Read on Twitter
Compounder Finance Post-Mortem Report
https://simpleaswater.com/cp3r
See the full report for a better explanation.
See thread for summary
https://simpleaswater.com/cp3r
See the full report for a better explanation.
See thread for summary
Average Joe Executive Summary:
TOTAL RUGGED VAULE (TRV): $12,464,316.329
The rug-pull was being planned/worked on for about (or more) than a MONTH.
(The oldest malicious strategy, was deployed on Nov-08-2020 02:00:49 AM +UTC) https://etherscan.io/tx/0x847b85734c342b706454c9b79e126eaa0e54bcacf437b1180be92c04df109e5b
TOTAL RUGGED VAULE (TRV): $12,464,316.329
The rug-pull was being planned/worked on for about (or more) than a MONTH.
(The oldest malicious strategy, was deployed on Nov-08-2020 02:00:49 AM +UTC) https://etherscan.io/tx/0x847b85734c342b706454c9b79e126eaa0e54bcacf437b1180be92c04df109e5b
Assets Rugged (8):
1. 8,077.540667 Wrapped Ether ($4,820,030.07)
2. 1,300,610.936154161964594323 yearn: yCRV Vault ($1,521,714.80)
3. 0.016390153857154838 Compound (COMP) ($1.79)
4. 105,102,172.66293264 Compound USDT ($2,169,782.85)
1. 8,077.540667 Wrapped Ether ($4,820,030.07)
2. 1,300,610.936154161964594323 yearn: yCRV Vault ($1,521,714.80)
3. 0.016390153857154838 Compound (COMP) ($1.79)
4. 105,102,172.66293264 Compound USDT ($2,169,782.85)
Assets Rugged (8):
5. 97,944,481.39815207 Compound USD Coin ($2,096,403.68)
6. 1,934.23347357 Compound Wrapped BTC ($744,396.89)
7. 23.368131489683158482 Aave Interest bearing YFI ($628,650.174379401)
8. 6,230,432.06773805 Compound Uniswap ($466,378.99)
5. 97,944,481.39815207 Compound USD Coin ($2,096,403.68)
6. 1,934.23347357 Compound Wrapped BTC ($744,396.89)
7. 23.368131489683158482 Aave Interest bearing YFI ($628,650.174379401)
8. 6,230,432.06773805 Compound Uniswap ($466,378.99)
Wallets with the funds after rug-pull:
https://etherscan.io/address/0x944f214a343025593d8d9fd2b2a6d43886fb2474
Assets under control: 1,800,000 DAI
Request to @etherscan to flag this account. To exchanges, please blacklist this address.
https://etherscan.io/address/0x944f214a343025593d8d9fd2b2a6d43886fb2474
Assets under control: 1,800,000 DAI
Request to @etherscan to flag this account. To exchanges, please blacklist this address.
Wallets with the funds after rug-pull:
https://etherscan.io/address/0x079667f4f7a0b440ad35ebd780efd216751f0758
Assets under control:
- 5,066,124.665456504419940414 DAI
- 39.05381415 WBTC
- 4.38347845834390477 CP3R
- 0.004842656997849285 COMP
- 0.000007146621650034 UNI-V2
Request to @etherscan, exchanges to flag this account
https://etherscan.io/address/0x079667f4f7a0b440ad35ebd780efd216751f0758
Assets under control:
- 5,066,124.665456504419940414 DAI
- 39.05381415 WBTC
- 4.38347845834390477 CP3R
- 0.004842656997849285 COMP
- 0.000007146621650034 UNI-V2
Request to @etherscan, exchanges to flag this account
We're still investigating, and we might add more addresses here. If you find something, feel free to reach out via DM.
Actors involved
1. http://Compounder.Finance : Deployer: [Externally Owned Address] https://etherscan.io/address/0x079667f4f7a0b440ad35ebd780efd216751f0758
The main address which orchestrated the rug-pull.
1. http://Compounder.Finance : Deployer: [Externally Owned Address] https://etherscan.io/address/0x079667f4f7a0b440ad35ebd780efd216751f0758
The main address which orchestrated the rug-pull.
Actors involved
2. Timelock Contract (copied from http://compound.finance ) [contract]
https://etherscan.io/address/0xc70b945fc25897bb218110f6b0a53fe1f8f881f0
The 24h Timelock was used to set & approve 7 malicious Strategies.
2. Timelock Contract (copied from http://compound.finance ) [contract]
https://etherscan.io/address/0xc70b945fc25897bb218110f6b0a53fe1f8f881f0
The 24h Timelock was used to set & approve 7 malicious Strategies.
Actors involved
3. http://Compounder.Finance : StrategyControllerV1 (copied from http://yearn.finance ) [contract]
https://etherscan.io/address/0b283b107f70d23250f882fbfe7216c38abbd7ca
The contract is used to keep track of active Strategies/Vaults.
The TimeLock (24h) set/approved malicious strategies on this contract.
3. http://Compounder.Finance : StrategyControllerV1 (copied from http://yearn.finance ) [contract]
https://etherscan.io/address/0b283b107f70d23250f882fbfe7216c38abbd7ca
The contract is used to keep track of active Strategies/Vaults.
The TimeLock (24h) set/approved malicious strategies on this contract.
Actors involved
4. StrategyEmptyWETH [malicious strategy contract]
https://etherscan.io/address/0xe2577123244255eCAD0d405381b452292acC5049
8,077.540667 Wrapped Ether ($4,820,030.07) was robbed from this strategy using the manipulated withdraw() function.
4. StrategyEmptyWETH [malicious strategy contract]
https://etherscan.io/address/0xe2577123244255eCAD0d405381b452292acC5049
8,077.540667 Wrapped Ether ($4,820,030.07) was robbed from this strategy using the manipulated withdraw() function.
Actors involved
5. StrategyCompoundUSDT [malicious strategy contract]
https://etherscan.io/address/0x87654f58fAFf71F04291B293E4Af2d52dCbe7F15
0.8399598696088154 COMP ($91.35), 105,102,172.66293264 Compound USDT ($2,146,741.31) were robbed from this strategy using the manipulated withdraw() function.
5. StrategyCompoundUSDT [malicious strategy contract]
https://etherscan.io/address/0x87654f58fAFf71F04291B293E4Af2d52dCbe7F15
0.8399598696088154 COMP ($91.35), 105,102,172.66293264 Compound USDT ($2,146,741.31) were robbed from this strategy using the manipulated withdraw() function.
Actors involved
6. StrategyCompoundUSDC [malicious strategy contract]
https://etherscan.io/address/0x6a14fDCbF6FEc2F7221B54536279932582f9964c
0.172580200843980945 COMP ($18.77),
97,944,481.39815207 Compound USDT ($2,084,825.66) were robbed from this strategy using the manipulated withdraw() function.
6. StrategyCompoundUSDC [malicious strategy contract]
https://etherscan.io/address/0x6a14fDCbF6FEc2F7221B54536279932582f9964c
0.172580200843980945 COMP ($18.77),
97,944,481.39815207 Compound USDT ($2,084,825.66) were robbed from this strategy using the manipulated withdraw() function.
Actors involved
7. StrategyDAICurve [malicious strategy contract]
https://etherscan.io/address/0xaf274e912243b19B882f02d731dacd7CD13072D0
1,300,610.936154161964594323 yearn: yCRV Vault ($1,547,727.01) were robbed from this strategy using the manipulated withdraw() function.
7. StrategyDAICurve [malicious strategy contract]
https://etherscan.io/address/0xaf274e912243b19B882f02d731dacd7CD13072D0
1,300,610.936154161964594323 yearn: yCRV Vault ($1,547,727.01) were robbed from this strategy using the manipulated withdraw() function.
Actors involved
8. StrategyCompoundWBTC [malicious strategy contract]
https://etherscan.io/address/0x478c070341265d5Fc563512AD7c9c6481A4A3a24
1,934.23347357 Compound Wrapped BTC ($744,396.89) were robbed from this strategy using the manipulated withdraw() function.
8. StrategyCompoundWBTC [malicious strategy contract]
https://etherscan.io/address/0x478c070341265d5Fc563512AD7c9c6481A4A3a24
1,934.23347357 Compound Wrapped BTC ($744,396.89) were robbed from this strategy using the manipulated withdraw() function.
Actors involved
9. StrategyAaveYFI [malicious strategy contract]
https://etherscan.io/address/0x785038E55C3c77256bDC9a03535FD3e8d948A116
23.368131489683158482 Aave Interest bearing YFI ($628,650.174379401) were robbed from this strategy using the manipulated withdraw() function.
9. StrategyAaveYFI [malicious strategy contract]
https://etherscan.io/address/0x785038E55C3c77256bDC9a03535FD3e8d948A116
23.368131489683158482 Aave Interest bearing YFI ($628,650.174379401) were robbed from this strategy using the manipulated withdraw() function.
Actors involved
10. StrategyAaveYFI [malicious strategy contract]
https://etherscan.io/address/0x785038E55C3c77256bDC9a03535FD3e8d948A116
23.368131489683158482 Aave Interest bearing YFI ($628,650.174379401) were robbed from this strategy using the manipulated withdraw() function.
10. StrategyAaveYFI [malicious strategy contract]
https://etherscan.io/address/0x785038E55C3c77256bDC9a03535FD3e8d948A116
23.368131489683158482 Aave Interest bearing YFI ($628,650.174379401) were robbed from this strategy using the manipulated withdraw() function.
Actors involved
11. StrategyCompoundUNI [malicious strategy contract]
https://etherscan.io/address/0xe693e36cf773f4A47eB03d46666Ee5116e04aFD5
0.133955849024785085 COMP ($14.52), 6,230,432.06773805 ($469,793.27) Compound Uniswap were robbed from this strategy using the manipulated withdraw() function.
11. StrategyCompoundUNI [malicious strategy contract]
https://etherscan.io/address/0xe693e36cf773f4A47eB03d46666Ee5116e04aFD5
0.133955849024785085 COMP ($14.52), 6,230,432.06773805 ($469,793.27) Compound Uniswap were robbed from this strategy using the manipulated withdraw() function.
Who is to blame?
Nobody.
The auditors ( https://solidity.finance/ ) did their audit ( https://solidity.finance/audits/CP3R/ ) which included making sure that the Compounder Finance stays safe from external attacks.
Nobody.
The auditors ( https://solidity.finance/ ) did their audit ( https://solidity.finance/audits/CP3R/ ) which included making sure that the Compounder Finance stays safe from external attacks.
They did mention their concern about the centralization in Compounder Finance in their audit report ( https://solidity.finance/audits/CP3R/ ) and the TG chat ( https://solidity.finance/audits/CP3R/ChatLogs.pdf).
To some extent, the whole DeFi ecosystem has the responsibility to work together to prevent such rug-pulls.
To some extent, the whole DeFi ecosystem has the responsibility to work together to prevent such rug-pulls.
How to be safe from such rug-pulls?
Timelocks should not be trusted as a method to prevent rug pulls. If used anyway, an automated alert system or dashboard should be put in place to monitor transactions at that address.
Timelocks should not be trusted as a method to prevent rug pulls. If used anyway, an automated alert system or dashboard should be put in place to monitor transactions at that address.
Moreover, as highlighted here, 24 hours appears to be insufficient to provide enough warning for users to remove funds.
Not all projects with anonymous founders are scams. But nearly all scams are projects with anonymous founders. As a community, we need to be warier of anonymous founders going forward; especially those who use untraceable sources of funds like http://Tornado.cash .
What should we learn from this as a community?
The mere existence of an audit report should not be sufficient to convince users to invest in or assure them of a projects' safety and legitimacy.
The mere existence of an audit report should not be sufficient to convince users to invest in or assure them of a projects' safety and legitimacy.
Audits often focus on risks from external attackers more than from internal ones - and this is likely an issue within the community that auditors need to improve upon.
Moreover, auditors often do not explain issues in a way the average DeFi user can understand - this is another area for improvement.
It is not wise to chase high APYs into small or suspect projects. Obtaining a *sustainable* APY above 5% is difficult in the current financial environment; any project offering higher APYs should be viewed with some level of suspicion.
The project team has the ability to wreak havoc in nearly any project users invest in. Whether it be through the minting of tokens, dumping private supply, or clever contract swaps as we see here, risks to users almost always exist.
