Flawed code in the Compound Finance fork froze $1 million in Ethereum tokens

On November 4, DeFi lending platform PercentFinance, a fork of Compound Finance, wrote in an official post that "some of its money markets have encountered a problem that can result in the permanent freezing of user funds."

The team froze the money markets specifically for USDC, ETH and wrapped bitcoin (WBTC). Currently 446,000 USDC, 28 WBTC and 313 ETH are frozen, valued at approximately $1 million.

According to the post, half of these funds belong to PercentFinance's “community mod team”. Withdrawals for other markets are open, but the team has urged users not to borrow anything from PercentFinance's markets in the meantime.

The bug

In a Discord discussion about the vulnerability, Vfat, an Ethereum and PercentFinance developer, said that the developer who forked PercentFinance from Compound Finance used "older Compound contracts instead of newer and much better versions."

Vfat therefore decided to update some of these smart contracts, in particular those that manage the interest rates for the platform's loans. After Vfat finalized the changes and implemented them, he realized that the signatures for the old contracts and the new contracts were incompatible, so transactions could not be signed. Vfat also said in the chat that "Compound [the team] has confirmed that this means that the contract is blocked".

How to repair the damage

Vfat commented that it is still too early for a definitive recovery plan, especially considering that no one has yet had a chance to speak to Centre or BitGo, the issuers of the USDC cryptocurrency and the WBTC token, respectively.

Since USDC and WBTC have backdoors in their smart contracts, these issuers would be able to blacklist the addresses holding the blocked funds. Even though those funds are already inaccessible, Vfat said this would be a good "extra precaution".

After the blacklisting, BitGo and Centre could then reissue new tokens to the original token owners, which Tether already did when a trader mistakenly transferred $1 million in USDT tokens to the wrong address.

Another solution could be the launch of new contracts for the USDC loan markets, Vfat said. Although 27% of the loans are locked into old contracts, these new ones would allow borrowers to repay the rest of their loans, then recover their collateral and repay lenders 73 cents on the dollar.

100% of the WBTC of the PercentFinance lending platform is blocked, so without BitGo's cooperation those funds are lost. Likewise, 100% of PercentFinance's ETH funds have also been frozen and there is no practical way to recover these funds.

Vfat, for his part, stated in an interview that he wants to assume 100% of the responsibility for the incident, and that he will do everything possible to recover the lost funds.