ConvexFinance
Search…
ConvexFinance
Welcome to Convex Finance
General Information
Convex for Curve.fi
Convex for Frax Finance
Tokenomics
Understanding CVX
How-To Guides
Using Convex Finance
Claiming Rewards
Claiming your Airdrop
FAQ
Platform Rewards: Current vs Projected APR
Contract Addresses
Fees
Risks
Audits
Convex Treasury
Multisig Admin Rights
Airdrops From Other Platforms
Bug Bounties
Known Issues
Links
Convex Finance
Blog
Github
Twitter
Curve.fi
Integration Docs
Powered By GitBook
Known Issues

Convex has strived to be a trustless platform in which deposits can never be touched or accessed by the admin account.
Since launch we have determined a few vectors that would go against that stance and thus have implemented various checks and conditions that the admin account must clear before certain actions can be taken.
With the help from V (OpenZeppelin) and 0xJuicer/0xPhaedra0x (Tang Finance) we have implemented layers that either completely block some patterns or make it extremely difficult to put into action.
Additional Layers: poolManagerProxy: 0x5F47010F230cE1568BeA53a06eBAF528D05c5c1B poolManagerSecondaryProxy: 0xD20904e5916113D11414F083229e9C8C6F91D1e1 boosterOwner: 0x3cE6408F923326f81A7D7929952947748180f1E6​
These layers, to our knowledge, successfully block most vectors that could be used. However there is still one known path that uses a series of fake gauges to create fake pools and exploits the shutdown system. We believe this has been sufficiently mitigated as the steps that must be taken are as follows:
  • Create a fake gauge for an existing pool and create an Curve DAO proposal to add said fake gauge
  • Pass Curve DAO proposal undetected (7 day voting period)
  • Give the fake gauge weight on Curve's gauge controller.
  • Shutdown an existing legit Convex pool. (Curve LP tokens are unstaked and returned to Booster contract)
  • Add a new pool on Convex that uses the fake gauge but legitimate LP tokens
  • Loop fake liquidity onto the gauge to increase Convex Deposit Tokens (deposit, withdraw directly from gauge, deposit again)
  • Call shutdownSystem() on Pool Manager Secondary Proxy. New pools can no longer be added
  • Call queueForceShutdown() on Booster Owner. A normal shutdown call will fail with the fake pool as there are more Convex Deposit Tokens than there are LP tokens, thus need to use this timelock shutdown feature.
  • Wait 30 days for the timelock to complete
  • Call forceShutdownSystem() on Booster Owner
  • Withdraw real Curve LP tokens using the illegitimate Convex Deposit Tokens
We believe this process which requires a DAO proposal, shutting down a legitimate pool, and waiting for a 30 day timelock should be sufficient mitigation. We are writing this process here as well so that this weakness is known and can be detected.
FAQ - Previous
Bug Bounties
Last modified 6mo ago
Copy link