Compounder Finance Rug Pull

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Compounder Finance

Compounder ran for months and gained significant traction. Because users continued to hold their private keys and only interacted with a smart contract, which had been audited, many felt safe.

However, the contracts were upgradable by the anonymous team through a timelock that required only 24 hours of notice. The team used it to swap the audited strategy contracts for malicious replacements that removed the restrictions on the withdraw function. The timelock was public, but nobody was watching it, so the swaps went unnoticed. Once the malicious strategies were in place, the team withdrew all of the funds.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About Compounder Finance

"Compounder automates farming for you into the best profit-making protocols available in DeFi. Giving you convenience of the strategies in one place, and keeping you ahead of the curve." "We will examine yields, security and complexity of new pools that will keep our stakers comfortable knowing they have a competitive edge to other farmers. We hope to offer the next generation of high-interest returns," the developers claimed. "Compounder provides high-return compound interest on assets and $CP3R rewards. The platform enables users to earn compounding interest on their assets while also earning $CP3R as a reward."

"Compound operates similar to a bank. You can deposit various cryptocurrencies and earn an annual interest on your deposits, similar to depositing your money into the bank. However, Compound’s main difference is that it does not have custody of your cryptocurrency deposits. Instead, you are actually sending your crypto to and interact with a smart contract, rather than another company or user. This feature is important because it means that no person or authority can control or take your funds."

"Compounder Finance, having only launched last month, promised investors that the Ethereum-based decentralized finance (DeFi) project implemented 24-hour time locks on all smart contracts imposed in the interest of safety, but what wasn't known is that the developers allegedly included a hidden backdoor into the system."

"Compounder’s developers drained the protocol’s wallets by replacing their asset pools with contracts that removed restrictions from the withdraw function." "Months ago, they had inserted this code into several compounder smart codebases by swapping the audited code for malicious “Evil Strategy” contracts. They could do this by a 24-hour timelock; if someone caught them in the act, they could raise it to the community. But nobody was watching, and the rug-puller managed to execute their code."

"The Compounder team swapped the safe & audited Strategy contracts and replaced them with malicious 'Evil Strategy' contracts that allowed them to steal users funds. They did this through a public, though clearly unmonitored, 24-hour timelock. This issue of centralized control by the C3PR team was raised in our audit report and our discussions with their team. The team had the power to update strategy pools and they did so maliciously here to steal users’ funds. In an effort to be transparent, anyone can view our chat logs with the C3PR team here. Everything below this line remains unchanged from the original report. View the full post-mortem here."

"At the time of writing, the project's website, Twitter, Medium, and Discord pages appear to have been deleted."

"[U]sers—who have collectively lost over $12 million—are understandably upset. So upset, in fact, some have waged death threats against Solidity Labs, the company responsible for auditing the project and ensuring the code was safe."

"“In the audit report we highlighted the Compounder Team's ability to update the pools through the timelock all through one address,” a spokesperson from Solidity Labs told Decrypt."

"“We will admit we should have been clearer here about the implications of this and how it could be used,” the Solidity spokesperson told Decrypt, but noted that it linked the timelock in its audit “for users to monitor.”" "“Evidently, no one monitored the timelock as malicious strategies started being deployed weeks ago,” they said."

"“Part of this is on users for not performing research,” noting, “Just because an audit report is released does not mean it is safe.”"

"Timelocks should not be trusted as a method to prevent rug pulls. If used anyway, an automated alert system or dashboard should be put in place to monitor transactions at that address. Moreover, as highlighted here, 24 hours appears to be insufficient to provide enough warning for users to remove funds."

"Not all projects with anonymous founders are scams. But nearly all scams are projects with anonymous founders. As a community, we need to be warier of anonymous founders going forward; especially those who use untraceable sources of funds like Tornado.cash."

"The project team has the ability to wreak havoc in nearly any project users invest in. Whether it be through the minting of tokens, dumping private supply, or clever contract swaps as we see here, risks to users almost always exist."



The Reality

The audited strategy contracts had been replaced, through the same 24-hour timelock, with malicious "Evil Strategy" contracts that removed the restrictions on the withdraw function; according to the auditors, the malicious strategies started being deployed weeks before the drain. The audit report had noted that a single address could update the pools through the timelock and had linked the timelock for users to monitor, but the implications of that control were not spelled out, and nobody monitored the address.

What Happened

On December 2nd, 2020, the Compounder team used the malicious strategy contracts that had been swapped in through the timelock to drain the protocol's pools, taking over $12 million USD of user deposits. By the time the loss was reported, the project's website, Twitter, Medium, and Discord pages had been deleted.

Key Event Timeline - Compounder Finance Rug Pull
Date | Event | Description
December 2nd, 2020 | Main Event | The team withdrew all user funds from the protocol's pools using the previously swapped-in malicious strategy contracts; losses exceeded $12 million USD.

Technical Details

Deposited assets were routed by the vaults to strategy contracts. A single admin address controlled by the team could replace a vault's strategy through the 24-hour timelock, and the audit report had flagged this centralized control. The audited strategies restricted withdrawals; the "Evil Strategy" contracts swapped in through the timelock removed those restrictions, so once a swap had executed, the team could withdraw the vault's funds to itself. The funds were not taken through a bug in the audited code: the privileged upgrade path worked as designed, and the only protection against its misuse was the 24-hour notice window, which nobody was monitoring.
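The auditors' advice quoted above is that a timelock is only worth anything if someone watches it. The following is an added example, not code from Compounder Finance or its auditors, of what such a watcher checks. It assumes a Compound-style Timelock (queueTransaction(target, value, signature, data, eta)), a controller/strategy vault layout in which functions such as setStrategy(address,address) re-route deposited funds, and a known set of audited contract addresses; the privileged function names, addresses, hashes and event data are all constructed for the example.

```python
"""Watch a Compound-style Timelock for queued calls that can re-route vault funds.

Added illustrative example; not code from Compounder Finance or its auditors.
Assumptions (not taken from the incident): the timelock follows the Compound
Timelock ABI, queueTransaction(target, value, signature, data, eta); the vault
uses a controller/strategy layout; and the privileged function names below are
hypothetical. All addresses, hashes and timestamps are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

HOUR = 3600

# Calls that change who holds or can withdraw deposited funds (hypothetical list).
PRIVILEGED_SIGNATURES = frozenset({
    "setStrategy(address,address)",
    "approveStrategy(address,address)",
    "setController(address)",
    "setGovernance(address)",
})


@dataclass(frozen=True)
class QueuedTransaction:
    """One QueueTransaction event as a Compound-style Timelock emits it."""
    tx_hash: str
    target: str      # contract the timelock will call once eta has passed
    signature: str   # e.g. "setStrategy(address,address)"
    data: bytes      # ABI-encoded arguments, no 4-byte selector
    eta: int         # earliest unix time at which executeTransaction succeeds
    queued_at: int   # block timestamp of the queueing transaction


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    reasons: tuple[str, ...]
    unaudited: tuple[str, ...]      # argument addresses outside the audited set
    hours_until_executable: float


def encode_addresses(*addrs: str) -> bytes:
    """ABI-encode static address arguments: each is left-padded to a 32-byte word."""
    return b"".join(bytes.fromhex(a[2:]).rjust(32, b"\0") for a in addrs)


def decode_addresses(data: bytes) -> list[str]:
    """Inverse of encode_addresses; sufficient for the address-only setters watched here."""
    if len(data) % 32:
        raise ValueError("arguments are not 32-byte aligned")
    return ["0x" + data[i + 12:i + 32].hex() for i in range(0, len(data), 32)]


def check_queued(tx: QueuedTransaction, audited: set[str], now: int,
                 min_warning_hours: float = 24.0) -> Alert | None:
    """Alert on a privileged call, on arguments naming contracts outside the audited
    set, and on a remaining window shorter than min_warning_hours."""
    if tx.signature not in PRIVILEGED_SIGNATURES:
        return None
    known = {a.lower() for a in audited}
    unaudited = tuple(a for a in decode_addresses(tx.data) if a.lower() not in known)
    hours = (tx.eta - now) / HOUR
    reasons = [f"privileged call {tx.signature} queued against {tx.target}"]
    if unaudited:
        reasons.append("argument names contract(s) not in the audited set: "
                       + ", ".join(unaudited))
    if hours < min_warning_hours:
        reasons.append(f"only {hours:.1f}h left before it can be executed")
    return Alert(tx.tx_hash, tuple(reasons), unaudited, hours)


def scan(events: list[QueuedTransaction], audited: set[str], now: int) -> list[Alert]:
    """Run check_queued over every queued transaction seen so far."""
    return [a for a in (check_queued(e, audited, now) for e in events) if a is not None]


# Constructed addresses and timestamps for the example run.
VAULT = "0x" + "11" * 20
AUDITED_STRATEGY = "0x" + "22" * 20
CONTROLLER = "0x" + "33" * 20
NEW_STRATEGY = "0x" + "bb" * 20      # stands in for a freshly deployed, unreviewed contract
T0 = 1_606_780_800                   # constructed block timestamp when the calls were queued


def run_example() -> list[Alert]:
    events = [
        # Routine parameter tweak: not in the privileged list, so no alert.
        QueuedTransaction("0xaaa1", CONTROLLER, "setSplit(uint256)",
                          (500).to_bytes(32, "big"), T0 + 24 * HOUR, T0),
        # Strategy swap to an address nobody has reviewed, executable 24h after queueing.
        QueuedTransaction("0xaaa2", CONTROLLER, "setStrategy(address,address)",
                          encode_addresses(VAULT, NEW_STRATEGY), T0 + 24 * HOUR, T0),
    ]
    # The watcher polls six hours after queueing, so 18h of the window remain.
    return scan(events, {VAULT, AUDITED_STRATEGY, CONTROLLER}, now=T0 + 6 * HOUR)


if __name__ == "__main__":
    for alert in run_example():
        print(alert.tx_hash, alert.hours_until_executable, *alert.reasons, sep="\n  ")
```

In production the QueuedTransaction records come from the timelock's QueueTransaction events, and an argument pointing at an address outside the audited set should page someone rather than print a line. The remaining-hours check matters because a 24-hour window only helps if the alert fires at the start of it; a swap that is noticed with two hours left leaves users no realistic time to withdraw.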

Total Amount Lost

The total amount lost has been estimated at $12,000,000 USD. Contemporary reporting described users as having collectively lost over $12 million; the sources collected here give no more precise figure.

Immediate Reactions

The project's website, Twitter, Medium, and Discord pages were deleted. Affected users, who had collectively lost over $12 million, directed their anger at the auditor, Solidity Labs, with some making death threats against the company. Solidity Labs published a post-mortem and its chat logs with the Compounder team, stating that its report had highlighted the team's ability to update the pools through the timelock from one address, and acknowledging that it should have been clearer about the implications.

Ultimate Outcome


Total Amount Recovered

There do not appear to have been any funds recovered in this case.


Ongoing Developments


General Prevention Policies

As the "team" was anonymous, it is entirely possible that it was a single individual masquerading as a team of developers.

In general, ensuring that the operators of a platform are known individuals who reside in a country with a solid legal system would assist in holding them to account. Requiring multiple signatures for privileged actions such as replacing a contract, rather than letting a single address act alone after a timelock delay, prevents any individual from running away with the funds, and background checks can keep known criminals from becoming operators.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References