TL;DR: On June 12, 2025, a reentrancy vulnerability was identified in Cove’s liquidity mining program and promptly neutralized. No user funds were lost, and 652,565 non-transferable COVE tokens were secured as a precaution.
The vulnerability was introduced in 1inch/token-plugins@1.0.0, and was integrated by Cove. Thankfully, 1inch infrastructure was not affected: it relies on a separate version of the code.
2025-06-12 13:35 UTC – Internal review confirmed no other contracts or projects were affected; incident contained and resolved.
2025-06-12 04:06 UTC – Executed a white-hat “rescue” transaction to drain and secure the remaining reward tokens, fully mitigating the vulnerability.
2025-06-12 01:06 UTC – Halted the farming rewards program via an emergency stopFarming transaction (sent by Cove’s ops multisig) to prevent any exploitation of distributed rewards.
2025-06-12 00:18 UTC – Security researcher adriro (@adrianromero) from yAudit (Electi Security) reported a flaw in the farming plugin via Immunefi; incident response was immediately initiated.
This vulnerability could have allowed an attacker to drain all reward tokens from Cove’s liquidity mining program. Exactly 652,565 COVE tokens allocated for rewards were at risk. Importantly, no user deposits or non-reward funds were ever at risk. Due to COVE tokens currently being non-transferable, an attacker’s ability to monetize these tokens would have been severely limited. Prompt response ensured all vulnerable reward funds were secured before exploitation.
The vulnerability stemmed from a reentrancy flaw in a third-party farming plugin library (developed by 1inch) utilized for rewards distribution. A recent code optimization removed safeguards, inadvertently reintroducing a previously mitigated vulnerability. The farming plugin’s balance update function could be re-entered before it had completed, allowing reward balances to be fraudulently inflated.
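To make the bug class concrete, the following is an added illustration and not Cove’s or 1inch’s code: a deliberately minimal farming plugin in which every balance change settles the account’s pending rewards, shown once in a shape that can be re-entered mid-settlement and once hardened with a reentrancy guard, checks-effects-interactions ordering, and an owner-only emergency stop of the kind used in the timeline above. The contract names, the IBalanceObserver callback, the reward math and the stopFarming/notifyReward functions are assumptions made for this example; it does not reproduce the actual token-plugins flaw.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified farming plugin (assumption, not the 1inch token-plugins code).
// Rewards accrue per unit of tracked balance; pending rewards are settled on every change.

interface IBalanceObserver {
    // Untrusted callback fired on balance changes; it may call back into the plugin.
    function onBalanceChanged(address account, uint256 newBalance) external;
}

abstract contract FarmingAccounting {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public rewardsOwed;
    mapping(address => uint256) public paidPerShare;
    uint256 public accRewardPerShare; // 1e18-scaled; advanced as rewards stream in
    IBalanceObserver public observer;

    constructor(IBalanceObserver obs) { observer = obs; }

    // Rewards earned by `account` since it was last settled.
    function _pending(address account) internal view returns (uint256) {
        return balanceOf[account] * (accRewardPerShare - paidPerShare[account]) / 1e18;
    }
}

// VULNERABLE SHAPE: `to` is notified while its settlement is only half done. If the
// callback re-enters updateBalances, the nested call settles `to` against the still-stale
// paidPerShare, and the outer call then credits the same pending amount a second time.
contract FarmingPluginUnguarded is FarmingAccounting {
    constructor(IBalanceObserver obs) FarmingAccounting(obs) {}

    function updateBalances(address from, address to, uint256 amount) external {
        uint256 pendingTo = _pending(to);        // read before the external call
        rewardsOwed[from] += _pending(from);
        paidPerShare[from] = accRewardPerShare;
        balanceOf[from] -= amount;                // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        observer.onBalanceChanged(to, balanceOf[to]); // interaction before `to` is settled
        rewardsOwed[to] += pendingTo;             // stale value applied after possible re-entry
        paidPerShare[to] = accRewardPerShare;
    }
}

// HARDENED: (1) the entrypoint is non-reentrant, and (2) all accounting is finished before
// any external call (checks-effects-interactions). Either fix alone closes the double credit;
// keeping both means a later refactor that drops one does not silently reopen it.
contract FarmingPluginGuarded is FarmingAccounting {
    uint256 private _entered = 1;
    address public owner;
    bool public stopped;

    constructor(IBalanceObserver obs) FarmingAccounting(obs) { owner = msg.sender; }

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Credit everything earned so far and mark the account as settled, in one step.
    function _settle(address account) internal {
        rewardsOwed[account] += _pending(account);
        paidPerShare[account] = accRewardPerShare;
    }

    function updateBalances(address from, address to, uint256 amount) external nonReentrant {
        _settle(from);                            // effects first: both accounts fully settled
        _settle(to);
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        if (address(observer) != address(0)) {
            observer.onBalanceChanged(to, balanceOf[to]); // interaction last
        }
    }

    // Stream new rewards; refused once farming has been stopped.
    function notifyReward(uint256 perShareDelta) external onlyOwner {
        require(!stopped, "farming stopped");
        accRewardPerShare += perShareDelta;
    }

    // Emergency halt: balances keep tracking transfers, but no further rewards accrue
    // until the owner (e.g. an ops multisig) deploys a fixed distributor.
    function stopFarming() external onlyOwner {
        stopped = true;
    }
}
```

The stop switch is deliberately one-way and only freezes accrual rather than transfers, so the underlying token keeps working while the reward distributor is replaced; the rescue of already-funded reward tokens is a separate, owner-controlled step and is not modelled here.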
Upon discovery, our team immediately paused the rewards contract and executed a controlled white-hat exploit to secure the at-risk tokens. 1inch maintainers were promptly notified, and thorough reviews were conducted by security partners Zellic, Pashov Audit Group (Krum Pashov), pcaversaccio, and the SEAL 911 team. The feature will stay disabled, and we will provide further updates on safely resuming the liquidity mining program in the coming weeks.
No action required by users. All deposits and balances remain safe. The rewards program remains temporarily paused, and rewards will be calculated offchain in the interim so distributions are not affected. Users will be notified upon reactivation and secure redistribution of the rescued and other rewards tokens.
Special thanks to researcher adriro (@adrianromero) from yAudit (Electi Security) for responsible disclosure via Immunefi (awarded $15,000 USDC bounty). We deeply appreciate the rapid assistance from Zellic, Pashov Audit Group (Krum Pashov), pcaversaccio, Security Alliance’s SEAL 911, Taylor Monahan, samczsun, 0xc0ffeebabe, Anton Bukov and the 1inch team, Robert Chen (@NotDeGhost) from OtterSec, Jazzy from Zellic (@ret2jazzy), and Josselin Feist (@Montyly), who will conduct an end-to-end security audit for Cove in July, as well as numerous others who assisted during the incident response.
Additional thanks to Storm Labs team members for triage and mitigation efforts:
Mike Daly, Smart Contract Engineer
John Lim, Smart Contract Lead
Sunil Srivatsa, Founder/CEO
Security remains paramount. Cove will enhance monitoring and audit practices, accelerate migration to a more robust rewards distribution system, and refine emergency response protocols. We encourage responsible disclosures through our Immunefi bug bounty program.