On August 1, 2024, the decentralized finance (DeFi) protocol Convergence experienced a major security breach that resulted in a loss of approximately $212,000. The incident occurred due to the removal of a crucial line of code from the CvxRewardDistributor smart contract. This line, which was accidentally deleted during a routine gas optimization update, had previously played a key role in validating staking rewards. Without this validation, the attacker was able to exploit the contract to mint and sell 58 million CVG tokens, leading to a dramatic drop in the token’s value.
Following the hack, the price of the CVG governance token plummeted by over 99%, with its market cap collapsing to just $57,000. The attacker also managed to steal about $2,000 in unclaimed staking rewards from the Convex protocol, which aims to maximize rewards for Curve liquidity providers. Blockchain security firm PeckShield reported that the stolen CVG tokens were quickly swapped for wrapped Ether and Curve.fi FRAX, compounding the impact on the market.
Convergence has acknowledged the breach and expressed regret over the incident. The protocol’s team explained that the vulnerability was caused by a gas-optimization modification that inadvertently removed an essential input validation check from the staking rewards contract. This oversight allowed the attacker to exploit the system and mint tokens indiscriminately. Convergence has advised users to withdraw their assets from the platform while it works to address the broken rewards contract and restore normal operations.
Despite the setback, Convergence assured users that their funds remain secure. The total value locked (TVL) on the platform has decreased from $5.79 million to $3.69 million, reflecting the negative impact of the breach. The team is committed to resolving the issues and will provide updates on the protocol’s future plans. This incident underscores the risks associated with smart contract management and highlights the importance of thorough code audits and validation procedures in DeFi projects.