$10.8M Stolen, Developers Implicated in Alleged Smart Contract 'Rug Pull'

Rogue developers seem to have rug-pulled their own project, Compounder Finance, netting some $10.8 million in funds from the project’s investors.

AccessTimeIconDec 2, 2020 at 4:24 p.m. UTC
Updated Sep 14, 2021 at 10:37 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Another decentralized finance (DeFi) project was rug-pulled Tuesday, with some $10.8 million in investor funds stolen due to a hidden backdoor in the project's smart contracts.

Compounder Finance – a self-described clone of Harvest and Yearn Finance built by pseudonymous programmers – had its contracts drained of $750,000 worth of wrapped bitcoin (WBTC), $4.8 million ether, $5 million dai and a small assortment of other tokens, according to an address associated with the exploit.

And while the attack looks similar to other DeFi rug-pulls or exploits, performed time and time again in 2020, this act of thievery is different because of the apparent con Compounder’s developers were playing, according to Robert Leshner, founder of lending protocol Compound Finance.

In a phone interview, Leshner told CoinDesk Compounder looked like any other yield farming DeFi project that took the cryptocurrency industry by storm this past summer. But the developers had snuck in a call function that allowed them to withdraw all funds from the project – an action a decentralized finance project should never allow – whenever they deemed the booty large enough. 

Rug pull

That threshold was apparently met Tuesday, even though Compounder’s token contracts were only created Nov. 10, according to Etherscan.

Leshner called the rug-pull “one of the largest '' purposeful cryptocurrency exploits in recent memory; an exploit categorically different from other DeFi exploits because of its patient endgame. He also alleges that Compounder “impersonated [Compound Finance’s] name” in order to lure in more victims.

A Telegram group of investors is currently investigating legal moves against the developers, although little information is known about the faces behind Compounder. One investor who claims to have lost $1 million in funds is offering a $50,000 bounty for information leading to the seizure of stolen funds. 

Compounder’s native token, CP3R, is down 98.8% in the last 24 hours and is now trading hands at $0.24, according to CoinGecko.

Smart contract audits not enough

Compounder was audited by Solidity Finance. Audits are typically seen as an act of good faith in the wild west of DeFi. Solidity Finance told CoinDesk it found the time-locked contract in question as early as mid-November and flagged it to the project’s developers. It offered documentation as well.

Unfortunately, Compounder not only knew about the function, but apparently had plans for it. 

“The Compounder team swapped the safe and audited Strategy contracts and replaced them with malicious 'Evil Strategy' contracts that allowed them to steal users funds,” Solidity Finance told CoinDesk in a Telegram message, adding:

“They did this through a public, though clearly unmonitored, 24-hour timelock. This issue of centralized control by the C3PR team was raised in our audit report and our discussions with their team. The team had the power to update strategy pools and they did so maliciously here to steal users’ funds.” In other words, investors overlooked the security hole even though the time lock in question was flagged by the audit.

Many DeFi investors are learning audits don’t necessarily equate to a secure protocol. Akropolis Finance stands as another recent example. It was hacked earlier last month for $2 million worth of dai, even though its contracts had been audited by two firms. 

Indeed, audits come in different flavors. Solidity Finance told CoinDesk it was mainly looking for “external attackers.” The firm plans on providing more information on possible “risks stemming from developers’ control” going forward.

Correction (Dec. 3, 2020 19:40 UTC): A previous version of this article stated that the time lock function was only disclosed too Compounder Finance's team. The public audit report included this information.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.