DeFi protocol removed an important line of code, leading to a $212K hack
Decentralized finance protocol Convergence confirmed it was hit by a smart contract exploit on August 1, with the hacker minting and selling about $210,000 worth of CVG tokens, as well as stealing $2,000 in unclaimed rewards.
According to a post-mortem released by Wireshark, the founder of the Convergence Protocol, the hacker exploited the protocol's CvxRewardDistributor contract, allowing them to sell 58 million CVG tokens for approximately $210,000.
The hacker also stole nearly $2,000 in unclaimed rewards from Convex, a DeFi protocol designed to maximize rewards for Curve liquidity providers.
According to Etherscan, the attack took place on August 1 around 3:00 am UTC.
Blockchain security firm PeckShield claims that after generating the CVG tokens, the hacker quickly converted them to 60 wrapped Ether and 15,900 Curve.fi FRAX.
The moves have since resulted in a nearly 100% price loss for the CVG management token, which now trades at $0.0004 with a market cap of $57,000, CoinMarketCap data shows.
How the hack happened
Convergence says the attack was possible because the team accidentally removed a necessary line of code from the smart contract that distributes CVG rewards. The change was made after the smart contract code had been audited four times.
“The update [the gas optimization on the first side] made us remove the line of code that was checking the input given to the function,” Convergence explained.
The hacker exploited the claimMultipleStaking function of this CvxRewardDistributor contract.
With the check removed, the staking contract supplied to the function was not verified, which allowed the hacker to pass in a malicious contract exposing a function with the same signature as claimCvgCvxMultiple.
Convergence said the hacker minted all the tokens reserved for staking emissions and dumped them into CVG's liquidity pools.
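The missing input check described above, as a minimal Solidity sketch added here for illustration (it is not Convergence's code): a reward distributor that mints whatever amount a caller-supplied contract reports, first without and then with a check that the contract is a registered staking contract. All names in it (RewardDistributorSketch, IStaking, IMintable, claimRewards, isStaking) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not the protocol's source.
interface IStaking {
    function claimRewards(address account) external returns (uint256 amount);
}
interface IMintable {
    function mint(address to, uint256 amount) external;
}

contract RewardDistributorSketch {
    IMintable public immutable rewardToken;
    address public immutable owner;
    mapping(address => bool) public isStaking; // registry of trusted staking contracts

    error NotStaking(address candidate);

    constructor(IMintable token) {
        rewardToken = token;
        owner = msg.sender;
    }

    function setStaking(address staking, bool trusted) external {
        require(msg.sender == owner, "not owner");
        isStaking[staking] = trusted;
    }

    // Flawed pattern: the amount to mint comes from any contract the caller
    // names, as long as it exposes a function with the expected signature.
    function claimMultipleUnchecked(IStaking[] calldata stakings) external {
        uint256 total;
        for (uint256 i; i < stakings.length; ++i) {
            total += stakings[i].claimRewards(msg.sender);
        }
        rewardToken.mint(msg.sender, total);
    }

    // Hardened pattern: each supplied address must be in the registry first.
    function claimMultiple(IStaking[] calldata stakings) external {
        uint256 total;
        for (uint256 i; i < stakings.length; ++i) {
            if (!isStaking[address(stakings[i])]) revert NotStaking(address(stakings[i]));
            total += stakings[i].claimRewards(msg.sender);
        }
        rewardToken.mint(msg.sender, total);
    }
}
```

The two claim functions differ by a single line, which is why a regression test that passes an unregistered address and expects a revert is worth keeping next to any gas-optimization change to such a function.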
“We apologize to our community and investors and take full responsibility for what happened.”
Convergence says user funds are safe, but advises users to remove assets from the platform.
Due to the exploit, the Stake DAO integration reward contract is currently broken. It will be fixed, and once that is done, stakers can claim their rewards. “No rewards will be lost for Stake DAO integration users,” it said.
“We will soon discuss the future possibilities of the protocol.”
Convergence works to consolidate liquidity, increase returns and enable liquidity lock-in across the Curve Finance ecosystem.
The total value locked in Convergence dropped from $5.79 million to $3.69 million, according to DefiLlama data.
Most of the $266 million the cryptocurrency ecosystem lost to hacks in July came from the $230 million hack of Indian trading platform WazirX on July 18.