Buggy Code in This Compound Finance Fork Just Froze $1M in Ethereum Tokens

Some $1 million in Ethereum tokens is locked in a new DeFi app after its developers made changes to the protocol’s contracts.

Nov 5, 2020 at 8:59 p.m. UTC
Updated Sep 14, 2021 at 10:28 a.m. UTC

Some $1 million in Ethereum tokens is locked in a new DeFi app after its developers made changes to the protocol’s interest rate smart contracts.

DeFi lending platform PercentFinance, a fork of Compound Finance, wrote in a blog post on Nov. 4 “that some of [its] money markets experienced an issue that can result in permanent locking of user funds.” The team froze money markets specifically for USDC, ETH and wrapped bitcoin (WBTC).

A total of 446K USDC, 28 WBTC and 313 ETH, worth approximately $1 million, are currently frozen. Half of these immobile funds belong to PercentFinance’s “community mod team,” according to the post. Withdrawals for other markets are open, but the team is urging users not to borrow from any of PercentFinance’s markets in the meantime.

The error

In a Discord discussion regarding the vulnerability, Vfat, an Ethereum and PercentFinance developer, said the developer who forked PercentFinance from Compound Finance used “old contracts from Compound instead of ... newer, much better versions.”

Vfat moved to upgrade some of these smart contracts, specifically those that handle the interest rates for the platform’s loans. After Vfat finalized the changes and deployed them, he realized the signatures for the old contracts and the new contracts were incompatible, so transactions could not be signed to them.

“The old and new interest rate models have different function signatures on these all important functions,” he said in the Discord chat. “Essentially the token contract is trying to find an interest rate function that doesn't exist, so it always fails in every interaction.”

Vfat also said in the chat the “Compound [team has] confirmed that this means that the contract is bricked.”
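A pre-deployment check for the failure Vfat describes, as an added example that is not PercentFinance's or Compound's code: it compares the functions a calling contract expects against the ABI of a replacement contract before the replacement is wired in. An Ethereum call picks its target by a selector derived from the function name and argument types, so comparing those canonical strings catches a missing function; the check goes one step beyond the article by also flagging changed return types. The ABIs and function names below are constructed for illustration.

```python
import json

def canonical(params):
    """Render an ABI parameter list in canonical form, expanding tuples."""
    rendered = []
    for p in params:
        t = p["type"]
        if t.startswith("tuple"):  # e.g. "tuple" or "tuple[]"
            t = canonical(p.get("components", [])) + t[len("tuple"):]
        rendered.append(t)
    return "(" + ",".join(rendered) + ")"

def functions(abi_json):
    """Map 'name(argtypes)' to canonical return types for every function in an ABI."""
    return {e["name"] + canonical(e.get("inputs", [])): canonical(e.get("outputs", []))
            for e in json.loads(abi_json) if e.get("type") == "function"}

def incompatibilities(expected_abi, candidate_abi):
    """List each call the caller makes that the candidate contract cannot answer."""
    expected, candidate = functions(expected_abi), functions(candidate_abi)
    problems = []
    for sig, returns in sorted(expected.items()):
        if sig not in candidate:
            problems.append(f"missing: {sig}")
        elif candidate[sig] != returns:
            problems.append(f"return mismatch: {sig} expects {returns}, gets {candidate[sig]}")
    return problems

def fn(name, inputs, outputs):
    """Build one ABI function entry for the constructed samples below."""
    return {"type": "function", "name": name,
            "inputs": [{"type": t} for t in inputs],
            "outputs": [{"type": t} for t in outputs]}

# Constructed sample ABIs with hypothetical function names; these are NOT the
# real PercentFinance or Compound interfaces.
EXPECTED_BY_TOKEN = json.dumps([
    fn("borrowRate", ["uint256", "uint256", "uint256"], ["uint256", "uint256"]),
    fn("isRateModel", [], ["bool"]),
    fn("utilization", ["uint256", "uint256"], ["uint256"])])
NEW_RATE_MODEL = json.dumps([
    fn("borrowRate", ["uint256", "uint256", "uint256"], ["uint256"]),
    fn("isRateModel", [], ["bool"]),
    fn("utilizationRate", ["uint256", "uint256"], ["uint256"])])

if __name__ == "__main__":
    for problem in incompatibilities(EXPECTED_BY_TOKEN, NEW_RATE_MODEL):
        print(problem)
```

An empty result is the condition to require before pointing a live, non-upgradeable contract at a new dependency.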

The recourse

In direct messages with CoinDesk, Vfat said it is still too early on in the recovery process for a definitive plan, especially considering no one has had a chance to speak with Centre or BitGo yet, the issuers of the USDC crypto dollar and WBTC token, respectively.

Because USDC and WBTC have backdoors into their smart contracts, these issuers would be able to blacklist the addresses with the locked funds (even though they are already inaccessible, Vfat said this would be a good “extra precaution”). After the blacklisting, BitGo and Centre could then reissue new tokens to the old tokens' owners, something Tether did for a trader who mistakenly transferred $1 million in USDT tokens to the wrong address.

A Centre representative told CoinDesk the company can only meddle with USDC transactions if it receives “a valid, binding court-order from a competent U.S. court that has authority over Centre.” 

Representatives for BitGo were not available for comment at press time.

For other recovery efforts, Vfat said one early-stage proposal suggests launching new contracts for the USDC lending markets. Though 27% of the loans are locked in the old contracts, these new ones would allow borrowers to pay back the rest of their loans, and so retrieve their collateral and pay lenders back 73 cents on the dollar.

All of the PercentFinance lending platform’s WBTC is locked up, so without cooperation from BitGo those funds are lost to the ether. Likewise, 100% of PercentFinance’s ETH funds were also frozen, and there’s no practical way to recover these funds.

“Regardless of this haircut procedure I am taking responsibility for the full amount of these losses and will do everything I can to make everyone 100% whole,” Vfat told CoinDesk.
