$12 000 000 USD

DECEMBER 2020

GLOBAL

COMPOUNDER FINANCE

DESCRIPTION OF EVENTS

"Compounder automates farming for you into the best profit-making protocols available in DeFi. Giving you convenience of the strategies in one place, and keeping you ahead of the curve." "We will examine yields, security and complexity of new pools that will keep our stakers comfortable knowing they have a competitive edge to other farmers. We hope to offer the next generation of high-interest returns," the developers claimed. "Compounder provides high-return compound interest on assets and $CP3R rewards. The platform enables users to earn compounding interest on their assets while also earning $CP3R as a reward."

 

"Compound operates similar to a bank. You can deposit various cryptocurrencies and earn an annual interest on your deposits, similar to depositing your money into the bank. However, Compound’s main difference is that it does not have custody of your cryptocurrency deposits. Instead, you are actually sending your crypto to and interact with a smart contract, rather than another company or user. This feature is important because it means that no person or authority can control or take your funds."

 

"Compounder Finance, having only launched last month, promised investors that the Ethereum-based decentralized finance (DeFi) project implemented 24-hour time locks on all smart contracts imposed in the interest of safety, but what wasn't known is that the developers allegedly included a hidden backdoor into the system."

 

"Compounder’s developers drained the protocol’s wallets by replacing their asset pools with contracts that removed restrictions from the withdraw function." "Months ago, they had inserted this code into several compounder smart codebases by swapping the audited code for malicious “Evil Strategy” contracts. They could do this by a 24-hour timelock; if someone caught them in the act, they could raise it to the community. But nobody was watching, and the rug-puller managed to execute their code."

 

"The Compounder team swapped the safe & audited Strategy contracts and replaced them with malicious 'Evil Strategy' contracts that allowed them to steal users funds. They did this through a public, though clearly unmonitored, 24-hour timelock. This issue of centralized control by the C3PR team was raised in our audit report and our discussions with their team. The team had the power to update strategy pools and they did so maliciously here to steal users’ funds. In an effort to be transparent, anyone can view our chat logs with the C3PR team here. Everything below this line remains unchanged from the original report. View the full post-mortem here."

 

"At the time of writing, the project's website, Twitter, Medium, and Discord pages appear to have been deleted."

 

"[U]sers—who have collectively lost over $12 million—are understandably upset. So upset, in fact, some have waged death threats against Solidity Labs, the company responsible for auditing the project and ensuring the code was safe."

 

"“In the audit report we highlighted the Compounder Team's ability to update the pools through the timelock all through one address,” a spokesperson from Solidity Labs told Decrypt."

 

"“We will admit we should have been clearer here about the implications of this and how it could be used,” the Solidity spokesperson told Decrypt, but noted that it linked the timelock in its audit “for users to monitor.”" "“Evidently, no one monitored the timelock as malicious strategies started being deployed weeks ago,” they said."

 

"“Part of this is on users for not performing research,” noting, “Just because an audit report is released does not mean it is safe.”"

 

"Timelocks should not be trusted as a method to prevent rug pulls. If used anyway, an automated alert system or dashboard should be put in place to monitor transactions at that address. Moreover, as highlighted here, 24 hours appears to be insufficient to provide enough warning for users to remove funds."

 

"Not all projects with anonymous founders are scams. But nearly all scams are projects with anonymous founders. As a community, we need to be warier of anonymous founders going forward; especially those who use untraceable sources of funds like Tornado.cash."

 

"The project team has the ability to wreak havoc in nearly any project users invest in. Whether it be through the minting of tokens, dumping private supply, or clever contract swaps as we see here, risks to users almost always exist."

Compounder ran for months and gained significant traction. Because users continued to hold their private keys and only interacted with a smart contract, which had been audited, many felt safe.

However, the smart contract had a time lock, which let the anonymous team push an update with just 24 hours of notice. They queued an update that allowed them to withdraw all the funds. No one noticed what the queued update would do. Once the 24 hours had passed, they executed it and withdrew everything.
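The post-mortem quoted above says the missing control was an automated alert on the timelock address. The script below is an added example of such a monitor, not Compounder's or Solidity Labs' code. It assumes a Compound-style Timelock whose QueueTransaction events (target, function signature, decoded calldata, eta) have already been pulled from the chain and decoded; every strategy swap is checked against the set of contracts the audit covered, and any call the monitor does not recognise is escalated rather than ignored. All addresses, function signatures, the audited-strategy list and the queued events are constructed for the example.

```python
"""Timelock queue monitor (added example, not Compounder's own code).

Each call sitting in the timelock is classified before its execution time
(eta) so that a strategy swap to an unaudited contract, or a change to the
timelock itself, is raised while users can still withdraw.  The event shape
follows Compound's Timelock QueueTransaction event; everything else here is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: strategy contracts that appeared in the audit report, keyed by
# lowercase address.  Anything not in this set is unaudited as far as users know.
AUDITED_STRATEGIES: Dict[str, str] = {
    "0x" + "a1" * 20: "StrategyCurve3Pool (audited)",
    "0x" + "b2" * 20: "StrategyYearnUSDC (audited)",
}

# Constructed: controller functions a proposal would use to swap a vault's
# strategy, and the timelock's own administration functions.
STRATEGY_SWAP_SIGS = {"setStrategy(address,address)", "approveStrategy(address,address)"}
TIMELOCK_ADMIN_SIGS = {"setPendingAdmin(address)", "setDelay(uint256)"}

SEVERITY_RANK = {"info": 0, "high": 1, "critical": 2}


@dataclass(frozen=True)
class QueuedTx:
    tx_hash: str
    target: str       # contract the timelock will call
    signature: str    # e.g. "setStrategy(address,address)"
    args: Tuple       # decoded calldata arguments, in order
    eta: int          # unix time after which the call may execute


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    severity: str     # "info" | "high" | "critical"
    reason: str
    hours_left: float # time users still have to react before eta


def review_queue(events: List[QueuedTx], now: int,
                 audited: Dict[str, str] = AUDITED_STRATEGIES) -> List[Alert]:
    """Classify every pending timelock call; returns one Alert per event."""
    alerts: List[Alert] = []
    for ev in events:
        hours_left = max(0.0, (ev.eta - now) / 3600.0)
        if ev.signature in STRATEGY_SWAP_SIGS:
            token, strategy = ev.args
            label = audited.get(strategy.lower())
            if label is None:
                alerts.append(Alert(ev.tx_hash, "critical",
                    f"strategy for {token} would change to unaudited contract {strategy}",
                    hours_left))
            else:
                alerts.append(Alert(ev.tx_hash, "info",
                    f"strategy for {token} would change to {label}", hours_left))
        elif ev.signature in TIMELOCK_ADMIN_SIGS:
            alerts.append(Alert(ev.tx_hash, "high",
                f"timelock self-change queued: {ev.signature} {ev.args}", hours_left))
        else:
            # Unknown calls are never silently accepted: a monitor that only
            # knows a list of "bad" calls misses the next trick.
            alerts.append(Alert(ev.tx_hash, "high",
                f"unrecognised call {ev.signature} on {ev.target}", hours_left))
    return alerts


def highest(alerts: List[Alert]) -> Alert:
    """The alert to page on: worst severity, then least time left."""
    return max(alerts, key=lambda a: (SEVERITY_RANK[a.severity], -a.hours_left))


# Constructed sample queue: one legitimate swap, one swap to an address the
# audit never covered, and a change to the timelock delay itself.
NOW = 1_606_780_800                 # constructed "now": 2020-12-01 00:00 UTC
CONTROLLER = "0x" + "c0" * 20       # constructed controller address
TIMELOCK = "0x" + "71" * 20         # constructed timelock address
SAMPLE_QUEUE = [
    QueuedTx("0x01", CONTROLLER, "setStrategy(address,address)",
             ("USDC", "0x" + "b2" * 20), NOW + 24 * 3600),
    QueuedTx("0x02", CONTROLLER, "setStrategy(address,address)",
             ("WBTC", "0x" + "ef" * 20), NOW + 20 * 3600),
    QueuedTx("0x03", TIMELOCK, "setDelay(uint256)", (3600,), NOW + 24 * 3600),
]


def demo() -> List[Alert]:
    return review_queue(SAMPLE_QUEUE, NOW)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.severity:8}] {a.tx_hash} {a.hours_left:5.1f}h left: {a.reason}")
    print("page on:", highest(demo()).tx_hash)
```

Run on a chain, the events would come from the timelock's logs rather than `SAMPLE_QUEUE`; the design point is that the allowlist is the audit report, so a swap to anything else is critical by default, and the remaining hours are carried on every alert so a dashboard can show how much of the 24-hour window is left.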

HOW COULD THIS HAVE BEEN PREVENTED?

As the "team" was anonymous, it's entirely possible that it was a single individual masquerading as a team of developers.

 

In general, ensuring that the operators of the platforms are known individuals and reside in a country with a solid legal system would assist in holding these individuals to account. When a wallet is set up with multiple signatures required, it prevents any individual from running away with the funds, and background checks can prevent known criminals from being operators.

 

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.