DeFi protocol removed an important line of code that led to a $212K hack

DeFi protocol Convergence has confirmed it was hacked via a smart contract exploit, losing over $210,000.
DeFi protocol Convergence has confirmed it was hacked via a smart contract exploit, losing over $210,000.

Decentralized finance protocol Convergence has confirmed it was hacked via a smart contract exploit on Aug. 1, with a hacker minting and selling $210 million in its native token, as well as stealing $2,000 in unclaimed staking rewards.

According to a newly released post-mortem from Wireshark, the pseudonymous founder of the Convergence protocol, the hacker exploited the protocol’s CvxRewardDistributor contract, allowing them to mint and sell 58 million CVG tokens for approximately $210,000.

The hacker also stole approximately $2,000 of unclaimed rewards from Convex, a DeFi protocol designed to maximize rewards for Curve liquidity providers.

According to Etherscan, the attack occurred on Aug. 1 at around 3:00 am UTC.

Blockchain security firm PeckShield noted that after minting the CVG tokens, the hacker quickly swapped it into 60 wrapped-Ether and 15,900 Curve.fi FRAX.

The movements have since led to a near-100% price wipeout of the CVG governance token, which is now trading at $0.0004 with a market cap of just $57,000. CoinMarketCap data shows.

Source: PeckShield

How the hack happened

Convergence said the attack was possible because the team accidentally removed an essential line of code in its smart contract, which distributes CVG staking rewards. They made the change after the smart contract code was audited four times. 

“The modification (gas-optimization on the first hand) led us to remove the line of code that was checking the input given to the function,” it explained. 

The hacker used this to exploit the CvxRewardDistributor contract through the claimMultipleStaking function.

This meant the staking contract couldn’t be validated, allowing the hacker to pass a separate malicious contract with the same signature as the claimCvgCvxMultiple function.

The hacker then minted all tokens dedicated to staking emissions and then dumped them into CVG liquidity pools, Convergence said. 

“We apologize to our community and investors, and we take full responsibility for what happened.”

Related: Over 70% of hacked funds are lost to CeFi entities — Cyvers

Convergence says that user funds are safe, but has recommended users withdraw assets from the platform.

“Due to the exploit, the rewards contract for the Stake DAO integration is currently broken. It will be fixed, and stakers will be able to claim their rewards once it’s done. No rewards are lost for Stake DAO integration users," it said. 

"We will soon communicate about the possibilities for the future of the protocol."

Convergence works to aggregate liquidity, boost returns and enable liquid locking across the Curve Finance ecosystem.

The total value locked on Convergence fell from $5.79 million to $3.69 million, DefiLlama data shows.

The cryptocurrency ecosystem lost around $266 million to hacks in July, mostly coming from the $230 million hack of Indian trading platform WazirX on July 18.

Magazine: THORChain founder and his plan to ‘vampire attack’ all of DeFi