A DeFi protocol's code removal caused a $212K hack.
Convergence confirmed an August 1 hack, with a hacker minting and selling $210 million in tokens and stealing $2,000 in rewards.
The decentralized finance protocol Convergence confirmed a smart contract exploit on August 1, leading to a hacker minting and selling $210 million of its native token, as well as stealing $2,000 in unclaimed staking rewards.
Wireshark, the pseudonymous founder of Convergence, released a post-mortem report detailing that the hacker exploited the protocol’s CvxRewardDistributor contract, minting and selling 58 million CVG tokens for approximately $210,000.
Additionally, the hacker took around $2,000 of unclaimed rewards from Convex, a DeFi protocol designed to maximize rewards for Curve liquidity providers. Etherscan records indicate that the attack occurred on August 1 at around 3:00 am UTC.
PeckShield, a blockchain security firm, noted that the hacker quickly converted the minted CVG tokens into 60 wrapped Ether and 15,900 Curve.fi FRAX. This resulted in a nearly 100% price collapse of the CVG governance token, now trading at $0.0004 with a market cap of just $57,000, according to CoinMarketCap data.
Convergence explained that the attack was possible because an essential line of code in its smart contract, responsible for distributing CVG staking rewards, was accidentally removed. This modification, initially intended for gas optimization, led to the removal of the code line checking the input to the function.
The hacker exploited the CvxRewardDistributor contract via the claimMultipleStaking function, bypassing the staking contract validation and using a separate malicious contract with the same signature as the claimCvgCvxMultiple function. Consequently, the hacker minted all tokens dedicated to staking emissions and dumped them into CVG liquidity pools.
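The input check described above, shown as a simplified Solidity sketch. This is an added example, not Convergence's code. Only the names claimMultipleStaking and claimCvgCvxMultiple come from the report; the allowlist mapping, the interfaces, mintStaking, and setStakingContract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration. Signatures are assumed, not taken
// from the deployed contracts.
interface IStakingService {
    // Returns the CVG amount owed to `account` by this staking contract.
    function claimCvgCvxMultiple(address account) external returns (uint256);
}

interface IMintable {
    function mintStaking(address to, uint256 amount) external; // hypothetical
}

contract RewardDistributorSketch {
    IMintable public immutable cvg;
    address public immutable owner;
    // Allowlist of staking contracts deployed by the protocol itself.
    mapping(address => bool) public isStakingContract;

    error NotStakingContract(address candidate);

    constructor(IMintable _cvg) {
        cvg = _cvg;
        owner = msg.sender;
    }

    function setStakingContract(address staking, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isStakingContract[staking] = allowed;
    }

    function claimMultipleStaking(IStakingService[] calldata stakings) external {
        uint256 total;
        for (uint256 i = 0; i < stakings.length; ++i) {
            // Input validation. If this check is dropped (for example during
            // a gas optimization), the return value of any caller-supplied
            // contract exposing claimCvgCvxMultiple sets the mint amount.
            if (!isStakingContract[address(stakings[i])]) {
                revert NotStakingContract(address(stakings[i]));
            }
            total += stakings[i].claimCvgCvxMultiple(msg.sender);
        }
        cvg.mintStaking(msg.sender, total);
    }
}
```

A regression test that calls claimMultipleStaking with an unregistered address and expects a revert would flag the removal of this check before deployment.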
Convergence assured that user funds are safe but recommended users withdraw assets from the platform. Convergence stated, "The exploit has broken the rewards contract for Stake DAO integration. It will be repaired, allowing stakers to claim their rewards afterward. No rewards have been lost for Stake DAO users."
The protocol aims to aggregate liquidity, boost returns, and enable liquid locking across the Curve Finance ecosystem. Following the attack, the total value locked on Convergence dropped from $5.79 million to $3.69 million, according to DefiLlama.
In July, the cryptocurrency ecosystem saw losses of approximately $266 million due to hacks, primarily from the $230 million hack of the Indian trading platform WazirX on July 18.