protocol’s innovative features, this incident revealed that even well-established platforms are vulnerable if security isn’t prioritized. It serves as a reminder that every project, regardless of its potential, is at risk without a strong security foundation.

Organizations like BlockApex, with their specialized expertise in smart contract auditing, are instrumental in identifying and addressing vulnerabilities before they can be exploited. This hack serves as a clear reminder of the importance of maintaining stringent security protocols to build trust and support the sustained growth of DeFi platforms.