Compounder Finance Rug Pull - December 2020 ($12M)
Overview
In December 2020, approximately $10.8 million in investor funds was stolen from Compounder Finance through a hidden backdoor in the project's smart contracts. Compounder Finance was a self-described clone of Harvest and Yearn Finance built by pseudonymous programmers; its contracts were drained of $750,000 worth of wrapped bitcoin (WBTC), $4.8 million in ether, $5 million in dai and a small assortment of other tokens.
The Exploit Mechanism
The developers had slipped in a function that allowed them to withdraw all funds from the project, something a decentralized finance project should never permit. The Compounder team swapped out the safe, audited Strategy contracts for malicious 'Evil Strategy' contracts that let them steal users' funds, and they did so through a public, though clearly unmonitored, 24-hour timelock.
Compounder's token contracts were created on November 10, 2020, and the threshold for the exploit was apparently met on Tuesday, December 1st.
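The timelock was public, so a queued strategy swap could have been caught before it executed. As an added example (not code from the page or from Compounder), the script below scans a constructed timelock queue and flags any queued call that would re-point a vault at a strategy outside an audited allowlist; the controller function names, addresses and queue entries are assumptions, not real chain data.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical audited strategy addresses (placeholders, not real contracts)
AUDITED_STRATEGIES = {"0xAUDITED_STRATEGY_A", "0xAUDITED_STRATEGY_B"}

# Controller calls that re-point a vault at a new strategy (assumed Yearn-style names)
SENSITIVE_SIGNATURES = {"setStrategy(address,address)", "approveStrategy(address,address)"}


@dataclass
class QueuedTx:
    """One entry in the timelock's public queue."""
    tx_hash: str
    target: str
    signature: str
    args: tuple
    eta: int  # unix time after which the timelock lets the call execute


def classify(tx: QueuedTx, now: int) -> Optional[dict]:
    """Alert on a queued call that would swap a vault's strategy to an address
    outside the audited allowlist; return None for anything else."""
    if tx.signature not in SENSITIVE_SIGNATURES:
        return None
    vault, new_strategy = tx.args
    if new_strategy in AUDITED_STRATEGIES:
        return None
    return {
        "tx_hash": tx.tx_hash,
        "vault": vault,
        "new_strategy": new_strategy,
        "hours_until_executable": max(0.0, (tx.eta - now) / 3600),
        "severity": "critical",
    }


def scan_queue(queue, now: int) -> list:
    """Run classify over the whole queue and keep only the alerts."""
    return [a for a in (classify(tx, now) for tx in queue) if a is not None]


# Constructed sample queue: one benign strategy swap, one suspicious swap, one fee change.
NOW = 1606780800  # 2020-12-01 00:00 UTC
SAMPLE_QUEUE = [
    QueuedTx("0xtx1", "0xCONTROLLER", "setStrategy(address,address)",
             ("0xVAULT_DAI", "0xAUDITED_STRATEGY_A"), NOW + 86400),
    QueuedTx("0xtx2", "0xCONTROLLER", "setStrategy(address,address)",
             ("0xVAULT_WBTC", "0xUNVERIFIED_STRATEGY"), NOW + 86400),
    QueuedTx("0xtx3", "0xCONTROLLER", "setFee(uint256)", (50,), NOW + 86400),
]
```

Running `scan_queue(SAMPLE_QUEUE, NOW)` returns a single critical alert for the WBTC vault with 24 hours left before the swap becomes executable, which is the window a monitored timelock gives depositors to withdraw.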
Social Engineering
Compounder impersonated Compound Finance's name in order to lure in more victims. Robert Leshner, founder of Compound Finance, called the rug-pull "one of the largest purposeful cryptocurrency exploits in recent memory; an exploit categorically different from other DeFi exploits because of its patient endgame."
Audit Failure
Solidity Finance found the time-locked contract in question as early as mid-November and flagged it to the project's developers. However, Compounder not only knew about the function, but apparently had plans for it, swapping safe audited Strategy contracts with malicious 'Evil Strategy' contracts.
Aftermath
A Telegram group of investors explored legal action against the developers, although little was known about the people behind Compounder. One investor, who claimed to have lost $1 million, offered a $50,000 bounty for information leading to the seizure of the stolen funds.