DeFi Rug Pull Scam Steals $11 Million in Crypto Tokens; $50K Bounty Set On C3PR’s Developers

  • The wild west of decentralized finance (DeFi) is full of scams and rug pulls, yet another bunch of investors lose millions.
  • On Tuesday, a DeFi project labeled ‘Compounder Finance' made away with over $10.8 million in investors’ funds in a rug pull as the developers exploited a hidden back door in the smart contract.
  • What’s shocking is that Solidity Finance independently audited the smart contract.

Compounder Finance, a DeFi yield farming protocol raising as a “combination of Harvest protocol and Yearn Finance, made away with nearly $11 million in users funds in an elaborate “backdoor rug pull scam.” According to records on Zerion, the Compounder wallet holds over $5.2 million worth of DAI, $4.9 million worth of Ethereum (ETH), and $757,000 worth of wrapped BTC (wBTC), among other tokens.

According to Robert Leshner, founder of Compound Finance, the developers used an elaborate scheme, different from other rug pulls witnessed across the year, to dup the investors into stealing their funds. The project was named very similar to Compound Finance (COMP) with its ticker, C3PR, closely related to the booming DeFi blue-chip Keeper Network (KP3R).

Rug pull scams have become more common in the world of DeFi as outright scams are shilled and sold to investors only for the team members to make away with the pooed funds. However, this $11 million rug pull scheme was different from others in the market given its smart contract was audited and checked by Solidity Finance, an independent, smart contract audit firm.

Audited smart contracts pull investors’ funds quicker than unaudited ones as vulnerabilities and problems with the smart contract are checked to ensure everything is running fine. So what happened to C3PR’s smart contract to enable the rug to pull on investors?

In an audit report released on Nov. 19, Solidity Finance disclosed a flaw in C3PR’s smart contract. According to the report, the developers had snuck in a call function that allowed them to withdraw all the smart contract funds whenever they could. A spokesperson from Solidity explained,

“In the audit report, we highlighted the Compounder Team's ability to update the pools through the time lock all through one address.”

The developers knew of this flaw and purposefully chose to exploit it once the booty would be large enough; an $11 million heist did it. A Solidity Finance spokesperson explains that C3PR developers were aware of their centralized control of the project, which gave them the power to update the “audited and safe strategy pools.”

The developers then switched the audited smart contracts with “Evil Strategy smart contract pools” through the 24-hour time lock, which allowed them to start stealing users’ funds. According to the auditors, the process could have been stopped if the community raised the alarm, but the platform was unmonitored during that period.

So far, efforts are being made to locate the rug pull scammers with, an investor who claims to have lost over $1 million in the C3PR scam, offering up to $50,000 bounty for any help in locating the funds and the developers.

Get Daily Headlines

Enter Best Email to Get Trending Crypto News & Bitcoin Market Updates

What to Know More?

Join Our Telegram Group to Receive Live Updates on The Latest Blockchain & Crypto News From Your Favorite Projects

Join Our Telegram

Stay Up to Date!

Join us on Twitter to Get The Latest Trading Signals, Blockchain News, and Daily Communication with Crypto Users!

Join Our Twitter

Add comment

E-mail is already registered on the site. Please use the Login form or enter another.

You entered an incorrect username or password

Sorry, you must be logged in to post a comment.
Bitcoin Exchange Guide