DeFi Protocol Hack Results in $212K Loss Due to Smart Contract Vulnerability


TL;DR

On August 1, the decentralized finance protocol Convergence suffered a security breach due to a smart contract vulnerability.

A hacker or a team of hackers managed to exploit the flaw, minting and selling $210,000 worth of its native token, and also stealing $2,000 in unclaimed staking rewards.

Wireshark, the pseudonymous founder of Convergence, provided a detailed post-mortem report revealing that the hacker targeted the protocol's CvxRewardDistributor contract.

This allowed the hacker to mint and sell 58 million CVG tokens, netting approximately $210,000.


Additionally, the hacker stole about $2,000 in unclaimed rewards from Convex, a DeFi protocol aimed at optimizing rewards for Curve liquidity providers. Etherscan data indicates the attack took place around 3:00 am UTC on August 1.

PeckShield, a blockchain security firm, observed that after minting the CVG tokens, the hacker swiftly converted them into 60 wrapped Ether and 15,900 Curve.fi FRAX. As a result of these actions, the CVG governance token experienced a nearly 100% price collapse, now trading at $0.0004 with a market capitalization of just $57,000, according to CoinMarketCap.

Incident Details

Convergence disclosed that the breach occurred because the team inadvertently removed a crucial line of code in its smart contract responsible for distributing CVG staking rewards. This change was made after the smart contract had been audited four times. "The modification, intended as a gas optimization, led us to remove the line of code that checked the input provided to the function," the team explained.

The hacker exploited the CvxRewardDistributor contract through its claimMultipleStaking function, whose input was no longer validated. Because the function accepted any address it was handed, the hacker could pass in a separate, attacker-controlled contract that exposed a function with the same signature as claimCvgCvxMultiple. Consequently, the hacker minted all tokens allocated for staking emissions and sold them in CVG liquidity pools, Convergence reported.
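To make the failure mode concrete, here is an illustrative Solidity sketch of the pattern the post-mortem describes: a reward distributor that loops over caller-supplied staking contracts, asks each one how much the caller may claim, and mints the sum. It is an added example written for this article, not Convergence's code; the contract and function names (RewardDistributorExample, claimMultipleVulnerable, claimMultiple, IStakingContract, IMintableToken) are hypothetical. The vulnerable function trusts its input outright; the hardened one restores the check that each address is a registered staking contract before any call is made.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: a staking contract reports how much reward an account may claim.
interface IStakingContract {
    function claimRewards(address account) external returns (uint256);
}

// Hypothetical interface: the reward token can be minted by this distributor.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Illustrative distributor, not the audited Convergence contract.
contract RewardDistributorExample {
    IMintableToken public immutable rewardToken;
    address public owner;

    // Allowlist of staking contracts whose claim amounts this distributor trusts.
    mapping(address => bool) public isStakingContract;

    constructor(IMintableToken token) {
        rewardToken = token;
        owner = msg.sender;
    }

    // Only the owner registers or removes staking contracts.
    function setStakingContract(address staking, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isStakingContract[staking] = allowed;
    }

    // VULNERABLE pattern: the input array is taken at face value.
    // Any address with a matching function signature is called, and whatever
    // amount it returns is minted to the caller. Removing the allowlist check
    // (for example as a gas optimisation) produces exactly this shape.
    function claimMultipleVulnerable(IStakingContract[] calldata stakings) external {
        uint256 total;
        for (uint256 i = 0; i < stakings.length; i++) {
            total += stakings[i].claimRewards(msg.sender);
        }
        rewardToken.mint(msg.sender, total);
    }

    // HARDENED pattern: every address must be a registered staking contract
    // before it is called, so the mint amount can only come from trusted code.
    function claimMultiple(IStakingContract[] calldata stakings) external {
        uint256 total;
        for (uint256 i = 0; i < stakings.length; i++) {
            require(isStakingContract[address(stakings[i])], "unknown staking contract");
            total += stakings[i].claimRewards(msg.sender);
        }
        rewardToken.mint(msg.sender, total);
    }
}
```

The extra SLOAD per iteration is the cost of the `require`; a review that treats that check as dead weight misses that it is the only thing binding the minted amount to code the protocol controls. A regression test that calls the claim function with an unregistered address and expects a revert would have caught the removal regardless of how many prior audits had passed.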

While Convergence assured that user funds remain secure, it recommended users withdraw their assets from the platform. "Due to the exploit, the rewards contract for the Stake DAO integration is currently non-functional. It will be repaired, and stakers will be able to claim their rewards once it is fixed. No rewards have been lost for Stake DAO integration users," Convergence stated.

Convergence aims to aggregate liquidity, enhance returns, and enable liquid locking within the Curve Finance ecosystem. Following the hack, the total value locked on Convergence dropped from $5.79 million to $3.69 million, according to DefiLlama data. In July, the cryptocurrency ecosystem saw approximately $266 million lost to hacks, primarily from the $230 million breach of the Indian trading platform WazirX on July 18.

Convergence Protocol Explained

Convergence Protocol is a decentralized finance (DeFi) platform designed to enhance liquidity and yield opportunities within the Curve Finance ecosystem. Its primary goal is to aggregate liquidity from various sources, optimize returns for users, and facilitate liquid staking, allowing participants to lock their assets while still maintaining liquidity.

The protocol achieves this by integrating various DeFi services and products, creating a seamless experience for users looking to maximize their returns on staked assets. It provides a platform where users can stake their tokens and earn rewards, participate in liquidity pools, and engage in yield farming strategies. By doing so, Convergence helps users make the most of their digital assets without the need for constant manual intervention and monitoring.


One of the key features of Convergence is its focus on gas optimization and efficient smart contract design. This ensures that transactions on the platform are cost-effective and swift, minimizing the overhead costs associated with blockchain operations. Additionally, Convergence employs a robust security framework to protect user funds and maintain the integrity of the platform.

Through its approach to DeFi, Convergence aims to open up access to advanced financial tools and opportunities, empowering users to participate in the decentralized economy with ease and confidence. Its integration with the Curve Finance ecosystem further enhances its appeal.


Post Exploit Market Reaction

The market reaction to the Convergence protocol hack on August 1, 2024, was severe and immediate. The hack led to the minting and unauthorized sale of 58 million CVG tokens, resulting in a loss of approximately $210,000. This exploit caused the price of CVG to plummet by 99%, dropping from around $0.12 to a mere $0.0004. This drastic decline wiped out the token's fully diluted market value, which was previously estimated at $17 million.

In the wake of the hack, Convergence issued an urgent communication advising users to avoid interacting with the protocol to prevent further risks. The funds stolen by the hacker were quickly converted into wrapped Ether (wETH) and crvFRAX stablecoins, which were then funneled through Tornado Cash to obscure their trail.

The market response highlighted a significant loss of trust in the protocol, with investors rapidly pulling out their funds and the overall sentiment turning highly negative. The incident underscored the critical importance of robust security measures in DeFi protocols and the potential impact of security breaches on token value and investor confidence.

DeFi Hacks of 2024

In 2024, the decentralized finance (DeFi) sector has continued to face significant security challenges, with several high-profile hacks resulting in substantial financial losses. One of the most notable incidents occurred with Prisma Finance, a liquid restaking platform that suffered a $10 million loss due to a flash loan exploit in March 2024. The attacker drained approximately 3,257.7 ETH from the protocol, prompting Prisma Finance to pause its operations for a thorough investigation.


Another major breach involved BitForex, a cryptocurrency exchange that vanished after withdrawing nearly $57 million from its hot wallets in February 2024. This incident left users unable to access their accounts and highlighted ongoing regulatory challenges in Hong Kong, where BitForex was registered.

In addition, PlayDapp, a crypto gaming and NFT platform, experienced exploits in February that led to the unauthorized minting of 1.79 billion PLA tokens, valued at over $290 million. The hacker began laundering the funds following the exploit, demonstrating the complexities involved in tracking and recovering stolen assets in the DeFi space.

The month of May 2024 also saw a significant number of hacks, totaling over $600 million in losses. Among these, a private key compromise led to a $70 million loss for a crypto whale, although the stolen funds were later returned by the attacker. Additionally, GNUS, a Fantom-based project, suffered a $1.27 million hack due to a vulnerability that allowed the minting of fake GNUS tokens.
