Hacker Steals $210,000 in CVG Tokens from Convergence

As a seasoned analyst with over two decades of experience in the tech and finance industries, I’ve seen more than my fair share of security breaches and hacks. The recent incident with Convergence is no exception, and it serves as a stark reminder that even the most innovative and promising projects can succumb to human error.


On August 1st, the decentralized finance (DeFi) platform Convergence experienced a significant security breach. A hacker took advantage of a weakness in the CvxRewardDistributor smart contract within the protocol, leading to the creation and sale of approximately 58 million CVG tokens valued at around $210,000. Furthermore, the attacker drained an additional $2,000 from unclaimed staking rewards.

Based on a recent report by Wireshark, it appears that the hacker’s strategy took advantage of an oversight within the Convergence team’s work. A crucial piece of code was mistakenly left out from the smart contract following multiple audits, which was meant to save gas but unintentionally provided the attacker with an opportunity to manipulate the contract’s claimMultipleStaking function.

At approximately 3:00 am UTC on August 1st, a hacker took advantage of the CVG token by manipulating it. They then quickly transformed this newly minted CVG into about 60 wrapped Ether and 15,900 Curve.fi FRAX. This action significantly decreased the value of the CVG token, now trading at $0.0004 with a market capitalization of $57,000.

Hacker Steals $210,000 in CVG Tokens from Convergence

As an analyst, I’ve discovered that a crafty individual managed to circumvent the verification processes of the contract, introducing a malevolent contract with a matching function signature to the legitimate one (CvgCvxMultiple). This tactic allowed them to execute their malicious intentions.

To alleviate concerns, Convergence has guaranteed the safety of user funds and encouraged members to remove their assets from the system. The group admitted their error, offered an apology, and accepted accountability for the occurrence.

As a long-time user of Stake DAO, I can attest to the platform’s reliability and effectiveness in yield farming. However, I recently learned that their rewards contract for Stake DAO integration is temporarily out of commission. Despite this temporary setback, I am confident that the team at Convergence will address the issue promptly and communicate their future plans soon. In my experience, they have always been proactive in resolving any issues that arise, and I trust that they will do so again. While it’s unfortunate that rewards may not be flowing as usual during this time, I remain optimistic about the platform’s long-term potential and am excited to see what the future holds for Stake DAO.

The security breach occurs during a concerning period in the crypto market, as July saw approximately $266 million in combined losses due to multiple exploits. Particularly noteworthy is the incident involving the Indian trading platform WazirX, which suffered a loss of $230 million on July 18th.

As Convergence focuses on fixing issues and rebuilding trust, the wider Decentralized Finance (DeFi) community stays extra cautious, underscoring the essential role of strong smart contract security and continuous vigilance.

Read More

Sorry. No data so far.

2024-08-02 09:41