$14 000 USD

JUNE 2022

GLOBAL

CONVEX FINANCE

DESCRIPTION OF EVENTS

"Introducing Convex Finance, a platform built to boost rewards for CRV stakers and liquidity providers alike, all in a simple and easy to use interface. Convex aims to simplify staking on Curve, as well as the CRV-locking system with the help of its native fee-earning token: CVX."

 

"Convex allows Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves. Liquidity providers can receive boosted CRV and liquidity mining rewards with minimal effort."

 

"Deposit liquidity, earn boosted CRV and rewards." "Deposit your Curve LP tokens to earn Curve trading fees, boosted CRV and CVX tokens. Boost is pooled from CRV stakers so you do not need to worry about locking yourself."

 

"If you’ve ever been a Curve LP, you know it is somewhat non-trivial to maximize your boost by depositing/maintaining your veCRV balance. If you’ve never been a Curve LP, it may be intimidating to do so without being a DeFi power user. Convex aims to make this process easy and bring the CRV boost ecosystem to everyone."

 

"Convex Finance is a notable protocol, as it holds the majority of Curve Finance’s CRV tokens in circulation. Curve Finance—the leading stablecoin automated market maker—provides approximately one-tenth of the decentralized economy’s liquidity in terms of total locked value."

 

"Convex used NameCheap as its domain registrar for convexfinance.com. The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. The Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."

 

"On June 23, 2022, @alexintosh on Twitter reported some abnormal activity on the Convex Finance website. Suspicious contract approvals were suspected."

 

"What is this unverified contract? 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31. [The] @ConvexFinance website is asking for approval for that but the correct one is 0xF403C135812408BFbE8713b5A23a04b3D48AAE31. 4 Starting/Ending Characters are the same. DNS spoofing?"

 

"Shortly after this, @samczsun sent a direct-message to the Convex Twitter account with the same suspicions. Convex Twitter issued this initial warning tweet as a result of the two similar notifications."

 

"The potential malicious contract appears to transfer funds to address 0xcdc0f019f0ec0a903ca689e2bced3996efc53939."

 

"[T]here are also new contracts generating. The attacker seems to be generating similar addresses to well-known protocols. Be sure to be very careful when approving new spending transactions."

 

"Please review approvals while we evaluate a potential front end issue."

 

"After some initial investigation, it was confirmed that the DNS of www.convexfinance.com had been hijacked, taking users to a copy of the website containing malicious contracts. The attack replaced web elements that interact with smart contracts across varying portions of the site with new contracts under the attacker's control. Unsuspecting users could have clicked familiar buttons in the UI, but been prompted to approve new, malicious contracts. Many contract addresses even contained the same first and last 4 characters, making it easier to glance at these new contracts and potentially accept them as the originals. Furthermore, the malicious contracts did not seem to be presented to all users, nor were they always presented on the same web elements."

 

"Convex team immediately changed the DNS back to point to the real website, and re-enabled security alerts, but it was still unknown how the attacker gained access in the first place."

 

"After this, Convex immediately reached out to Namecheap support, and after some short discussion about the incident, was told the domain may be disabled entirely for an unknown time period. Since the attack vector was not entirely understood, and the domain could potentially go offline, a new, temporary domain was deployed using a new registrar, at which time Convex Twitter tweeted the new domain."

 

"An alternate domain has been set-up as a precaution for Convex users. http://convexfinance.fi and http://frax.convexfinance.fi Users are encouraged to use these URLs to interact with the site while the investigation into the DNS hijack is conducted."

 

"Several individuals pointed out that the Convex Twitter account could have also been compromised, and this tweet may also have linked to malicious websites. In retrospect, this was a fair criticism. An attempt at alleviating those fears was made later, with @c2tp signing a message confirming the temporary URLs were indeed coming from the Convex team."

 

"[C]ommunication with NameCheap’s CEO on Twitter confirmed the attack vector; a customer support agent at NameCheap altered the DNS records."

 

"We've traced this down to a specific CS agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating."

 

"Having regained control of the website, and a root cause confirmed, Convex Twitter communicated again with a brief summary of events."

 

"You tried to save some bucks…don’t blame them. It’s obvious that major DeFi products shouldn’t take the free plan. Don’t blame, own."

 

"Usually we require a PIN code from the customer. We also monitor all actions as well as monitor a real-time VIP list. In the end our CS needs to be able to modify to help customers, especially when 99% don't understand DNS. If you want complete security use [Domain Vault]."

 

"The website is now using a new DNS registrar. Multiple layers of DNS monitoring are enabled to help identify these types of attacks in the future."

 

"If you used convexfinance.com in any capacity from June 20th — June 23rd, please review your contract approvals using https://etherscan.io/tokenapprovalchecker, revoke.cash, or similar tools, and remove any unknown approvals. Review and compare approvals with [the] list from the Convex Finance Docs."

 

"As of today, there are 40 known addresses that approved malicious contracts as a result of this incident. In total, an estimated 15,968 cvxCRV and 433 CRV are suspected of being stolen from users. Only 3 of the 40 addresses listed had funds taken. Please review this list if you have not already, and revoke malicious contract approvals if your address is listed here."

 

"Convex Finance will attempt to compensate losses stemming from the DNS hijacking from June 20–23, 2022, sourced from the treasury, and paid in CVX tokens equivalent to the USD values at time of loss. Funds will go directly to the addresses affected once approvals have been revoked to the malicious contracts."

Convex Finance is a protocol that boosts rewards for CRV stakers and liquidity providers on the Curve protocol. Its primary domain, convexfinance.com, through which users interact with the service, was registered with NameCheap, and the site depended on the DNS records held there. A NameCheap customer support agent, who according to NameCheap's CEO had been hacked or otherwise compromised, altered those DNS records so that visitors were sent to a copy of the site. The copy looked identical to the real one but asked users to approve spending for new contracts under the attacker's control; many of these had been generated so that the first and last four hex characters matched the genuine Convex contracts, and the substitutions were not shown to every visitor or on the same UI elements each time. Any approval granted to a malicious contract let the attacker pull the approved tokens out of that wallet. The hijack was noticed on June 23, 2022, and Convex asked anyone who had used the domain from June 20 onward to review their approvals. Forty addresses are known to have approved malicious contracts, and funds were taken from three of them: an estimated 15,968 cvxCRV and 433 CRV. Convex restored the DNS the same day, moved the domain to a new registrar with DNS monitoring, and committed to compensate affected addresses from its treasury in CVX at the USD value at the time of loss, once the malicious approvals have been revoked.
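The post mortem asks users to compare their approvals by hand against the published contract list; the look-alike addresses described above are built to defeat exactly that glance. The following is an added example, not Convex code, of doing the check mechanically: take a wallet's ERC-20 Approval events, keep the latest allowance per (token, spender), report every spender that still holds a non-zero allowance and is not on the allowlist, and mark any such spender that agrees with a listed contract on its first and last hex characters. The Booster address and the unverified contract are the two quoted in the tweets above; the owner, token and other spender addresses, and the log entries themselves, are constructed. Real entries would come from `eth_getLogs` filtered on `topic0 = APPROVAL_TOPIC` and `topic1 = <wallet>`.

```python
"""Audit a wallet's ERC-20 approvals against a published contract list and
flag vanity look-alike spenders. Added example; sample data is constructed."""

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case an address and check it is 0x followed by 40 hex characters."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not an address: {addr}")
    return a


def topic_to_address(topic: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes in a topic; keep the low 20 bytes."""
    t = topic.lower()
    if not (t.startswith("0x") and len(t) == 66 and t[2:26] == "0" * 24):
        raise ValueError(f"topic is not a padded address: {topic}")
    return "0x" + t[26:]


def looks_alike(candidate: str, known: str, n: int = 4) -> bool:
    """True when the two addresses differ but agree on the first and last n hex characters."""
    c, k = normalize(candidate)[2:], normalize(known)[2:]
    return c != k and c[:n] == k[:n] and c[-n:] == k[-n:]


def audit_approvals(logs, owner: str, allowlist) -> list:
    """Return unknown spenders that still hold a non-zero allowance from `owner`.

    `logs` must be in chain order, so the last Approval for a (token, spender)
    pair is the current allowance; a later Approval(..., 0) is a revocation.
    """
    owner = normalize(owner)
    known = {normalize(a) for a in allowlist}
    latest = {}  # (token, spender) -> (allowance, blockNumber)
    for log in logs:
        topics = log["topics"]
        if topics[0].lower() != APPROVAL_TOPIC or topic_to_address(topics[1]) != owner:
            continue
        spender = topic_to_address(topics[2])
        allowance = int(log["data"], 16)  # the non-indexed uint256 value
        latest[(normalize(log["address"]), spender)] = (allowance, log["blockNumber"])

    findings = []
    for (token, spender), (allowance, block) in sorted(latest.items(), key=lambda kv: kv[1][1]):
        if allowance == 0 or spender in known:
            continue
        findings.append({
            "token": token,
            "spender": spender,
            "allowance": allowance,
            "block": block,
            "mimics": sorted(k for k in known if looks_alike(spender, k)),
        })
    return findings


def pad_topic(addr: str) -> str:
    """Encode an address as a 32-byte log topic (used to build the constructed sample)."""
    return "0x" + "0" * 24 + normalize(addr)[2:]


# Real Convex Booster (from the docs list) and the unverified look-alike reported on June 23.
BOOSTER = "0xF403C135812408BFbE8713b5A23a04b3D48AAE31"
LOOKALIKE = "0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31"
ALLOWLIST = [BOOSTER]

# Constructed: two wallets, two placeholder token contracts, one unrelated spender.
OWNER = "0x" + "01" * 20
OTHER_OWNER = "0x" + "02" * 20
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20
UNRELATED = "0x" + "cc" * 20
MAX_UINT = "0x" + "f" * 64


def _approval(token, owner, spender, data, block):
    return {"address": token, "topics": [APPROVAL_TOPIC, pad_topic(owner), pad_topic(spender)],
            "data": data, "blockNumber": block}


SAMPLE_LOGS = [  # constructed, in chain order
    _approval(TOKEN_A, OWNER, BOOSTER, MAX_UINT, 15_000_000),          # legitimate, on the allowlist
    _approval(TOKEN_A, OWNER, UNRELATED, MAX_UINT, 15_000_100),        # unknown spender ...
    _approval(TOKEN_A, OWNER, UNRELATED, "0x" + "0" * 64, 15_000_200), # ... revoked afterwards
    _approval(TOKEN_B, OTHER_OWNER, LOOKALIKE, MAX_UINT, 15_010_000),  # another wallet, ignored
    _approval(TOKEN_B, OWNER, LOOKALIKE, MAX_UINT, 15_010_500),        # the hijacked front end's approval
]

if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_LOGS, OWNER, ALLOWLIST):
        tail = f" - look-alike of {f['mimics']}" if f["mimics"] else ""
        print(f"UNKNOWN spender {f['spender']} on token {f['token']} (block {f['block']}){tail}")
```

Only the look-alike spender is reported: the Booster approval is on the allowlist, the unrelated spender was revoked to zero, and the other wallet's events are filtered out by `topic1`. Comparison is on the full lower-cased address, so the matching prefix and suffix buy the attacker nothing.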

HOW COULD THIS HAVE BEEN PREVENTED?

The DNS change was made by the registrar's own support staff, so the controls on the customer account (a strong password, 2FA, security alerts) had no bearing on it. The control that would have stopped it is a registrar-side lock that requires a second, independent verification step before anyone, including support staff, can change the domain's DNS or registrant data. NameCheap sells such a product (Domain Vault, which its CEO pointed to above) for $20/mo, and other registrars offer comparable registry-lock services. Because the attacker was also able to disable the account's security alerts, monitoring of the domain's records should run from outside the registrar, so that an unexpected change is noticed even when the registrar's own notifications have been silenced.

 

Users should check every new approval request against the protocol's published contract list and compare the full address, not just the first and last few characters: the attacker generated addresses that matched the genuine ones at both ends, which is exactly what a quick glance checks. Existing approvals can be reviewed and revoked with tools such as Etherscan's token approval checker or revoke.cash.
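The post mortem mentions "multiple layers of DNS monitoring" without describing them. As an added example, not Convex's own monitoring, the check below compares a baseline of the domain against a fresh snapshot and shows why watching the NS delegation alone is not enough: the page does not say whether the agent changed the delegation or the records themselves, so both are checked, and the constructed scenario uses the record-level case, where an NS-only monitor is blind. It also reports when the registrar/registry lock flags are missing from the domain's status. `live_a_records` is the one part that touches the network (standard library, IPv4 only); NS records and EPP status flags would come from a DNS library and RDAP in practice, and in the snapshots here they are constructed, as are the IP addresses (documentation ranges) and name server names.

```python
"""Alert on registrar-side DNS changes. Added example; snapshots are constructed."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    a: frozenset           # IPv4 addresses the name resolves to
    ns: frozenset          # authoritative name servers
    epp_status: frozenset  # status flags from RDAP/WHOIS, e.g. clientTransferProhibited


# Locks a production domain should carry; their absence is worth an alert on its own.
EXPECTED_LOCKS = frozenset({"clientTransferProhibited", "clientUpdateProhibited",
                            "clientDeleteProhibited"})


def live_a_records(domain: str) -> frozenset:
    """Current A records via the system resolver (what a scheduled job would call)."""
    _, _, addrs = socket.gethostbyname_ex(domain)
    return frozenset(addrs)


def ns_only_check(baseline: Snapshot, observed: Snapshot) -> list:
    """The common, insufficient check: delegation only."""
    if observed.ns != baseline.ns:
        return [("critical", f"NS changed: {sorted(baseline.ns)} -> {sorted(observed.ns)}")]
    return []


def full_check(baseline: Snapshot, observed: Snapshot) -> list:
    """Delegation, resolved addresses and lock status. Returns (severity, message) tuples."""
    alerts = ns_only_check(baseline, observed)
    # Subset rather than equality: round-robin answers may return only some of the
    # allowed addresses, but any address outside the set means traffic goes somewhere new.
    rogue = observed.a - baseline.a
    if rogue:
        alerts.append(("critical", f"A records point outside the allowed set: {sorted(rogue)}"))
    missing = EXPECTED_LOCKS - observed.epp_status
    if missing:
        alerts.append(("high", f"registrar locks missing: {sorted(missing)}"))
    return alerts


# Constructed baseline: two allowed front-end IPs, placeholder name servers, all locks present.
BASELINE = Snapshot(
    a=frozenset({"203.0.113.10", "203.0.113.11"}),
    ns=frozenset({"dns1.registrar.example", "dns2.registrar.example"}),
    epp_status=EXPECTED_LOCKS,
)

# Constructed hijack: the A record now points at an attacker host while the delegation
# and the lock flags are untouched, because the change was made inside the registrar.
HIJACKED = Snapshot(a=frozenset({"198.51.100.7"}), ns=BASELINE.ns, epp_status=BASELINE.epp_status)

# Constructed benign variation: the resolver returned only one of the two allowed IPs.
ROUND_ROBIN = Snapshot(a=frozenset({"203.0.113.11"}), ns=BASELINE.ns, epp_status=BASELINE.epp_status)

if __name__ == "__main__":
    print("NS-only check on hijacked snapshot:", ns_only_check(BASELINE, HIJACKED))
    for sev, msg in full_check(BASELINE, HIJACKED):
        print(f"[{sev}] {msg}")
```

Against the hijacked snapshot the NS-only check returns nothing and the full check raises one critical alert for the rogue address; the round-robin snapshot raises none. In a deployment the baseline would be committed alongside the site's infrastructure definitions and the observed snapshot built from a resolver that is not the registrar's, so that the comparison does not depend on the account the attacker controls.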

 


Sources And Further Reading

https://en.cryptonomist.ch/2022/06/24/convex-more-info-on-the-hack/ (Jul 2)
https://www.convexfinance.com/ (Aug 23)
Convex for Curve.fi - ConvexFinance (Aug 23)
platform/Convex Platform Security Audit Report.pdf at main · convex-eth/platform · GitHub (Aug 23)
@Alexintosh Twitter (Aug 23)
@ConvexFinance Twitter (Aug 23)
@ConvexFinance Twitter (Aug 23)
https://etherscan.io/address/0xb73261481064f717a63e6f295d917c28385af9aa (Aug 23)
https://etherscan.io/address/0x72a1a639c69f8002f035a7dc231d634d74e6b86e (Aug 23)
https://etherscan.io/address/0x56d3191ee65f1f76e4e902ec983c6420398d49c8 (Aug 23)
https://etherscan.io/address/0xba63402bdf0e1b245333e5ef008baee69d669f2a (Aug 23)
@StefanPatatu Twitter (Aug 23)
Post Mortem Of Events June 23 (Aug 24)
@ConvexFinance Twitter (Aug 24)
@NamecheapCEO Twitter (Aug 24)
@ConvexFinance Twitter (Aug 24)
Contract Addresses - ConvexFinance (Aug 24)
Known Approvals - Pastebin.com (Aug 24)
@flubdubster Twitter (Aug 24)
@NamecheapCEO Twitter (Aug 24)
@flubdubster Twitter (Aug 24)
@flubdubster Twitter (Aug 24)
@ConvexFinance Twitter (Aug 24)
@ConvexFinance Twitter (Aug 24)
@DevanCollins3 Twitter (Aug 24)
@HarukoTech Twitter (Aug 24)
$15 Billion Rugpull Vulnerability in Convex Finance protocol Uncovered and Resolved - OpenZeppelin blog (Aug 24)
@JustinCBram Twitter (Aug 24)
@ConvexFinance Twitter (Aug 24)
@ConvexFinance Twitter (Aug 24)
Convex Finance Pre Launch Announcement (Aug 24)
https://coinmarketcap.com/currencies/convex-crv/historical-data/ (Aug 24)
https://coinmarketcap.com/currencies/curve-dao-token/historical-data/ (Aug 24)

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.