DeFi lending platform PercentFinance, a fork of Compound Finance, wrote in a blog post on Nov. 4 â€œthat some of [its] money markets experienced an issue that can result in permanent locking of user funds.â€ The team froze money markets specifically for USDC, ETH and wrapped bitcoin (WBTC).
A total of 446K USDC, 28 WBTC and 313 ETH , worth approximately $1 million, are currently frozen. Half of these immobile funds belong to PercentFinanceâ€™s â€œcommunity mod team,â€ according to the post. Withdrawals for other markets are open, but the team is urging users not to borrow from any of PercentFinanceâ€™s markets in the meantime.
Read more: Supply of Tokenized Bitcoin on Ethereum Now Tops $1.1B: Hereâ€™s Why
In a Discord discussion regarding the vulnerability, Vfat, an Ethereum and PercentFinance developer, said the developer who forked PercentFinance from Compound Finance used â€œold contracts from Compound instead of â€¦ newer, much better versions.â€
Vfat moved to upgrade some of these smart contracts, specifically those that handle the interest rates for the platformâ€™s loans. After Vfat finalized the changes and deployed them, he realized the signatures for the old contracts and the new contracts were incompatible, so transactions could not be signed to them.
â€œThe old and new interest rate models have different function signatures on these all important functions,â€ he said in the Discord chat. â€œEssentially the token contract is trying to find an interest rate function that doesnâ€™t exit, so it always fails in every interaction.â€
Vfat also said in the chat the â€œCompound [team has] confirmed that this means that the contract is bricked.â€
In direct messages with CoinDesk, Vfat said it is still too early on in the recovery process for a definitive plan, especially considering no one has had a chance to speak with Centre or BitGo yet, the issuers of the USDC crypto dollar and WBTC token, respectively.
Because USDC and WBTC have backdoors intp their smart contracts, these issuers would be able to blacklist the addresses with the locked funds (even though they are already inaccessible, Vfat said this would be a good â€œextra precautionâ€). After the blacklisting, BitGo and Centre could then reissue new tokens to the old tokens owners, something Tether did for a trader who mistakenly transferred $1 million in USDT tokens to the wrong address.
Read more: Tether Still Dominates Stablecoins, but USDC and Dai Are Winning DeFi
A Centre representative told CoinDesk the company can only meddle with USDC transactions if it receives â€œa valid, binding court-order from a competent U.S. court that has authority over Centre.â€
Representatives for BitGo were not available for comment at press time.
For other recovery efforts, Vfat said one early-stage proposal suggests launching new contracts for the USDC lending markets. Though 27% of the loans are locked in the old contracts, these new ones would allow borrowers to pay back the rest of their loans, and so retrieve their collateral and pay lenders back 73 cents on the dollar.
All of the PercentFinance lending platformâ€™s WBTC is locked up, so without cooperation from BitGo those funds are lost to the ether. Likewise, 100% of PercentFinanceâ€™s ETH funds were also frozen, and thereâ€™s no practical way to recover these funds.
â€œRegardless of this haircut procedure I am taking responsibility for the full amount of these losses and will do everything I can to make everyone 100% whole,â€ Vfat told CoinDesk.