The Ethereum decentralized finance (DeFi) space was just hit with a “rug pull,” with unknown developer(s) dragging in $12 million in what seems to be the biggest ostensible scam in recent weeks.
Here is that story.
What is Compounder Finance?
Late last month, anonymous developers rolled out a project called “Compounder Finance” and a native token with the ticker CP3R. While the project’s name and token ticker borrow components from Compound’s COMP and Andre Cronje’s Keep3r Network, it has nothing to do with these projects.
From what limited information there is on the web, Compounder Finance is a meta yield aggregator that placed user deposits into different protocols to earn yield. Compounder also yielded CP3R, boosting returns considerably, to the point that they were far above those offered by other platforms.
This meant that users were willing to deposit millions into the contract, even though the project had just launched.
The scam
While users earned regular yields on their deposits over the first few days, something happened on Sunday and Monday.
To most, the first steps of the scam were seemingly harmless: the owner of the Compounder Finance protocol deployed new yield farming strategies via the timelock function. As many users presumably thought these strategies were legitimate, they kept their funds on the protocol.
This was anything but the case, though.
A malicious function within the contracts allowed the contract owner to manipulate the pool to withdraw all funds to his own address. As coder “Vasa” wrote on his blog:
“Compounder.Finance: Deployer (strategist) called inCaseStrategyTokenGetStuck() on StrategyController which abuse the manipulated withdraw() function of the Malicious Strategies to transfer the tokens in the Strategies to the StrategyController. Do this for all 7 Malicious Strategies.”
In all, $12.5 million was stolen. Most of these funds were in Wrapped Ethereum (WETH)...