Bug Puts $162 Million at Risk in DeFi Platform Compound

Some, including a core developer at DeFi platform Yearn, are billing this as the biggest-ever fund loss in a smart contract incident.
Bug Puts $162 Million up For Grabs in DeFi Platform Compound

In Brief:

  • The bug in the upgrade put about $162M at risk in Compound
  • Yearn Finance core developer Banteg estimated this is the largest fund loss in the smart contract incident.
  • Lashner disclosed that users returned around 117,000 comp tokens

Robert Leshner, the founder of Compound Labs, said that about $162M is at risk as there is a bug in the upgrade. The bug was first reported by Banteg, Yearn Finance’s core developer.

DeFi staking protocol Compound Labs, put another millions more than thought at risk. Before this, on Sept 30, Robert Leshner tweeted about the bug and said that the impact is limited and at worst 280K COMP Tokens are at Risk. The tokens were mistakenly offered to users as rewards after an update to fix bugs.

On Oct 3, Leshner tweeted that 202,472.5 COMP worth approx $65 million at the current price had been set in danger. After the protocol’s drip() function was called, the first time in roughly two months, it sent a backlog into the protocol for distribution to users.

The drip() makes COMP tokens held in Compound Reservoir claimable to users. The Compound Reservoir holds the majority of COMP for distribution to users and drips .50 COMP/block into the protocol.

Banteg estimated that it seemed ¼ of that could be drained. Banteg tallied a bug to $147m, making it officially the largest fund loss in a smart contract incident.

However, Leshner is positive about the bug fixing through the governance process. The bug will fix the issue of distribution. Community members are already working on bug fixing.

SushiSwap developer Mudit Gupta explained, “There are a few proposals to fix the bug, but Compound’s governance model is such that any changes to the protocol require a multi day voting window”. Gupta said it takes another week for the successful proposal to be executed.

The company made clear that no supplied or borrowed funds were at risk, which is some consolation. Last week, Leshner asked users to return the funds back following the bug and thanked the users who returned them. Leshner’s tweet disclosed that about 117,000 comp tokens, or $38.7 million, had been returned.

The Comptroller is the heart of Compound, Gupta explained. It facilitates all core features like borrowing, lending, and rewarding. The current problem is that the Comptroller has given away tokens reserved for future rewards.

The price of Compound’s native token, called COMP, is down 4.8% in the last 24 hours.

Related Posts