Convergence, a decentralized finance protocol, has confirmed that it was hacked on August 1 via a smart contract exploit, in which a hacker stole and sold $210 million worth of native tokens. The hacker was also able to steal approximately $2,000 in unclaimed staking rewards from the platform.
One specific contract has been abused
The hacker reportedly managed to abuse the CvxRewardDistributor contract, allowing him to mint and sell 58 million CVG tokens for approximately $210,000.
Additionally, the hacker stole approximately $2,000 in unclaimed rewards from Convex, a DeFi protocol designed to maximize rewards for Curve liquidity providers. According to Etherscan, the attack occurred on August 1 at around 3:00 UTC.
Blockchain security firm PeckShield, for their part, noted that after minting the CVG tokens, the hacker quickly exchanged them for 60 wrapped Ether and 15,900 Curve.fi FRAX.
These actions have led to a nearly 100% drop in the price of the CVG governance token, which is now trading at $0.0004 with a market cap of just $57,000, according to data sourced from CoinMarketCap.
One line of code removed from their smart contract
Convergence stated that the attack was possible because the team accidentally removed a key line of code from their smart contract, which distributes CVG staking rewards. This change was made after the smart contract code had been audited four times.
“The change (first-hand gas optimization) resulted in us removing the line of code that checked the input given to the function,” Convergence explained.
The hacker exploited this through the CvxRewardDistributor contract's claimMultipleStaking function. Because the staking contract address passed to that function was no longer validated, the hacker could supply a separate malicious contract exposing a function with the same signature as claimCvgCvxMultiple.
The hacker then minted the tokens earmarked for staking issuance and dumped them into CVG liquidity pools, Convergence said.
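The mechanism described above, as an added illustration that is not Convergence's actual code: a minimal reward distributor whose claimMultipleStaking takes caller-supplied staking contract addresses and mints whatever those contracts report, shown in a vulnerable shape (no input check) next to a hardened shape (a registry of allowed staking contracts). The function names claimMultipleStaking and claimCvgCvxMultiple are taken from the page; the interfaces, the mint call, the owner-managed registry and the return type of claimCvgCvxMultiple are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces; not Convergence's real contracts.
interface ICvgToken {
    function mint(address to, uint256 amount) external;
}

interface IStakingContract {
    // Same function name as on the page; the return value is assumed here.
    function claimCvgCvxMultiple(address account) external returns (uint256 cvgAmount);
}

// Vulnerable shape: the staking contract address comes from the caller and is trusted.
contract RewardDistributorVulnerable {
    ICvgToken public immutable cvg;

    constructor(ICvgToken _cvg) { cvg = _cvg; }

    function claimMultipleStaking(address[] calldata stakingContracts) external {
        for (uint256 i = 0; i < stakingContracts.length; i++) {
            // Missing input check: nothing ties stakingContracts[i] to a registered
            // staking contract, so whatever that address returns gets minted.
            uint256 amount = IStakingContract(stakingContracts[i]).claimCvgCvxMultiple(msg.sender);
            cvg.mint(msg.sender, amount);
        }
    }
}

// Hardened shape: only registered staking contracts may be claimed against.
contract RewardDistributorHardened {
    ICvgToken public immutable cvg;
    address public immutable owner;
    mapping(address => bool) public isStakingContract;

    event StakingContractSet(address indexed stakingContract, bool allowed);

    constructor(ICvgToken _cvg) {
        cvg = _cvg;
        owner = msg.sender;
    }

    // Registry managed by the protocol; assumed design, not Convergence's.
    function setStakingContract(address stakingContract, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isStakingContract[stakingContract] = allowed;
        emit StakingContractSet(stakingContract, allowed);
    }

    function claimMultipleStaking(address[] calldata stakingContracts) external {
        for (uint256 i = 0; i < stakingContracts.length; i++) {
            address s = stakingContracts[i];
            // The input check: reject any address that is not a registered staking contract.
            require(isStakingContract[s], "unregistered staking contract");
            uint256 amount = IStakingContract(s).claimCvgCvxMultiple(msg.sender);
            cvg.mint(msg.sender, amount);
        }
    }
}
```

The difference between the two contracts is a single require, which is why a gas optimization can remove it without any other code path changing. A regression test that asserts claimMultipleStaking reverts for an unregistered address, run on every change after an audit, is the cheapest guard against that line quietly disappearing again.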
“We apologize to our community and investors and take full responsibility for what happened.”
User funds are still safe
Convergence assures that user funds are safe. Nevertheless, it has recommended that users withdraw their assets from the platform.
“The exploit currently breaks the Stake DAO integration reward contract. It will be fixed and stakers can claim their rewards once it is done. No rewards will be lost for Stake DAO integration users. We will communicate about future options for the protocol soon,” the protocol said.
Convergence is working to aggregate liquidity, increase yields and enable liquid locking in the Curve Finance ecosystem. The total value locked on Convergence decreased from $5.79 million to $3.69 million, according to data sourced from DefiLlama.
Source: https://newsbit.nl/hack-op-convergence-210-miljoen-aan-tokens-gestolen-door-smart-contract-exploit/