
$10.8M Stolen, Developers Implicated in Alleged Smart Contract 'Rug Pull'

Rogue developers seem to have rug-pulled their own project, Compounder Finance, netting some $10.8 million in funds from the project’s investors.

Updated Sep 14, 2021, 10:37 a.m. Published Dec 2, 2020, 4:24 p.m.

Another decentralized finance (DeFi) project was rug-pulled Tuesday, with some $10.8 million in investor funds stolen due to a hidden backdoor in the project's smart contracts.


Compounder Finance – a self-described clone of Harvest and Yearn Finance built by pseudonymous programmers – had its contracts drained of $750,000 worth of wrapped bitcoin (WBTC), $4.8 million in ether, $5 million in dai and a small assortment of other tokens, according to an address associated with the exploit.

And while the attack looks similar to other DeFi rug-pulls or exploits, performed time and time again in 2020, this act of thievery is different because of the apparent con Compounder’s developers were playing, according to Robert Leshner, founder of lending protocol Compound Finance.


In a phone interview, Leshner told CoinDesk that Compounder looked like any other yield farming DeFi project of the kind that took the cryptocurrency industry by storm this past summer. But the developers had snuck in a call function that allowed them to withdraw all funds from the project – an action a decentralized finance project should never allow – whenever they deemed the booty large enough.

Rug pull

That threshold was apparently met Tuesday, even though Compounder’s token contracts were only created Nov. 10, according to Etherscan.

Leshner called the rug-pull “one of the largest” purposeful cryptocurrency exploits in recent memory; an exploit categorically different from other DeFi exploits because of its patient endgame. He also alleges that Compounder “impersonated [Compound Finance’s] name” in order to lure in more victims.

A Telegram group of investors is currently investigating legal moves against the developers, although little information is known about the faces behind Compounder. One investor who claims to have lost $1 million in funds is offering a $50,000 bounty for information leading to the seizure of stolen funds.

Compounder’s native token, CP3R, is down 98.8% in the last 24 hours and is now trading hands at $0.24, according to CoinGecko.

Smart contract audits not enough

Compounder was audited by Solidity Finance. Audits are typically seen as an act of good faith in the wild west of DeFi. Solidity Finance told CoinDesk it found the time-locked contract in question as early as mid-November and flagged it to the project’s developers. It offered documentation as well.

Unfortunately, Compounder not only knew about the function, but apparently had plans for it.

“The Compounder team swapped the safe and audited Strategy contracts and replaced them with malicious 'Evil Strategy' contracts that allowed them to steal users' funds,” Solidity Finance told CoinDesk in a Telegram message, adding:

“They did this through a public, though clearly unmonitored, 24-hour timelock. This issue of centralized control by the C3PR team was raised in our audit report and our discussions with their team. The team had the power to update strategy pools and they did so maliciously here to steal users’ funds.” In other words, investors overlooked the security hole even though the time lock in question was flagged by the audit.
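A public timelock only protects depositors if someone watches its queue during the delay. The sketch below is an added example, not code from Compounder, Solidity Finance or the article: it flags queued strategy swaps that point at addresses outside an audited allowlist and reports how long depositors have left to withdraw. The event layout, pool names and addresses are constructed; only the 24-hour delay comes from the article.

```python
# Added example: watcher for a strategy-swap timelock. All names, addresses and
# the event layout are constructed for illustration, not taken from Compounder.
from dataclasses import dataclass

TIMELOCK_DELAY = 24 * 60 * 60  # the 24-hour delay described in the article

# Hypothetical allowlist: strategy addresses that the audit actually covered.
AUDITED = {"0x" + "a1" * 20, "0x" + "b2" * 20}


@dataclass(frozen=True)
class QueuedSwap:
    queued_at: int     # unix time the change entered the timelock
    pool: str          # pool whose strategy is being replaced
    new_strategy: str  # address the pool will point at after the delay


def review_queue(queue, now):
    """Return alerts for queued swaps to unaudited strategies, most urgent first."""
    alerts = []
    for swap in queue:
        if swap.new_strategy.lower() in AUDITED:
            continue  # swap to audited code: nothing to flag
        remaining = swap.queued_at + TIMELOCK_DELAY - now
        alerts.append({
            "pool": swap.pool,
            "new_strategy": swap.new_strategy,
            "seconds_left": max(remaining, 0),
            "status": "PENDING" if remaining > 0 else "EXECUTABLE",
        })
    return sorted(alerts, key=lambda a: a["seconds_left"])


# Constructed sample queue (timestamps are arbitrary unix times).
SAMPLE_QUEUE = [
    QueuedSwap(1_000_000, "pool-dai", "0x" + "A1" * 20),   # audited, mixed case
    QueuedSwap(1_000_000, "pool-weth", "0x" + "e5" * 20),  # unaudited
    QueuedSwap(1_050_000, "pool-wbtc", "0x" + "e6" * 20),  # unaudited, queued later
]

if __name__ == "__main__":
    for alert in review_queue(SAMPLE_QUEUE, now=1_060_000):
        print(alert)
```

A `PENDING` alert is the window in which users can still exit; `EXECUTABLE` means the delay has already elapsed and the swap can be applied at any time.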

Many DeFi investors are learning audits don’t necessarily equate to a secure protocol. Akropolis Finance stands as another recent example. It was hacked earlier last month for $2 million worth of dai, even though its contracts had been audited by two firms.

Indeed, audits come in different flavors. Solidity Finance told CoinDesk it was mainly looking for “external attackers.” The firm plans on providing more information on possible “risks stemming from developers’ control” going forward.

Correction (Dec. 3, 2020 19:40 UTC): A previous version of this article stated that the time lock function was only disclosed to Compounder Finance's team. The public audit report included this information.
