Coding Error Triggers $212K DeFi Hack

DeFi protocol Convergence was hacked on August 1 via a smart contract flaw. The hacker created and sold $210M of its token, stealing $2,000 in staking rewards.

The attack happened around 3 am UTC on August 1, and Convergence’s native token, CVG, dropped by more than 99%.

A new post-mortem from Wireshark, the founder of the Convergence protocol under a fake name, says that the hacker took advantage of the protocol’s CvxRewardDistributor contract to mint and sell 58 million CVG coins for around $210,000.

The hacker also took around $2,000 in unclaimed rewards from Convex, a DeFi protocol that helps Curve liquidity sources get the most rewards.

As per Etherscan, the attack occurred on August 1 at around 3:00 am UTC.

A blockchain security company called PeckShield said that after the hacker made the CVG coins, they quickly traded them for 60-wrapped Ethereum and 15,900 Curve—-fi FRAX.

Since then, the changes have caused the price of the CVG governance token to drop almost 100%. It is now worth only $0.0004 and has a market cap of only $57,000—the info from CoinMarketCap.

How the hack took place

Convergence said the attack was possible because the team took out an essential piece of code from its smart contract that automatically gives out CVG staking payouts. The change was made after four checks of the smart contract code.

That’s why we removed the line of code that checked the input to the function because of the change (gas improvement on the first hand).

The hacker used this to take advantage of the claimMultipleStaking function in the CvxRewardDistributor contract.

This meant that the staking contract could not be checked, letting the hacker send a different lousy contract with the same signature as the claimCvgCvxMultiple function.

Convergence said the thief made all the tokens for staking emissions and dumped them into the CVG liquidity pools.

“We apologize to our community and investors, and we take full responsibility for what happened.”

Convergence says that user funds are safe, but they advise users to remove their assets from the site.

“The rewards contract for the Stake DAO integration is broken because of the exploit.” People who bet on it will be able to get their prizes once it’s fixed. It said, “No rewards are lost for Stake DAO integration users.”

“We will soon communicate about the possibilities for the future of the protocol.”

In the Curve Finance environment, Convergence works to increase returns, bring together more liquidity, and allow liquid locking.

ADefiLlama report shows that the total value locked on Convergence dropped from $5.79 million to $3.69 million.

About $266 million was stolen from cryptocurrencies in July. The Indian trading site WazirX was hacked for $230 million on July 18.