The Ethereum decentralized finance (DeFi) space was just hit with a “rug pull,” with unknown developer(s) dragging in $12 million in what seems to be the biggest ostensible scam in recent weeks.

Here is that story.

What is Compounder Finance?

Late last month, anonymous developers rolled out a project called “Compounder Finance” and a native token with the ticker CP3R. While the project’s name and token ticker have components from Compound’s COMP and Andre Cronje‘s Keep3r Network, it has nothing to do with these projects.

From what limited information there is on the web, Compounder Finance is a meta yield aggregator that routed user deposits into different protocols to earn yield. Compounder also paid out CP3R, boosting returns considerably, to the point that they were far above those offered by other platforms.

This meant that users were willing to deposit millions into the contract, even though the project had just launched.

The scam

While users earned regular yields on their deposits over the first few days, something happened on Sunday and Monday.

To most, the first steps of the scam were seemingly harmless: the owner of the Compounder Finance protocol deployed new yield farming strategies via the timelock function. As many users presumably thought these strategies were legitimate, they kept their funds on the protocol.

This was anything but the case, though.

A malicious function within the contracts allowed the contract owner to manipulate the pool and withdraw all funds to his own address. As coder “Vasa” wrote on his blog:
“Compounder.Finance: Deployer (strategist) called inCaseStrategyTokenGetStuck() on StrategyController, which abused the manipulated withdraw() function of the Malicious Strategies to transfer the tokens in the Strategies to the StrategyController. Do this for all 7 Malicious Strategies.”
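The drain path described above runs through the controller’s “stuck token” rescue hook. As an added illustration (not Compounder’s code), this is how such a hook can be guarded so it can never move the deposit token; the names inCaseStrategyTokenGetStuck and StrategyController come from the quote, while approveStrategy, withdrawToken and the IStrategy interface are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal surfaces the controller needs (assumed interfaces, not Compounder's code).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IStrategy {
    function want() external view returns (address);  // the deposit token the strategy holds
    function withdrawToken(address token) external;   // sends a non-want token back to the controller
}

// A StrategyController whose "stuck token" hook cannot be turned into a drain of user deposits.
contract HardenedStrategyController {
    address public immutable governance;
    // strategy => deposit token, pinned by governance at approval; address(0) = not approved
    mapping(address => address) public approvedWant;

    event StrategyApproved(address indexed strategy, address indexed want);
    event StuckTokenRescued(address indexed strategy, address indexed token, uint256 amount);

    constructor() { governance = msg.sender; }
    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    // Guard 1: a strategy is only approved for the token it declares as want, and that
    // pairing is recorded here, so the strategy cannot later redefine what counts as "stuck".
    function approveStrategy(address token, address strategy) external onlyGovernance {
        require(approvedWant[strategy] == address(0), "already approved");
        require(IStrategy(strategy).want() == token, "want mismatch");
        approvedWant[strategy] = token;
        emit StrategyApproved(strategy, token);
    }

    // Guard 2: the rescue hook refuses the deposit token outright, closing the route the page
    // describes (inCaseStrategyTokenGetStuck -> manipulated withdraw -> deposits to controller).
    // Note: this does not make an arbitrary strategy safe; its own code still has to be read
    // during the timelock delay, because whatever it holds it can move on its own.
    function inCaseStrategyTokenGetStuck(address strategy, address token) external onlyGovernance {
        address want = approvedWant[strategy];
        require(want != address(0), "unknown strategy");
        require(token != want, "cannot rescue the deposit token");
        uint256 amount = IERC20(token).balanceOf(strategy);
        IStrategy(strategy).withdrawToken(token);
        emit StuckTokenRescued(strategy, token, amount);
    }
}
```

The two require checks in the rescue hook are the review point for a depositor: a controller that lets governance name the deposit token as “stuck” has the drain path regardless of how legitimate the strategies look.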
In all, $12.5 million was stolen. Much of these funds were in Wrapped Ethereum (WETH), stablecoins, Yearn.finance (YFI), and Uniswap (UNI).

The CP3R market has taken a beating since the hack was executed. The Ethereum-based coin trades for $0.27 now, down more than 99.5 percent from its all-time high price near $100.

Taken, the sequel

The scam affected large players in yield farming.

Yield farmer DeFiYield.info, who has been releasing investigative information about top Ethereum protocols over the past few months, recently issued a personal message to the scammer. They claim to have deposited $1,000,000 into the protocol, which has now been stolen.
“It’s only a matter of time before a criminal authority will find you and arrest you. I will not have any limit of time and budget to make a report as detailed as possible about your scam/rugpull, file it to all criminal authorities with the best lawyers I can find.”
Message to the scammer of https://t.co/kZv6MWkB3E just scammed approximately $10,800,000

I have personally lost approx. 1m$ and the rest of the crypto community lost approx. 10m$ from your rug pull.

— DefiYield.info (@defiyield_info) December 1, 2020
The individual has since made a Telegram group for those affected by the attack. In this group, they’re attempting to track down the scammer(s) through on-chain analytics and other methods.

Many are cheering for DeFiYield and others looking to take down the scammer, even if DeFiYield’s Twitter thread reads like a sequel to Taken, as one Twitter user put it.