The DeFi protocol Convergence was hit with a hack on August 1, stemming from its team removing a single line of code to optimize gas fees for users. An attacker noticed the deletion and took advantage of it to mint and drain $210,000 worth of tokens and $2,000 worth of staking rewards.
Blockchain security and analytics firm PeckShield took to X to report the occurrence: “It seems @Convergence_fi was just exploited (w/ ~$210k loss) to mint 58m $CVG (58,718,395.05681812), which are swapped to 60 WETH and 15.9k crvFRAX.”
58 million CVG tokens, Convergence's native token, were minted and dumped into CVG liquidity pools to execute the heist. The token has since lost 99% of its value. The contract in question, CvxRewardDistributor, had been audited four times. The code was altered after those audits, removing a check that validated the contract supplied as input to one of its functions. Without that check, the attacker could pass in a contract of their own, which the distributor then trusted, and which minted the tokens they made off with.
A post-mortem report of the attack released by the protocol’s pseudonymous founder, Wireshark, read, “Security has always been a concern for us, and Convergence Finance has been audited four times by different companies.” They added, “However, we modified this part of the code post-audit. The modification (gas-optimization on the first hand) led us to remove the line of code that was checking the input given to the function.”
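The pattern the two paragraphs above describe, a reward distributor that takes a contract address from the caller and whose input check was dropped to save gas, is illustrated below. This is an added example written for this page, not Convergence's CvxRewardDistributor code or its post-mortem; the contract, interface and function names (RewardDistributor, IRewardSource, claim, claimUnchecked, FakeRewardSource) and the minting logic are assumptions chosen to show the general shape of the bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of a removed input check in a reward distributor.
// Not the Convergence code; all names and amounts here are made up.

interface IRewardSource {
    // How many reward tokens `account` is owed by this source.
    function pendingRewards(address account) external view returns (uint256);
}

interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

contract RewardDistributor {
    IMintableToken public immutable rewardToken;
    address public immutable owner;

    // Allow-list of reward sources the protocol has vetted.
    mapping(address => bool) public registered;

    constructor(IMintableToken _rewardToken) {
        rewardToken = _rewardToken;
        owner = msg.sender;
    }

    function register(address source) external {
        require(msg.sender == owner, "not owner");
        registered[source] = true;
    }

    // Audited shape: `source` is caller-controlled input, so it is validated
    // against the allow-list before the distributor acts on what it reports.
    function claim(address source) external {
        require(registered[source], "unknown reward source");
        uint256 amount = IRewardSource(source).pendingRewards(msg.sender);
        rewardToken.mint(msg.sender, amount);
    }

    // Post-"gas optimization" shape: the require (one cold storage read) is
    // gone. Any address that answers pendingRewards() is now accepted, and
    // that contract decides how much the distributor mints.
    function claimUnchecked(address source) external {
        uint256 amount = IRewardSource(source).pendingRewards(msg.sender);
        rewardToken.mint(msg.sender, amount);
    }
}

// What "adding a malicious contract of their own" amounts to against the
// unchecked variant: a source that reports whatever balance its author likes.
contract FakeRewardSource is IRewardSource {
    function pendingRewards(address) external pure returns (uint256) {
        return 1_000_000 ether; // arbitrary; hypothetical figure
    }
}
```

The saving from deleting the `require` is a single storage read per claim, which is exactly the kind of line a gas-optimization pass is tempted to strip. The check that would have flagged the regression is a negative test: call `claim` with an address that was never registered and assert that it reverts. Any change to a function that accepts an address from the caller after an audit should re-run that test, and the diff should be treated as a new audit scope rather than a cosmetic tweak.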
They also accepted full responsibility for the issue, apologizing to their community of users, supporters, and investors. Furthermore, they assured users their funds were safe but asked them to withdraw their assets due to the broken staking implementation.
“Due to the exploit, the rewards contract for the Stake DAO integration is currently broken. It will be fixed, and stakers will be able to claim their rewards once it’s done. No rewards are lost for Stake DAO integration users.”