CertiK: 80 million RMB disappeared, analysis of Compounder.finance internal operation attack
CertiK
2020-12-02 03:03
This article is about 2,409 words; reading it takes about 10 minutes.
At 3:00 pm Beijing time on December 1, the CertiK security technology team discovered several large-value transactions in the Compounder.Finance project. The incident was an internal operation attack carried out by the project owner.

Does a case involving 80 million RMB remind you of the piles of cash in the TV drama "In the Name of the People"?

In daily life, losing your wallet costs you at most a modest sum. In the world of cryptocurrency, a moment of carelessness can cost a sum large enough to blot out the sky.

In the endless succession of mining pools ("mine pits"), a single mistake or omission loses the whole game. Project owners, like investors, are usually concerned about the safety of their own projects.

But there is one exception...

At 3:00 pm Beijing time on December 1, the CertiK security technology team, using Skynet, found that several large-value transactions had occurred in the Compounder.Finance smart contract at address 0x0b283b107f70d23250f882fbfe7216c38abbd7ca.

After verification by the CertiK security technology team, these transactions were found to be internal operations by the Compounder.Finance project owner, who transferred a large amount of tokens to their own accounts.

In total, Compounder.Finance lost tokens worth about 80 million RMB.

The attack events are as follows:

Figure 1: inCaseTokenGetStuck() function

The Compounder.Finance project owner used the inCaseTokenGetStuck() function in the contract at 0x0b283b107f70d23250f882fbfe7216c38abbd7ca to transfer tokens to an address of their own choosing.

When this function is called, it first checks (at line 1471 in Figure 1) whether the external caller is the strategist or the governance address. The strategist address of the contract at 0x0b283b107f70d23250f882fbfe7216c38abbd7ca turned out to be the Compounder.Finance project owner's address, so the owner passed this check and could move the tokens at will.
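To make the mechanism concrete, here is an added example (not code from Compounder.Finance or from the original article). The first contract shows the controller pattern the article describes: a token-rescue function guarded only by a strategist-or-governance check, so whoever holds either role can drain any token the contract holds. The second contract is a hardened variant of the same escape hatch. The function signature, the minimal ERC-20 interface, the 48-hour delay and the event names are all assumptions; the page shows only the function name and the role check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for this example (assumed, not from the page).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// 1. The pattern described in the article: a "rescue" function guarded only
//    by an EOA-held role. Anyone holding `strategist` or `governance` can move
//    any token out of the contract, at any time, with no delay and no notice.
//    The exact signature is an assumption; the page shows only the name and
//    the role check.
contract ControllerUnrestricted {
    address public governance;
    address public strategist;

    constructor(address _strategist) {
        governance = msg.sender;
        strategist = _strategist;
    }

    function inCaseTokensGetStuck(address _token, uint256 _amount) external {
        require(msg.sender == strategist || msg.sender == governance, "!governance");
        // Sends the requested amount to the caller: the escape hatch is also
        // the rug-pull primitive.
        require(IERC20(_token).transfer(msg.sender, _amount), "transfer failed");
    }
}

// 2. Hardened variant (an illustration added here, not the project's code):
//    - tokens that users deposited are flagged as managed and can never be
//      "rescued"; the flag is one-way so governance cannot unflag them,
//    - a rescue must be queued and can only execute after DELAY, giving
//      users a visible window to withdraw,
//    - every step emits an event that on-chain monitoring can alert on.
contract ControllerTimelocked {
    uint256 public constant DELAY = 48 hours; // assumed value

    address public governance;
    mapping(address => bool) public isManagedToken; // depositor funds
    mapping(bytes32 => uint256) public queuedAt;     // rescue id -> eta

    event ManagedTokenAdded(address indexed token);
    event RescueQueued(bytes32 indexed id, address token, address to, uint256 amount, uint256 eta);
    event RescueExecuted(bytes32 indexed id, address token, address to, uint256 amount);
    event RescueCancelled(bytes32 indexed id);

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor() {
        governance = msg.sender; // should itself be a multisig or DAO timelock
    }

    // One-way: once a token is marked as depositor funds it stays protected.
    function addManagedToken(address token) external onlyGovernance {
        isManagedToken[token] = true;
        emit ManagedTokenAdded(token);
    }

    function rescueId(address token, address to, uint256 amount, uint256 nonce)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(token, to, amount, nonce));
    }

    function queueRescue(address token, address to, uint256 amount, uint256 nonce)
        external onlyGovernance
    {
        require(!isManagedToken[token], "token belongs to depositors");
        bytes32 id = rescueId(token, to, amount, nonce);
        require(queuedAt[id] == 0, "already queued");
        uint256 eta = block.timestamp + DELAY;
        queuedAt[id] = eta;
        emit RescueQueued(id, token, to, amount, eta);
    }

    function cancelRescue(bytes32 id) external onlyGovernance {
        require(queuedAt[id] != 0, "not queued");
        delete queuedAt[id];
        emit RescueCancelled(id);
    }

    function executeRescue(address token, address to, uint256 amount, uint256 nonce)
        external onlyGovernance
    {
        bytes32 id = rescueId(token, to, amount, nonce);
        uint256 eta = queuedAt[id];
        require(eta != 0, "not queued");
        require(block.timestamp >= eta, "timelock not expired");
        delete queuedAt[id];
        require(IERC20(token).transfer(to, amount), "transfer failed");
        emit RescueExecuted(id, token, to, amount);
    }
}
```

The two checks that matter are the managed-token flag, which removes depositor funds from the reach of any privileged role, and the queue-then-execute delay, which turns a silent transfer into an on-chain announcement that users and monitors see before the funds move. A timelock alone does not help if the governance key is a single EOA and nobody is watching the events, so the governance address should be a multisig and the RescueQueued event should be part of the monitoring rule set.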

Figure 2: Address of the role of strategist in Compounder.Finance: StrategyControllerV1

Figure 3: Examples of transactions where project managers steal tokens

List of transactions in which the project managers stole tokens:

In today's DeFi market, projects in which the project owner holds excessive authority, and projects with a high degree of centralization, are everywhere.

At present there is a lack of additional governance or restrictive measures on project owners, and internal operation attacks of this kind are becoming more frequent.

The incident caused huge losses, yet the technical details of the attack were simple. It sounds an alarm for all DeFi projects:

1. The current DeFi market lacks effective restrictions on project owners.

2. Investors mainly rely on looking for endorsements of a project to assess this type of security risk.

Welcome to search WeChat [certikchina] and follow CertiK's official WeChat public account, click on the dialog box at the bottom of the public account, leave a message to get free consultation and quotation!

