Bug Causes Convex Finance to Redeploy $12 Billion Smart Contract
A “non-crucial” bug in Convex Finance’s reward system has necessitated the protocol to redeploy the US$12 billion smart contract, releasing all the users’ vote-locked CVX.
According to a Twitter post by Convex Finance (CVX), the bug had made it possible for expired locks to relock directly to a new address, allowing them to claim more cvxCRV rewards than they had actually earned:
Important update for vote-locked $CVX holders: the vote-locking contract has been re-deployed, and users will need to re-lock their $CVX tokens.
— Convex Finance (@ConvexFinance) March 4, 2022
Full details in our latest medium post:https://t.co/qMGhn7aAqP
Due to the way Convex works, a simple edit to the contract would not have sufficed and it needed to be redeployed. This meant that all the vote-locked tokens held in the contract would be unlocked upon redeployment.
As the team wrote in a blog post: “There were no instances of [the bug] being used prior to deployment of the new vlCVX contract. However, since Convex Finance contracts are immutable and non-upgradeable, a new contract had to be deployed. The new vlCVX contract has implemented a fix for this potential bug going forward.”
Redeployment Causes Supply Shock
With the smart contract bug causing a premature unlock of a massive portion of CVX’s token supply, the market behaved in an unfavourable way. All the unlocked CVX was now eligible to be sold on the open market. Within the first 30 minutes, prices were down 20 per cent due to sellers and a resultant massive supply shock.
According to one user: “Based on the website, 72.11 percent of $CVX supply, or 38.1 million tokens, have been unlocked. If only 30 percent of these tokens are dumped today, then about US$250 million in buys will be needed to maintain the $20 price.”
Whales Ever Buying the Dip
This provided an opportunity for a few whales to snatch up some extra CVX. With prices falling to US$15 from around $20 in a matter of hours, some whales managed to snatch up quite a parcel:
Also seeing the best fill size buyers (filtered for +$100k buys) entering back into positions, this address bought $2.5m CVX about 30 minutes ago. https://t.co/pyO19oWVxo pic.twitter.com/zBkoLhNKtu
— Matt Casto (@mcasto_) March 4, 2022
The nascent DeFi industry is unfortunately infamous for hacks and bugs due to its complexity. Crypto projects generally work hard to secure users’ funds, and DeFi protocols as large as CVX have billions to worry about. Keeping the protocol secure and fixing bugs are key to ensuring user confidence. Last October, for instance, Compound Finance (COMP) fixed a bug that had been plaguing the protocol for some time.