DeFi Rug Pull Scam Steals $11 Million in Crypto Tokens; $50K Bounty Set On C3PR’s Developers
- The wild west of decentralized finance (DeFi) is full of scams and rug pulls, and yet another group of investors has lost millions.
- On Tuesday, a DeFi project labeled “Compounder Finance” made away with over $10.8 million in investors’ funds in a rug pull as the developers exploited a hidden back door in the smart contract.
- What’s shocking is that Solidity Finance independently audited the smart contract.
Compounder Finance, a DeFi yield farming protocol billed as a “combination of Harvest protocol and Yearn Finance,” made away with nearly $11 million in users’ funds in an elaborate “backdoor rug pull scam.” According to records on Zerion, the Compounder wallet holds over $5.2 million worth of DAI, $4.9 million worth of Ethereum (ETH), and $757,000 worth of wrapped BTC (wBTC), among other tokens.
According to Robert Leshner, founder of Compound Finance, the developers used an elaborate scheme, different from other rug pulls witnessed across the year, to dupe the investors and steal their funds. The project's name was very similar to Compound Finance (COMP), and its ticker, C3PR, closely resembled that of the booming DeFi blue-chip Keeper Network (KP3R).
Hoping that @defiyield_info tracks them down.
— 🤖 Leshner (@rleshner) December 1, 2020
Rug pull scams have become more common in the world of DeFi as outright scams are shilled and sold to investors, only for the team members to make away with the pooled funds. However, this $11 million rug pull scheme was different from others in the market, given that its smart contract was audited and checked by Solidity Finance, an independent smart contract audit firm.
Audited smart contracts attract investors’ funds more quickly than unaudited ones, because the audit is expected to have checked the contract for vulnerabilities and other problems. So what happened to C3PR’s smart contract to enable the rug pull on investors?
In an audit report released on Nov. 19, Solidity Finance disclosed a flaw in C3PR’s smart contract. According to the report, the developers had snuck in a call function that allowed them to withdraw all the smart contract funds whenever they could. A spokesperson from Solidity explained,
“In the audit report, we highlighted the Compounder Team's ability to update the pools through the time lock all through one address.”
The developers knew of this flaw and purposefully chose to exploit it once the pooled funds were large enough; $11 million was enough. A Solidity Finance spokesperson explains that C3PR developers were aware of their centralized control of the project, which gave them the power to update the “audited and safe strategy pools.”
The developers then switched the audited smart contracts with “Evil Strategy smart contract pools” through the 24-hour time lock, which allowed them to start stealing users’ funds. According to the auditors, the process could have been stopped if the community raised the alarm, but the platform was unmonitored during that period.
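The monitoring gap described above, as an added example (not code from Solidity Finance, Compounder or this article): a watcher that reviews calls queued in a 24-hour time lock and alerts on any strategy swap pointing at an address outside the audited set. The record fields, the `setStrategy` function name and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

TIMELOCK_DELAY = 24 * 3600  # the 24-hour time lock described in the article

# Constructed placeholder addresses, not real contracts.
AUDITED = {"0x" + "aa" * 20, "0x" + "bb" * 20}  # strategies the audit covered
ADMIN = "0x" + "01" * 20                        # the single controlling address

@dataclass
class QueuedCall:
    queued_at: int     # unix time the call entered the time lock
    sender: str
    function: str      # hypothetical function name
    pool: str
    new_strategy: str

@dataclass
class Alert:
    pool: str
    new_strategy: str
    seconds_left: int  # time left for users to react; 0 = already executable

def review_queue(calls, now, audited=AUDITED, delay=TIMELOCK_DELAY):
    """Return alerts for queued strategy swaps that point at unaudited code."""
    known = {a.lower() for a in audited}  # hex addresses vary in letter case
    alerts = []
    for c in calls:
        if c.function != "setStrategy":   # only strategy replacements matter here
            continue
        if c.new_strategy.lower() in known:
            continue
        left = max(0, c.queued_at + delay - now)
        alerts.append(Alert(c.pool, c.new_strategy, left))
    return sorted(alerts, key=lambda a: a.seconds_left)  # most urgent first

# Constructed sample queue: one audited swap, one fee change, two unaudited swaps.
SAMPLE_QUEUE = [
    QueuedCall(1000, ADMIN, "setStrategy", "DAI", "0x" + "AA" * 20),
    QueuedCall(2000, ADMIN, "setStrategy", "WETH", "0x" + "ee" * 20),
    QueuedCall(3000, ADMIN, "setFee", "DAI", ""),
    QueuedCall(50000, ADMIN, "setStrategy", "WBTC", "0x" + "dd" * 20),
]

if __name__ == "__main__":
    for alert in review_queue(SAMPLE_QUEUE, now=84800):
        print(f"ALERT pool={alert.pool} strategy={alert.new_strategy} "
              f"executable in {alert.seconds_left}s")
```

A time lock only protects depositors if something like this runs continuously and the alert reaches them before the delay expires.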
So far, efforts are being made to locate the rug pull scammers, with Defiyield.info, an investor who claims to have lost over $1 million in the C3PR scam, offering a bounty of up to $50,000 for any help in locating the funds and the developers.
I will allocate personally 50k$ as bounty to whoever can find any information which will help tracking you down, and returning the funds to those who suffered from your fraud.
— DefiYield.info 👨🌾🚜 (@defiyield_info) December 1, 2020