- A smart contract auditor said that the community of a DeFi protocol should have done its own research to prevent a rug pull.
- Compounder was looted for $12 million.
- The auditors disclosed the vulnerability.
Another decentralized finance protocol bites the dust, and its users—who have collectively lost over $12 million—are understandably upset. So upset, in fact, some have waged death threats against Solidity Labs, the company responsible for auditing the project and ensuring the code was safe.
The downed DeFi protocol in question is Compounder, a decentralized finance protocol that shifts investors’ money around other DeFi protocols to eke out the best returns.
The DeFi tool allegedly pulled the rug on its customers, looting $12.5 million worth of cryptocurrency from its vaults.
It’s not an unfamiliar scenario in the wild west of DeFi. The users of such protocols, many of which are used to lend out crypto or trade crypto on non-custodial exchanges, have become victims to such hacks, exploits, or outright scams on a nearly weekly basis.
The thing is, unlike other DeFi protocols, Compounder’s smart contracts are audited, meaning that an independent team had rooted around the code to ensure that everything was a-ok.
Audited smart contracts are the gold standard in DeFi—independent verification that the code does what its developers claim, as well as a laundry list of vulnerabilities.
So, how did Compounder’s developers still pull the wool over everyone’s eyes?
They didn’t: the auditors, Solidity Labs, had disclosed the flaw in its audit on November 19.
“In the audit report we highlighted the Compounder Team's ability to update the pools through the timelock all through one address,” a spokesperson from Solidity Labs told Decrypt.
Put another way, Compounder’s developers drained the protocol’s wallets by replacing their asset pools with contracts that removed restrictions from the withdraw function.
Months ago, they had inserted this code into several compounder smart codebases by swapping the audited code for malicious “Evil Strategy” contracts. They could do this by a 24-hour timelock; if someone caught them in the act, they could raise it to the community. But nobody was watching, and the rug-puller managed to execute their code.
So, who is to blame? According to a post-mortem written by Solidity and DeFi researcher Vaibhav Saini, “Nobody.”
"Theauditors didtheir audit which included making sure that the Compounder Finance stays safe from external attacks,” and raised concerns about the prospect of a rug-pull in the audit and in Telegram chats.
“We will admit we should have been clearer here about the implications of this and how it could be used,” the Solidity spokesperson told Decrypt, but noted that it linked the timelock in its audit “for users to monitor.”
“Evidently, no one monitored the timelock as malicious strategies started being deployed weeks ago,” they said.
If anything, wrote Saini in the post-mortem, “the whole DeFi ecosystem has the responsibility to work together to prevent such rug-pulls from happening.”
The Solidity spokesperson would not go into further detail on the death threats that the firm has received so as not to “feed the trolls,” but said its account had received such threats over the last 36 hours since the Compounder accounts were drained.
Though the Solidity spokesperson noted that the firm could have done more to explain the issue, they said that “Part of this is on users for not performing research,” noting, “Just because an audit report is released does not mean it is safe.”
Do your own research, folks.