Buggy Code in This Compound Finance Fork Just Froze $1M in Ethereum Tokens
Some $1 million in Ethereum tokens is locked in a new DeFi app after its developers made changes to the protocol’s interest rate smart contracts.
A total of 446K USDC, 28 WBTC and 313 ETH, worth approximately $1 million, are currently frozen. Half of these immobile funds belong to PercentFinance’s “community mod team,” according to the post. Withdrawals for other markets are open, but the team is urging users not to borrow from any of PercentFinance’s markets in the meantime.
The error
In a Discord discussion regarding the vulnerability, Vfat, an Ethereum and PercentFinance developer, said the developer who forked PercentFinance from Compound Finance used “old contracts from Compound instead of ... newer, much better versions.”
Vfat moved to upgrade some of these smart contracts, specifically those that handle the interest rates for the platform’s loans. After Vfat finalized the changes and deployed them, he realized the function signatures of the old contracts and the new contracts were incompatible, so calls to the new contracts could not succeed.
“The old and new interest rate models have different function signatures on these all-important functions,” he said in the Discord chat. “Essentially the token contract is trying to find an interest rate function that doesn't exist, so it always fails in every interaction.”
Vfat also said in the chat the “Compound [team has] confirmed that this means that the contract is bricked.”
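A mismatch of this kind can be caught before deployment by comparing the interface the calling contract expects with the ABI of the replacement. The Python check below is an added example, not code from PercentFinance or Compound; both ABIs, including their function names and types, are constructed for illustration.

```python
def index_abi(abi):
    """Map canonical signature -> tuple of return types for each function."""
    out = {}
    for e in abi:
        if e.get("type") != "function":
            continue
        sig = "%s(%s)" % (e["name"], ",".join(i["type"] for i in e["inputs"]))
        out[sig] = tuple(o["type"] for o in e.get("outputs", []))
    return out

def check_upgrade(expected_abi, candidate_abi):
    """List every call the existing caller makes that the candidate cannot
    answer: the function is absent, or its return data has another shape."""
    have = index_abi(candidate_abi)
    problems = []
    for sig, outs in index_abi(expected_abi).items():
        if sig not in have:
            problems.append("missing: " + sig)
        elif have[sig] != outs:
            problems.append("return mismatch: %s expects %s, candidate returns %s"
                            % (sig, outs, have[sig]))
    return problems

def fn(name, inputs, outputs):
    """Build one ABI function entry from lists of Solidity type names."""
    wrap = lambda types: [{"type": t} for t in types]
    return {"type": "function", "name": name,
            "inputs": wrap(inputs), "outputs": wrap(outputs)}

U = "uint256"
# Constructed: what the already-deployed token contract calls on its rate model.
EXPECTED_BY_TOKEN = [
    fn("getBorrowRate", [U, U, U], [U, U]),
    fn("isInterestRateModel", [], ["bool"]),
]
# Constructed: the interface exposed by the proposed replacement rate model.
NEW_MODEL = [
    fn("getBorrowRate", [U, U, U], [U]),
    fn("getSupplyRate", [U, U, U, U], [U]),
]

if __name__ == "__main__":
    issues = check_upgrade(EXPECTED_BY_TOKEN, NEW_MODEL)
    for line in issues:
        print(line)
    # A non-zero exit lets a deployment script or CI job block the upgrade.
    raise SystemExit(1 if issues else 0)
```

Run as a gate in the deployment pipeline, a non-empty result means the immutable caller would revert on every call to the new dependency.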
The recourse
In direct messages with CoinDesk, Vfat said it is still too early on in the recovery process for a definitive plan, especially considering no one has had a chance to speak with Centre or BitGo yet, the issuers of the USDC crypto dollar and WBTC token, respectively.
Because USDC and WBTC have backdoors into their smart contracts, these issuers would be able to blacklist the addresses with the locked funds (even though they are already inaccessible, Vfat said this would be a good “extra precaution”). After the blacklisting, BitGo and Centre could then reissue new tokens to the old tokens’ owners, something Tether did for a trader who mistakenly transferred $1 million in USDT tokens to the wrong address.
A Centre representative told CoinDesk the company can only meddle with USDC transactions if it receives “a valid, binding court-order from a competent U.S. court that has authority over Centre.”
Representatives for BitGo were not available for comment at press time.
For other recovery efforts, Vfat said one early-stage proposal suggests launching new contracts for the USDC lending markets. Though 27% of the loans are locked in the old contracts, these new ones would allow borrowers to pay back the rest of their loans, and so retrieve their collateral and pay lenders back 73 cents on the dollar.
All of the PercentFinance lending platform’s WBTC is locked up, so without cooperation from BitGo those funds are lost to the ether. Likewise, 100% of PercentFinance’s ETH funds were also frozen, and there’s no practical way to recover these funds.
“Regardless of this haircut procedure I am taking responsibility for the full amount of these losses and will do everything I can to make everyone 100% whole,” Vfat told CoinDesk.