An exit scam allegedly performed by Compounder Finance DeFi developers has left investors $11 million out of pocket.
Compounder Finance called itself a "smarter farming" platform and a Harvest/Yearn Finance clone, as first reported by CoinDesk.
At the time of writing, the project's website, Twitter, Medium, and Discord pages appear to have been deleted.
According to a cached version of a Medium blog post describing the project, dated November 8, Compounder Finance claimed to be an automated farming system offering compound interest on digital assets while also earning native CP3R tokens as a "reward."
See also: Chainalysis launches program to manage cryptocurrency seized by law enforcement
"We will examine yields, security and complexity of new pools that will keep our stakers comfortable knowing they have a competitive edge to other farmers. We hope to offer the next generation of high-interest returns," the developers claimed.
Pools supported ETH, DAI, USDT, and USDC.
Compounder Finance, having only launched last month, promised investors that the Ethereum-based decentralized finance (DeFi) project implemented 24-hour time locks on all smart contracts imposed in the interest of safety, but what wasn't known is that the developers allegedly included a hidden backdoor into the system.
In a 'rug-pull,' otherwise known as the unexpected removal of liquidity from a token, once the platform had secured enough funding from eager investors, roughly $10.8 million in wrapped Bitcoin (WBTC), ETH, DAI, and other tokens was transferred out of the project.
DefiYield, a Twitter user that claims to have lost $1 million in investment due to the rug pull, has offered a $100,000 reward for any information leading to the identity of the threat actor, or any means to return stolen funds to victims.
"As this is a substantial loss for me and many more crypto farmers, I will keep going on with the investigation and pushing the authorities now and in the coming years, until there will be a positive result," the investor said.
CNET: Google researcher demonstrates iPhone exploit with Wi-Fi takeover
A Telegram group has also been created for impacted investors to explore their legal options.
Solidity Finance previously audited the project (.PDF) for external threat potential and flagged the suspicious time-locked smart contract setup, as well as the control maintained by the central development team.
Malicious strategy contracts were added after the audit, allowing the rug pull deployer to withdraw funds.
TechRepublic: Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company
Together with @vasa_develop from Stake Capital, a post-mortem report on the rug pull has now been published.
"The Compounder team swapped the safe/audited Strategy contracts and replaced them with malicious 'Evil Strategy' contracts that allowed them to steal user funds," Solidity Finance said. "They did this through a public, though clearly unmonitored, 24-hour timelock. The team had the power to update strategy pools and they did so maliciously here."
At the time of writing, the CP3R token is worth $0.34, down from $80.18 on November 25.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0