Percent Finance Funds Frozen
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Percent finance was originally launched by an anonymous developer.
The smart contract was handed off to be managed by the community in a multi-signature fashion. Some members of this new management were not familiar with how all of the assets operated, and made a mistake which resulted in almost a full million dollars worth of users funds being locked up.
At last check, the project still has not changed since November 2020, so the situation does not look promising for affected users.
This is a global/international case not involving a specific country.
About Percent Finance
"Percent Finance is a decentralized protocol that came to life in September 2020." "Percent Finance is a community-owned fork of Compound, which uses Chainlink as its price oracle. These two key differences meant that Percent could innovate quickly, and carve its own path, while of course standing on the shoulders of the above two giants. Percent already succeeded in adding 15 tokens to its money market, all securely using Chainlink prices, and there are plans for more."
"On Nov 5, Percent Finance, a community-owned fork of Compound Finance declared that some trouble in the platform might cause locking up of user funds. According to the reports, almost $1M was stuck in money market smart contracts. Further explanation reveals that the markets were frozen as they used an old style of CToken."
"The one million frozen by the company consists of 313 Ethereum, 446k USDC, 28 WBTC. The total amount of value frozen is $996,000. The blog described how the error came from an update that has frozen Percent Finance’s markets across the USDC, ETH, and WBTC."
"This meant that these 3 contracts were no longer usable, and the user funds in them were permanently locked. These amounted to: 446,813 USDC, 28 wBTC and 313 ETH." "As the team further explained, the frozen markets use an older style of CToken copied from Compound protocol as part of the fork. The error occurred when old-style tokens were updated to use a new style interest rate model, which is not compatible with them. As a result, CToken failed when trying to accrue interest."
"I attempted to contact both Circle and BitGo to see about possibly retrieving the USDC and wBTC, but both avenues were dead-ends. I was not able to get an official response from either, however I was made aware that Circle does not offer this functionality, at least currently, although they might do in the future. They only respond to requests from law enforcement. BitGo on the other hand only offers this functionality for funds send to the wBTC contract, but no other contracts."
"Percent Finance’s clients are no longer able to withdraw, repay, supply, or borrow their funds. The team said that they would try and do all they could to rectify the situation." "According to the thread, while the team has detected the error and can code for a new contract that will be compatible, the tokens from the old contract cannot be migrated over to the new contract." "The affected users are invited to contact the community moderator via direct messages of a dedicated Discord channel."
"Unfortunately, it seems the locked ETH may be irretrievable, but we are currently working on potential scenarios to make affected users whole."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| November 5th, 2020 12:00:00 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
It is unknown how much was recovered.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Unfortunately, cryptocurrency is not forgiving when funds are locked in an inaccessible wallet.
It is therefore prudent that all changes be tested before deployment.
To have certainty of security, it would be recommended to stick to known wallet setups that leave the funds in the control of an multi-sig of trained, background checked individuals who store keys properly offline.
References
Crypto Hacks 2020: A Comprehensive List - ImmuneBytes (May 17)
Percent Finance Homepage (May 23)
Percent Finance Incident Post-Mortem (May 23)
Percent Finance announces $1 million frozen | Cryptopolitan (May 23)
Over $1 million locked in a DeFi protocol due to a smart contract error (May 23)
@PercentFinance Twitter (May 23)
Over $1M in user funds on Compound fork Perfect Finance are frozen after code change error (May 23)
Percent Finance - Important Announcement (May 23)
DeFi Protocol Percent Finance Accidentally Freezes $1M of Users Funds | News | ihodl.com (May 23)
Close to $1 Million Frozen in Percent Finance Smart Contracts (May 23)
SlowMist Hacked - SlowMist Zone (May 17)
Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 21)
@PercentFinance Twitter (Jun 26)