$10.8 million theft, developers involved in alleged "Rug Pull" smart contract

Another decentralized finance (DeFi) project has been breached in recent days, with approximately $10.8 million in investor funds stolen due to a hidden backdoor in the project's smart contracts.

A trap waiting to spring

Compounder Finance - a Harvest and Yearn Finance clone built by pseudonymous programmers - has seen its contracts drained of $750,000 in wrapped bitcoin (WBTC), $4.8 million in ether, $5 million in dai and a small assortment of other tokens, according to an address associated with the exploit.

And while the attack looks similar to other DeFi thefts or exploits carried out over and over again in 2020, this one is different because of the apparent scam the Compounder developers were running, according to Robert Leshner, founder of the lending protocol Compound Finance.

Leshner said Compounder looked like any other DeFi yield farming project that invaded the cryptocurrency industry last summer. But the developers had put in a feature that allowed them to withdraw all funds from the project - an action that a decentralized finance project should never allow - whenever they thought the loot was big enough.

On the hunt for the unknown Compounder developers

This threshold was likely reached last week, even though Compounder's token contracts were created on November 10, according to Etherscan. Leshner called the rug pull "one of the biggest" cryptocurrency exploits in recent memory; a DeFi exploit categorically different from the others due to its patient endgame.

He further stated that Compounder “took back the name of Compound Finance” to attract more victims. A group of investors is currently discussing on Telegram what legal moves to take against the developers, although little is known about the faces and names behind Compounder.

An investor who claims to have lost $1 million in funds is offering a $50,000 bounty for information related to the seizure of the stolen funds. Compounder's native token, CP3R, has dropped 98.8% in the past 24 hours and is now trading at $0.24, according to CoinGecko.

More audits are needed for smart contracts

Compounder had been inspected by Solidity Finance in an audit, a procedure for verifying the conformity of a product or service, demonstrated through objective tests. Solidity Finance said it had identified the fraudulent contract in question as early as mid-November and reported it to the project developers, attaching the documentation.

Unfortunately, Compounder not only knew about the problem, but apparently had plans attached to it. Many DeFi investors are now learning that audits don't necessarily equate to a secure protocol.

Akropolis Finance represents another recent example. The protocol was breached early last month for $2 million in dai, even though its contracts were verified by two different companies. Solidity Finance said it plans to provide more information on possible “developer control risks” in the future.