Compounder Finance: Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)
Summary
Compounder Finance, a yield aggregator, suffered an insider rug pull on 2020-12-02, resulting in a loss of approximately $12M.
What happened
Compounder Finance's anonymous founder deployed 7 malicious strategy contracts after completing an audit, then used the protocol's own admin functions to drain $12M from user vaults in a premeditated insider exit.
Linked factors
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the malicious strategies were added after audit completion]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — 7 malicious strategy contracts were deployed post-audit specifically to enable the rug]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None mentioned]
- RD-F-096 — illustrative : New ERC-20 approval to unverified contract [via realtime_signals/Pre-exploit on-chain signals: Y — the 7 malicious Strategy contracts were deployed and approved through the Timelock (24-hour delay) before the rug; these approvals were ...]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — malicious Strategy contracts added and approved via StrategyController timelock]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — identified only as "keccak" / "Vlad"; likely Ukrainian based on investigation context]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Yearn Finance fork (yield aggregator architecture with Vaults, Strategies, and StrategyController)]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — 7 malicious strategy contracts were deployed post-audit specifically to enable the rug]