Buggy Code in This Compound Finance Fork Just Froze $1M in Ethereum Tokens

5 November 2020

Some $1 million in Ethereum tokens is locked in a new DeFi app after its developers made changes to the protocol’s interest rate smart contracts.

DeFi lending platform PercentFinance, a fork of Compound Finance, wrote in a blog post on Nov. 4 “that some of [its] money markets experienced an issue that can result in permanent locking of user funds.” The team froze money markets specifically for USDC, ETH and wrapped bitcoin (WBTC).

A total of 446K USDC, 28 WBTC and 313 ETH, worth approximately $1 million, are currently frozen. Half of these immobile funds belong to PercentFinance’s “community mod team,” according to the post. Withdrawals for other markets are open, but the team is urging users not to borrow from any of PercentFinance’s markets in the meantime.


The error

In a Discord discussion regarding the vulnerability, Vfat, an Ethereum and PercentFinance developer, said the developer who forked PercentFinance from Compound Finance used “old contracts from Compound instead of … newer, much better versions.”

Vfat moved to upgrade some of these smart contracts, specifically those that handle the interest rates for the platform’s loans. After Vfat finalized the changes and deployed them, he realized the function signatures of the old and new contracts were incompatible, so the token contracts’ calls to the new ones could not succeed.

“The old and new interest rate models have different function signatures on these all important functions,” he said in the Discord chat. “Essentially the token contract is trying to find an interest rate function that doesn’t exist, so it always fails in every interaction.”

Vfat also said in the chat that “Compound [team has] confirmed that this means that the contract is bricked.”
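
The mismatch Vfat describes can be caught before deployment by comparing the 4-byte function selectors the already-deployed token contract calls with those present in the new model's bytecode. The Python below is an added example, not PercentFinance or Compound code: the function signatures and the bytecode fragment are hypothetical and constructed for illustration, and the PUSH4 scan is a heuristic.

```python
def rol(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & (2**64 - 1)

def keccak_f(s):
    """Keccak-f[1600] permutation over 64-bit lanes s[x][y]."""
    r = 1
    for _ in range(24):
        c = [s[x][0] ^ s[x][1] ^ s[x][2] ^ s[x][3] ^ s[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [[s[x][y] ^ d[x] for y in range(5)] for x in range(5)]      # theta
        x, y, cur = 1, 0, s[1][0]
        for t in range(24):                                            # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, s[x][y] = s[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):                                             # chi
            row = [s[x][y] for x in range(5)]
            for x in range(5):
                s[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):                                             # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                s[0][0] ^= 1 << ((1 << j) - 1)
    return s

def selector(sig):
    """First 4 bytes of Keccak-256(sig): the ID an EVM dispatcher matches on."""
    data = sig.encode()
    assert len(data) < 136, "single-block input only"
    st = bytearray(200)
    st[:len(data)] = data
    st[len(data)] ^= 0x01      # Keccak (pre-SHA-3) padding start
    st[135] ^= 0x80            # padding end at the 136-byte rate boundary
    lanes = [[int.from_bytes(st[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    return keccak_f(lanes)[0][0].to_bytes(8, "little")[:4]

def missing_selectors(required_sigs, runtime_code):
    """Signatures the caller needs that never appear as PUSH4 <selector> in the callee."""
    return [s for s in required_sigs if b"\x63" + selector(s) not in runtime_code]

# Hypothetical interfaces: what the deployed token calls vs. what the new model exposes.
TOKEN_CALLS = ["getBorrowRate(address,uint256,uint256)"]
NEW_MODEL = ["getBorrowRate(uint256,uint256,uint256)", "getSupplyRate(uint256,uint256,uint256,uint256)"]
# Constructed dispatcher fragment: DUP1 PUSH4 <selector> EQ for each exposed function.
NEW_MODEL_CODE = b"".join(b"\x80\x63" + selector(s) + b"\x14" for s in NEW_MODEL)

if __name__ == "__main__":
    print("missing from new model:", missing_selectors(TOKEN_CALLS, NEW_MODEL_CODE))
```

A non-empty result means the token contract would call a selector the new model does not dispatch, so the model should not be wired into a live market.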

The recourse

In direct messages with CoinDesk, Vfat said it is still too early on in the recovery process for a definitive plan, especially considering no one has had a chance to speak with Centre or BitGo yet, the issuers of the USDC crypto dollar and WBTC token, respectively.

Because USDC and WBTC have backdoors into their smart contracts, these issuers would be able to blacklist the addresses with the locked funds (even though they are already inaccessible, Vfat said this would be a good “extra precaution”). After the blacklisting, BitGo and Centre could then reissue new tokens to the old tokens’ owners, something Tether did for a trader who mistakenly transferred $1 million in USDT tokens to the wrong address.


A Centre representative told CoinDesk the company can only meddle with USDC transactions if it receives “a valid, binding court-order from a competent U.S. court that has authority over Centre.” 

Representatives for BitGo were not available for comment at press time.

For other recovery efforts, Vfat said one early-stage proposal suggests launching new contracts for the USDC lending markets. Though 27% of the loans are locked in the old contracts, these new ones would allow borrowers to pay back the rest of their loans, and so retrieve their collateral and pay lenders back 73 cents on the dollar.

All 100% of the PercentFinance lending platform’s WBTC is locked up, so without cooperation from BitGo those funds are lost to the ether. Likewise, 100% of PercentFinance’s ETH funds were frozen, and there’s no practical way to recover them.

“Regardless of this haircut procedure I am taking responsibility for the full amount of these losses and will do everything I can to make everyone 100% whole,” Vfat told CoinDesk.
